The FDA released Oct. 1 a medical device security playbook it developed with MITRE to advise healthcare organizations on securing their medical equipment.
The playbook is intended to help healthcare organizations plan for and respond to cybersecurity incidents involving medical devices, to ensure the effective operation of those devices, and to protect patient privacy.
The playbook details how healthcare organizations can develop a cybersecurity preparedness and response framework, which includes conducting device inventory, developing a baseline of medical device cybersecurity information, and conducting training exercises.
It supplements existing emergency management and incident response capabilities with regional preparedness and response recommendations for medical device cybersecurity incidents.
“Over the past four years, the FDA has benefitted from the outstanding strategic and technical support it has received from the MITRE Corporation — helping us to establish and grow our medical device cybersecurity program at the Center for Devices and Radiological Health,” said Suzanne Schwartz, associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health (CDRH).
“There is now a customizable tool that healthcare delivery organizations may voluntarily use so that they are better positioned to respond to a cyberattack that may affect medical devices and that can potentially impact continuity of care and patient safety,” she added.
In developing the playbook’s recommendations, MITRE worked with the FDA and consulted with several healthcare providers, regional healthcare groups, researchers, state health departments, and medical device manufacturers.
FDA Commissioner Scott Gottlieb related that his agency’s work in medical device security dates to 2013, when it created a Cybersecurity Working Group within CDRH to respond to concerns and address the need for new approaches and new policies. It also established a framework to address cybersecurity regulatory considerations which, taken together, represent recommendations for product developers at each stage of a product’s life cycle.
The FDA’s premarket guidance identifies issues manufacturers should consider in the design and development of their medical devices to address cybersecurity vulnerabilities. Its postmarket guidance outlines a risk-based framework that manufacturers should use to ensure they respond to new cybersecurity threats once a device is in use.
The FDA’s policy leverages the NIST Cybersecurity Framework, underscoring the importance of adoption by medical device manufacturers of the framework’s five core functions: identify, protect, detect, respond and recover.
In addition, the FDA signed two memoranda of understanding with stakeholders to create information sharing analysis organizations (ISAOs), which are groups of experts that gather, analyze, and disseminate cyberthreat information.
In these ISAO forums, manufacturers will be able to share information about potential vulnerabilities and emerging threats. Gottlieb said this transparent sharing of information will help manufacturers address issues earlier and result in more protection for patients.
In addition, the FDA is working with the Department of Homeland Security to improve medical device security, including holding joint cybersecurity exercises that simulate scenarios involving medical device security threats.
The exercises include the DHS-led Cracked Domain functional exercise in 2013, the DHS-led Capstone National Level Exercise in 2016, AdvaMed’s Cybersecurity Summit in 2016, and a MITRE-convened tabletop exercise on behalf of the FDA in 2017. In addition, the FDA participated in the security research community-led DefCon Biohacking Village — Medical Device Hacking Lab this year.
Gottlieb said the playbook and the new ISAOs build on the Medical Device Safety Action Plan that the agency unveiled in April.
“We’re committed to staying ahead of these risks and unscrupulous cybercriminals who may seek to use cybersecurity vulnerabilities in a way that puts patient lives in danger. To protect against these threats and mitigate them when they do emerge, we must be forward leading and nimble,” Gottlieb said.
“Continuing to proactively address medical device cybersecurity is a key priority for the FDA. We remain fully committed to protecting American patients by fully addressing these emerging threats,” he concluded.