Cyber Incident Response: Playbook for Medical Product Makers
New HSCC Publication Aims to Help Device, Drug Makers Improve Cyber Response
A new playbook from the Health Sector Coordinating Council aims to help manufacturers of medical products such as pharmaceuticals, devices and durable equipment plot out and improve their response to ransomware attacks and other cyber incidents.
The Medical Product Manufacturer Cyber Incident Response Playbook, or MPM-CIRP, was developed by an operational technology cyber task force within the HSCC's joint cybersecurity working group, whose members include stakeholders from government, such as the Food and Drug Administration, and from the private sector, including manufacturers, technology firms and others.
The playbook is a comprehensive guide offering step-by-step recommendations and processes for medical product makers to use in their incident response plans. Advice ranges from identifying, responding to, and remediating manufacturing cyber incidents, such as compromises of sensitive data, to defending against ransomware and denial-of-service attacks that can disrupt manufacturing and other critical operations.
"This playbook is meant to serve as a starting point - or accelerator - for companies to create and tailor their own internal playbooks for their specific circumstances," HSCC said.
Medical product manufacturers often face the same cyber incident response challenges as their peers in other industries, such as constraints in skills and technologies, said Phil Englert, vice president of medical device security at the Health Information Sharing and Analysis Center, and a contributor to the HSCC playbook.
But the manufacturing processes that ensure medical products perform as intended are essential to protecting public health, and disruptions to them may require reporting to other government agencies such as the Department of Health and Human Services or the Cybersecurity and Infrastructure Security Agency, he told Information Security Media Group.
For instance, "under section 506J of the Federal Food, Drug, and Cosmetic Act, during or in advance of a public health emergency, manufacturers of certain medical devices must notify the FDA of an interruption or permanent discontinuance in manufacturing," he said.
Also, as in so many areas of IT security, "our common view of incident response is largely aligned with the traditional enterprise IT environment," said Axel Wirth, chief security strategist at device security firm MedCrypt and also a contributor to the playbook.
"For example, existing standards and frameworks deal with typical IT incidents and, as a result, most organizations' IR plans neglect the 'dark corners' of cyber risk," he said.
"The playbook overcomes that by not only highlighting the unique needs of the medical product manufacturing environment, but also by providing a usable framework to develop those specific incident response capabilities," he said.
Customizable Advice
While the MPM-CIRP's recommendations can be customized for a medical product manufacturer of any size, the playbook notes that its guidance can be especially useful to small- and mid-sized companies that often lack dedicated cyber personnel.
Particularly at smaller manufacturers, one person may serve in multiple roles on the cyber incident response team. "For example, the cyber incident response manager and IT technical response leads are often the same person. Additionally, the liaison roles may be collapsed, or several liaison roles may be filled by one person," the playbook said.
Nonetheless, "small cybersecurity teams can deliver a flexible, agile response - provided roles, responsibilities and contacts are identified ahead of time," the playbook said.
The guidebook covers incident response plan preparation; incident detection, investigation and analysis; activating a response team; containment and eradication; and incident recovery and post-incident activities.
"The playbook will feel familiar because incident response basics are similar across technologies," Englert said.
"In addition to framing the incident severity assessment in terms of business impact, national security, or civil liberties, the guidance also impacts public health or safety in the incident response planning," he said.
"Additionally, the guidelines infuse regulatory considerations into the cyber incident response team process, including reporting suspected or confirmed incidents to the Health-ISAC and other information-sharing and analysis organizations."
Christopher Gates, director of product security at medical device design and manufacturing company Velentium, who also contributed to the playbook, said there is a vacuum in awareness about the importance of cyber incident response planning among many medical product makers.
"I recently gave an in-person presentation to about 350 contract manufacturers about the playbook, and the ways to get started implementing security on the manufacturing floor," he said.
"It was by far the worst talk I have ever given when it comes to audience engagement. So, based upon this general state of apathy toward manufacturing-floor cybersecurity, I would have to answer that the biggest struggle is 'people,'" said Gates, who is a co-chair for the Health-ISAC's Medical Device Security Council.
"People would prefer to ignore the risks even when they are faced with the present-day cybersecurity reality," he said. "Why? It creates additional work and costs."