This is archived ASPR content.

ASPR Blog

By Steve Curren, ASPR Critical Infrastructure Protection Program Manager

This spring, two independent cyber security researchers identified a potential vulnerability among a sample of medical devices, spanning from general-use to life-sustaining devices. If exploited, the vulnerability could result in unauthorized access to the device, changes in functionality that could cause harm to patients or, with networked devices, could compromise a hospital’s computer networks. The researchers alerted the U.S. Food and Drug Administration and the Department of Homeland Security to the potential vulnerability.

Because of a new Presidential Policy Directive on critical infrastructure security, called PPD-21, and a new executive order on improving critical infrastructure cyber security, federal agencies were better prepared to take on this issue in a coordinated way.

In fact not long before this vulnerability was discovered, DHS, FDA, ASPR, the HHS Office of Security & Strategic Information, and the HHS Office of the Chief Information Officer completed an exercise on sharing cybersecurity information. The exercise established relationships and information sharing processes across the agencies which they drew on to respond to this real-time challenge.

FDA and DHS immediately began a coordinated effort to ensure that the vulnerability was properly assessed and addressed by the medical device manufacturers. FDA and DHS notified the companies whose devices were identified by the researchers, cross-referencing each other’s communications. ASPR alerted its partners in the Healthcare and Public Health Sector, including hospitals and state and local public health departments. DHS provided technical expertise to the manufacturers to address specific IT vulnerabilities. The effort demonstrated to manufacturers that the agencies really are working together to strengthen cybersecurity and critical infrastructure in the healthcare space.

FDA also released draft guidance for medical device manufacturers that clarifies the cybersecurity risks that manufacturers should consider in the design of their medical devices and identifies what type of information should be included in premarket submissions to FDA.

They also sent an important safety communication on cybersecurity to medical device manufacturers, hospitals, medical device user facilities, health care IT and procurement staff, and biomedical engineers. The safety communication recommended that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyber attack.

This real-world example is what PPD-21 and the executive order are all about: a more coordinated approach to infrastructure protection before, during and after a cyber crisis. A coordinated approach means situational awareness and information exchange among local, state, and federal agencies and the private sector.

PPD-21 lays out the roles and responsibilities of federal agencies to drive a more coordinated federal approach. Better federal coordination means streamlined processes for sharing information with local and state agencies and the private sector.

Executive Order 13636, called “Improving Critical Infrastructure Cyber Security,” focuses on enhancing cyber security for everyone. The order helps the federal government to share information on cyber threats and vulnerabilities – like the medical device vulnerability – with the industries and agencies that would be affected. This information helps them fix the problems and protect their own systems. This information is often more comprehensive than the information previously available to the private sector and local and state agencies.

Also under the order, federal agencies are creating a new cybersecurity framework with non-regulatory standards to guide practices for private industry. The same practices could be applied by state and local agencies to protect health department systems.

Want to know more? Interested in participating in writing the framework? Watch your association’s website or newsletter for upcoming workshops on the cybersecurity framework taking place around the country, or contact ASPR at CIP@hhs.gov.

What are your cybersecurity concerns when it comes to health care and public health?
