MITRE Creates Playbook on Medical Device Cybersecurity
Author: Michelle Herd
The MITRE Corporation, in collaboration with the U.S. Food and Drug Administration (FDA), released the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook in October 2018. The playbook outlines a framework for health delivery organizations (HDOs) and other stakeholders to plan for and respond to cybersecurity incidents around medical devices, ensure effectiveness of devices, and protect patient safety.
“Over the past four years, the FDA has benefitted from the outstanding strategic and technical support it has received from the MITRE Corporation—helping us to establish and grow our medical device cybersecurity program at the Center for Devices and Radiological Health,” said Dr. Suzanne Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health. “There is now a customizable tool that healthcare delivery organizations may voluntarily use so that they are better positioned to respond to a cyber attack that may affect medical devices and that can potentially impact continuity of care and patient safety. We look forward to our ongoing work with MITRE to further advance medical device security and cyber safety within our nation’s healthcare and public health critical infrastructure, faced with an ever-evolving threat landscape.”
The healthcare sector knows how to prepare for and respond to natural disasters. However, it is less prepared to handle cybersecurity incidents, particularly those involving medical devices. Recent global cyber attacks highlighted the need for more robust cybersecurity preparedness to execute an enhanced, effective, real-time response that enables continuity of clinical operations. The playbook supplements existing HDO emergency management and/or incident response capabilities with regional preparedness and response recommendations for medical device cybersecurity incidents. The playbook outlines how hospitals and other HDOs can develop a cybersecurity preparedness and response framework, which starts with conducting device inventory and developing a baseline of medical device cybersecurity information.
“Our lives are becoming more digital and interconnected every day, especially in healthcare,” said John Kreger, MITRE’s vice president of public sector programs, Center for Programs and Technology. “The FDA recognized the need to work with the HDO and hospital community to provide guidance on how to help minimize the cybersecurity risks associated with medical devices. When working with the FDA on this playbook, we leveraged MITRE’s expertise across multiple federally funded research and development centers and independent research in the areas of cyber and homeland security.”
With this playbook, HDOs will be well positioned to manage these incidents through planning and practice, along with the support and collaboration of manufacturers and regional and national partners. In collaboration with the FDA, MITRE convened and consulted with several HDOs, regional healthcare groups, researchers, state health departments, and medical device manufacturers to help develop the playbook recommendations. The recommendations are practical steps to address some of the shortfalls outlined in the Report on Improving Cybersecurity in the Health Care Industry, issued by the Health Care Industry Task Force in June 2017.
Related article: The Evolving State of Medical Device Cybersecurity, co-authored by the FDA and MITRE in the Association for the Advancement of Medical Instrumentation (AAMI) Biomedical Instrumentation & Technology (BI&T) Journal, March/April 2018
Michelle Herd is a communications strategist for the MITRE Corporation.
© 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited. (Previously published October 1, 2018)
MITRE’s mission-driven team is dedicated to solving problems for a safer world. Learn more about MITRE.