The U.S. FDA, in collaboration with the McLean, Va.-based nonprofit organization MITRE Corp., has released the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook. The playbook outlines a framework for health delivery organizations (HDOs) and other stakeholders to plan for and respond to cybersecurity incidents around medical devices, ensure effectiveness of devices, and protect patient safety.
“Over the past four years, the FDA has benefitted from the outstanding strategic and technical support it has received from the MITRE Corp.—helping us to establish and grow our medical device cybersecurity program at the Center for Devices and Radiological Health,” says Suzanne Schwartz, MD, MBA, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health. “There is now a customizable tool that healthcare delivery organizations may voluntarily use so that they are better positioned to respond to a cyberattack that may affect medical devices and that can potentially impact continuity of care and patient safety.”
The healthcare sector knows how to prepare for and respond to natural disasters. However, it is less prepared to handle cybersecurity incidents, particularly those involving medical devices, MITRE officials say. Recent global cyberattacks highlighted the need for more robust cybersecurity preparedness to execute an enhanced, effective, real-time response that enables continuity of clinical operations.
The playbook supplements existing HDO emergency management and/or incident response capabilities with regional preparedness and response recommendations for medical device cybersecurity incidents. The playbook outlines how hospitals and other HDOs can develop a cybersecurity preparedness and response framework, which starts with conducting device inventory and developing a baseline of medical device cybersecurity information.
“The FDA recognized the need to work with the HDO and hospital community to provide guidance on how to help minimize the cybersecurity risks associated with medical devices,” says John Kreger, MITRE’s vice president of public sector programs, Center for Programs and Technology. “When working with the FDA on this playbook, we leveraged MITRE’s expertise across multiple federally funded research and development centers and independent research in the areas of cyber and homeland security.”
With this playbook, HDOs will be well positioned to manage these incidents through planning and practice, along with the support and collaboration of manufacturers and regional and national partners.
In a statement, FDA Commissioner Scott Gottlieb, MD, also spoke out about the agency’s efforts to strengthen medical device cybersecurity. “The threat of cyberattacks is no longer theoretical,” Gottlieb writes. “Cyber criminals and adversaries can inflict significant harm on networks through relatively simple methods, like emails or bugs known as malware.”
As such, he says, every stakeholder in the medical device community—including manufacturers, hospitals, and government agencies—must work together to address these new cyber-threats. “That’s why the FDA has long been committed to working hard with various stakeholders to stay a step ahead of constantly evolving cybersecurity vulnerabilities,” Gottlieb continues. “In this way, we can ensure the health care sector is well positioned to proactively respond when cyber vulnerabilities are identified in products that we regulate.”