Posts

Week Ten

Hello! Welcome to this week's Ryan Report. Today, I will discuss the recently passed cybersecurity law in California regulating Internet of Things (IoT) devices. In the security community IoT has been a significant cybersecurity concern for a long time. The explosion of network-connected devices has posed cybersecurity risk because of the frequent lack of security capabilities. There have been large scale distributed denial of service attacks carried out by botnets of IoT devices. These types of attacks on and using IoT devices are possible because of vulnerabilities like weak or hard-coded passwords. California is hoping to address the cybersecurity vulnerabilities that IoT devices introduce by enacting this legislation, which goes into effect January 1, 2020. It applies to manufacturers of connected devices sold or offered for sale in California, and requires them to equip such devices with reasonable security features that are appropriate to the nature and function of such...

Week Nine

Hello! Welcome to this week's Ryan Report. Today, I will discuss Dave Muoio's article on securing legacy medical devices. As he states in the title, securing the current install base (AKA legacy) of medical devices at a healthcare delivery organization is a daunting but not optional challenge. New devices hitting the market are generally "better" at security than devices that have been around for years. Some healthcare devices such as imaging systems are run-to-fail and have been in use at a hospital for perhaps 20 years or longer. These systems were not designed for the modern cybersecurity threat landscape and present vulnerabilities that healthcare organizations must manage. Muoio interviewed several industry experts on this topic, and there was a consensus on how to start managing the risks that legacy medical devices pose: identification of network-connected medical devices. This seems obvious, but is a challenge that every healthcare organization faces. Mo...

Week Eight

Hello! Welcome to this week's Ryan Report. Today, I will profile the FDA press release on their new draft guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. This is an update to the FDA's 2014 premarket guidance, which provides recommendations to industry on cybersecurity considerations for device design, labeling and documentation that the FDA recommends to be included in premarket submissions for medical devices with cybersecurity risk. The guidance is meant for manufacturers in order to facilitate an efficient premarket review process and help ensure that medical devices are designed to sufficiently address cybersecurity threats before the devices are on the market. New recommendations include a cybersecurity bill of materials and the introduction of two tiers of devices: those that present high and standard cybersecurity risk. The bill of materials concept is one that is familiar in other industries, and its purpose is to hel...

Week Seven

Hello! Welcome to this week's Ryan Report. Today, I will discuss the safety alert released this week by the FDA for Medtronic implantable cardiac device programmers. Interestingly, this is only the thirteenth safety alert issued by the FDA in 2018 for medical devices, and the first as a result of cybersecurity considerations. The relative lack of cybersecurity capabilities of medical devices is well known in the healthcare security community, but perhaps this is the first instance of the year in which cyber vulnerabilities pose a realistic patient safety risk. The Medtronic programmers are used during implantation and regular follow-up visits for Medtronic implantable electrophysiology devices (CIEDs). CIEDs include pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors. Physicians use the programmers to obtain device performance data, check battery status, and adjust device settings. Updates for the programmer are downloaded...

Week Six

Hello! Welcome to this week's Ryan Report. Today, I will discuss the press release from the FDA describing the agency's efforts to strengthen their medical device cybersecurity program. Scott Gottlieb, the FDA commissioner, begins the statement with the sobering and very true proclamation that cyber threats pose a realistic danger to medical devices. The agency isn't aware of any attacks directly affecting a patient-connected medical device, but the risk is certainly there. Gottlieb announces the launch of a cybersecurity playbook for healthcare delivery organizations (HDOs, i.e. hospitals) that is focused on promoting cybersecurity readiness. Also, he announces the signing of two memoranda of understanding that provide for increased information sharing. Both the playbook and MOU are significant advancements to improve the cybersecurity of medical devices. HDOs have in recent years sought guidance from the FDA regarding the agency's position on securing computeri...

Week Five

Hello! Welcome to this week's Ryan Report. Today, I will profile and discuss NIST's newly-released internal report: Considerations for Managing IoT Cybersecurity and Privacy Risks. IoT devices are becoming more and more common in today's world as networking and computing technology has evolved and become more powerful and affordable. It is quite simple to embed a computer in nearly everything and there are certainly benefits to doing so. The data collected from these devices can be very valuable. However, these devices are frequently not designed with security in mind. The NIST report seeks to describe these security and privacy considerations in more detail. NIST documentation is aimed at US federal agencies, but their standards and other documentation can be adapted and applied to nearly every sector and private organization. This particular report is an initial draft, and NIST is actively seeking feedback. Further, they state that this is the introductory document t...

Week Four

Hello! Welcome to this week's Ryan Report. Today, I will profile Stephanie Domas' piece that discusses cybersecurity patches for medical devices. Domas describes a well-known concept in the security and information technology industry: applying updates and patches. However, there are significant differences between applying patches to a traditional IT system and a medical device that is providing life-sustaining care to an individual. Namely, there aren't literally lives on the line when applying patches to a Windows server. Medical device updates are applied either by a healthcare clinical engineer or clinical security team, or by the patient themselves. Domas talks about Class II versus Class III medical devices, and suggests that the higher-risk Class III device patches should only be applied by a professional. This leads into her next point, the cost associated with updating medical devices. To date, there isn't a medical billing code for "cybersecurity...