FDA Tightens Cybersecurity Requirements for Medical Devices

Good morning! I’m David, a Cybersecurity 202 researcher. I switched places with Tim today because he wanted to be called “Key Master.” I also hope he will stop calling me “little newsletter helper boy.” Send news tips and health advice to david.dimolfetta@washpost.com.


Below: Montana enacts a TikTok ban, and a fertility app settles with the FTC for allegedly sharing data with China-based companies. First:

FDA tightens requirements for medical devices as cyber threats increase

Medical devices still face serious cybersecurity threats, federal officials warned this week.

Brian Mazanec, the deputy director of the Department of Health’s Office of Preparedness, told a House committee that nearly every hospital the Department of Health has investigated was found to have some devices running end-of-life operating systems and software with known vulnerabilities.

Tighter laws for device manufacturers are now in force. President Biden signed the 2023 omnibus package late last year. Device makers are required to provide critical cybersecurity information to the Food and Drug Administration (FDA) before placing their devices on the market.

However, the FDA is not yet strictly enforcing the cybersecurity requirements for devices. The agency has decided not to outright reject new device applications yet. It is giving device sponsors until October to resolve deficiencies.

This demonstrates the regulator’s willingness to work with industry on the approval approach, a senior government official told The Cybersecurity 202, speaking candidly about the Biden administration’s efforts in this area on condition of anonymity.

  • The effort to seek increased device protection is part of a broader government effort to protect critical infrastructure such as pipelines and power grids, the official added.
  • “Looking at the ongoing ransomware attacks on hospitals, we see that many important companies have not implemented the basics of cybersecurity,” the official said, adding that attackers could compromise devices and medical systems.

The FDA defines a medical device as any instrument, machine, or implant designed to treat, prevent, or diagnose disease. They range from something as simple as an electronic thermometer to MRI machines and heart monitors.

The diversity of medical devices and their prevalence make them a unique area for cybersecurity.

Medical devices may face greater cyber threats as they become more complex, Jessica Wilkerson, senior cyber policy adviser and medical device cybersecurity team lead at the FDA’s Center for Devices and Radiological Health, told me. She cited a tongue depressor, a popsicle stick-like device that pushes the tongue down to examine the throat, as a basic example of a medical device without cyber concerns.

But it’s a different story when it comes to devices that deliver treatments to patients, she says. Doctors may remotely assess dosages, or devices may be connected to software running on another device or in the cloud. “This kind of remote capability creates the potential for that remote capability to be interrupted,” she said.

The connectivity and interoperability of medical devices in hospitals and other healthcare settings means that if one system goes down, another is likely to go down, said Michelle Jump, CEO of MedSec, a medical device cybersecurity solutions company.

  • The 2017 North Korea-linked WannaCry ransomware attack that affected NHS hospital operations in the UK was a wake-up call for the device industry, she said.
  • “Ransomware is a big problem that cripples hospitals once it gets into the system because everything is connected,” she said.

Additional authorities

The FDA previously issued guidance on pre- and post-marketing approval of devices. However, those guidelines were not legally binding. New language in the omnibus law writes the FDA’s requirements for medical device companies into law and grants the FDA $5 million to hire people to enforce these regulations.

The rule went into effect in late March, but federal officials say they won’t necessarily outright reject applications for new devices. Instead, they will work with the submission sponsor until October 1 to address any deficiencies.

  • It’s a massive effort between industry and regulators, and Wilkerson said the FDA is currently working on hiring and training new staff who will be able to review the cybersecurity information of medical devices. The agency is also working on developing programs that can respond to vulnerabilities in medical devices.
  • Comprehensive guidance on how to design and maintain medical device security features across the product lifecycle is expected to be released by the end of September, she added.
  • There was no public comment period for this rule as in the past. At least one industry group has expressed views on this guidance. As Politico reported in March, “The Medical Imaging Technology Alliance said it welcomed the FDA’s flexibility in implementing cybersecurity provisions.”

The revised regulations focus on having manufacturers demonstrate that they have plans to address cybersecurity vulnerabilities that surface after product release, such as sending patches to devices on a regular basis and being able to update devices for critical vulnerabilities as needed.

Manufacturers are also required to provide regulators with software bills of materials, which are akin to ingredient lists for the code, tools, processes and other components that make up their software. The rules also call for outside researchers to test devices for vulnerabilities and for any vulnerabilities found to be published.

“Based on what we have seen so far, we believe it would be in the interest of the industry as a whole to have these additional authorities to really highlight how important cybersecurity is to patient safety,” Wilkerson said.

As with any regulation, implementing these practices is also a challenge.

While the basic requirements for resilient medical devices can be easily outlined, “it really needs the industry to take the next step and design and implement these systems,” said Kevin Fu, professor of computer science at Northeastern University and first acting director of medical device cybersecurity for the FDA.

  • “The good news is that much of the science and engineering from cybersecurity and medical device design [device] But it’s not yet universal or even widely deployed,” he said.
  • For example, some devices have their original default passwords, making it easy for malicious hackers to break in.

Fu said the process of installing additional device protection features can be highly technical, and it’s not practical for the device’s end user to assume responsibility for them. Manufacturers may also struggle with the level of detail needed to prove their products are ready for market use, MedSec’s Jump said.

However, she views the situation with sympathy. “[The FDA] We’re trying to future-proof now, but that’s only natural,” she said. “If we remove these devices today, we know that some of them will be in use for the next 20 years.”

Fertility app settles sensitive data-sharing allegations with FTC, attorneys general

Easy Healthcare, owner of fertility app Premom, was sued by the Federal Trade Commission and three attorneys general for allegedly sharing sensitive user data without consent with two China-based companies. The case has been settled, our colleague Tatum Hunter reported.

The two China-based companies are known for “suspected privacy practices,” according to the Washington, D.C. Attorney General. Connecticut and Oregon attorneys general also worked with the FTC to reach a settlement. Easy Healthcare has agreed to stop sharing information.

The Supreme Court’s overturning of Roe v. Wade unleashed concerns over digital privacy and fertility apps.

  • This is the third time this year that the FTC has taken notable action against a digital health company for allegedly sharing user information.
  • A Washington Post study last year found privacy flaws in popular digital health apps.

Meta set to face biggest privacy fine in EU history

A record privacy fine is looming for Meta in the European Union, according to Bloomberg News’s Stephanie Bodoni.

“Ireland’s Data Protection Commission said the social network giant failed to heed a Supreme Court warning aimed at protecting against prying eyes of U.S. security services after user data was transmitted across the Atlantic to its servers. will be punished,” Bodoni wrote.

  • Bloomberg News reported that the fine would exceed the record fine of more than $800 million levied on Amazon in 2021. (Amazon founder Jeff Bezos is the owner of The Washington Post.)
  • The Bloomberg News article did not disclose the exact amount of the fine Meta is facing.

Meta has warned that a ban on data transfers to the US could lead to the suspension of Facebook services in Europe. Meta declined to comment to Bloomberg News.

Montana enacts first total ban on TikTok in the country

Montana Gov. Greg Gianforte (R) signed a full TikTok ban on Wednesday, making Montana the first state to ban it, as our colleague Erica Werner reported.

“Today, the state of Montana will take more decisive steps than any other state to protect the personal data and sensitive personal information of Montana residents from being collected by the Chinese Communist Party,” Gianforte said in a statement.

China-based ByteDance, the owner of TikTok, opposed the bill, as did the American Civil Liberties Union. ByteDance said it has never provided information on U.S. citizens to the Chinese government. Both the ACLU and TikTok say the ban raises concerns about free speech. Legal challenges are expected.

  • Some U.S. states, the Department of Defense, and other countries have banned TikTok on government devices, and in some cases on all devices used by employees. Montana was already among them.
  • The ban, signed by Gianforte on Wednesday, fines TikTok and the app store $10,000 for making TikTok available in Montana.
  • Montana’s ban is set to go into effect on January 1, provided the courts don’t block it.

“This law will almost certainly be revoked as unconstitutional because Montana cannot demonstrate that the ban is necessary or aligned with legitimate interests,” said Jameel Jaffer, executive director of the Knight First Amendment Institute at Columbia University.

Neuberger Tasks Communications Security Commission to Make Recommendations on Impact of Risk-Buy Incentives (Inside Cybersecurity)

Homeland Security Uses AI Tools to Analyze Social Media of US Citizens and Refugees (Motherboard)

Congress seeks to expand CISA’s role, adding responsibility for satellites and open source software (CyberScoop)

House Hearing Details Energy, Water, Healthcare Cyber Resilience Efforts (Cybersecurity Dive)

NSTAC Officials Opinion on Upcoming Labeling Program for Internet of Things Devices (Inside Cybersecurity)

Cybersecurity leaders suffer burnout as job pressure mounts (Wall Street Journal)

Leak suspect shared secrets with foreigners, prosecutors say (Devlin Barrett)

Zoom executives knew key elements of plan to censor Chinese activists (CyberScoop)

Less reason to blame Clinton in Russia probe (Philip Bump)

FBI: Investigators who were to testify about abuse allegations had their permission revoked over safety concerns (Jacqueline Alemany)

Russian scientist, expert in hypersonic technology, arrested for treason (Francesca Eber)

French Supreme Court upholds AI-equipped surveillance cameras for Paris Olympics (Politico Europe)

Russian Computers Hacked Subway System Amid Security Concerns, Report Says (by Justin George and Ian Duncan)

Philadelphia Inquirer hit by apparent cyberattack during election coverage (Kailh Melnick, Adela Suliman, Kim Belware)

Congressional employee arrested for violating transportation benefit program (The Hill)

Researchers Infiltrate Qilin Ransomware Group, Discover High Affiliate Payments (The Record)

  • The Center for Strategic and International Studies holds a report release event on cyber operations at 10 a.m.

Thank you for reading. See you tomorrow.
