Medical Device Cybersecurity: Are you Prepared?

February 14, 2023

Unrecognizable,Male,Physician,Is,Accessing,Electronic,Medical,Records,Of,A

Medical device manufacturers form part of the first line of defense that health delivery organizations (HDOs) rely upon to manage and combat a cybersecurity attack.

[C]yber risks are increasing constantly” due to the interconnectedness of the complex systems we rely on for our everyday needs.[1]

- Puesh Kumar, the director of the US Department of Energy’s Office of Cybersecurity, Energy, Security, and Emergency, National Public Radio interview on January 30, 2023.

Due to the healthcare industry’s increasing reliance on complex computer systems and connected networks in the healthcare space, cybersecurity incidents will result in disruptions to patient care. According to the FDA, the increase in the exchange and sharing of medical device-related health information highlights the critical need for robust cybersecurity controls to ensure medical device safety and effectiveness.[2]

On November 14, 2022, the FDA and MITRE[3] published an updated Playbook titled: Health Delivery Organization (HDO) Medical Device Cyber Incident Preparedness and Response Ver. 2.0 (or “Playbook”).[4] The Playbook focuses on “preparedness and response for medical device cybersecurity issues that impact the functionality of a device.” [5]

Although the Playbook’s intended audience is HDOs, medical device manufacturers form part of the first line of defense that its customers (HDOs) rely upon to help manage and combat a cybersecurity attack.

Below we’ve summarized the updated Playbook and compiled a list of key takeaways for medical device manufacturers.

Key Takeaways for Medical Technology Companies:

med tech AdobeStock_348406557 [Converted]
  • Embed cybersecurity into the company’s culture and Quality Management System (QMS) and design controls processes.
    • Adhere to FDA Quality System Regulations (QSR) and guidance related to cybersecurity in medical devices.
    • Incorporate cybersecurity risk in every phase of the device design and development process.
    • Train applicable staff on cybersecurity risks and mitigations related to the company’s products so that staff may be prepared to help HDOs and patients in case of a cybersecurity incident affecting the manufacturer’s product.
  • Be well-prepared for questions from customers and potential buyers of your device.
    • Device makers should expect cybersecurity questions in the early stages of the procurement or vendor onboarding process with HDOs.
    • Also be prepared to answer questions regarding any suspicious activity after deployment. Some might be benign, some might not.
  • Be a partner in mitigating cybersecurity risks.
    • Be open and prepared to collaborate in security exercises as required by the HDO.
    • Expect to provide cybersecurity support related to the company’s products, as needed.
  • Be ready.
    • HDOs will contact manufacturers for assistance with cybersecurity risks, questions, and incident response plans.
    • The FDA may contact device makers if cybersecurity support is needed.
    • Companies should review their incoming communication channels processes to ensure that if FDA or an HDO reaches out, the message would get to the appropriate person/team at the company promptly.
  • Plan ahead.
    • Medical device manufacturers should consider drafting pre-prepared templates that are ready to be used in the case of a cybersecurity incident.
    • Identify members and roles of your cybersecurity incident response team ahead of any incident.
    • Develop a plan for communicating, analyzing the incident, and responding to it that can guide your team during an incident.
  • Follow QMS requirements.
    • If software fixes or other device design changes are needed to address cybersecurity risks, the company should follow its Quality Management System and FDA regulations.
    • Conduct regular risk assessments to ensure that any new or increased risks are accounted for in the device risk management file.
    • Evaluate and submit post-market device changes to FDA for approval, where required.

[1] Recent attacks on electric substations have the Department of Energy concerned. https://www.npr.org/2023/01/30/1152448772/recent-attacks-on-electric-substations-have-the-department-of-energy-concerned. Last accessed February 2, 2023.

[2] FDA Guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. https://www.fda.gov/media/119933/download

[3] MITRE is a non-profit organization that runs several federally funded research and development centers (FFRDC), including the CMS Alliance to Modernize Healthcare, the National Cybersecurity Center of Excellence, and the Homeland Security Systems Engineering and Development Institute.

[4] The Playbook is available here: https://www.mitre.org/news-insights/publication/medical-device-cybersecurity-regional-incident-preparedness-and-response  

[5] Playbook at 2.

[6] “Conducting a thorough device inventory and developing a baseline of medical device cybersecurity information are the first steps in developing a cybersecurity preparedness and response framework.” Id at 25.

[7] Id. at 9.

[8] Id. at 4. Internal preparation for an HDO includes creating a cybersecurity component to the Hospital’s Incident Management Team (HIMT). Including Information Security Officer (ISO) and Chief Information Officer (CIO), as well as including specialized staff to act as cybersecurity liaisons with outside organizations, could result in quicker resolution of cybersecurity incidents and faster decision-making in critical situations.

[9] Id. at 7.

[10] Id.

[11] Id. at 14-15.

[12] Id. at 16-17.

[13] Id. at 18-19.

[14] Id. at 19.

[15] Id. at 20-21.

[16] Id. at 22.

[17] Id.

[18] Id. at 22-23.

[19] Id. at 23.

[20] Id. at 24.  These considerations, and more, were adapted from the National Institute of Standards and Technology (NIST) publication NIST SP 800-61r2, available at: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final.

Need help?

Information provided on this website is not legal advice. Communications sent to or from this site do not establish an attorney-client relationship. © 2023 Gardner Law. All Rights Reserved.