Cybersecurity Toolkit for Digital Health
This toolkit serves as an educational resource for digital health companies at all stages of growth on both the fundamentals and best practices for cybersecurity and privacy protection. In addition to serving as a resource guide, the toolkit will also contain a Massachusetts common security checklist, created by MassChallenge HealthTech in collaboration with the CGE and with funding support from MeHI. This checklist provides a standard set of questions asked by a hospital prior to deployment of a new device or software in a clinical setting. The checklist is designed to provide startups an upfront guide to the key security and standardization requirements they will need to meet for any hospital engagement.
Applicable Regulations
Rock Health's guide to HIPAA
Medium post from AWS on privacy in digital health product development
Rock Health's startup support video
A list with advice for achieving HIPAA compliance
How does the FDA define digital health?
Cybersecurity Practices and Guidance for Medical Devices
Covers premarket and postmarket management of medical device cybersecurity
Consists of the MDS form and instructions for completing it. Assists professionals responsible for security-risk assessment in managing medical device security issues.
Provides medical device manufacturers with guidance on developing a cybersecurity risk management process for their products.
Health Sector Joint Cybersecurity Resources
Report on Improving Cybersecurity in the Healthcare Industry
Managing Threats and Protecting Patients – an industry-led effort in response to a mandate of the Cybersecurity Act of 2015 Section 405(d), to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry
Recommendations for manufacturing and managing the security of medical devices for clinical practice
Organizational Cybersecurity Best Practices
Resources to assist SMBs and startups with securing their organization. Includes a roadmap of critical infrastructure requirements for small and midsize businesses
Helps businesses quickly create and save a custom cybersecurity plan that addresses their specific needs and concerns.
Covers cybersecurity basics and best practices, including the NIST Cybersecurity Framework for SMBs, and common security threats (e.g. phishing, ransomware, email spoofing and tech support scams)
Focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes
Provides simple cybersecurity tips and resources for entrepreneurs.
Provides HIPAA-related organizations brief guidance on responding to cyber incidents.
Identifies “mappings” between the Cybersecurity Framework and the HIPAA Security Rule. This crosswalk maps each administrative, physical and technical safeguard standard and implementation specification in the HIPAA Security Rule to a relevant NIST Cybersecurity Framework Subcategory.
Family of standards to help organizations keep information assets secure.
Secure by Design Best Practices
A guide and checklist organizations can use as the basis for securely deploying network-enabled medical devices
Code of Practice for Consumer Internet of Things (IoT) Security for manufacturers, with guidance for consumers on smart devices at home
Vulnerability Disclosure Best Practices
Provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services
Guidelines for how to process and resolve potential vulnerability information in a product or online service
List of manufacturers in cyber safety industries who have coordinated vulnerability disclosure programs
Digital Health Cybersecurity Group Of Experts
In February 2019, the Council launched the Cybersecurity Group of Experts (CGE) to facilitate the creation of a cybersecurity toolkit. The CGE, chaired by MITRE, is composed of 11 experts from hospitals; industry, including software, security and medical device companies; academia; and government. The CGE will support the growth of the digital health ecosystem by enhancing access to the security and validation information needed to commercialize products, by working with the Massachusetts Cyber Center, and by supporting future Hacker Hospital sandbox environments. The CGE will also offer ongoing hackathon events and development training workshops around cybersecurity, HIPAA and other relevant topics.

Margie Zuk
Principal Cybersecurity Engineer, MITRE – co-chair of the Group of Experts

Maeghan Welford
Director of Integration and Plans, MITRE – co-chair of the Group of Experts

Josh Corman
Chief Security Officer, PTC

Jen Ellis
VP of Community and Public Affairs, Rapid7

Ron Ford
Regional Cybersecurity Advisor New England, Department of Homeland Security, Office of Cybersecurity and Communications

Julian Goldman, MD
Director of Biomedical Engineering for Partners HealthCare, anesthesiologist at MGH, and Director of the Program on Medical Device Interoperability research program

Stephanie Helm
Director, MassCyberCenter

Christina Mazzone
Chief Information Security Officer, BWH

Michael McNeil
Head of Global Product and Security, Philips

Paul Schieb
Chief Information Security Officer, Boston Children’s

Daniel Weitzner
Director, MIT Internet Policy Research Initiative and Research Scientist at CSAIL