Tag: cybersecurity
I (Mike Russell) attended the neXus conference on medical device standards this year. Below are some observations and suggested takeaways from the talks I heard and the panel I was on. Remember, these are just selected highlights, not everything said 🙂
Session: Reducing Submission Rejections and Recalls with Software Standards
This year’s conference added a third...
Legacy medical devices play a crucial role in healthcare, but removing them may pose a greater risk to patient safety, clinical operations, and financial stability than leaving them in service. The challenging task of “securing” these legacy devices is therefore paramount. It must be recognized that overall management of the risk...
The U.S. Food and Drug Administration (FDA) announced today that AAMI SW96 has received FDA Consensus Standard status. Medical device manufacturers are now expected to conform to the requirements of this standard as applicable, or to have processes that demonstrably address the requirements of the standard. The broad outline of AAMI SW96 is: General requirements for security...
The Open Worldwide Application Security Project (OWASP) released a white paper titled OWASP Top 10 for LLM. The introduction states, The frenzy of interest in Large Language Models (LLMs) following mass-market pre-trained chatbots in late 2022 has been remarkable. Businesses, eager to harness the potential of LLMs, are rapidly integrating them into their...
Tampa, FL, July 13, 2023. Crisis Prevention and Recovery, LLC, dba SoftwareCPR® is pleased to announce that our partner, Dr. Peter Rech, has received the prestigious Certified Information Systems Security Professional (CISSP) certification. Peter has led the SoftwareCPR staff in cybersecurity-related activities for our clients and is one of the premier regulatory experts with...
This Playbook was prepared by The MITRE Corporation and the Medical Device Innovation Consortium using funds from the U.S. Food and Drug Administration in November 2021. Download playbook here: Playbook-for-Threat-Modeling-Medical-Devices-2021
The playbook is not prescriptive in that it does not describe one approach to be used when threat modeling medical devices. It is intended to...
FDA Updates Cybersecurity Playbook for Health Care Organizations
The healthcare sector knows how to prepare for and respond to natural disasters. It is less prepared, however, to handle cybersecurity incidents, particularly those involving medical devices. With healthcare-related cyber incidents growing in size and scope, preparedness before a cyber event takes place with a strong, well-exercised,...
Since October is Cybersecurity Awareness Month, the US FDA released a new video to provide ideas and approaches for Healthcare Professionals (HCPs) to discuss and explain to patients the concepts and methods of cybersecurity with regard to interconnected medical devices. The video, titled “xx,” is designed to promote, and perhaps facilitate, communication between HCPs and patients....
Recently, a new cybersecurity standard, IEC 81001-5-1:2021, Health software and health IT systems safety, effectiveness and security – Part 5-1: Security – Activities in the product life cycle, was released.  As the name implies, this standard addresses the overall software development lifecycle (SDLC) with regard to cybersecurity activities.  For medical device manufacturers, this is very...
The Markup, a nonprofit newsroom that investigates how powerful institutions are using technology to change our society, reports that a Facebook tracker embedded in hospital websites has been collecting patients’ sensitive health information, including details about their medical conditions, prescriptions, and doctor’s appointments, and sending it to Facebook. They found that 33 of Newsweek’s top 100 hospitals in America contained a tracker, called the...
FDA will host a webinar to discuss Cybersecurity quality system considerations on Tuesday, June 14, 2022, from 1 p.m. to 2:15 p.m. EDT.  The webinar will focus on the latest and current Cybersecurity Premarket Submissions draft guidance released in April 2022.  This draft guidance replaces the 2018 draft version and is intended to further emphasize the...
FDA has released a new draft of Premarket Cybersecurity in Medical Devices:  Quality System Considerations and Content of Premarket Submissions.  Per the scope, this 2022 FDA Premarket Cybersecurity Guidance “is applicable to devices that contain software (including firmware) or programmable logic, as well as software as a medical device (SaMD). The guidance is not limited to devices...
FDA recently posted the following cybersecurity alert: On Tuesday, December 21, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) published medical advisory ICSMA-21-355-01 on the Fresenius Kabi Agilia Connect Infusion System. Successful remote exploitation of these vulnerabilities could allow an attacker to gain access to sensitive information, modify settings, or perform arbitrary actions as an...
The US FDA announced on December 21, 2021, a cybersecurity alert for the Fresenius Kabi Agilia Connect Infusion System.  The announcement referenced a Cybersecurity and Infrastructure Security Agency (CISA) publication of a vulnerability disclosure ICSMA-21-355-01 on the Fresenius Kabi Agilia Connect Infusion System. Successful remote exploitation of these vulnerabilities could allow an attacker to gain...
The Medical Device Innovation Consortium (MDIC) recently partnered with the MITRE Corporation, Adam Shostack, and the FDA to host a webinar regarding the soon to be released “Playbook for Threat Modeling Medical Devices.” The playbook was created during a series of bootcamps held by the team over the past year and the webinar provided a...
FDA’s Digital Transformation and the regulation of Medical Device Cybersecurity?
I read the recent FDA post that discussed the FDA’s Digital Transformation: “Today, the U.S. Food and Drug Administration announced the reorganization of the agency’s information technology (IT), data management and cybersecurity functions into the new Office of Digital Transformation (ODT).” Then I was reading...
Jonathan Zittrain and John Bowers of the Berkman Klein Center; Samuel Finlayson, Zachary Kohane, and Andrew Beam of Harvard Medical School; and Joichi Ito of the MIT Media Lab have published an article in Science highlighting potential uses of adversarial attacks on machine learning systems in the medical context.
This July 2021 Standards Navigator Report content is only available to Standards Navigator subscribers. See our Subscribe page for information on subscriptions. SoftwareCPR® Standards Navigator provides information and tools related to standards that play a significant role in health software and software intensive medical devices.  In addition to information on existing standards, our report keeps you...
Company: Datascope Corp.
Date of Enforcement Report: 5/5/2021
Class III
PRODUCT: Cardiosave Hybrid IABP – Product Usage: used to inflate and deflate intra-aortic balloons. It provides temporary support to the left ventricle via the principle of counterpulsation. Model Numbers: 0998-00-0800-32, 0998-00-0800-33, 0998-00-0800-34, 0998-00-0800-35, 0998-00-0800-45, 0998-00-0800-52, 0998-00-0800-53, 0998-00-0800-55, 0998-00-0800-65
Recall Number: Z-1506-2021
REASON: There are cybersecurity...
Having trouble keeping up with standards activity? You are not alone!  The pace of new and emerging standards creates a challenge for even the most organized and well staffed software and quality assurance teams.  Whether it is digital health, risk management, software process, usability, or the ever challenging cybersecurity, being aware and understanding upcoming changes...
Our internal cybersecurity expert Gwen contributed the following. The Use of LIS2 In Medical Devices LIS2-A2 is widely used in laboratory devices as a standard practice for Healthcare Delivery Organizations (HDOs). The LIS and LIS2 communication protocol standards published nearly two decades ago have often been used in medical device network systems due to their...
A German woman died, with a ransomware attack cited as a contributing factor in preventing her from receiving timely care. Media reports indicate that it may be the first death directly linked to a cyberattack on a hospital. Apparently the closest hospital was under the ransomware attack and could not receive the emergency patient, causing the first...
Company: Medtronic Inc., Cardiac Rhythm and Heart Failure (CRHF)
Date of Enforcement Report: 3/25/2020
Class II
PRODUCT: Medtronic CareLink 2090 Programmer. Used to interrogate and program Medtronic and Vitatron implantable devices, such as pacemaker/ICD/CRT.
Recall Number: Z-1524-2020
REASON: Medtronic Conexus Telemetry has been determined to contain two primary cyber vulnerabilities: improper access control and the...
FDA is raising awareness among health care providers and facility staff that cybersecurity vulnerabilities in certain GE Healthcare Clinical Information Central Stations and Telemetry Servers may introduce risks to patients while being monitored.  Per the FDA notice: “A security firm has identified several vulnerabilities in certain GE Healthcare Clinical Information Center workstations and Telemetry Servers,...
Company: GE Healthcare, LLC
Date of Enforcement Report: 1/1/2020
Class II
PRODUCT: ApexPro Telemetry System – Product Usage: The ApexPro Telemetry System is intended for use under the direct supervision of a licensed healthcare practitioner. The system is designed to acquire and monitor physiological data for ambulating patients within a defined coverage area. The system...
Company: GE Healthcare, LLC
Date of Enforcement Report: 12/25/2019
Class II
PRODUCT: Aestiva MRI, Model Numbers: a) 1006-9310-000 b) 1006-9110-000 c) 1006-9023-000 d) 1006-9028-000 e) 1006-9310-000-305077 f) 1006-9310-000-015243 g) 1006-9310-000-017602 h) 1006-9310-000-103785 i) 1006-9310-000-025109 j) 1006-9310-000-009650 k) 1006-9310-000-015224 l) 1006-9310-000-031881 m) 1006-9310-000-031854 n) 1006-9310-000-026571
Recall Number: Z-0114-2020
REASON: Certain Aespire and Aestiva Anesthesia Systems were...
URGENT/11 Cybersecurity Vulnerabilities in a Widely-Used Third-Party Software Component May Introduce Risks During Use of Certain Medical Devices
The U.S. Food and Drug Administration (FDA) is informing patients, health care providers and facility staff, and manufacturers about cybersecurity vulnerabilities that may introduce risks for certain medical devices and hospital networks. The FDA is not aware...
Today, the German Federal Institute for Drugs and Medical Devices (BfArM) identified critical vulnerabilities in the Wind River VxWorks real-time operating system. Affected versions of VxWorks are:
VxWorks 6.5 to 6.9 (End-of-Life)
VxWorks 7 (SR540 and SR610)
VxWorks 653 MCE 3.x (may be affected)
They pointed out that VxWorks is used in many medical devices....
Cybersecurity issues arise when medical devices are capable of connecting to the Internet or other medical devices. Since the FDA is concerned with regulating the safety and effectiveness of medical devices, manufacturers must ensure that the computer systems of medical devices are protected against security breaches. The link below provides the FDA Fact Sheet entitled,...
Health Canada released the full guidance document, Pre-market Requirements for Medical Device Cybersecurity. It can be viewed at:  https://www.canada.ca/en/health-canada/services/drugs-health-products/medical-devices/application-information/guidance-documents/cybersecurity.htm It includes requirements such as: “Risk management is required for all medical devices throughout their life-cycle. Manufacturers should incorporate cybersecurity into the risk management process for every device that consists of or contains software. Manufacturers are...
Patient Engagement Advisory Committee Meeting to Discuss Cybersecurity – September 10, 2019
On September 10, 2019 the FDA will hold a meeting of the Patient Engagement Advisory Committee. The committee provides advice to the FDA on complex issues relating to medical devices, the regulation of devices, and their use by patients. During the meeting the...
The FDA is warning patients and health care providers that certain Medtronic MiniMed™ insulin pumps have potential cybersecurity risks. Patients with diabetes using these models should switch their insulin pump to models that are better equipped to protect against these potential risks.
A 2015 article reviewing the factors that contribute to a potentially insecure environment, identifying the vulnerabilities, explaining why these vulnerabilities persist, and describing what the solution space should look like.
Company: Draeger Medical Systems, Inc.
Date of Enforcement Report: 4/13/2019
Class II
PRODUCT: Infinity Delta Family patient monitors. The Infinity Delta Series (Delta/Delta XL/Kappa) monitors are intended to be used on adult, pediatric, and neonatal populations, with the exception of the parameters Cardiac Output, ST Segment Analysis, and arrhythmia, which are intended for use in...
Today, the U.S. Food and Drug Administration (FDA) issued a safety communication to alert health care providers and patients about cybersecurity vulnerabilities identified in a wireless telemetry technology used for communication between Medtronic’s implantable cardiac devices, clinic programmers, and home monitors. The wireless telemetry protocol has cybersecurity vulnerabilities because it does not use encryption, authentication,...
Certainly everyone with any connection to information technology and networked devices is concerned with cybersecurity. However, often we just miss the basics – we do not practice good cyber hygiene. While not intended to be comprehensive or state-of-the-art, here are some security basics (or as some call it, “cyber hygiene”) that one should consider when developing...
October is National Cybersecurity Month; for more information from FDA click the link.
A draft of a new revision of the NIST Framework for Improving Critical Infrastructure Cybersecurity has been circulated for comment. This draft revision (NIST_cybersecurity_framework-v1-1) refines, clarifies, and enhances Version 1.0, issued in February 2014. See copy of draft Framework for Improving Critical Infrastructure Cybersecurity Version 1.1
The EU has proposed a new regulation on cybersecurity.  While this regulation is not specific to the health sector, health is mentioned as critical infrastructure in the proposal. The proposal would provide a revised mandate, objectives, and tasks for ENISA, the “EU Cybersecurity Agency.”  The new tasks include: Facilitating the establishment and take-up of European...
The link provided is to the full text of the current Bill S.1656 in the US Congress titled “Medical Device Cybersecurity Act of 2017.” Note that bills may not pass into legislation or may be heavily modified prior to becoming law. S.1656
The FDA issued the final guidance entitled “Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Devices.” This guidance addresses medical devices that exchange information, whether wired, wireless, or through the internet. It covers unidirectional exchange, bidirectional exchange, and command and control. The guidance focuses on data exchange, not physical connection types. It includes a...
On August 29, 2017, the FDA issued “Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication.” The full document is at the link provided. Firmware Update to Address Cybersecurity Vulnerabilities in Abbott Pacemakers
UL 2900-1 Ed.1 2017 Standard for Software Cybersecurity Network-Connectable Products, Part 1: General Requirements was recognized by FDA on August 21, 2017. See at: FDA Modernization Act of 1997: Modifications to the List of Recognized Standards, Recognition List Number: 047.
A security company indicated the following: … many companies received emails from Amazon indicating that their AWS S3 bucket policies were left configured as “publicly accessible”. These publicly accessible policies leave potentially sensitive cloud data exposed to cybersecurity threats, and are likely not the intention of the Amazon customers. Amazon recommended that each “bucket” policy...
Here are some thoughts from a recent conversation between Sherman Eagles, Brian Pate, and Alan Kusinitz of SoftwareCPR®: Cybersecurity vulnerabilities can have unpredictable effects on safety.  Unpredictable effects … to those who have worked to reduce risks of software failures in medical device software, that phrase may be familiar.  That concept is explained in relation to...
Symantec Cybersecurity expert Axel Wirth provided an AAMI podcast presentation June 21, 2017 titled “Patch Management in Healthcare”.  The podcast is on the AAMI page at the link provided along with several other podcasts related to cybersecurity in the prior two episodes.
Cybersecurity firm Sophos published an article on Medical Device cybersecurity and David Overton of SoftwareCPR® suggested we post this as it may be of interest. David pointed out these statements: A significant percentage of medical devices are not secure. Most medical device manufacturers do not take serious steps to secure their devices for two reasons:...
FDA, together with the National Science Foundation (NSF) and the Department of Homeland Security Science and Technology, held a public workshop May 18-19, 2017. Results of this workshop, including webcasts of the sessions, are at the FDA website.
Public Workshop – Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis, May 18-19, 2017
FDA issued a final guidance entitled “Postmarket Management of Cybersecurity in Medical Devices”. FDA held a free webinar on this guidance on Jan. 12, 2017. Information and presentation materials are at the link provided. SoftwareCPR can provide expert cybersecurity consulting services for regulatory compliance and risk analysis, technical threat and vulnerability assessment, as well as for...
FDA issued a safety notice: Cybersecurity Vulnerabilities Identified in St. Jude Medical’s Implantable Cardiac Devices and Merlin@home Transmitter.

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and other staff for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that participants are able to make informed decisions in the future. The focus is not simply on what the standard says, but on what is meant; examples and approaches one might implement to comply are discussed. Special deep discount pricing is available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  TBD

Email training@softwarecpr.com to request a special pre-registration discount.  Limited number of pre-registration coupons.

Being Agile & Yet Compliant (Public or Private)

Our unique SoftwareCPR training course on incorporating agile and lean engineering into your medical device software process is now open for scheduling!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  • Frequent release management
  • And more!

2-days onsite (4 days virtual) with group exercises, quizzes, examples, Q&A.

Instructors: Mike Russell, Ron Baerg

Next public offering: March 7 & 28, 2024

Virtual via Zoom

Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD
