Today, the FDA issued a statement revealing its Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, a program intended to address cybersecurity breaches that target hospitals. The document was co-authored by MITRE Corporation, a non-profit organization that is working with FDA Commissioner Dr. Scott Gottlieb to better prepare healthcare delivery organizations (HDO) for these attacks on virtual files.
The playbook specifically entails procedures associated with HDOs and securing their medical devices, outlining steps for developing device inventory and training personnel. Its end goal is to allow product developers to optimize their device’s large-scale impact while maintaining patient safety.
“The playbook describes the types of readiness activities that’ll enable HDOs to be better prepared for a cybersecurity incident involving their medical devices,” said Gottlieb in his official FDA statement.
The FDA is not only taking steps to promote cybersecurity in HDOs but has created its own internal playbook for internet defense as well. This specialized set of guidelines is described as “an effective and appropriate incident plan that’s flexible and clear,” aiming to assist the FDA in addressing cybersecurity breaches promptly to avoid negative impacts on devices and healthcare systems.
In addition, the FDA also announced two memoranda of understanding with multiple groups today, which are essentially agreements between the FDA and associated groups that allow experts to analyze data on medical device security. Specifically, these information sharing analysis organizations (ISAOs) are “groups of experts that gather, analyze and disseminate important information about cyber threats.” The FDA is planning to discuss forming similar inter-agency memoranda of understanding agreements with the US Department of Homeland Security in the near future. Gottlieb endorses the formation of these ISAOs, stating that “the FDA believes that manufacturers that participate in ISAOs signal they’re being proactive in addressing cybersecurity.”
The formation of these playbooks and memoranda of understanding coincides with the FDA’s other efforts to improve cybersecurity in healthcare, including its participation in a device hacking lab and other guidance updates to manufacturers that are expected to surface in the coming weeks, according to Gottlieb.
With cyber attacks on the rise, the FDA is attempting to suppress this issue before it gets worse. According to Solutionary, the healthcare industry was victimized by 88% of all ransomware cybersecurity attacks in the U.S. last year. 89% of healthcare organizations included in a report by the Ponemon Institute were found to have experienced patient data theft over the last 2 years. With the implementation of these new programs, the FDA hopes to actively combat these crimes.
“The FDA, an agency within the U.S. Department of Health and Human Services, promotes and protects the public health by, among other things, assuring the safety, effectiveness, and security of human and veterinary drugs, vaccines and other biological products for human use, and medical devices. The agency also is responsible for the safety and security of our nation’s food supply, cosmetics, dietary supplements, products that give off electronic radiation, and for regulating tobacco products.”
4/4 Securing medical devices from cybersecurity threats cannot be achieved by just the #FDA alone. Every stakeholder—manufacturers, hospitals, health care providers, cybersecurity researchers and govt entities – all have a unique role to play in addressing these modern challenges
— Scott Gottlieb, M.D. (@SGottliebFDA) October 1, 2018