Tag: cybersecurity
A 2015 article reviewing the factors that contribute to a potentially insecure environment, identifying the vulnerabilities, explaining why those vulnerabilities persist, and describing what the solution space should look like.
Today, the U.S. Food and Drug Administration (FDA) issued a safety communication to alert health care providers and patients about cybersecurity vulnerabilities identified in a wireless telemetry technology used for communication between Medtronic’s implantable cardiac devices, clinic programmers, and home monitors. The wireless telemetry protocol has cybersecurity vulnerabilities because it does not use encryption, authentication,...
Certainly everyone with any connection to information technology and networked devices is concerned with cybersecurity. However, we often miss the basics: we do not practice good cyber hygiene. While not intended to be comprehensive or state-of-the-art, here are some security basics (or, as some call it, “cyber hygiene”) that one should consider when developing...
October is National Cybersecurity Awareness Month; for more information from FDA, see the link provided.
A draft revision of the NIST Framework for Improving Critical Infrastructure Cybersecurity has been circulated for comment. This draft (NIST_cybersecurity_framework-v1-1) refines, clarifies, and enhances Version 1.0, issued in February 2014. See copy of the draft: NIST Cybersecurity Framework v1-1
The EU has proposed a new regulation on cybersecurity. While the regulation is not specific to the health sector, health is listed as critical infrastructure in the proposal. The proposal would give a revised mandate, objectives, and tasks to ENISA, the “EU Cybersecurity Agency.” The new tasks include: Facilitating the establishment and take-up of European...
The link provided is to the full text of the current Bill S.1656 in the US Congress titled “Medical Device Cybersecurity Act of 2017.” Note that bills may not pass into legislation or may be heavily modified prior to becoming law. S.1656
The FDA issued the final guidance entitled “Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Devices.” This guidance addresses medical devices that exchange information, whether wired, wireless, or through the internet. It covers unidirectional exchange, bidirectional exchange, and command and control. The guidance focuses on data exchange, not physical connection types. It includes a...
On August 29, 2017, the FDA issued “Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication.” The full document is at the link provided. Firmware Update to Address Cybersecurity Vulnerabilities in Abbott Pacemakers
UL 2900-1 Ed. 1 (2017), Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, was recognized by FDA on August 21, 2017. See: FDA Modernization Act of 1997: Modifications to the List of Recognized Standards, Recognition List Number: 047.
A security company indicated the following: … many companies received emails from Amazon indicating that their AWS S3 bucket policies were left configured as “publicly accessible”. Such publicly accessible policies leave potentially sensitive cloud data exposed to cybersecurity threats, and are likely not what the Amazon customers intended. Amazon recommended that each “bucket” policy...
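As an added example (not code from the original post, the security company, or Amazon), the script below shows what a review of a bucket policy for the condition Amazon warned about looks like in practice: it parses an S3 bucket policy document and flags every Allow statement whose Principal is a wildcard (`"*"` or `{"AWS": "*"}`), which is what makes a bucket “publicly accessible”. Both policies, the bucket name and the IAM role ARN are constructed for illustration; the second policy is the hardened form of the first, granting read access to one named role and denying plaintext HTTP with a Deny statement that deliberately also uses Principal `"*"`, so the check must look at Effect and not at the principal alone.

```python
import json
import sys

# Constructed sample policies for illustration only (not from any real bucket).
# Weak form: the kind of policy that triggered Amazon's "publicly accessible" emails.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
})

# Hardened form: one named IAM role (hypothetical ARN) may read objects, and a
# Deny rejects requests that arrive over plaintext HTTP. The Deny has a wildcard
# principal on purpose: it restricts access and must not be reported as public.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """Policy JSON lets most fields be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone, including anonymous callers)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_grants(policy):
    """Return (Sid, verdict) for each Allow statement with a wildcard principal.

    An unconditioned wildcard Allow is public by definition. A conditioned one may
    be scoped (for example to a VPC endpoint or source IP range) and needs human
    review, so it is reported as "review-conditioned" rather than silently passed.
    Deny statements are skipped: a Deny with Principal "*" narrows access.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for n, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{n}]")
        verdict = "review-conditioned" if stmt.get("Condition") else "public"
        findings.append((sid, verdict))
    return findings


def is_public(policy):
    """True when any Allow statement grants unconditioned access to everyone."""
    return any(verdict == "public" for _, verdict in find_public_grants(policy))


if __name__ == "__main__":
    # Read a policy document from the file named on the command line, or fall
    # back to the constructed public sample. Exit status 1 means "public".
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PUBLIC_READ_POLICY
    for sid, verdict in find_public_grants(text):
        print(f"{verdict}: {sid}")
    sys.exit(1 if is_public(text) else 0)
```

To run it against a real bucket, export the policy first with the AWS CLI (`aws s3api get-bucket-policy --bucket NAME --query Policy --output text > policy.json`) and pass the file to the script; a non-zero exit makes it usable as a gate in a deployment pipeline. Note that a bucket policy is only one of the ways a bucket becomes public: legacy bucket ACLs such as `public-read` have to be reviewed separately, and AWS has since added an account- and bucket-level “Block Public Access” setting that overrides both.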
Here are some thoughts from a recent conversation between Sherman Eagles, Brian Pate, and Alan Kusinitz of SoftwareCPR®: Cybersecurity vulnerabilities can have unpredictable effects on safety.  Unpredictable effects … to those who have worked to reduce risks of software failures in medical device software, that phrase may be familiar.  That concept is explained in relation to...
Symantec cybersecurity expert Axel Wirth gave an AAMI podcast presentation on June 21, 2017, titled “Patch Management in Healthcare”. The podcast is on the AAMI page at the link provided, along with the two prior episodes, which also relate to cybersecurity.
Cybersecurity firm Sophos published an article on medical device cybersecurity, and David Overton of SoftwareCPR® suggested we post it as it may be of interest. David pointed out these statements: A significant percentage of medical devices are not secure. Most medical device manufacturers do not take serious steps to secure their devices for two reasons:...
FDA, together with the National Science Foundation (NSF) and the Department of Homeland Security Science and Technology Directorate, held a public workshop May 18-19, 2017. Results of this workshop, including webcasts of the sessions, are at the FDA website: Public Workshop – Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis, May 18-19, 2017
FDA issued a final guidance entitled “Postmarket Management of Cybersecurity in Medical Devices”. FDA held a free webinar on this guidance on Jan. 12, 2017. Information and presentation materials are at the link provided. SoftwareCPR can provide expert cybersecurity consulting services for regulatory compliance and risk analysis, technical threat and vulnerability assessment, as well as for...
FDA issued a safety notice: Cybersecurity Vulnerabilities Identified in St. Jude Medical’s Implantable Cardiac Devices and Merlin@home Transmitter.
AAMI TIR 57 on medical device cybersecurity risk management will be published in 2016. Status: the TIR was recognized by FDA before it was even made available for purchase by AAMI. The TIR is now available for purchase from AAMI.
National Law Review discusses a case before the EU Court of Justice to decide whether medical software that supports healthcare professionals in prescribing medicinal products should be considered a medical device. The manufacturer prefers that it be considered a medical device, to avoid the more onerous requirements that apply if it is not.
Sherman Eagles of SoftwareCPR® recently coauthored an article published by AAMI in the Jan/Feb 2016 issue of BI&T (Biomedical Instrumentation & Technology) entitled “Cybersecurity for Medical Device Manufacturers: Ensuring Safety and Functionality.” You can read the article at this link: 2016 Jan-Feb BIT Cybersecurity. Sherman is well known as an expert in medical device standards and has been involved in many...
On March 29, 2016, the US Department of Homeland Security issued an Advisory regarding CareFusion Pyxis SupplyStation System vulnerabilities that an attacker with low skill could exploit. Specific mitigations listed in the Advisory include: isolate affected products from the Internet and untrusted systems; however, if additional connectivity is required, use a VPN solution....
The Final Draft International Standard was approved at the end of 2015 and will be submitted for publication. The standard is expected to be published by the end of March 2016. A three-year transition period has been proposed.
NOTE: This is for historical reference only; a final guidance was issued in September 2017 and is posted separately. FDA issued a new draft guidance entitled “Design Considerations and Premarket Submission Recommendations for Interoperable Medical Devices”. This guidance addresses medical devices that exchange information, whether wired or wireless, including through the internet. It includes unidirectional...
FDA held a two-day public cybersecurity workshop on Jan 20-21, 2016. See the output from the workshop sessions, including links to the webcasts.
Note: This draft is OBSOLETE and is included for historical reference only. Look for the final guidance elsewhere on this site. To view the draft guidance click this link: 2016-01-FDA Post market Cybersecurity draft guidance. This guidance references a number of Presidential Executive Orders related to critical infrastructure and cybersecurity as a driving force for FDA’s increased oversight...
FDA held a public workshop, “Collaborative Approaches for Medical Device and Healthcare Cybersecurity,” October 21-22, 2014, in partnership with the Department of Homeland Security. The program book that FDA issued after the workshop is at the link provided. It contains information on the sessions, objectives, and speaker biographies. Sherman Eagles of SoftwareCPR® was...
The U.S. FBI issued a Public Service Announcement on the Internet of Things that includes, “Criminals can also gain access to unprotected devices used in home health care, such as those used to collect and transmit personal monitoring data or time-dispense medicines. Once criminals have breached such devices, they have access to any personal or...
FDA maintains a webpage for its educational modules, referred to as “CDRH Learn.” The Specialty Technical Topics list includes an IT and Software section with three modules, on Digital Health, cybersecurity information in premarket submissions, and CDRH-regulated software.
FDA issued a safety communication to health care facilities using the Hospira Symbiq Infusion System regarding cybersecurity vulnerabilities. FDA is advising facilities to seek alternative infusion systems. In the interim, FDA recommends that the systems be disconnected from networks and that drug libraries be maintained by manual updates, among other recommendations. An article regarding the...
The National Institute of Standards and Technology (NIST) issued Version 1.0 of its Framework for Improving Critical Infrastructure Cybersecurity, which covers critical infrastructure sectors including health care. The full press release is at the link provided.
FDA issued a MedWatch alert for infusion pumps on May 13, 2015, regarding security vulnerabilities in Hospira’s LifeCare PCA3 and PCA5 Infusion Pump Systems. A researcher has shown that exploiting the vulnerabilities could allow an unauthorized user to remotely modify the dosage delivered. Homeland Security was previously working with Hospira on this vulnerability (we reported on...
The Hospira LifeCare PCA infusion pump running “SW ver 412” does not require authentication for Telnet sessions, which allows remote attackers to gain root privileges via TCP port 23. The U.S. Department of Homeland Security has been working with Hospira to get this resolved, and Hospira will be performing a recall to correct it.
The U.S. National Institute of Standards and Technology issued a document entitled “Framework for Improving Critical Infrastructure Cybersecurity,” dated February 12, 2014. This document is now used by FDA as a reference in its cybersecurity program.
Sherman Eagles of SoftwareCPR® provides the following summary of some key points from FDA’s October 29 webinar on its premarket cybersecurity guidance. In the webinar FDA noted that the Instructions for Use should include what cybersecurity controls are needed in the use environment, but stated that it is not sufficient for a device to...
The FDA held a two-day public workshop on Collaborative Approaches for Medical Device and Healthcare Cybersecurity on October 21-22. Documentation on the workshop, including the video recording, can be found at: http://www.fda.gov/MedicalDevices/NewsEvents/WorkshopsConferences/ucm412979.htm.
Brian Pate of SoftwareCPR® writes: In May 2014, FDA offered further guidance to manufacturers regarding premarket submission information identifying cyber-security risks and hazards associated with their medical devices, and the responsibility for engineering appropriate risk controls to address patient safety and assure proper device performance. FDA encouraged manufacturers to report any cyber-security incidents that may...
In a new draft guidance (for electrosurgical devices, but in our opinion representative of the information needed for other devices), FDA stated that cybersecurity information including, but not limited to, the following should be provided: Confidentiality assures that no unauthorized users have access to the information. Integrity is the assurance that the information is correct –...
NIST received comments on the Preliminary Cybersecurity Framework for improving critical infrastructure cybersecurity and is updating the framework. It has announced that the final version (Version 1.0) will be released on February 13. When released, the final Framework will be posted at NIST.
FDA’s Device Center added a dedicated webpage on Cybersecurity for medical devices in its connected health section.
NIST was directed to prepare a cybersecurity framework for critical infrastructure by Presidential Executive Order 13636, which identified healthcare as one of the critical infrastructure sectors. This draft for comment is only an outline of the framework: NIST_draft_outline_cybersecurity_framework
ICS-CERT is issuing this alert to provide early notice of a report of a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors. The document can be viewed at the following link: ICS-CERT_alert_med_dev
An article on the QMED website reporting on the hacking of Medtronic infusion pumps via their remote wireless capability, which could allow patient harm.
On February 20, 2003, the final HIPAA Security Rule (45 CFR Parts 160, 162, and 164) was issued. HHS subsequently issued a series of educational documents on various aspects of the rule, including administrative safeguards, physical safeguards, technical safeguards, risk management, and others.
The US Department of Homeland Security (DHS) released software security information via a webpage, initiatives, and various documents. Some of this information (such as the paper on Security in a Software Lifecycle) may aid medical device IT and device software developers in designing in appropriate security and privacy measures to ensure...
At a one-day current regulatory topics session held by ASQ in Needham, MA, on June 16, 2005, Alan Kusinitz, Managing Partner of SoftwareCPR®, gave a presentation on the recent FDA Cybersecurity Guidance and the new revised FDA “Guidance...
We hope you find this Regulatory Roadmap on HIPAA Privacy and Security useful.
On February 20, 2003, the final HIPAA Security Rule (45 CFR Parts 160, 162, and 164) was issued. A copy is at this link: HIPAA Final Security Rule 2003-02. Medical device manufacturers that produce devices that maintain patient data should be aware of HIPAA privacy and security requirements, to assure that appropriate features are incorporated in their devices to...
On August 14, 2002, the HIPAA final Privacy Rule (45 CFR Parts 160 and 164) was modified to respond to comments and to reduce the administrative burden of the rule. A copy of the modified rule can be viewed here: HIPAA Modified Final Privacy Rule 2002-08. Medical device manufacturers that produce devices that maintain patient...
A NEMA presentation on HIPAA medical device issues is available here: NEMA HIPAA Med Dev Issues Presentation. SoftwareCPR® provides on-site and web-based training in HIPAA privacy and security regulations, in addition to other regulatory consulting services. SoftwareCPR® also provides a HIPAA Roadmap with links to relevant educational documents to paid subscribers (see Post HIPAA Privacy and...
A NEMA paper on HIPAA medical device remote service issues is available here: NEMA HIPAA Med Dev Remote Services Paper. SoftwareCPR® provides on-site and web-based training in HIPAA privacy and security regulations, in addition to other regulatory consulting services. SoftwareCPR® also provides a HIPAA Roadmap with links to relevant educational documents to paid subscribers (see...