Earlier this month, the Mitre Corporation, on behalf of the Food and Drug Administration (FDA), released the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook (the Playbook) as part of the FDA’s ongoing efforts to protect patients from cybersecurity vulnerabilities associated with the use of medical devices. The Playbook highlights high-profile cybersecurity attacks, including the WannaCry and Petya/Not Petya attacks, and the need for preparation for handling large-scale incidents involving medical devices. The Playbook’s primary audience includes healthcare delivery organizations, clinicians, healthcare technology management professionals, risk managers, facilities staff and information technology personnel involved with emergency response and preparedness. The Playbook provides preparedness and response recommendations for large-scale, multi-patient medical device cybersecurity issues that impact the functionality of a device and patient safety, and recommends that medical device cybersecurity incidents be included as part of the overall incident response plan.
The Playbook focuses on regional medical device cybersecurity incident preparedness and response, and developing regional partnerships to draw upon the expertise across a “region” to help ensure that patient safety is maintained. The Playbook also provides guidance for all phases of medical device incident response, including preparedness, detection and analysis, containment, eradication, recovery, and post-activity analysis. The Playbook is available here.