FDA Issues “PlayBook” for Medical Device Cybersecurity
The Food and Drug Administration is stepping up its game with respect to the cybersecurity of medical devices.
On Monday, the agency announced its launch of a preparedness and response “playbook” to address threats to medical device cybersecurity. The move cited an uptick in cyber-attacks and the potential for bad actors to exploit medical devices.
The “playbook” provides a framework for healthcare providers to plan and respond to cyber-attacks that target medical devices. It was developed by MITRE Corp. under a federally funded research and development contract with the FDA. Specifically, the “playbook” focuses on strategies for addressing large-scale, multi-patient threats and is not intended to give advice regarding “day-to-day patch management of devices.”
The agency identified several ways that it plans to strengthen the cybersecurity of medical devices, while emphasizing the need for “shared responsibility with stakeholders.” FDA Commissioner Scott Gottlieb, MD, emphasized the importance of staying ahead of “evolving cybersecurity vulnerabilities.” The FDA’s cybersecurity policy is aimed at “leveraging” the NIST framework.
The FDA also announced the signing of “two significant memoranda of understanding” aimed at bringing together “multiple stakeholders to allow for increased information sharing and transparency around cybersecurity risks.” The memoranda of understanding establish information sharing and analysis organizations – or ISAOs – to analyze and disseminate important industry data about cyber threats. Although non-binding, memoranda of understanding are used by the agency to define lines of authority or responsibility or to clarify cooperative procedures.
In addition, the FDA announced it was in the process of updating its 2014 non-binding “Guidance on Postmarket Management of Cybersecurity in Medical Devices.” The update will “reflect the FDA’s most current understandings of, and recommendations regarding, this evolving space.” Among other things, the new Guidance is said to contain a “cybersecurity bill of materials,” which is expected to provide information regarding potentially vulnerable hardware and software. The FDA will be soliciting comments from stakeholders on the updated recommendations.
“Every stakeholder – manufacturers, hospitals, healthcare providers, cybersecurity researchers and government entities – all have a unique role in addressing these modern challenges … In this way, we can ensure the health care sector is well positioned to proactively respond when cyber vulnerabilities are identified in products that we regulate,” said Gottlieb in a prepared statement.
We’ll continue to monitor developments in this area.