FDA Collaborates with MITRE to update Medical Device Cybersecurity Playbook | Nexsen Pruet, PLLC


On November 14, 2022, under contract with the United States Food and Drug Administration (FDA), the MITRE Corporation (MITRE), an organization that administers the National Cybersecurity Center of Excellence, a federally funded research and development center dedicated to cybersecurity, published an update to the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook (the “Playbook”). MITRE also published a Quick Start Companion Guide to the Playbook, which is shorter than the Playbook and consists of tables that align with the structure of the Playbook. MITRE, under contract with the FDA, had prepared and published the first version of the Playbook in October 2018, which followed the 2017 WannaCry ransomware attack (the first known ransomware attack to affect networked medical devices). Since the publication of the first version of the Playbook, the healthcare and public health sector has experienced an increasing number of cyber incidents. For instance, from mid-2020 through 2021, 82% of healthcare systems reported a cyberattack, 34% of which reportedly involved ransomware. Moreover, 133 healthcare entities in the United States appeared on a ransomware extortion blog in 2021.

The Playbook is a resource designed primarily for healthcare delivery organizations (HDOs), such as hospitals and large physician practices, and can be incorporated into an HDO’s existing medical device cybersecurity response plan or serve as a starting point for HDOs that have no response plan. The Playbook outlines a framework to help HDOs, their staff involved in medical device cybersecurity incident preparedness and response, and other stakeholders, such as device manufacturers and other entities that support HDOs’ response efforts, prepare for and respond to medical device-related cybersecurity incidents, helping ensure the effectiveness of medical devices and patient care and safety. The framework outlined in the Playbook is designed to provide baseline medical device cybersecurity information for emergency preparedness and response; define roles and responsibilities for internal and external responders; describe a standardized approach to response efforts that…
