FDA unveils cybersecurity attack response playbook for medical devices

In a statement, Dr. Scott Gottlieb detailed his agency’s ongoing cybersecurity efforts, which include the signing of two “significant memoranda of understanding” and discussions to facilitate collaboration across government agencies.
By Dave Muoio

FDA Commissioner Dr. Scott Gottlieb unveiling the — a document co-authored with the non-profit Mitre Corporation describing how healthcare delivery organizations can best prepare their medical devices and staff for a device security breach. The agency also announced the development of its own internal playbook to help agency staff develop and carry out an incident response plan.

In addition, the commissioner announced two memoranda of understanding (MOA) — non-binding, formal agreements between the FDA and other entities — with “multiple stakeholder groups” focused on developing panels of experts who will collect, analyze, and spread information on medical device security, called “information sharing analysis organizations.” FDA is planning discussions with the US Department of Homeland Security on another inter-agency MOA specific to medical device cybersecurity, according to the statement.

Each of these actions comes alongside the FDA’s other initiatives to improve medical device security, such as participation in a recent medical device hacking lab and an update to premarket guidance for manufacturers that will be released in a few weeks, he wrote.

Why it matters

The past few years have seen a wealth of , and a growing number of heterogeneous connected medical devices is making it difficult for providers to keep up with new vulnerabilities.

“The FDA isn’t aware of any reports of an unauthorized user exploiting a cybersecurity vulnerability in a medical device that is in use by a patient,” he wrote. “But the risk of such an attack persists. And we understand that the threat of such an attack can cause alarm to patients who may have devices that are connected to a network. We want to assure patients and providers that the FDA is working hard to be prepared and responsive when medical device cyber vulnerabilities are identified.”

In addition to serving as a model for hospitals looking to establish a response plan, the newly released playbook also offers medical device manufacturers “more opportunity to address the potential for large scale, multi-patient impact,” when designing their offerings, Gottlieb wrote.

What’s the trend

The FDA previously outlined its growing commitment to digital health and medical device security in its Fiscal Year 2019 budget request, and has generally doubled down on its digital focus since Gottlieb came on board.

On the record

“When we issued our Medical Device Safety Action Plan in April, we outlined our vision for how the FDA will continue to enhance our programs and processes to assure the safety of medical devices including advancing medical device cybersecurity,” Gottlieb wrote. “Our actions today, and those we’ll take in the coming weeks, build on that effort. We’re committed to staying ahead of these risks and unscrupulous cybercriminals who may seek to use cybersecurity vulnerabilities in a way that puts patient lives in danger.”
