Playbook sets framework for dealing with medical device cybersecurity attacks

Citing the increasing number of cyber attacks in healthcare and concern about the potential for targeting medical devices, the FDA announced in an October 1, 2018 press release the publication of its Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.

The playbook was prepared in collaboration with MITRE, a non-profit, government-funded research and development organization that explores new uses of technologies to assist government agencies in solving problems.

The 38-page playbook outlines a framework for developing a regional collaborative approach to preventing and responding to cyber attacks targeting medical devices. Although the agency isn’t aware of any reports of an unauthorized user exploiting medical device cybersecurity, the FDA said it developed the playbook as a result of a number of security vulnerabilities identified by “white hat hackers.”

 While the thrust of the document is aimed at healthcare delivery organizations (HDOs) and other stakeholders including clinicians, IT, risk management and facilities staff, it also identifies device manufactures as having a role in prevention and response.

The recommendations call for organizations integrating cybersecurity preparedness into their overall emergency preparedness planning including regional coordination.

The first step to developing a successful preparedness plan on a regional level, the playbooks says is building trust relationships with partners including device makers. The recommendations call for NDAs that protect sensitive incident information while facilitating information sharing either with the Health Information Sharing and Analysis Center (H-ISAC) or Information Sharing and Analysis Organization (ISAO) acting as an initial conduit.

Here are some other specific recommendations affecting device makers:

• Include cybersecurity considerations in procurement negotiations for purchase or maintenance fees that mitigate device vulnerabilities, such as ensuring spare or extra devices needed during an incident.
• Requesting a software bill of materials (SBoM) that will help HDOs identify and address vulnerable device components.
• Arranging for cybersecurity preparedness user account that provides service layer access during an incident.
• Acquire resources to support cybersecurity hazard analysis including a Manufacturer Disclosure Statement for Medical Device Security.
• Developing a process for initiating outreach in the case of a cybersecurity incident involving a medical device first to the manufacturer and then the broader healthcare community.
• Developing a process for receiving notifications of externally discovered medical device cybersecurity issues with appropriate response actions.
• A manufacturer is required to conduct a formal notification of the incident to its customers and user community. Formal notification may be a condition of ISAC or ISAO membership.
• Manufacturers need to participate in incident analysis to determine full incident impact, as well as post incident response analysis.

The goal of the playbook framework is to establish an understanding of roles and responsibilities of responders internal and external to the HDO that will help to clarify lines of communication and concepts of operations across HDOs, medical device manufacturers, state and local governments, and the federal government.  The playbook is available online.

Whether you are facing issues with regulatory processes or cybersecurity Kapstone Medical has the experience and expertise to assist you through all phases of the device development and commercialization. For more information contact us today at (704) 843-7852 – or by email at info@kapstonemedical.com.