New Handbook Provides Guidance to Healthcare Delivery Organizations on Preparation and Response to Medical Device Cybersecurity Incidents
Thursday, October 25, 2018
Healthcare handbook provides tools and references for providers
Print Mail Download i

Recently, the MITRE Corporation, in collaboration with the U.S. Food and Drug Administration (FDA), announced the release of the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.  The Playbook was designed to provide “tools, references, and resources” for Healthcare Delivery Organizations (HDOs) to better prepare for and respond to medical device cybersecurity incidents.

As noted in the Playbook, cybersecurity attacks on health care and public health critical infrastructure, such as HDOs, are occurring with increasing frequency.  Given that attacks targeting or affecting medical devices – and, in particular, devices used in clinical care operations – can put patients at risk, the increase in cyber attacks affecting HDOs is particularly troublesome.  Indeed, recent global ransomware events – including, among others, WannaCry and Petya/NotPetya – have demonstrated how the performance of medical devices may be compromised by cyber attacks and have highlighted challenges in preparedness and response across the health care and public health critical infrastructure sector.

The Playbook attempts to address questions that repeatedly have been raised by HDOs to the FDA in the wake of significant cyber incidents, including:  with whom HDOs should be communicating before and after a cyber attack occurs; what actions should be taken during an attack; and what resources are available to aid in the response to a cyber attack.  As such, the Playbook provides detailed insight and guidance for HDOs on, among other topics, how to prepare for, detect, analyze, contain, eradicate, and recover from “threats or vulnerabilities that have the potential for large-scale, multi-patient impact and raise patient safety concerns.”

While the Playbook is not an official FDA rule, regulation, or guidance, it will be interesting to see whether, in future enforcement proceedings, the agency considers failure to abide by the Playbook’s recommendations as an aggravating factor warranting a less favorable administrative outcome.  Thus, HDOs and medical device companies would do well to familiarize themselves with the Playbook and, wherever feasible, incorporate its recommendations into existing cyber incident response plans.

A copy of the Playbook can be accessed here.

© 2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

Current Legal Analysis

More from Faegre Drinker

SCOTUS Denies Certiorari in Cases Concerning FCA Liability Requirement, Objective Falsity Circuit Split Remains Intact
by: Commercial Litigation Practice Group
Groundbreaking Fourth Circuit Decision Upholds Private Plaintiff’s Successful Effort to Unwind a Consummated Merger
by: Kathy L. Osborn , Emily E. Chow
Travel Bans and Quarantine Hotels: Traveling to the U.K. During COVID-19
by: Hodon Anastasi
TCPA Plaintiff Argues he wasn’t Injured in Attempt to Dodge Federal Jurisdiction
by: Marsha J. Indych , Renée M. Dudek
Silver Lining: COVID-19 Engagements Allow More Time for Premarital Financial Planning
by: Jaime A. Quick
Biden EPA Makes First Moves to Address PFAS in Drinking Water
by: Bonnie Allyn Barnett , Brandon W. Kirkham
Predicting the Enforcement Priorities of the Biden DOJ
by: Thomas J. Kelly , Daniel E. Pulliam
New York City Council Imposes Stricter Discipline Requirements on Fast Food Employers
by: Gerald T. Hathaway
Disclosure of Binding Arbitration Not Required In Consumer Warranties, Says Florida Supreme Court
by: Traci T. McKee , Lexi C. Fuson
FCC Order Causes Confusion Regarding Consent Required for Informational Calls to Residential Landlines
by: Matthew M. Morrissey

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins