Recently, the MITRE Corporation, in collaboration with the U.S. Food and Drug Administration (FDA), announced the release of the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook. The Playbook was designed to provide “tools, references, and resources” for Healthcare Delivery Organizations (HDOs) to better prepare for and respond to medical device cybersecurity incidents.
As noted in the Playbook, cybersecurity attacks on health care and public health critical infrastructure, such as HDOs, are occurring with increasing frequency. Given that attacks targeting or affecting medical devices – and, in particular, devices used in clinical care operations – can put patients at risk, the increase in cyber attacks affecting HDOs is particularly troublesome. Indeed, recent global ransomware events – including, among others, WannaCry and Petya/NotPetya – have demonstrated how the performance of medical devices may be compromised by cyber attacks and have highlighted challenges in preparedness and response across the health care and public health critical infrastructure sector.
The Playbook attempts to address questions that repeatedly have been raised by HDOs to the FDA in the wake of significant cyber incidents, including: with whom HDOs should be communicating before and after a cyber attack occurs; what actions should be taken during an attack; and what resources are available to aid in the response to a cyber attack. As such, the Playbook provides detailed insight and guidance for HDOs on, among other topics, how to prepare for, detect, analyze, contain, eradicate, and recover from “threats or vulnerabilities that have the potential for large-scale, multi-patient impact and raise patient safety concerns.”
While the Playbook is not an official FDA rule, regulation, or guidance, it will be interesting to see whether, in future enforcement proceedings, the agency considers failure to abide by the Playbook’s recommendations as an aggravating factor warranting a less favorable administrative outcome. Thus, HDOs and medical device companies would do well to familiarize themselves with the Playbook and, wherever feasible, incorporate its recommendations into existing cyber incident response plans.
A copy of the Playbook can be accessed here.