Review - FDA Publishes Medical Device Cybersecurity Response Playbook

This week the Food and Drug Administration published the updated version of their Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook. Produced under contract by Mitre, the playbook presents target capabilities for medical device cyber incident preparedness and response. There are actually two parts to this playbook, the 54-page Regional Incident Preparedness and Response Playbook and the 10-page supplemental Quick Start Companion Guide.

According to the Mite web site for the publication:

“The playbook outlines how hospitals and other HDOs [Healthcare Delivery Organizations] can develop a cybersecurity preparedness and response framework. It supplements existing HDO emergency management and/or incident response capabilities with regional preparedness and response recommendations for medical device cybersecurity incidents. The revised version includes more explicit alignment with the Hospital Incident Command System for managing complex incidents, considerations for the widespread impacts and extended downtimes that are common during cyber incidents, and an appendix of resources.”

Commentary

The news almost daily reports a new healthcare delivery organization that has been impacted by some form of cybersecurity breach. It is clear that HDO’s need assistance to help them avoid the worst consequences of such attacks. Unfortunately, it does not look like either of these two documents is going to provide any timely assistance. To be fair, I do not think that any guidance document is going to be much help, as much of the problem is the lack of cybersecurity talent to support these organizations. Even if grant monies were thrown at HDO’s to improve their cybersecurity profiles, I do not think that there is a sufficient base of cybersecurity personnel to implement even minimal controls on all of the potential targets.

For more information about these two documents, including a discussion of their shortcomings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/fda-publishes-medical-device-cybersecurity - subscription required.