Consider Playing By This Book's Rules: FDA-MITRE Cybersecurity Guidance
ABSTRACT: In an October 1, 2018 statement issued by FDA Commissioner Scott Gottlieb, M.D., the FDA not only announced its efforts to strengthen its medical device cybersecurity program, but also unveiled its collaborative effort with MITRE, producing a cybersecurity "playbook" in order to assist entities in preparing for and responding to cybersecurity attacks.
As part of Cybersecurity Awareness Month, we continue our discussion about the FDA’s efforts to help prepare various entities to address cybersecurity threats, vulnerabilities, and even attacks. In our previous post, we previewed the FDA and MITRE’s cybersecurity Regional Incident Preparedness and Response Playbook (the “playbook”) for health care delivery organizations. Here, we take a more in-depth look into what that playbook has to offer.
The playbook’s focus is primarily aimed at preparing Health Care Delivery Organizations (“HDOs”), including their staff, for addressing and responding to cybersecurity threats. The playbook is not intended to address the day-to-day patch management of devices, but rather addresses threats and vulnerabilities with large-scale, multi-patient impact and patient safety concerns.
The playbook’s guidance primarily consists of four guiding steps, going in chronological order: (1) preparation, (2) detection and analysis, (3) containment eradication and recovery, and (4) post-incident activity. Below is a summary of these action steps, but you are encouraged to read the actual playbook for a more in-depth explanation and/or expansion on the summary below.
(1) PREPARATION
Assess and bolster cyber defensive measures and develop handling process and procedures to enable better operations when an incident arises.
Suggested Steps:
1. Incorporate cybersecurity awareness into medical device procurement in order to strengthen the response to a cybersecurity incident. (E.g. Request a Software Bill of Materials to identify and address vulnerable device components.)
2. Take a medical device asset inventory. (E.g. Identify device name and description, physical location of device, device owner and manager.)
3. Perform a hazard vulnerability analysis to assess and identify potential gaps in emergency planning, including a review of anticipated cybersecurity threats and existing mitigations. (E.g. Identify potential cybersecurity risks, such as a lack of staff with the ability to detect and respond to a cybersecurity incident.)
4. Prepare medical technical specialists (i.e. the response team to all hazard incidents) with cybersecurity and medical device expertise as part of the hospital incident management team.
5. Create an Emergency Operation Plan to determine how the HDO will “respond to and recover from a threat, hazard, or other incident” with a device. (E.g. Identify members and their roles and responsibilities.)
6. Create an overall Incident Response communication plan. (E.g. Identify key internal and external communication roles.)
a. Specify incident-sharing expectations for all participants in the above communication plan. (E.g. What incidents can and cannot be shared?)
b. Identify cybersecurity incidents, initiate outreach to the manufacturer and then to the broader healthcare community.
c. Implement external incident notification and continue to stay abreast of intrusion information and/or mitigation recommendations from manufacturer(s).
d. Create a communication template for when and how incident notification will occur.
7. Implement user awareness training with all medical device users in your organization and conduct all-hazards preparedness and response exercises.
(2) DETECTION AND ANALYSIS
Identify and establish that an incident has occurred.
Suggested Steps:
1. Define the priority of and appropriate level of response to incidents.
2. Implement formal and informal reporting obligations. (Note: Manufacturers are required to conduct a formal notification of the incident to their customers and user community.)
3. The incident investigation and analysis can begin once initial incident parameters have been set.
4. All activities taken to address cybersecurity incidents and responses must be recorded or otherwise documented. Benefits of recording these activities include preserving evidence for potential criminal activity and learning to improve the response for the future.
(3) CONTAINMENT, ERADICATION AND RECOVERY
Response to the confirmed cybersecurity incident begins. Such activities could include a strategy of “contain, clear, and deny” (i.e. halt cybersecurity incident, fix it and restore services quickly) or a “monitor and record” strategy (i.e. watch and “capture” adversary actions).
(4) POST-INCIDENT ACTIVITY
Identify what went well and what did not; such information can be leveraged to improve the existing plan and future responses. It is also suggested to retain a trained digital forensics expert to fully identify the damage done.
For immediate, additional information about addressing cybersecurity breaches in medical devices, consider visiting the Baker Sterchi blog posts below addressing cybersecurity:
- Summary of FDA’s 10.1.18 Announcement.
- Three-part series on addressing cybersecurity breaches in medical devices: Part I, Part II, Part III.
- Four-part series addressing postmarket management of cybersecurity in medical devices: Part I, Part II, Part III, Part IV.
About Drug / Device Law Blog
Baker Sterchi's Drug / Device Law Blog examines topics and legal developments of interest to the drug and device industry. Learn more about the editor, Paul Penticuff, and our Drug and Device practice.