Twitter LinkedIn Share this page Facebook RSS

Blogs

Drug / Device Law BlogLegal updates, news, and commentary from the attorneys of Baker Sterchi Cowden & Rice LLC

Consider Playing By This Book's Rules: FDA-MITRE Cybersecurity Guidance

October 31, 2018 | Megan Sterchi Lammert and Paul Penticuff

As part of Cybersecurity Awareness Month, we continue our discussion about the FDA’s efforts to help prepare various entities to address cybersecurity threats, vulnerabilities, and even attacks. In our previous post, we previewed the FDA and MITRE’s cybersecurity Regional Incident Preparedness and Response Playbook (the “playbook”) for health care delivery organizations. Here, we take a more in depth look into what that playbook has to offer.

The playbook’s focus is primarily aimed at preparing Health Care Delivery Organizations (“HDOs”), including their stay, for addressing and responding to cybersecurity threats. The playbook is not intended to address the day-to-day patch management of devices, but rather addresses threats and vulnerabilities for large-scale, multi-patient impact and patient safety concerns.

The playbook’s guidance primarily consists of four guiding steps, going in chronological order: (1) preparation, (2) detection and analysis, (3) containment eradication and recovery, and (4) post-incident activity. Below is a summary of these action steps, but you are encouraged to read the actual playbook for a more in-depth explanation and/or expansion on the summary below. 

(1)   PREPARATION

Assess and bolster cyber defensive measures and develop handling process and procedures to enable better operations when an incident arises.

Suggested Steps:   

1.      Incorporate cybersecurity awareness into medical device procurement in order to strengthen the response to a cybersecurity incident. (E.g. Request a Software Bill of Materials to identify and address vulnerable device components.)

2.      Take a medical device asset inventory. (E.g. Identify device name and description, physical location of device, device owner and manager.)

3.      Perform a hazard vulnerability analysis to assess and identify potential gaps in emergency planning, including a review as anticipated cybersecurity threats and existing mitigations. (E.g. Identify potential cybersecurity risks, such as lack of staff with the ability to detect and respond to a cybersecurity incident.)

4.      Prepare medical technical specialists (i.e. the response team to all hazard incidents) with cybersecurity and medical device expertise as part of the hospital incident management team.

5.      Create an Emergency Operation Plan to determine how the HDO will “respond to and recover from a threat, hazard, or other incident” with a device. (E.g. Identify members and their roles and responsibilities.)

6.      Create an overall Incident Response communication plan (E.g. Identity key internal and external communication roles.)

a.      Specify incident-sharing expectations for all participants in the above communication plan. (E.g. What incidents can and cannot be shared?)

b.      Identify cybersecurity incidents, initiate outreach to manufacturer and then to broader healthcare community. 

c.       Implement external incident notification and continue to stay abreast of intrusion information and/or mitigation recommendations from manufacturer(s).

d.      Create a communication template for how incident notification will occur and how.

7.      Implement user awareness training with all medical device users in your company and conduct preparedness and response exercises for all-hazards.

(2)   DETECTION AND ANALYSIS

Identify and establish that an incident has occurred.

Suggested Steps:

1.      Define the priority of and appropriate level of response to incidents.

2.      Implement formal and informal reporting obligations (Note: Manufacturers are required to conduct a formal notification of the incident to its customers and user community.)

3.      The incident investigation and analysis can begin once initial incident parameters have been set. 

4.      All activities taken to address cybersecurity incidents and responses must be recorded or otherwise documented. Benefits of recording these activities include preserving evidence for potential criminal activity and learning to improve the response for the future.

(3)   CONTAINMENT ERADICATION AND RECOVERY

Response to the confirmed cybersecurity incident begins. Such activities could include a strategy of “contain, clear, and deny” (i.e. halt cybersecurity incident, fix it and restore services quickly) or a “monitor and record” strategy (i.e. watch and “capture” adversary actions).

(4)   POST-INCIDENT ACTIVITY

Identify what went well and what did not; such information can be leveraged to improve existing plan and future response. It is also suggested to retain a trained, digital forensics expert to fully identify the damage done.

For immediate, additional information about addressing cybersecurity breaches in medical devices, consider visiting the BSCR blog posts below addressing cybersecurity:

Subscribe
About Drug / Device Law Blog

The BSCR Drug / Device Law Blog examines topics and legal developments of interest to the drug and device industry. Learn more about the editor, Angela Higgins, and our Drug and Device practice.

DISCLAIMER

The Drug / Device Law Blog is made available by Baker Sterchi Cowden & Rice LLC for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. Your use of this blog site alone creates no attorney client relationship between you and the firm.

CONFIDENTIAL INFORMATION

Do not include confidential information in comments or other feedback or messages related to the Drug / Device Law Blog, as these are neither confidential nor secure methods of communicating with attorneys. The Drug / Device Law Blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.