FDA Releases Medical Device Cybersecurity “Playbook” And Will Update Device Cybersecurity Guidance

King & Spalding

On October 1, 2018, in response to concerns about the risks of cyberattacks on patient medical devices, the U.S. Food and Drug Administration (“FDA”) Commissioner Scott Gottlieb, M.D. announced the release of a cybersecurity “playbook” to assist health care delivery organizations, as well as the signing of two memoranda of understanding (“MOUs”) to promote information sharing, preparedness, and response around cybersecurity risks. While the FDA is not aware of any report that a cyberhacker compromised a medical device in use by a patient, and while medical devices may not be the intended target of hackers, Dr. Gottlieb recognized that “if these products are connected to a hospital network, such as radiologic imaging equipment, they may be impacted.”

The “Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook,” prepared by the MITRE Corporation in coordination with the FDA, outlines “target capabilities” for healthcare delivery organizations in cybersecurity preparedness and response. Although not all organizations will be able to implement all of the recommendations as a result of operational constraints, the “playbook” identifies key stakeholders, processes, and questions to consider in developing a baseline cybersecurity framework. Additionally, Dr. Gottlieb reported that FDA staff have developed an internal agency playbook to help respond to cybersecurity attacks.

The two signed MOUs will create information sharing analysis organizations (“ISAOs”) of stakeholder groups to share, analyze, and distribute information about medical device cybersecurity vulnerabilities and emerging threats. Dr. Gottlieb noted that “the FDA believes that manufacturers that participate in ISAOs signal they’re being proactive in addressing cybersecurity.”

Dr. Gottlieb also announced that the FDA will soon publish a “significant update” to its premarket guidance for medical device cybersecurity, last updated in 2014. Dr. Gottlieb previewed that the new draft guidance will cite the value of providing medical device customers and users a “cybersecurity bill of materials,” described as “a list of commercial and/or off-the-shelf software and hardware components of a device that could be susceptible to vulnerabilities.” The FDA will review comments from stakeholders on the updated guidance and will continue to update its regulations “to proactively address medical device cybersecurity.”

Dr. Gottlieb’s statement can be found here.

The cybersecurity “playbook” can be found here.

The MOUs can be found here and here.
