
FDA, MITRE Publish Updated Medical Device Security Incident Response Playbook

The updated playbook highlights additional key medical device security considerations and contains a new resource appendix to help healthcare organizations navigate incident preparedness and response.

The US Food and Drug Administration (FDA) and MITRE released an updated version of their “Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.” The playbook provides healthcare organizations with actionable strategies and resources for responding to cyber incidents while ensuring medical device security.

Since the first iteration of the playbook was released in 2018, cyberattacks have continued to impact the healthcare sector at alarming rates. Medical device security remains a top concern for healthcare organizations, and keeping those devices in operation throughout a cyber incident is crucial.

“Because these cyber incidents have often affected multiple medical devices and IT systems, they have led to widespread disruptions from which it can take weeks or months to fully recover,” the playbook stated.

“FDA believed that it would be valuable to update the playbook to reflect these evolving trends, and once again contracted MITRE to reach out to stakeholders to identify gaps, challenges, and additional resources since the original publication of the playbook.”

The updated playbook contains a resource appendix, which will make it easier for healthcare organizations to navigate the playbook’s contents and identify key resources. Additionally, the playbook highlights the need to have a diverse team take part in incident response exercises, from clinicians to IT staff.

FDA and MITRE also aimed to better align the playbook with the Hospital Incident Command System for managing complex incidents. The revised version is accompanied by a “Playbook Quick Start Companion Guide” to help organizations orient themselves and identify key priority areas.

Ideally, these revisions will make it easier for healthcare organizations to take full advantage of the customizable framework. Healthcare organizations are the primary audience for the playbook, but device manufacturers and other entities may find it useful.

“Of particular concern are threats or vulnerabilities that raise patient safety concerns and have the potential for large-scale, multi-patient impact,” the document explained.

“The playbook is not intended to aid in the day-to-day risk management of devices.”

The playbook stressed the importance of collaboration and trust between regional partners, as well as of creating a medical device asset inventory and conducting a Hazard Vulnerability Analysis (HVA), among other measures.

“With healthcare-related cyber incidents growing in size and scope, preparedness before a cyber event takes place with a strong, well-exercised, support infrastructure in place is foundational to executing a rapid, comprehensive and robust response,” the playbook continued.

Healthcare experts have long called for increased collaboration and clearly defined roles and responsibilities when it comes to managing medical device security.

Healthcare organizations often maintain thousands of medical devices, many of which are internet-connected and naturally pose security risks. Ongoing struggles with securing and keeping track of medical devices and the industry's reliance on legacy systems have even prompted legislative action.

But as the sector awaits legislation, healthcare organizations can use free resources and voluntary frameworks to manage medical device security risks and bolster incident response plans. 
