Cybersecurity Toolkit for Digital Health

This toolkit serves as an educational resource for digital health companies at all stages of growth on both the fundamentals and best practices for cybersecurity and privacy protection. In addition to serving as a resource guide, the toolkit will also contain a Massachusetts common security checklist, created by MassChallenge HealthTech in collaboration with the Cybersecurity Group of Experts (CGE) and with funding support from MeHI. This checklist provides a standard set of questions asked by a hospital prior to deployment of a new device or software in a clinical setting. The checklist is designed to provide startups an upfront guide to the key security and standardization requirements they will need to meet for any hospital engagement.

A Startup's Guide to HIPAA

Rock Health guide to HIPAA

Architecting Your Healthcare Application for HIPAA Compliance

Medium post from AWS on privacy in digital health product development

HIPAA Compliance for Startups

Rock Health startup support video

Ten Steps Towards Achieving HIPAA Compliance

A list with advice for achieving HIPAA compliance

FDA Digital Health Innovation Plan

How does the FDA define digital health?

EU General Data Protection Regulation (GDPR)

FDA Medical Device Cybersecurity Page

Includes premarket and post market management of medical devices

Fact Sheet: the FDA’s Role in Medical Device Cybersecurity

Hippocratic Oath for Connected Medical Devices

Manufacturer Disclosure Statement for Medical Device Security

Consists of the MDS form and instructions for completing it. Assists professionals responsible for security-risk assessment in the management of medical device security issues.

AAMI TIR57

Provides medical device manufacturers with guidance on developing a cybersecurity risk management process for their products.

Healthcare Industry Cybersecurity Task Force

Report on Improving Cybersecurity in the Healthcare Industry

Health Industry Cybersecurity Practices (HICP)

Managing Threats and Protecting Patients – an industry-led effort in response to a mandate of the Cybersecurity Act of 2015 Section 405(d), to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry

Medical Device and Information Technology Joint Security Plan

Recommendations for manufacturing and managing the security of medical devices for clinical practice

DHS CISA Resources for Small and Midsize Businesses

Resources to assist SMBs and startups with securing their organization. Includes roadmap for critical infrastructure requirements for small and midsize businesses

FCC Small Biz Cyber Planner

FCC's 'Cyberplanner' helps businesses create and save a custom cyber security plan quickly to address specific business needs and concerns.

Federal Trade Commission (FTC)

FTC | Cybersecurity for Small Business – guidance and information on protecting your business from cyberattacks.

NIST Framework for Improving Critical Infrastructure Cybersecurity

Focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes

DHS Entrepreneurs Tip Card

Provides simple cybersecurity tips and resources for entrepreneurs.

HHS Quick Response Checklist for HIPAA Covered Entity or Business Associate

Provides HIPAA-related organizations brief guidance on responding to cyber incidents.

HIPAA Security Rule and NIST Crosswalk

Identifies “mappings” between the Cybersecurity Framework and the HIPAA Security Rule. This crosswalk maps each administrative, physical and technical safeguard standard and implementation specification in the HIPAA Security Rule to a relevant NIST Cybersecurity Framework Subcategory.

ISO/IEC 27000

Family of standards to help organizations keep information assets secure.

Center for Information Security Top 20 Security Controls

OWASP Secure Medical Device Deployment Standard

A guide and checklist organizations can use as the basis for securely deploying network enabled medical devices

OWASP Top Ten for Security - The Ten Most Critical Web Application Security Risks

UK Code of Practice for IoT

Code of Practice for Consumer Internet of Things (IoT) Security for manufacturers, with guidance for consumers on smart devices at home

George Washington University workshop to develop a building code and research agenda for medical device software security

MITRE Secure coding course

CWE/SANS Top 25 Most Dangerous Software Errors

National Telecommunications and Information Administration Coordinated Disclosure Early Stage Template

ISO29147

Provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services

ISO30001

Guidelines for how to process and resolve potential vulnerability information in a product or online service

I Am The Cavalry

List of manufacturers in cyber safety industries who have coordinated vulnerability disclosure programs

DHS CISA Vulnerability Disclosure Policy

Digital Health Cybersecurity Group Of Experts

In February 2019, the Council launched the Cybersecurity Group of Experts (CGE) to facilitate the creation of a cybersecurity toolkit. The CGE, chaired by MITRE, is composed of 11 industry experts from hospitals, industry (including software, security and medical devices), academia and government. The CGE will support the growth of the digital health ecosystem by enhancing access to the security and validation information needed to support commercialization of products, by working with the Massachusetts Cyber Center, and by supporting future Hacker Hospital sandbox environments. The CGE will also offer ongoing hackathon events and development training workshops on cybersecurity, HIPAA and other relevant topics.

Margie Zuk

Principal Cybersecurity Engineer

MITRE – co-chair of Group of Experts

Maeghan Welford

Director, Growth and Transformation

MITRE – co-chair of Group of Experts

Josh Corman

Chief Security Officer

PTC

Jen Ellis

VP of Community and Public Affairs

Rapid 7

Ron Ford

Regional Cybersecurity Advisor New England

Department of Homeland Security, Office of Cybersecurity and Communications

Julian Goldman, MD

Director of Biomedical Engineering for Partners HealthCare, anesthesiologist at MGH

Director of Program on Medical Device Interoperability research program

Christina Mazzone

Chief Information Security Officer

BWH

Michael McNeil

Head of Global Product and Security

Philips

Paul Schieb

Chief Information Security Officer

Boston Children’s

Daniel Weitzner

Director

MIT Internet Policy Research Initiative and Research Scientist at CSAIL

© 2025 Massachusetts Technology Collaborative