Shannon Lantzy

Health cyber innovators: the HSCC Strategic Plan is a gift

HSCC's new strategic plan is a valuable resource for anyone innovating, offering, or buying cybersecurity solutions for healthcare

The Health Sector Coordinating Council published its five-year strategic plan, including a target state for 2029, goals, objectives, sample initiatives, and measures. The content of the plan represents input from medical device manufacturers, health systems, policy makers, pharma, and more. (Read more about it on the HSCC website or the preamble of the plan itself.)

I’m paying attention. While these documents are sometimes ignored by engineers and industry who scoff about “yet another whitepaper,” I see these as foundational stepping stones leading a huge industry through the mire of a wicked and persistent grand challenge. While I agree that whitepapers alone are not going to solve the problems of cybersecurity in healthcare themselves, they’re useful and important in many ways, for many stakeholders. Specifically, for tech innovators, here are a few:

Reasons to pay attention:


  1. Free, summarized customer research: Industry participants are also prospective customers. The best are collaborative innovators. Participants in this group know the core problems of the industry, know the available market solutions, and are intelligent buyers of new technology. When a problem is listed in this plan, it has been vetted. You can increase your assurance that investing in the solution is time well spent. (See caveat 1 below.)  

  2. Early insight into upcoming policy: Documents published by the HSCC are citable frameworks that can be used as guides for regulatory submission. For example, the Joint Security Plan offers a secure product development maturity framework for medical devices. It was published in 2019 by the HSCC, then cited in 2023 by FDA’s Premarket Guidance. That’s a four-year heads-up on future policy. (See caveat 2 below.) Another example is the Model Contract template, used by hospitals when conducting diligence of medical devices during acquisition. (Also important but not from HSCC: the MDS2 form.)

  3. Market signaling, customer trust: If you have taken the time to align your products and marketing to industry working group thought leadership, you’re signaling to your buyers that you’re committed to both healthcare and evolving with the industry.

  4. Be the change you want to see in the world: Research and business results show that not only are employees happier when they are a part of a mission of doing good in the world, it’s also good for business. This strategic plan comes with an opportunity to sign up and pledge support.

Example Highlights for Tech Innovators


  • GOAL 6: This plan was revealed at ViVE. After the team briefed the contents to the audience, I asked the panel what they’d say to the technology innovators in the room. Linda Ricci took the microphone and enthusiastically said “Secure by design, secure by default.” This lines up with Goal #6: “Healthcare technology used inside and outside of the organizational boundaries is secure-by-design and secure-by-default while reducing the burden and cost on technology users to maintain an effective security posture” (p. 17)

  • SAMPLE MEASURABLE OUTCOMES: Creation and use of collaboration and research forums for medical device manufacturers, health providers and information technology suppliers to understand emerging tech and how it is applied to healthcare

I have helped a lot of cybersecurity vendors focus their efforts on developing and selling products to the healthcare industry. When they ask me for a framework, I note there are many, but they can start with the FDA guidances and the JSP. When they ask what customer requirements really look like, I show the HSCC model contract and the MDS2. These are great starting points. Now, we have this strategic plan as a reference and guidepost.

Thank you to the folks at HSCC (caveat 3) who developed this resource!

~Shannon, the Optimistic Optimizer.


  1. Some of the problems in the document exist because the people who could solve them do not have an incentive to solve them.

  2. Of course, this is not something you should bet the farm on. HSCC has no authority to make binding policy on the industry.

  3. I had the opportunity to participate in the April 2023 all hands, where some of this work was done. It was great to see the development process that spanned stakeholder groups, government, commercial, and advisors.

