Pay Attention to the FDA’s New Medical Device Cybersecurity Guidelines

by Paulette Thomas, Counsel at BakerHostetler, 01/02/2019


The Food and Drug Administration’s (FDA’s) recently released Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook is the agency’s latest step in an ongoing effort to enhance medical device cybersecurity. Though these are merely guidelines and not regulations, it’s imperative hospitals and other vendors dealing with medical devices take them to heart. The FDA’s primary focus is on patient safety related to medical device incidents, but these guidelines could very well come into play if and when potential litigation over a device security incident arises.

The playbook provides guidance to healthcare organizations, recommending a layered approach to medical device incident preparedness and response that builds on the organization’s existing emergency preparedness plans [1]. If a solid emergency preparedness plan is already in place, complying with these new guidelines may not cause too much heartache. But now is always a good time to review your organization’s emergency preparedness plan to ensure that it is compliant with all regulations and available guidance.

A hospital that participates in the Medicare and Medicaid programs is required to comply with the Medicare Conditions of Participation (CoP). Effective November 2017, participating providers are required to comply with the Centers for Medicare & Medicaid Services (CMS) Emergency Preparedness Final Rule [2]. CMS issued the State Operations Manual Emergency Preparedness Final Rule Interpretive Guidance and Survey Procedures [3] (interpretive guidance) for surveyors to use when surveying a hospital for compliance with the CoP.

The CoP requires that a participating provider establish and maintain a comprehensive emergency preparedness plan using an all-hazards approach to meeting the health, safety and security needs of its staff and patient population during an internal or external emergency or disaster, and that it coordinate its response with external partners such as other healthcare facilities and local, state and federal organizations. Additionally, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule requires covered entities that maintain patients’ protected health information (PHI) to have policies and procedures in place to address security incidents and to establish contingency plans for responding to such incidents [4].

The playbook recognizes that the hospital’s size and scope will determine the robustness of its medical device cybersecurity emergency preparedness plan. The playbook recommends that a smaller, less-resourced hospital work with external partners to facilitate local and regional emergency preparedness for medical device cybersecurity incidents. However, regardless of size and scope, the hospital should include basic measures to identify and address medical device cybersecurity incidents in its emergency preparedness plan.

Additionally, under HIPAA, the hospital covered entity is required to conduct a security risk analysis of its systems that contain PHI. The hospital may incorporate the medical device vulnerability analysis into its current security risk analysis and complete and implement a risk management plan to mitigate the identified vulnerabilities.

The hospital should also incorporate cybersecurity into its medical device procurement and maintenance program, including maintaining a current inventory of all medical devices, their location and their interconnectivity with other devices and networks. If an incident occurs, the hospital can then quickly locate the affected medical devices, take them offline, patch or remediate them, and/or replace them. The hospital must also be able to quickly identify the vendor in order to communicate the incident, coordinate a response, and remediate the affected medical device.

The playbook contains elements of medical device asset inventory that should be readily and easily available to the hospital’s incident response team, including:

– Device name and description.

– Device physical location.

– Logical device location (e.g., Internet Protocol address, switch port and/or wireless access point connection(s)).

– Device owner and manager.

– Device maintenance parameters (e.g., no longer supported by the manufacturer; internally maintained by the healthcare organization [with current contact information]; maintenance outsourced and provided by an entity under a service level agreement).

– Device operational status (in use, broken, etc.), to include the current operating system and patch status.

– Embedded components (e.g., Software Bill of Materials (SBoM)), to include component version, release, patch status, etc.

– Interaction with and/or dependencies on other devices/IT resources.

– Log files that capture device operating and/or diagnostic information (e.g., to diagnose malfunctions as cyber-related or not), ideally with a capability to interpret error codes, as applicable.

The asset inventory should also include documented scheduled and completed maintenance requirements based on the type of medical device and potential patient harm if the medical device malfunctions.

Hospitals and medical device vendors should include cybersecurity responsiveness in the vendor purchase and service-level agreements and define the roles, responsibilities and coordination needed between the parties during a medical device incident [6]. Hospitals should foster a relationship with manufacturers, such as by establishing a point of contact for the manufacturer’s personnel with cybersecurity roles and maintaining at least two current methods of contact for each person.

Also, the hospital should determine whether the manufacturer has an outward-facing product security and privacy webpage that includes contact information for reporting incidents and receiving incident-specific alerts [7]. It is especially important for a hospital to have current information so that it can quickly and effectively respond to a medical device security incident.
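As an added illustration that is not part of the article or of the FDA playbook, the following Python sketch models the inventory elements listed above together with the vendor contact expectations: given a vulnerable embedded component version, it locates the affected devices (with their physical and logical location and vendor) and flags inventory records that would slow a response. All device names, addresses, vendor names, URLs and component versions are constructed.

```python
# Added example (not the article's or the FDA playbook's code); all values below are constructed.
from dataclasses import dataclass
@dataclass
class Device:
    name: str
    physical_location: str
    ip_address: str
    owner: str
    maintenance: str    # "vendor-sla", "internal" or "unsupported"
    status: str         # "in use", "broken", ...
    os_patch_status: str
    sbom: dict          # embedded component -> version (the SBoM element)
    vendor: str

@dataclass
class Vendor:
    security_page: str  # "" when no outward-facing security page is known
    contacts: dict      # cybersecurity role holder -> list of contact methods

INVENTORY = [
    Device("infusion pump A", "ICU bed 3", "10.20.1.15", "Biomed", "vendor-sla",
           "in use", "2018-11", {"libfoo": "1.2"}, "PumpCo"),
    Device("infusion pump B", "Ward 2", "10.20.1.22", "Biomed", "unsupported",
           "in use", "2016-05", {"libfoo": "1.0"}, "PumpCo"),
    Device("bedside monitor", "ER bay 1", "10.20.2.7", "Nursing", "internal",
           "broken", "2018-09", {"libfoo": "2.0"}, "MonitorCo"),
]
VENDORS = {
    "PumpCo": Vendor("https://example.invalid/security", {"PSIRT lead": ["email", "phone"]}),
    "MonitorCo": Vendor("", {"PSIRT lead": ["email"]}),
}

def affected_devices(inventory, component, bad_versions):
    """Locate every device whose SBoM carries a vulnerable version of component."""
    return [d for d in inventory if d.sbom.get(component) in bad_versions]

def readiness_gaps(device, vendors):
    """List inventory or contact gaps that would slow the response for device."""
    gaps = []
    if device.maintenance == "unsupported":
        gaps.append("no manufacturer support")
    vendor = vendors.get(device.vendor)
    if vendor is None:
        return gaps + ["no vendor contact record"]
    if not vendor.security_page:
        gaps.append("no product security page")
    for role, methods in vendor.contacts.items():
        if len(methods) < 2:
            gaps.append(f"{role}: fewer than two contact methods")
    return gaps
```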

The type and breadth of the security incident will determine the hospital’s response. The hospital’s incident response plan should include a definition of a medical device cybersecurity incident and the scenarios that will trigger the incident response. The hospital should have dedicated medical-technical specialists or similar stakeholders who are familiar with vendor contracting and medical device maintenance and security, to serve as liaisons with medical device manufacturers and as part of the incident response team.

The type of medical device security incident will dictate the level of involvement of the internal incident response team members and the need to involve local, regional, state or federal assistance. The emergency preparedness plan should include contact information for the external partners, such as affiliate healthcare organizations, local and state departments of health, law enforcement, and federal agencies such as the Federal Bureau of Investigation Cyber Division.

Finally, the CoP requires the emergency preparedness plan to be reviewed and updated at least annually. The hospital should conduct workforce training and mock incident response exercises annually. As part of its ongoing preparedness, the hospital should also evaluate its response to the mock incident, including what went well and what did not, and use this information to improve the emergency preparedness plan.

Whenever new guidance becomes available, it should serve as a reminder for the hospital to review its organization’s emergency preparedness plan and ensure it is up to date. Following these new guidelines could not only save a patient’s life but also protect the hospital from liability should a medical device-related security incident arise down the road.

References

[1] The playbook follows the incident response lifecycle outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61r2, Computer Security Incident Handling Guide, available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf. Additional resources include the National Incident Management System (NIMS), available at https://www.fema.gov/national-incident-management-system; Hospital Incident Command System (HICS), available at http://hicscenter.org/SitePages?HomeNew.aspx; and Assistant Secretary for Preparedness and Response (ASPR) Technical Resources, Assistance Center, and Information Exchange (TRACIE), available at https://asprtracie.hhs.gov.

[2] Medicare and Medicaid Programs: Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers Final Rule, 81 Fed. Reg. 63860 (Sept. 16, 2016).

[3] https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/Survey-and-Cert-Letter-17-29.pdf.

[4] 45 C.F.R. § 164.308(a)(6)-(7).

[5] Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, at p. 7.

[6] AAMI’s Medical Device Cybersecurity: A Guide for HTM Professionals resource is available at http://my.aami.org/store/detail.aspx?id=MDC-PDF.

[7] Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, at p. 8.

The views expressed in this article are those of the author and not necessarily those of BakerHostetler or its clients. 

Paulette Thomas is counsel at BakerHostetler, based in Cincinnati. She has devoted the vast majority of her 25 years as an attorney to helping clients navigate HIPAA privacy and security laws.
