January 28, 2020

January 27, 2020

Subscribe to Latest Legal News and Analysis

New Handbook Provides Guidance to Healthcare Delivery Organizations on Preparation and Response to Medical Device Cybersecurity Incidents

Recently, the MITRE Corporation, in collaboration with the U.S. Food and Drug Administration (FDA), announced the release of the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.  The Playbook was designed to provide “tools, references, and resources” for Healthcare Delivery Organizations (HDOs) to better prepare for and respond to medical device cybersecurity incidents.

As noted in the Playbook, cybersecurity attacks on health care and public health critical infrastructure, such as HDOs, are occurring with increasing frequency.  Given that attacks targeting or affecting medical devices – and, in particular, devices used in clinical care operations – can put patients at risk, the increase in cyber attacks affecting HDOs is particularly troublesome.  Indeed, recent global ransomware events – including, among others, WannaCry and Petya/NotPetya – have demonstrated how the performance of medical devices may be compromised by cyber attacks and have highlighted challenges in preparedness and response across the health care and public health critical infrastructure sector.

The Playbook attempts to address questions that repeatedly have been raised by HDOs to the FDA in the wake of significant cyber incidents, including:  with whom HDOs should be communicating before and after a cyber attack occurs; what actions should be taken during an attack; and what resources are available to aid in the response to a cyber attack.  As such, the Playbook provides detailed insight and guidance for HDOs on, among other topics, how to prepare for, detect, analyze, contain, eradicate, and recover from “threats or vulnerabilities that have the potential for large-scale, multi-patient impact and raise patient safety concerns.”

While the Playbook is not an official FDA rule, regulation, or guidance, it will be interesting to see whether, in future enforcement proceedings, the agency considers failure to abide by the Playbook’s recommendations as an aggravating factor warranting a less favorable administrative outcome.  Thus, HDOs and medical device companies would do well to familiarize themselves with the Playbook and, wherever feasible, incorporate its recommendations into existing cyber incident response plans.

A copy of the Playbook can be accessed here.

©2020 Drinker Biddle & Reath LLP. All Rights Reserved


About this Author

Peter Baldwin, Securities lawyer, Drinker Biddle

Peter W. Baldwin, a former federal prosecutor, defends clients facing white-collar criminal and internal investigations, securities enforcement actions, cybersecurity issues, and other complex civil and criminal litigation matters. Prior to joining Drinker Biddle, Pete spent over eight years as an Assistant United States Attorney in the U.S. Attorney’s Offices for the Eastern District of New York and Central District of California. In this role, he supervised all aspects of criminal investigation and prosecution, first as a member of the Major Frauds Section in the Central...

(212) 248-3147