The document, developed by MITRE Corp. under contract with the FDA, provides a framework for providers to plan for and respond to cyber incidents involving medical devices as well as to ensure the functionality of devices and patient safety.
In particular, the playbook focuses on cybersecurity threats affecting medical devices that could impact continuity of clinical operations for patient care.
“Even when medical devices are not being deliberately targeted, if these products are connected to a hospital network, such as radiologic imaging equipment, they may be impacted,” says Scott Gottlieb, MD, commissioner of the FDA, in a written statement. “As the number of cyber attacks has increased, we’ve heard concerns about the potential for cyber criminals to attack patient medical devices.”
While Gottlieb notes that the agency isn’t aware of any unauthorized user exploiting a cybersecurity vulnerability in a medical device used by a patient, he added that “the risk of such an attack persists” and that the regulatory agency has “heard concerns about the potential for cyber criminals to attack patient medical devices.”
“The playbook covers preparedness and response for medical device cybersecurity issues that impact the functionality of a device,” states the document. “Of particular focus are threats or vulnerabilities that have the potential for large-scale, multi-patient impact and raise patient safety concerns; the playbook is not intended to aid in the day-to-day patch management of devices.”
At the same time, the document acknowledges that many healthcare delivery organizations “will not be able to fully execute all recommendations due to operational constraints” and that the playbook “may be a starting point for HDOs without a medical device cybersecurity response plan that can be incorporated into existing response plans.”
The FDA on Monday also announced the signing of two memoranda of understanding designed to bring together multiple stakeholders to enable increased information sharing and transparency regarding cybersecurity risks.
“Every stakeholder—manufacturers, hospitals, health care providers, cybersecurity researchers and government entities—all have a unique role to play in addressing these modern challenges,” said Gottlieb in announcing the MOUs. “That’s why the FDA has long been committed to working hard with various stakeholders to stay a step ahead of constantly evolving cybersecurity vulnerabilities. In this way, we can ensure the health care sector is well positioned to proactively respond when cyber vulnerabilities are identified in products that we regulate.”
Specifically, the memoranda of understanding establish information sharing analysis organizations (ISAOs), which are groups of experts that gather, analyze and disseminate critical data about cyber threats.
“In these ISAO forums, manufacturers have the opportunity to share information about potential vulnerabilities and emerging threats,” added Gottlieb. “We believe this transparent sharing of information will help manufacturers address issues earlier and result in more protection for patients.”