HCB News: How has your work with the HSCC Cybersecurity Working Group shaped your approach to medical device cybersecurity?
SJ: The HSCC Cybersecurity Working Group (CWG) aims to build a health sector where threat actors must “beat all of us to beat one of us.”
To reach this new paradigm, healthcare must embrace two fundamental shifts:

1. Security isn’t an “us vs. them” discussion. HTM departments often blame manufacturers; IT blames HTM; hospitals blame third parties for the state of cybersecurity in healthcare. But once you begin collaborating through the cross-disciplinary CWG, it becomes clear: Healthcare is one of the most complex ecosystems in existence. No single person or group “built” this system—and no one is solely at fault for its current state. Stop the blame game. Finger-pointing drains the energy we need to focus on real solutions.
2. We’re all in this together—providers, payers, manufacturers, and public health departments. We must start leveraging each other’s work to move the bar faster and keep pace with the rapidly evolving threat landscape. No one person—or health sector organization—needs to solve the cybersecurity challenge alone. There are countless experts, resources, and tools available. Instead of using limited people and budgets to build your own solution from scratch, use what already exists.
The HSCC offers free guidance documents on many cybersecurity topics—including medical device security—at healthsectorcouncil.org. Use what’s out there. Don’t reinvent the wheel.
HCB News: Which HSCC Cybersecurity Working Group resources have had the greatest impact on healthcare?
SJ: There have been many initiatives over the years. I could mention the Health Industry Cybersecurity Practices, the Medical Device and Health IT Joint Security Plan, or the Supply Chain Risk Management Guide. The HSCC offers a wide range of resources covering everything from AI and machine learning to incident response playbooks and checklists. It also provides contract language recommendations and guidance for managing legacy medical devices.
However, the most recent initiative—one that may have the greatest impact—is set to be published by the end of the year. It’s called the SMART Initiative: A Sector Mapping and Risk Template. Although this work began before the Change Healthcare incident, that event underscored its importance.
The goal is to identify and prioritize systemic risks within the healthcare ecosystem—risks that are often poorly understood, rarely planned for, and frequently unmitigated. Currently, most organizations spend 80% of their time assessing third-party risk and only 20% mitigating it. The SMART Initiative aims to flip that ratio: 20% assessing and 80% preparing and mitigating in advance of the next attack.