Tag

cybersecurity
URGENT/11 Cybersecurity Vulnerabilities in a Widely-Used Third-Party Software Component May Introduce Risks During Use of Certain Medical Devices The U.S. Food and Drug Administration (FDA) is informing patients, health care providers and facility staff, and manufacturers about cybersecurity vulnerabilities that may introduce risks for certain medical devices and hospital networks. The FDA is not aware...
Today, the German Federal Institute for Drugs and Medical Devices (BfArM) identified critical vulnerabilities in the Wind River VxWorks real-time operating system. Affected versions of VxWorks are: VxWorks 6.5 to 6.9 (End-of-Life) VxWorks 7 (SR540 and SR610) VxWorks 653 MCE 3.x (may be affected) They pointed out that VxWorks is used in many medical devices....
Cybersecurity issues arise when medical devices are capable of connecting to the Internet or other medical devices. Since the FDA is concerned with regulating the safety and effectiveness of medical devices, manufacturers must ensure that the computer systems of medical devices are protected against security breaches. The link below provides the FDA Fact Sheet entitled,...
Health Canada released the full guidance document, Pre-market Requirements for Medical Device Cybersecurity. It can be viewed at:  https://www.canada.ca/en/health-canada/services/drugs-health-products/medical-devices/application-information/guidance-documents/cybersecurity.htm It includes requirements such as: “Risk management is required for all medical devices throughout their life-cycle. Manufacturers should incorporate cybersecurity into the risk management process for every device that consists of or contains software. Manufacturers are...
Patient Engagement Advisory Committee Meeting to Discuss Cybersecurity – September 10, 2019 On September 10, 2019 the FDA will hold a meeting of the Patient Engagement Advisory Committee. The committee provides advice to the FDA on complex issues relating to medical devices, the regulation of devices, and their use by patients. During the meeting the...
The FDA is warning patients and health care providers that certain Medtronic MiniMed™ insulin pumps have potential cybersecurity risks. Patients with diabetes using these models should switch their insulin pump to models that are better equipped to protect against these potential risks.
A 2015 article providing a review of the factors that contribute to a potentially insecure environment, together with the identification of the vulnerabilities, and why these vulnerabilities persist and what the solution space should look like.
Company: Draeger Medical Systems, Inc. Date of Enforcement Report: 4/13/2019 Class II: PRODUCT Infinity Delta Family patient monitors The Infinity Delta Series (Delta/Delta XL/Kappa) monitors are intended to be used on adult, pediatric, and neonatal populations, with the exception of the parameters Cardiac Output, ST Segment Analysis, and arrhythmia, which are intended for use in...
Today, the U.S. Food and Drug Administration (FDA) issued a safety communication to alert health care providers and patients about cybersecurity vulnerabilities identified in a wireless telemetry technology used for communication between Medtronic’s implantable cardiac devices, clinic programmers, and home monitors. The wireless telemetry protocol has cybersecurity vulnerabilities because it does not use encryption, authentication,...
Certainly everyone with any connection to information technology and networked devices is concerned with cybersecurity. However, often we just miss the basics – we do not practice good cyber hygiene. While not intended to be comprehensive or state-of-the-art, here are some security basics (or as some call it, “cyber hygiene”) that one should consider when developing...
October is National Cybersecurity Month; for more information from FDA click the link.
A draft of a new revision of the NIST Framework for Improving Critical Infrastructure Cybersecurity has been circulated for comment.  This draft (NIST_cybersecurity_framework-v1-1) revision refines, clarifies, and enhances Version 1.0 issued in February 2014.  This is a draft for comment. See copy of draft NIST Cybersecurity Framework v1-1
The EU has proposed a new regulation on cybersecurity.  While this regulation is not specific to the health sector, health is mentioned as critical infrastructure in the proposal. The proposal would provide a revised mandate, objectives, and tasks for ENISA, the “EU Cybersecurity Agency.”  The new tasks include: Facilitating the establishment and take-up of European...
The link provided is to the full text of the current Bill S.1656 in the US Congress titled “Medical Device Cybersecurity Act of 2017.” Note that bills may not pass into legislation or may be heavily modified prior to becoming law. S.1656
The FDA issued the final guidance entitled “Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Devices.” This guidance addresses medical devices that exchange information; whether wired or wireless, or through the internet. It includes unidirectional exchange, bidirectional, or command and control. The guidance focuses on data exchange not physical connection types. It includes a...
On August 29, 2017, the FDA issued “Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication.” The full document is at the link provided. Firmware Update to Address Cybersecurity Vulnerabilities in Abbott Pacemakers
UL 2900-1 Ed.1 2017 Standard for Software Cybersecurity Network-Connectable Products, Part 1: General Requirements was recognized by FDA on August 21, 2017. See at: FDA Modernization Act of 1997: Modifications to the List of Recognized Standards, Recognition List Number: 047.
A security company indicated the following: … many companies received emails from Amazon indicating that their AWS S3 bucket policies were left configured as “publicly accessible”. These publicly accessible policies leave potentially sensitive cloud data exposed to cybersecurity threats, and likely are not the intention of the Amazon customers. Amazon recommended that each “bucket” policy...
Here are some thoughts from a recent conversation between Sherman Eagles, Brian Pate, and Alan Kusinitz of SoftwareCPR®: Cybersecurity vulnerabilities can have unpredictable effects on safety.  Unpredictable effects … to those who have worked to reduce risks of software failures in medical device software, that phrase may be familiar.  That concept is explained in relation to...
Symantec cybersecurity expert Axel Wirth provided an AAMI podcast presentation on June 21, 2017 titled “Patch Management in Healthcare”. The podcast is on the AAMI page at the link provided, along with several other podcasts related to cybersecurity in the prior two episodes.
Cybersecurity firm Sophos published an article on Medical Device cybersecurity and David Overton of SoftwareCPR® suggested we post this as it may be of interest. David pointed out these statements: A significant percentage of medical devices are not secure. Most medical device manufacturers do not take serious steps to secure their devices for two reasons:...
FDA, together with the National Science Foundation (NSF) and the Department of Homeland Security Science and Technology Directorate, held a public workshop May 18-19, 2017. Results of this workshop, including webcasts of the sessions, are at the FDA website. Public Workshop – Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis, May 18-19, 2017
FDA issued a final guidance entitled “Postmarket Management of Cybersecurity in Medical Devices”. FDA held a free webinar on this guidance on Jan. 12, 2017. Information and presentation materials are at the link provided. SoftwareCPR can provide expert cybersecurity consulting services for regulatory compliance and risk analysis, technical threat and vulnerability assessment, as well as for...
FDA issued a safety notice: Cybersecurity Vulnerabilities Identified in St. Jude Medical’s Implantable Cardiac Devices and Merlin@home Transmitter.
AAMI TIR 57 on medical device cybersecurity risk management will be published in 2016. Status: The TIR was recognized by the FDA before it was even made available for purchase by AAMI. The TIR is now available for purchase from AAMI.
National Law Review discusses a case before the EU Court of Justice to decide if medical software that provides support to healthcare professionals in prescribing medicinal products should be considered a medical device. The manufacturer prefers it to be considered a medical device to avoid more onerous requirements if it is not treated that way.
Sherman Eagles of SoftwareCPR® recently coauthored an article published by AAMI in the Jan/Feb 2016 BIT Journal entitled “Cybersecurity for Medical Device Manufacturers: Ensuring Safety and Functionality.”  You can read the article at this link: 2016 Jan-Feb BIT Cybersecurity Sherman is well known as an expert in medical device standards and has been involved in many...
On March 29, 2016, the US Department of Homeland Security issued an Advisory regarding the Carefusion Pyxis SupplyStation System vulnerabilities, which would only require an attacker with low skills. Specific mitigations listed in the Advisory include: Isolate affected products from the Internet and untrusted systems; however, if additional connectivity is required, use a VPN solution....
The Final Draft International Standard was approved at the end of 2015 and will be submitted for publication. The standard is expected to be published by the end of March 2016.  A three year transition period has been proposed.
NOTE: This is for historical reference, as a final guidance was issued Sept 2017 and is posted separately. FDA issued a new draft guidance entitled “Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Devices”. This guidance addresses medical devices that exchange information, whether wired or wireless, including through the internet. It includes unidirectional...
FDA held a two-day public cybersecurity workshop Jan 20-21, 2016. See the output, including links to the webcasts, from the workshop sessions.
Note: This draft is OBSOLETE and is included for historical reference only. Look for the final draft elsewhere on this site. To view the guidance click this link: 2016-01-FDA Post market Cybersecurity draft guidance This guidance references a number of Presidential Executive Orders related to critical infrastructure and cybersecurity as a driving force for FDA’s increased oversight...
FDA held a public workshop, “Collaborative Approaches for Medical Device and Healthcare Cybersecurity,” October 21-22, 2014, in partnership with the Department of Homeland Security. The program book issued by FDA after the workshop was held is at the link provided. It contains information on the sessions, objectives, and speaker biographies. Sherman Eagles of SoftwareCPR® was...
The U.S. FBI issued a Public Service Announcement on the Internet of Things that includes, “Criminals can also gain access to unprotected devices used in home health care, such as those used to collect and transmit personal monitoring data or time-dispense medicines. Once criminals have breached such devices, they have access to any personal or...
FDA maintains a webpage for its educational modules referred to as “CDRH Learn.”  Specialty Technical Topics provides a list with a section for IT and Software that includes three modules on Digital Health, Cybersecurity information in premarket submissions, and CDRH regulated software.
FDA issued a safety communication to health care facilities using the Hospira Symbiq Infusion System regarding cybersecurity vulnerabilities. FDA is advising facilities to seek alternative infusion systems. In the interim, it is recommended the systems be disconnected from networks and maintain the drug libraries by updating manually along with other recommendations. An article regarding the...
The National Institute of Standards and Technology issued Version 1 of its framework for improving cybersecurity for critical infrastructure, including health care. The full press release is at the link provided.
FDA issued a Medwatch alert for infusion pumps May 13, 2015, regarding security vulnerabilities in Hospira’s LifeCare PCA3 and PCA5 Infusion Pump Systems. A researcher has shown that exploiting the vulnerabilities could allow an unauthorized user to remotely modify the dosage delivered. Homeland Security was previously working with Hospira about this vulnerability (we reported on...
Hospira Lifecare PCA infusion pump running “SW ver 412” does not require authentication for Telnet sessions, which allows remote attackers to gain root privileges via TCP port 23.  The U.S. Department of Homeland Security has been working with Hospira to get this resolved and Hospira will be performing a recall to correct this.
The U.S. National Institute of Standards and Technology issued a document entitled “Framework for Improving Critical Infrastructure Cybersecurity” dated February 12, 2014. This document is now being used by FDA as a reference in its cybersecurity program.
Sherman Eagles of SoftwareCPR® provides the following summary of some key points from FDA’s webinar on their premarket cybersecurity guidance on October 29. In the webinar FDA noted that the Instructions for Use should include what cybersecurity controls are needed in the use environment, but stated that it is not sufficient for a device to...
The FDA held a two-day public workshop on Collaborative Approaches for Medical Device and Healthcare Cybersecurity on October 21-22. Documentation on the workshop, including the video recording of the workshop, can be found at: http://www.fda.gov/MedicalDevices/NewsEvents/WorkshopsConferences/ucm412979.htm.
Brian Pate of SoftwareCPR® writes: In May 2014, FDA offered further guidance to manufacturers regarding premarket submission information identifying cyber-security risks and hazards associated with their medical devices, and the responsibility for engineering appropriate risk controls to address patient safety and assure proper device performance. FDA encouraged manufacturers to report any cyber-security incidents that may...
In a new draft guidance (for electrosurgical devices; but in our opinion representative of information needed for other devices) FDA stated that cybersecurity information including but not limited to the following should be provided: Confidentiality assures that no unauthorized users have access to the information. Integrity is the assurance that the information is correct –...
NIST received comments on the Preliminary Cybersecurity Framework for improving critical infrastructure cybersecurity and is updating the framework. They have announced that the final version (Version 1.0) will be released on February 13. When it is released, the Final Framework will be posted at NIST.
FDA’s Device Center added a dedicated webpage on Cybersecurity for medical devices in its connected health section.
NIST was directed to prepare a cybersecurity framework for critical infrastructure in Presidential Executive Order 13636. Healthcare was identified as one of the areas with critical infrastructure. This draft for comment is only an outline of the framework. NIST_draft_outline_cybersecurity_framework
ICS-CERT is issuing this alert to provide early notice of a report of a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors. The document can be viewed at the following link: ICS-CERT_alert_med_dev
An article on the QMED website reporting on hacking of Medtronic Infusion pumps using remote wireless capability that could allow patient harm.
On February 20, 2003, a final security rule 45 CFR Part 142 was issued. Subsequently HHS issued a series of educational documents regarding various aspects of the rule including administrative controls, physical controls, technical safeguards, risk management and others.  