Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook Issued by FDA

On October 1, 2018, the U.S. Food and Drug Administration released a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook designed to help healthcare delivery organizations prepare for medical device cybersecurity incidents and plan their response strategy.

The playbook includes a preparedness and response framework which will help healthcare organizations identify and evaluate security breaches, contain incidents, and quickly recover from cyber attacks. The playbook was created by MITRE Corp with assistance provided by the FDA, researchers, healthcare delivery institutions, state health departments, medical device vendors and regional healthcare groups.

There have been many vulnerabilities identified in medical devices in the past year. Hackers could potentially exploit these and new vulnerabilities to get access to healthcare networks, patient medical information, or medical devices. Attacks on the latter have potential to cause patients serious harm.  While no reports have been received by the FDA to suggest an attack on medical equipment has been conducted to harm patients, there is considerable concern within the healthcare community that such an attack could easily take place.

“The playbook supplements existing HDO emergency management and/or incident response capabilities with regional preparedness and response recommendations for medical device cybersecurity incidents,” explained MITRE. “The playbook outlines how hospitals and other HDOs can develop a cybersecurity preparedness and response framework, which starts with conducting device inventory and developing a baseline of medical device cybersecurity information.”

Besides publishing the guidance for HDOs, the FDA has created its own internal playbook to make sure that it can respond quickly to any medical device cybersecurity incident.

The Playbook makes several recommendations for healthcare organizations, although operational limitations may mean some of the recommendations cannot be implemented. The Playbook is a good starting point for creating a response strategy for medical device security breaches and the recommendations can be integrated into current disaster recovery programs for organizations that have already developed a response plan.

In addition to releasing the Playbook, the FDA has signed two memoranda of understanding which establish information sharing analysis organizations (ISAOs). ISAOs are tasked with collecting, examining, and disseminating essential information regarding new cyber threats to medical device security. It is hoped that by sharing threat information rapidly, medical device makers will be able to address security vulnerabilities faster before they can be exploited by cybercriminals.

The Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook is available for download from MITRE (PDF)