MITRE releases medical device cybersecurity regional incident preparedness, response playbook

Not-for-profit organization MITRE released a playbook providing practical considerations to address medical device cybersecurity incidents, revised this year. Featuring tools, techniques, and resources, the playbook outlines a framework for healthcare delivery organizations (HDOs) and other stakeholders to plan for and respond to cybersecurity incidents around medical devices, ensure the effectiveness of devices, and protect patient safety.

The playbook, prepared by MITRE under contract with the U.S. Food and Drug Administration (FDA), also outlines how hospitals and other HDOs can supplement existing HDO emergency management and/or incident response capabilities with regional preparedness and response recommendations for medical device cybersecurity incidents. The revised version includes a more explicit alignment with the ‘Hospital Incident Command System’ for managing complex incidents, considerations for widespread impacts and extended downtimes that are common during cyber incidents, and an appendix of resources.

Updates to the playbook include emphasizing the need for a diverse team participating in cybersecurity preparedness and response exercises, including clinicians, healthcare technology management professionals, IT, emergency response, risk management, and facilities staff. It also highlights considerations for widespread impacts and extended downtimes during cybersecurity incidents that benefit from using regional response models and partners, and adds a resource appendix that makes it easier to find tools, references, and other resources to help healthcare organizations prepare for and respond to medical device cybersecurity incidents, including ransomware.

Along with the playbook, MITRE has also released a ‘Playbook Quick Start Companion Guide,’ which is a shorter version of the playbook. It discusses preparedness and response activities healthcare organizations might want to start with as they are developing their medical device incident response program.

In April, the FDA, an agency of the U.S. Department of Health & Human Services (HHS), announced the availability of draft guidance that provides recommendations to the healthcare industry regarding cybersecurity device design, labeling, and the documentation that the agency recommends be included in premarket submissions for devices with cybersecurity risks.

Since the initial version of the playbook was published in 2018, the healthcare and public health (HPH) sector has continued to experience growing numbers of cyber incidents. MITRE said that from mid-2020 through 2021, 82 percent of healthcare systems reported a cyber incident, 34 percent of which involved ransomware. In addition, cyber incidents are becoming increasingly sophisticated, including supply chain compromises and incidents involving cloud services infrastructure.

“Because these cyber incidents have often affected multiple medical devices and IT systems, they have led to widespread disruptions from which it can take weeks or months to fully recover,” MITRE said. “FDA believed that it would be valuable to update the playbook to reflect these evolving trends, and once again contracted MITRE to reach out to stakeholders to identify gaps, challenges, and additional resources since the original publication of the playbook.” 

The playbook provides a stakeholder-derived, open-source, and customizable framework that HDOs may choose to leverage as a part of their emergency response plans to limit disruptions in the continuity of clinical care and to address the potential for direct patient harm stemming from medical device cybersecurity incidents.

MITRE also points out that while similarities exist with natural disaster emergency preparedness and response, cybersecurity has unique characteristics that increase risk in ways that warrant specific integration of cyber incident planning within an HDO’s emergency plans and across different stakeholder groups responsible for responding to impacts to care delivery. 

The objectives of the framework include providing baseline medical device cybersecurity information that can be incorporated into an HDO’s emergency preparedness and response framework. It also outlines roles and responsibilities for responders internal and external to the HDO to clarify lines of communication and concept of operations (CONOPs) across HDOs, medical device manufacturers (MDMs), state and local governments, and the federal government. 

The framework also describes a standardized approach to response efforts that help enable a unified response within HDOs and across regions as appropriate, and serve as a basis for enhanced coordination activities among medical device cybersecurity stakeholders, including mutual aid across HDOs. 

Additionally, it informs decision-making and the need to escalate response, identifies resources HDOs may leverage as a part of preparedness and response activities and serves as a customizable regional preparedness and response tool for medical device cyber resiliency that could be broadly implemented. 

The MITRE playbook provides tools, references, and resources to help HDOs prepare for and respond to medical device cyber incidents, namely attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in medical devices. Its high-level structure follows the incident response lifecycle outlined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61r2, with the process, and the suggestions provided, intended to complement existing all-hazards incident preparedness and response activities and can be applied to specific cyber incidents involving medical devices. 

The lifecycle has four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

The preparation phase establishes an incident response capability so that the organization is ready to respond to incidents, but also prevent incidents by ensuring that systems, networks, and applications are sufficiently secure. The detection and analysis phase determines whether an incident has occurred and, if so, the type, extent, and magnitude of the problem.

The containment, eradication, and recovery component includes containment which prevents the incident from overwhelming resources and increasing damage. Eradication remediates affected hosts, while recovery restores systems to normal operation, confirms that the systems are functioning normally, and if applicable remediates vulnerabilities to prevent similar incidents. Lastly, the post-incident activity improves security measures and the incident handling process by reviewing what occurred, what was done to intervene, and how well the intervention worked.

In July, NIST updated its cybersecurity guidance for healthcare organizations on safeguarding patients’ personal health information. With the SP 800-66r2 draft document, NIST aims to assist healthcare organizations seeking further information on the security safeguards of the HIPAA Security Rule, regardless of the particular structures, methodologies, and approaches used to address its requirements.

MITRE said in the playbook that through planning and practice, and with support from and collaboration with manufacturers and regional and national partners, HDOs are well positioned to manage medical device cyber incidents. Conducting a thorough device inventory and developing a baseline of medical device cybersecurity information are the first steps in developing a cybersecurity preparedness and response framework.
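The inventory-and-baseline step above is the one piece of the playbook a practitioner can put into running code. The example below is an added illustration, not code from the MITRE playbook or the FDA: it loads a constructed device inventory export, flags records whose baseline is incomplete, and scopes a hypothetical manufacturer advisory against it to show how many devices in which clinical units would be affected, the kind of figure that drives the escalation decision during the detection and analysis phase. Every manufacturer, model, asset tag and version number here is made up for illustration.

```python
"""Added example (not from the MITRE playbook): build a medical device
cybersecurity baseline from an inventory export and use it to scope a
hypothetical manufacturer advisory.  All device records, model names and
version numbers below are constructed for illustration."""
import csv
import io
from dataclasses import dataclass

# Constructed inventory export.  Fields chosen as a minimal baseline:
# asset tag, manufacturer, model, software version, network exposure,
# and the clinical unit that depends on the device.  IP-0003 has no
# recorded software version, a typical baseline gap.
INVENTORY_CSV = """asset_tag,manufacturer,model,sw_version,network,unit
IP-0001,AcmeMed,InfusionPro 3,4.2.1,wired,ICU
IP-0002,AcmeMed,InfusionPro 3,4.3.0,wired,ICU
IP-0003,AcmeMed,InfusionPro 3,,wired,ED
MON-0010,AcmeMed,VitalsMon X,2.0.5,wifi,Telemetry
MON-0011,OtherCo,CardioView,7.1,wifi,Cath Lab
"""


@dataclass(frozen=True)
class Device:
    asset_tag: str
    manufacturer: str
    model: str
    sw_version: str
    network: str
    unit: str


def parse_version(v):
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically,
    not as strings (where '4.10' would sort before '4.9')."""
    return tuple(int(p) for p in v.split("."))


def load_inventory(text):
    """Parse the CSV export into Device records."""
    return [Device(**row) for row in csv.DictReader(io.StringIO(text))]


def baseline_gaps(devices):
    """Asset tags whose baseline is incomplete (no software version on file).
    These need a manual check before any advisory can be scoped reliably."""
    return [d.asset_tag for d in devices if not d.sw_version]


def affected_by_advisory(devices, manufacturer, model, fixed_in):
    """Devices matching the advisory's model that run a version below the
    fixed release.  Devices with an unknown version are included on purpose:
    they cannot be ruled out until someone checks them."""
    fixed = parse_version(fixed_in)
    hits = []
    for d in devices:
        if d.manufacturer != manufacturer or d.model != model:
            continue
        if not d.sw_version or parse_version(d.sw_version) < fixed:
            hits.append(d)
    return hits


def impact_by_unit(devices):
    """Count affected devices per clinical unit; this is the number the
    incident commander needs to decide whether to escalate."""
    counts = {}
    for d in devices:
        counts[d.unit] = counts.get(d.unit, 0) + 1
    return counts


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    print("baseline gaps:", baseline_gaps(inv))
    # Hypothetical advisory: AcmeMed InfusionPro 3, fixed in 4.3.0.
    hits = affected_by_advisory(inv, "AcmeMed", "InfusionPro 3", "4.3.0")
    print("affected:", [d.asset_tag for d in hits])
    print("by unit:", impact_by_unit(hits))
```

The design choice worth noting is that a device with no recorded version counts as affected rather than being silently dropped: a gap in the baseline must show up as work to do, not disappear from the impact figure.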

“Within the framework, an understanding of roles and responsibilities of responders internal and external to the HDO will help to clarify lines of communication and CONOPs across HDOs, medical device manufacturers, state and local governments, and the federal government,” the playbook said. 

“The framework can also help to enable a unified response within HDOs and across regions, as well as serve as a basis for enhanced coordination activities among medical device cybersecurity stakeholders, including mutual aid across HDOs,” MITRE said. “With healthcare-related cyber incidents growing in size and scope, preparedness, before a cyber event takes place with a strong, well-exercised, support infrastructure in place, is foundational to executing a rapid, comprehensive and robust response,” it adds.

MITRE released last December guidance to the healthcare sector in the form of a playbook to increase knowledge of threat modeling throughout the medical device ecosystem. The organization said at the time that it seeks to use the playbook to strengthen the cybersecurity and safety of medical devices, and offered insights on how an organization can develop or evolve an approach to creating threat models systematically and consistently to achieve its security objectives.

Last month, MITRE announced its ATT&CK v12 featuring the Campaigns in ATT&CK, Detections in ATT&CK for ICS, and updates to the Enterprise, Mobile, and ICS knowledge bases, across techniques, software, mitigations, APT groups, data sources and/or components. The latest version is now live.
