FDA playbook offers recommendations on medical device cybersecurity
The Department of Health and Human Services (HHS) Office of Information Security considers ransomware attacks a growing national security threat that has reached “pandemic” levels among health delivery organizations (HDOs). In an 18-month span from mid-2020 through the end of 2021, 82% of healthcare systems reported a cybercrime incident, 34% of which involved ransomware, according to HHS, which has turned its attention to key areas of vulnerability such as medical devices.
HDOs felt the impact as data theft, inaccessible electronic medical records, million-dollar ransoms, and emergency workarounds that detracted from patient care. And despite what HHS calls “drastic” law enforcement countermeasures, cybersecurity problems will likely persist in forms such as bot-propagated malware infections, ransomware-as-a-service sold by criminal actors, and intruders establishing an undetected network presence to steal sensitive data.
In response, the FDA contracted with non-profit security advisor MITRE to develop a medical device cybersecurity incident preparedness playbook, which became publicly available last month. The FDA document recommends HDO action in the following areas:
- Assess and strengthen cyber-defensive measures and develop processes and procedures to handle incidents as they arise. Negotiate and document cybersecurity responsibilities and accountability between your HDO and medical device manufacturers (MDMs). Seek commitment from MDMs to participate in HDO cybersecurity exercises. Request a software bill of materials to identify and address vulnerable third-party device components. Ask for timely notification of successful incidents against MDM infrastructure.
- Detection and analysis. Create a process for identifying or otherwise establishing that an incident has occurred and is not the result of system malfunction or human error. Define incident classes to prioritize and determine the appropriate response level. Within the HDO, responsibilities include providing incident status to senior leadership and issuing an advisory to device users. Use documented criteria to inform decision-making (e.g., shutting down systems, disconnecting devices from the network or disabling their functionality). Record all activities taken during incident response.
- Containment, eradication, and recovery. Focus on minimizing impact to care delivery, halting active disruption, assessing damage, and restoring normal business operations. Note that return to “normal” operations may take longer than anticipated due to potentially large numbers of devices impacted by disruption of IT services and network infrastructure. Recovery can take weeks or months, depending on the extent of the incident, availability of mitigation measures, and the need for outsourced assistance.
- Post-event activity. Identify which response activities went well—and those that did not. Consider how staff and management dealt with the incident, and whether documented procedures were followed. Look for steps or actions that might have inhibited recovery. Recognize actions that could be used to prevent future incidents. Update strategic operating plans and communications as needed and require annual review of those documents.
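The first recommendation above asks HDOs to request a software bill of materials (SBOM) from manufacturers so vulnerable third-party components can be identified. The script below is an added example, not part of the FDA/MITRE playbook or any manufacturer's tooling: it loads a minimal CycloneDX-style SBOM for each device, compares every component against a list of known-vulnerable version ranges, and reports which devices need attention. Device names, component versions, and the `ADV-EXAMPLE-*` advisory identifiers are all constructed placeholders; the version comparison is a simple dotted-segment scheme (with alphabetic suffixes as tie-breakers) chosen for illustration, since device firmware rarely follows a single versioning standard.

```python
"""Cross-check device SBOMs against a list of vulnerable component ranges.

Added example for the playbook's SBOM recommendation. All data below is
constructed: no real devices, versions, or advisories are described.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed SBOMs in a minimal CycloneDX-like JSON shape, one per device.
SAMPLE_SBOMS: Dict[str, str] = {
    "infusion-pump-A": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "libssl", "version": "1.0.2k"},
        {"name": "busybox", "version": "1.30.1"},
    ]}),
    "patient-monitor-B": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "libssl", "version": "1.1.1n"},
        {"name": "libxml2", "version": "2.9.10"},
    ]}),
    "imaging-workstation-C": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "libxml2", "version": "2.9.14"},
        {"name": "busybox", "version": "1.35.0"},
        {"name": "zlib"},  # version omitted: a real-world SBOM quality gap
    ]}),
}

# Constructed advisories: affected if introduced <= version < fixed.
# A fixed value of None means no fixed release is known.
SAMPLE_ADVISORIES: List[dict] = [
    {"id": "ADV-EXAMPLE-001", "component": "libssl", "introduced": "1.0.0", "fixed": "1.0.2u"},
    {"id": "ADV-EXAMPLE-002", "component": "libxml2", "introduced": "2.9.0", "fixed": "2.9.12"},
    {"id": "ADV-EXAMPLE-003", "component": "busybox", "introduced": "1.27.0", "fixed": "1.33.0"},
]

_SEGMENT = re.compile(r"(\d*)(.*)")


def parse_version(text: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '1.0.2k' into ((1,''), (0,''), (2,'k')).

    Each segment compares numerically first, then by any trailing suffix,
    so 1.10 > 1.9 and 1.0.2k < 1.0.2u as expected.
    """
    parts = []
    for seg in text.strip().split("."):
        num, suffix = _SEGMENT.match(seg).groups()
        parts.append((int(num) if num else 0, suffix))
    return tuple(parts)


def _pad(a: tuple, b: tuple) -> Tuple[tuple, tuple]:
    """Right-pad the shorter tuple with neutral segments so lengths match."""
    fill = ((0, ""),)
    n = max(len(a), len(b))
    return a + fill * (n - len(a)), b + fill * (n - len(b))


def version_in_range(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (fixed=None: no upper bound)."""
    v, lo = _pad(parse_version(version), parse_version(introduced))
    if v < lo:
        return False
    if fixed is None:
        return True
    v, hi = _pad(parse_version(version), parse_version(fixed))
    return v < hi


@dataclass(frozen=True)
class Finding:
    component: str
    version: Optional[str]
    advisory_id: Optional[str]  # None when the component could not be assessed
    note: str


def load_components(sbom_json: str) -> List[Tuple[str, Optional[str]]]:
    """Extract (name, version) pairs from a CycloneDX-style JSON document."""
    doc = json.loads(sbom_json)
    return [(c.get("name", "<unnamed>"), c.get("version")) for c in doc.get("components", [])]


def find_vulnerable(sboms: Dict[str, str], advisories: List[dict]) -> Dict[str, List[Finding]]:
    """Return, per device, every component matched by an advisory range.

    Components with no version recorded are reported too, because an SBOM
    that cannot be assessed is itself a gap to raise with the manufacturer.
    """
    report: Dict[str, List[Finding]] = {}
    for device, sbom_json in sboms.items():
        findings: List[Finding] = []
        for name, version in load_components(sbom_json):
            if not version:
                findings.append(Finding(name, None, None, "no version recorded in SBOM; cannot assess"))
                continue
            for adv in advisories:
                if adv["component"] == name and version_in_range(version, adv["introduced"], adv["fixed"]):
                    fixed = adv["fixed"] or "no fixed release known"
                    findings.append(Finding(name, version, adv["id"], f"affected; fixed in {fixed}"))
        report[device] = findings
    return report


if __name__ == "__main__":
    for device, findings in find_vulnerable(SAMPLE_SBOMS, SAMPLE_ADVISORIES).items():
        print(f"{device}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.component} {f.version or '?'} {f.advisory_id or '-'}: {f.note}")
```

In practice the advisory list would come from the manufacturer's coordinated disclosures or a vulnerability feed, and the SBOMs from the device inventory the playbook asks HDOs to maintain; the matching logic stays the same, and the unassessable-component case is worth keeping because incomplete SBOMs are common.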
Overall, structure your efforts based on current information, including device inventory and cybersecurity baselines as part of your preparedness and response framework. Ensure understanding of internal and external responders’ roles and responsibilities to clarify lines of communication. By enabling a unified response among all stakeholders, you’ll be better prepared to execute a rapid and comprehensive response.
Frank Irving is a Philadelphia-based content writer and communications consultant specializing in healthcare and technology.