The FDA and MITRE have compiled a new playbook for combating cyberattacks

FDA and MITRE offer 'playbook' for combating cybersecurity threats

October 12, 2018
by John R. Fischer, Senior Reporter
The FDA has issued a new “playbook” in conjunction with the MITRE Corporation to assist health delivery organizations (HDOs) in combating and preventing cybersecurity attacks.

Dubbed the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, the guidelines offer a holistic, systematic approach for establishing a medical device cybersecurity program with leadership and resources that build on the wider awareness and understanding already achieved by healthcare providers in addressing cybersecurity threats.

"Both healthcare facilities and medical device manufacturers recognize cybersecurity as a key business consideration and a fundamental patient safety issue," Sean Loughlin, AAMI vice president of communications and marketing, told HCB News. "We have also seen a large increase in healthcare technology management professionals working collaboratively with information technology departments to institute safeguards at their local institutions. Preparedness is moving in the right direction, but its success really hinges on leadership, expertise, and resources at any given organization."

Despite the rise in awareness about cyberattacks, many organizations lack appropriate cybersecurity leadership. A 2017 survey by Black Book Research found that 84 percent of healthcare providers lacked appropriate leadership for such instances, and that only 11 percent planned to hire a cybersecurity officer in the new year.

The playbook illustrates the responsibilities of different healthcare players, from manufacturers and hospitals to government entities and cybersecurity researchers, in initiating enhanced and effective, real-time responses to attacks while maintaining clinical operations.

The aim of this shared responsibility is to supplement existing HDO emergency management and incident response capabilities with regional preparedness and response recommendations for medical device cybersecurity incidents.

Derived from conversations with several HDOs, regional healthcare groups, researchers, state health departments and medical device manufacturers, the information included in the playbook is meant to assist HDOs in planning and practicing to manage incidents effectively when they occur, and to establish a cybersecurity preparedness and response framework, which begins with conducting device inventory and developing a baseline of medical device cybersecurity information.

In addition, the book highlights ways to overcome shortfalls outlined in the Report on Improving Cybersecurity in the Health Care Industry, issued in June 2017 by the Health Care Industry Task Force.

Cybersecurity topped ECRI Institute’s 2019 top 10 list of health technology hazards for the second year, with 77 healthcare data breaches taking place in the first three months of 2018, according to the Department of Health and Human Services’ Office for Civil Rights. A survey released in May of this year by Protenus Breach Barometer found that nearly 1.13 million patient records were breached in those three months alone.

Loughlin says that while awareness has become sharper, any additional resources, such as the playbook, are necessary if they further the protection of patient data and medical technology. "In general, anything that helps organizations think strategically about cybersecurity is welcome. And the playbook provides good advice. More detailed guidance for key stakeholders is also valuable. It's vital that there are resources for professionals at every level of an organization, so that they can play an effective role in bolstering cybersecurity in healthcare technology."