On October 1, 2018, the Food and Drug Administration (FDA) issued its “Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook” to address continued threats to medical devices that could affect patient safety.
The 32 page playbook, developed by MITRE Corp., states that “the purpose of the playbook is to serve as a tool for regional readiness and response activities to aid [healthcare delivery organizations] in addressing cybersecurity threats affecting medical devices that could impact continuity of clinical operations for patient care and patient safety.”
The objectives of the framework are to:
- Provide baseline medical device cybersecurity that organizations can incorporate into their emergency preparedness and response
- Assist with clarifying lines of communication and outline roles and responsibilities for internal and external responders
- Offer a standardized approach to response efforts across organizations and regions
- Provide enhances coordination activities among stakeholders
- Provide information regarding decision making for escalated responses
- Identify resources that can be leveraged for preparedness and response
- Serve as a response tool that can be customized for regional preparedness that can be broadly implemented.
The playbook emphasizes that cybersecurity is a “team sport” and that patient safety is maximized with regional collaboration and information sharing. Part of the playbook recommends that regional partners must build trust relationships and share best practices with each other, develop mutual aid agreements, exchange point of contact information, conducting joint exercises, identify regional incident command/coordination center, and share cybersecurity advisories and alerts.
The playbook could also be a guide for states and municipalities on how to prepare for and respond to a cybersecurity threat beyond threats to medical devices as it outlines basic preparedness and response strategies. It is a virtual “how to” that can assist governmental and private entities alike. The playbook can be accessed here.