Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook Published by FDA


On October 1, 2018, the U.S. Food and Drug Administration presented a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook created to help healthcare delivery organizations (HDOs) prepare for and take steps to resolve medical device cybersecurity issues.

The playbook is meant to guide healthcare delivery organizations in creating a readiness and response framework so that they are prepared for medical device security problems, can detect and assess security breaches swiftly, contain problems, and recover promptly from cyberattacks.

The playbook was produced by MITRE Corp together with the FDA, researchers, healthcare delivery companies, state health departments, medical device companies and local healthcare teams.

Numerous vulnerabilities were discovered in medical equipment last year, and cybercriminals could potentially exploit them to gain access to healthcare systems or patient medical data, or to cause harm to patients. Although the FDA has received no report of an attack on medical devices that caused injury to patients, the growing number of cyberattacks on healthcare providers has raised fears at the FDA that cybercriminals could attack patient medical devices.

The playbook complements existing HDO emergency management and/or incident response capabilities with local readiness and response suggestions for medical device cybersecurity incidents. It details how hospitals and HDOs can build a cybersecurity readiness and response framework, which starts with conducting a device inventory and establishing a baseline of medical device cybersecurity data.

Aside from issuing the playbook for HDOs, the FDA has developed its own internal playbook so that it can respond immediately to any medical device cybersecurity incident.

The playbook offers a variety of suggestions for healthcare delivery organizations; however, operational constraints may prevent some organizations from implementing all of them. It serves as a starting point for building a response program for medical device security breaches and contains suggestions that can be incorporated into existing disaster recovery procedures.

The FDA additionally announced the signing of two memoranda of understanding that will set up information sharing and analysis organizations (ISAOs). ISAOs are tasked with gathering, evaluating, and circulating vital information about new cyber threats to medical device security. It is hoped that, by sharing this information, device vendors will be able to resolve security problems faster and prevent exploitation by cyber attackers.

The FDA is also working with the Department of Homeland Security to run joint cybersecurity exercises that simulate attacks on medical devices, with the aim of improving medical device security. The FDA also plans to release, in a couple of weeks, its updated premarket guidance for medical device vendors.

The Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook is available for download from MITRE (PDF – 543.73 KB).