How to Use FDA's Medical Device Cybersecurity 'Playbook'Julie Connolly of Mitre Corp. Explains How to Make the Most of the New Guide
A new "playbook" co-developed by the Food and Drug Administration and Mitre Corp. aims to assist healthcare delivery organizations in responding to cybersecurity incidents involving medical devices, says Julie Connolly, who helped develop the guide.
"One thing we tried to do with the playbook was not recreate the wheel," Connolly says in an interview with Information Security Media Group. "We wanted to graft on to existing emergency management, preparedness and response [activities] that hospitals were already doing ... such as responding to a hurricane or active shooter."
But responding to a cybersecurity incident involving medical devices requires the involvement of more players, says Connolly, a cybersecurity engineer at Mitre.
The new playbook is directed "to anyone who might have a role in incident response," she notes. "So while the obvious candidates are health technology management or bioengineering, IT and emergency management, it also applies to risk management, facility staff and clinicians," she says.
Because medical devices cybersecurity situations are more complex than other security incidents, healthcare delivery organizations need to make specific response preparations, she says.
The playbook addresses many scenarios, such as issues that arise out of software system vulnerabilities - whether it be from the device itself or a component of that device, she says.
"For instance, WannaCry was a Windows-based vulnerability, and a lot of these devices are running on the Windows operating system," Connolly notes.
During the Wannacry outbreak last year, she says, "the big question was: 'I know these devices are running on Windows. Are they affected also by this ransomware?' Some manufacturers had the answer, and some didn't, and for some it took a while."
FDA's recently drafted update to cybersecurity premarket guidance calls for device manufacturers to issue a "bill of materials" for their products, which could prove helpful in these situations, she notes.
In the interview (see audio link below photo), Connolly also discusses:
- The regional nature of incident response, including cybersecurity situations involving medical devices;
- The input from device manufacturers in developing the playbook;
- Plans for updating the playbook.
Connolly, CISSP, is a principal cybersecurity engineer with more than 20 years experience at MITRE's Cybersecurity Technical Center. She has expertise in working across the cybersecurity domain on policy, strategy, standards, research and operations. Connolly is part of a MITRE team supporting FDA's effort to develop collaborative approaches to manage medical device cybersecurity. She has also helped make governance and cybersecurity recommendations to improve the Department of Health and Human Services' information technology infrastructure, including helping improve the Centers for Medicare & Medicaid Services' cyber threat intelligence capability.