    HSCC Joint Security Plan

    An industry-developed reference framework from the Healthcare Sector Coordinating Council for end-to-end MedTech cybersecurity.

    Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed May 5, 2026.

    Definition

    The Joint Security Plan (JSP), maintained by the Healthcare Sector Coordinating Council (HSCC), is an industry-developed reference framework for cybersecurity across the medical device and health IT product lifecycle - from design through end-of-life. The JSP provides templates, role-and-responsibility matrices, and shared expectations between manufacturers and Healthcare Delivery Organizations (HDOs). The current JSP 2.0 (2023) aligns with FDA's 2023 guidance and IMDRF N60/N73.

    What the regulation says

    FDA explicitly references the HSCC JSP in the 2023 guidance as an industry resource. HSCC products are public-private collaborations (CISA, HHS, FDA, manufacturers, HDOs), which gives them quasi-regulatory weight in MedTech cybersecurity practice without binding legal authority.

    What this means in practice

    The JSP is most useful as a shared vocabulary between MedTech vendors and hospital security teams. Procurement contracts increasingly reference JSP roles and responsibilities, and manufacturers that align to it have an easier conversation with HDO security committees.

    Common pitfalls

    • Treating the JSP as a checkbox rather than tailoring its templates to your product and supply chain.
    • Ignoring the HDO-side responsibilities, which leaves operators uncertain about what they need to do.

    Frequently asked questions

    No. It is industry-consensus guidance with strong public-private endorsement, not regulation. FDA cites it in the 2023 guidance as a recommended resource.

    Primary references

    1. HSCC Joint Security Plan (HSCC, healthsectorcouncil.org)
    2. FDA Cybersecurity Guidance (Sept 2023) (FDA, fda.gov)
    3. MDCG Cybersecurity Guidance (MDCG, health.ec.europa.eu)