Endpoint Security , Healthcare , Industry Specific
FDA Updates Medical Device Cyber Response Playbook
New Edition Emphasizes Regional, Cross-Functional Response PreparednessFederal officials released updated guidance for preparing and responding to medical device cybersecurity incidents, including ransomware, as cyberattacks against the healthcare sector continue to surge.
See Also: The Healthcare CISO’s Guide to Medical IoT Security
The new Food and Drug Administration's Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook is a refresh of guidance released in 2018 (see: How to Use FDA's Medical Device Playbook).
Since the publication of the first playbook, the healthcare and public health sector has experienced growing numbers of cyber incidents. From mid-2020 through 2021, 82% of healthcare systems reported a cyber incident, 34% of which involved ransomware, the document says.
Cyberattacks are more sophisticated, and supply chain compromises and incidents involving cloud services infrastructure complicate the threats. "Because these cyber incidents have often affected multiple medical devices and IT systems, they have led to widespread disruptions from which it can take weeks or months to fully recover," warns the playbook.
In the aftermath of a 2020 ransomware attack, the University of Vermont Medical Center needed nearly a month to restore its electronic health records systems, nearly six weeks to restore medical image viewing capability, and 3.5 months to fully recover all IT capabilities, the playbook says.
"Comprehending the extent of an incident may not be straightforward, mitigations may not be readily available, outsourced assistance may be needed, and more," the playbook says.
The playbook also offers suggestions related to regional cyber and emergency risk management. "While similarities exist with natural disaster emergency preparedness and response, cybersecurity has unique characteristics that increase risk in ways that warrant specific integration of cyber incident planning within an healthcare delivery organization's emergency plans and across different stakeholder groups responsible for responding to impacts to care delivery."
Cross-Functional Planning
The playbook's emphasis on cross-functional teams participating in cybersecurity preparedness and response exercises - such as clinicians, healthcare technology management professionals, IT, emergency response, risk management, and facilities staff - including across a geographic region - is critically important, says Axel Wirth, chief security strategist at security firm MedCrypt.
"We have learned from past events that security incidents are often not limited to single devices or even single departments and that good preparedness requires consideration of and preparation for broad impact across multiple clinical functions or even an entire region as patient loads need to be shifted to other providers," he says.
The rise in ransomware attacks on healthcare entities is a top concern spotlighted by the playbook that must be addressed by healthcare delivery organizations in effectively updating their incident preparedness and response plans, says Daniel dos Santos, head of security research at security firm Forescout.
"There have been many ransomware attacks on health system corporate IT networks that spilled over to medical devices, rendering them unusable," he says.
Those include WannaCry in 2017, the attack on Springhill Medical Center in Alabama affecting fetal monitors in 2019, and several attacks affecting radiation information systems in the U.S. and Ireland since 2020, he says.
"The effect of these attacks is typically delayed or canceled patient treatment. On top of that, ransomware gangs are among the most creative in terms of finding new 'business models' for their exploits, such as data exfiltration and public shaming of victims," dos Santos says.
"It could be a matter of time before some group finds a lucrative way to exploit medical devices directly rather than as a by-product of another attack - for instance, by extracting sensitive patient information and threatening to publish it."