In the event of a cyberattack that impacts the functionality of medical devices, a rapid and effective response is essential to ensure patient safety and the continuity of clinical operations. While healthcare organizations have practiced protocols that can be implemented immediately in the event of a natural disaster such as a hurricane, they tend to be less well prepared to deal with cybersecurity incidents. Earlier this month, Senator Mark Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, published a white paper – Cybersecurity is Patient Safety – highlighting this problem, which he said is due to an outdated mode of thinking, where cybersecurity is viewed as a secondary or tertiary concern, and that is something that needs to change.
The key to a rapid recovery from a cyberattack is preparedness. Healthcare organizations need to treat cyberattacks as a primary concern and ensure they have a tried and tested plan for responding to attacks, and protocols that can be implemented immediately when a cyberattack is detected. Following the WannaCry ransomware attacks in 2017, which caused massive disruption to clinical operations at several U.S. healthcare organizations, the Food and Drug Administration (FDA) asked MITRE to develop a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook to help hospitals and healthcare delivery organizations (HDOs) develop a cybersecurity preparedness and response framework.
According to MITRE, “[The playbook] supplements HDO emergency management and/or incident response capabilities with regional preparedness and response recommendations for medical device cybersecurity incidents.” Since the playbook was published in 2018, cyberattacks on the healthcare sector have continued to increase in number and sophistication. From the middle of 2020 to the end of 2021, 82% of healthcare systems reported a cyber incident, and 34% of those incidents were ransomware attacks. Those attacks were often sophisticated and impacted multiple IT systems, resulting in widespread disruption to business operations, and in many cases that disruption continued for weeks or months.
In light of the increase in cyberattacks and the changing threat landscape, the FDA contacted MITRE to reach out to stakeholders to identify gaps in the playbook, challenges, and additional resources that had become available since the original publication of the playbook. An updated version of the playbook has now been released.
The playbook focuses on preparedness and response for medical device cybersecurity issues that impact medical device functions, with the updated version emphasizing the importance of having a diverse team participating in cybersecurity preparedness and response exercises. Cyberattacks impact many individuals, so it is important that those individuals participate in preparedness exercises, including clinicians, healthcare technology management professionals, the IT team, emergency response, and risk management and facilities staff.
Version 2.0 of the playbook highlights considerations for widespread impacts and extended downtimes that are common following ransomware attacks, which benefit from the use of regional response models and partners. MITRE has also added a resource appendix that makes it easier to find tools, references, and other resources to help healthcare organizations prepare for and respond to medical device cybersecurity incidents, including ransomware attacks.
In addition to the updated Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, a Playbook Quick Start Companion Guide has also been released, which is a shorter version of the playbook that discusses preparedness and response activities that health care organizations might want to start when developing their medical device incident response program.
It may not be possible to prevent cyberattacks, but by preparing and practicing the incident response, the severity of those attacks and the impact they have on clinical operations can be greatly reduced.
The post FDA, MITRE Update Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook appeared first on HIPAA Journal.