The Food and Drug Administration recently issued its Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook to address continued threats to medical devices that could affect patient safety.

The 32-page playbook is a tool for regional readiness and response activities to aid organizations in "addressing cybersecurity threats affecting medical devices that could impact continuity of clinical operations for patient care and patient safety."

The objectives of the framework are to:

  • Provide baseline medical device cybersecurity that organizations can incorporate into their emergency preparedness and response
  • Assist with clarifying lines of communication and outline roles and responsibilities for internal and external responders
  • Offer a standardized approach to response efforts across organizations and regions
  • Provide enhanced coordination activities among stakeholders
  • Provide information regarding decision making for escalated responses
  • Identify resources that can be leveraged for preparedness and response
  • Serve as a response tool that can be customized for regional preparedness and broadly implemented

The playbook emphasizes that cybersecurity is a team sport and that patient safety is maximized with regional collaboration and information sharing.

Part of the playbook recommends that regional partners build trust relationships and share best practices with each other, develop mutual aid agreements, exchange point of contact information, conduct joint exercises, identify a regional incident command/coordination center, and share cybersecurity advisories and alerts.

The playbook could also be a guide for states and municipalities on how to prepare for and respond to a cybersecurity threat beyond threats to medical devices as it outlines basic preparedness and response strategies. It is a virtual how-to that can assist governmental and private entities alike.


Linn F. Freedman practices in data privacy and security law, cybersecurity, and complex litigation at Robinson+Cole, where she chairs the firm's Data Privacy + Cybersecurity Team. The above article is also available on Robinson+Cole’s Data Privacy + Security Insider blog.