Kicking Off Cybersecurity Month, FDA Launches New Medical Device Security Playbook

Everyday objects are becoming “smart” at breakneck speed. Who would’ve thought a decade ago that we could hardly get on without our smart phones, cars, watches, and even refrigerators? The pace at which our surroundings are becoming “smart” — that is, connected to the internet – is so furious, that Wired co-founder Kevin Kelly recently declared that in the not-so-distant future, our children and grandchildren will look at any object that isn’t “smart” or interactive and immediately assume it’s broken.

This tide of smartness is washing indelibly over retail, investing, banking, and many other industries, but is being met with resistance in healthcare, where the personal health information that’s being exchanged on the internet of smart healthcare things is perhaps most valuable and most vulnerable.

Until now, health systems were left largely to their own devices to figure out how to stymie cyberattacks and ransomware. But today, US Food and Drug Administration (FDA) chairman Scott Gottlieb, MD, announced the agency’s launch of a new cybersecurity “playbook” that’s focused on promoting cybersecurity readiness, as well as the signing of “two significant memoranda of understanding. These agreements bring together multiple stakeholders to allow for increased information sharing and transparency around cybersecurity risks,” Gottlieb wrote in an October 1 statement.

The “Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook” outlines a framework for health systems and other stakeholders to plan for an respond to cybersecurity incidents around medical devices, ensure the effectiveness of their devices, and protect patient safety. It was built by the agency in conjunction with the MITRE Corporation, and guides medical device procurement strategies, vulnerability analyses, incident response plans, training, detection, reporting, and documentation.

“The framework can help enable a unified response within [health systems] and across regions, as well as serve as a basis for enhanced coordination activities among medical device cybersecurity stakeholders,” the report read.

The FDA’s announcement follows the founding of a Cybersecurity Working Group within the Center for Devices and Radiological Health (CDRH) in 2013, and the establishment of a framework to address cybersecurity regulatory considerations, which, taken together, represent the agency’s recommendations for product developers at each stage of a product’s life cycle, Gottlieb said.

“In the coming weeks, we plan to publish a significant update…to reflect the FDA’s most current understandings of, and recommendations regarding, this evolving space. For instance, the new draft guidance will highlight the utility of providing customers and users with a ‘cybersecurity bill of materials’ — a list of commercial and/or off-the-shelf software and hardware components of a device that could be susceptible to vulnerabilities,” he said. “The list can be an important resource to help ensure that device customers and users are able to respond quickly to potential threats.”

Recent reports suggest that bundles of private health records and other health data can sell for $300 to $400 on the dark web, making them hundreds of times more valuable than credit card info. On top of that, healthcare’s cybersecurity defenses are lagging the industries who have adapted in the face of the so-called smart tide. The bottom line? Healthcare is easy to hack, and the spoils are profitable. The time for action is now.

Get the best insights in healthcare analytics directly to your inbox Register for our daily newsletter.

Related:

Securing the Forgotten Servers: Why Printers Are The Biggest Security Risk Today

Yes, Healthcare’s Data Breach Problem Really Is That Bad

What to Do Before and After a Data Breach