Planning for Prolonged Regional Medical Device OutagesFDA's Aftin Ross & MITRE's Penny Chase on the Updated Medical Device Cyber Playbook
A ransomware attack knocking out the local medical center's imaging and lab equipment is an incident felt by an entire network of regional healthcare providers. Given the explosion in ransomware attacks, entities everywhere should plan for outages even when they don't directly experience an attack, say Aftin Ross of the Food and Drug Administration and Penny Chase of MITRE.
A cyberattack on diagnostic equipment creates a "blast radius for healthcare organizations that are dependent on those technologies, as well," particularly in regions where expensive imaging equipment is located in just one local center, says Ross, senior special adviser for emerging initiatives in the Office of Strategic Partnerships and Technology Innovation at the FDA's Center for Devices and Radiological Health.
Emergency care in particular is not possible without CT scanners and MRIs, says Chase, senior principal scientist at MITRE.
"In that case, they would have to divert patients to other hospitals, and that can create lots of issues in the region," Chase tells Information Security Media Group. She and Ross discuss MITRE and the FDA's recently released Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.
The playbook is a refresh of a joint FDA/MITRE document first issued in 2018 (see: FDA Updates Medical Device Cyber Response Playbook).
It accounts for the surge in ransomware and other evolving cyberthreats facing medical devices, Ross says.
In the interview (see audio link below photo), Ross and Chase also discuss:
- Cyber incident response planning considerations for medical devices makers;
- Other updates from FDA and MITRE included in the latest playbook release;
- Individuals and groups within the healthcare ecosystem that should use the playbook and how to best implement the guidance.
Ross provides leadership and coordination on a range of emerging public health issues, including medical device cybersecurity, respiratory protective devices, personal protective equipment and incident response.
Chase is a senior principal scientist and IT and cybersecurity integrator in the Data and Human-Centered Solutions Innovation Center at MITRE Labs. For the past several years, she has supported the FDA's efforts to encourage medical device threat modeling, develop a common vulnerability scoring system rubric tailored to medical devices, and improve cyber security preparedness and response. She also supported the VA in developing an enterprise security architecture for its medical technology ecosystem.