Posts

Showing posts from September, 2018

Week Five

Hello! Welcome to this week's Ryan Report. Today, I will profile and discuss NIST's newly-released internal report: Considerations for Managing IoT Cybersecurity and Privacy Risks. IoT devices are becoming more and more common in today's world as networking and computing technology has evolved and become more powerful and affordable. It is quite simple to embed a computer in nearly everything, and there are certainly benefits to doing so. The data collected from these devices can be very valuable. However, these devices are frequently not designed with security in mind. The NIST report seeks to describe these security and privacy considerations in more detail. NIST documentation is aimed at US federal agencies, but its standards and other documentation can be adapted and applied to nearly every sector and private organization. This particular report is an initial draft, and NIST is actively seeking feedback. Further, they state that this is the introductory document t...

Week Four

Hello! Welcome to this week's Ryan Report. Today, I will profile Stephanie Domas' piece that discusses cybersecurity patches for medical devices. Domas describes a well-known concept in the security and information technology industry: applying updates and patches. However, there are significant differences between applying patches to a traditional IT system and to a medical device that is providing life-sustaining care to an individual. Namely, there aren't literally lives on the line when applying patches to a Windows server. Medical device updates are applied either by a healthcare clinical engineer or clinical security team, or by the patient themselves. Domas talks about Class II versus Class III medical devices, and suggests that the higher-risk Class III device patches should only be applied by a professional. This leads into her next point, the cost associated with updating medical devices. To date, there isn't a medical billing code for "cybersecurity...

Week Three

Hello! Welcome to this week's Ryan Report. Today, I will review the key points of the just-released OIG report on FDA's approach to medical device premarket cybersecurity evaluations. FDA is the US federal agency tasked with regulating medical devices. As part of the clearance or approval process for a device, FDA may consider the cybersecurity risks and controls in its assessment of a device's safety and effectiveness. In 2014, FDA released its premarket submissions guide for management of cybersecurity in medical devices. This guide is intended for medical device manufacturers (MDMs), and describes the information MDMs should provide to FDA during the premarket submission process. To evaluate the effectiveness of the process four years after its creation, the OIG interviewed FDA reviewers, reviewed FDA policy, procedures, and guidelines, and examined a sample of submissions and FDA review notes. The OIG concluded that FDA could further integrate cybersecurit...

Week Two

Hello! Welcome to this week's Ryan Report. Today, I will provide an overview of DHS' Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and discuss a recent ICS vulnerability disclosure. The fundamental purpose of a CERT is security incident response. At the organizational level, this is usually an interdisciplinary group made up of individuals from departments such as IT, cybersecurity, compliance, and legal. The CERT operates in accordance with the organization's incident response procedure. The DHS ICS-CERT is a division of the National Cybersecurity and Communications Integration Center (NCCIC) that collaborates with international and private sector organizations to share control-systems-related incidents and mitigation measures. In addition to ICS, ICS-CERT also disseminates information about medical devices and non-traditional operational technology such as building automation systems. These alerts and advisories are quite helpf...

Week One

Hello! Welcome to this week's Ryan Report. Today, I take a look at the patient monitoring system attack that was demonstrated during DEFCON 26. This was my first DEFCON, and it did not disappoint. There were security talks, workshops and otherwise interesting stuff galore. As a healthcare cybersecurity professional, I was particularly interested in the BioHacking Village and the healthcare-focused presentations in other tracks. Douglas McKee from McAfee and Shaun Nordeck, MD, co-presented on this research that demonstrated just how easy it is for a skilled hacker to compromise the data flow and send false information to a central patient monitoring system. This exploit has not been observed in a real-world situation affecting patient care; however, it serves as a lesson to healthcare organizations and medical device manufacturers alike to take care and make an effort to secure patient-connected medical devices. For me, the significant takeaway from McKee and Nordeck's rese...