Endpoint/Device Security, Incident Response

Device functionality, stakeholders focus of update to medical device security guide

A hospital facility emergency department is seen.
Mitre and the FDA updated the year-old Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook with a focus on device functionality and stakeholder preparedness and response. (Army)

Mitre and the Food and Drug Administration issued an update to their Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, with a particular focus on incidents that could affect the function of a device and the importance of involving a wide range of stakeholders in preparedness and response activities.

"Of particular concern are threats or vulnerabilities that raise patient safety concerns and have the potential for large-scale, multi-patient impact," according to the report. "The playbook is not intended to aid in the day-to-day risk management of devices."

Overall, the playbook is designed as a starting point for those entities without a current medical device cybersecurity response plan in place and can be incorporated into existing response plans. It should be considered a tool for readiness and response activities.

Released in 2018, the resource aims to help entities prepare for the inevitable cyber incident with a keen focus on proactive cybersecurity measures and understanding needed response measures for cyber disruptions that create medical device issues.

The FDA worked with Mitre on the development of both the initial release and the update in hopes of supporting entities develop a systemic, consistent threat modeling process to these critical challenges.

The updates include insights into building diverse teams for participation in preparedness and response exercises, such as clinicians, healthcare tech management, IT and other departments, along with a new resource appendix with tools and references for better understanding the more important elements of response teams.

The insights center around the critical need to take into account operational impacts of widespread, prolonged downtimes amid cyberattack recovery and the benefit of relying on regional response models and partners.

The release comes on the heels of the cyberattack and subsequent network outages across CommonSpirit Health care sites across the country. The health system’s electronic health record system and critical care devices were offline for more than a month after the initial incident and have only recently brought the majority of its systems back online.

The outages led to care diversion and paper processes, with patients reporting to local media outlets that their care was highly impacted during this time.

Indeed, when SC Media last spoke with Mitre Cyber Solutions Technical Center’s healthcare leaders Margie Zuk, senior principal cybersecurity engineer, and Penny Chase, information technology and cybersecurity integrator, they urged provider organizations to get back to proactive security measures and practice response plans.

“Priorities will change as people understand the implications of attacks on the hospitals downstream,” Zuk said at the time. “In particular with healthcare, they have so many goals to address in a hospital, and patient safety is their top goal. People are becoming aware that security is a big piece of that due to the impacts of cyberattacks. I don’t think people previously linked that as closely as they do now.”

Correction: This story has been updated to clarify the update is to the 2018 FDA/Mitre medical device incident response guidance, not the 2021 guide drafted by FDA/Mitre/MDIC.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.