Medical Device Cybersecurity: Regional Incident Preparedness and Response Playbook

October 5, 2018

Cybersecurity attacks on Healthcare and Public Health (HPH) critical infrastructure, such as healthcare delivery organizations (HDOs), are occurring with greater frequency. Disruptions in clinical care operations can put patients at risk. The global ransomware event known as WannaCry demonstrated how the performance of vulnerable medical devices may be compromised by an exploit, whether it intentionally targets the healthcare system or is purely opportunistic. Similarly, other attacks such as Petya/NotPetya have highlighted key challenges in preparedness and response across the HPH critical infrastructure sector. Securing critical infrastructure is a shared responsibility across many stakeholders; with respect to medical devices, the primary stakeholders are FDA, Medical Device Manufacturers (MDMs), and HDOs.

A common preparedness and response challenge FDA heard from its stakeholders in the aftermath of the aforementioned attacks is that HDOs did not know with whom to communicate (e.g., MDM-HDO interactions), what actions they might consider taking, and what resources were available to aid in their response. Without timely, accurate information and incorporation of medical device cybersecurity into their organizational emergency response plans, it was difficult for HDOs to assess and mitigate the impact of these attacks on their medical devices. To address this unmet need, the MITRE team, with the support of FDA, engaged with a broad distribution of stakeholder groups to understand the gaps, challenges, and resources for HDOs participating in medical device cybersecurity preparedness and response activities. These stakeholders included HDOs of varying size and demographics, state departments of health, medical device manufacturers, and government agencies. The information gathered resulted in the creation of this playbook, which may serve as a resource for HDOs. The playbook provides a stakeholder-derived, open source, and customizable framework that HDOs may choose to leverage as a part of their emergency response plans in order to ultimately limit disruptions in continuity of clinical care as well as the potential for direct patient harm stemming from medical device cybersecurity incidents.

The full playbook can be downloaded below.  