On August 17, 2017, BlackBerry disclosed that its QNX Real Time Operating System (RTOS) is vulnerable to BadAlloc, which can allow a denial of service or arbitrary code execution on affected devices. An alert about the vulnerability was issued by the Cybersecurity & Infrastructure Security Agency (CISA), part of the Department of Homeland Security. CISA is not aware of incidents where the vulnerability was exploited, but encourages organizations using affected QNX-based systems to patch affected products as soon as possible. BlackBerry programs that depend on the C runtime library are affected by the vulnerability, including QNX Neutrino RTOS for Medical Devices.
- Published: 17 August 2021
Wisconsin has enacted its version of the Insurance Data Security Model Law developed by the National Association of Insurance Commissioners. The law requires licensees of the Insurance Commissioner to develop an information security program meeting standards set forth in the law. The law contains an exception for licensees that are subject to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Standards, which applies to health plans. However, health plans are still required to report any cybersecurity event to the Insurance Commissioner.
- Published: 12 August 2021
On July 14, 2021, the U.S. Department of Homeland Security (DHS) launched a website intended to serve as a one-stop hub for ransomware resources. DHS stated that ransomware is a growing national security threat: $350 million in ransom was paid in 2020, and there have already been notable ransomware attacks in 2021. The intent of the new website is to collect resources from all federal agencies to assist organizations in protecting themselves against ransomware attacks and responding to incidents.
For the health care sector, the site links to several updates and resources, including resources compiled by the Cybersecurity Act of 2015, Section 405(d) Task Group. The task group created a publication in 2018 entitled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, two technical volumes on cybersecurity practices for small health care organizations and for medium to large health care organizations, and a volume of resources and templates. The Task Group identified the ten most effective actions to mitigate common threats to the health care system: email protection systems; endpoint protection systems; access management; data protection and loss prevention; asset management; network management; vulnerability management; incident response; medical device security; and cybersecurity policies.
- Published: 25 July 2021
The Health Sector Cybersecurity Coordination Center (HC3) warns that many Picture Archiving Communication Systems (PACS) continue to have unpatched cybersecurity vulnerabilities, even though researchers identified vulnerabilities in these systems in 2019. PACS systems use the Digital Imaging and Communications in Medicine (DICOM) format, which was developed three decades ago. PACS systems can include security vulnerabilities such as known default passwords, hardcoded credentials and lack of authentication within third-party software. Vulnerable PACS servers can cause patient information to be exposed and malware to be introduced into connected clinical networks. The HC3 report lists 23 vulnerable PACS devices, noting that the list is not all-inclusive.
To mitigate PACS vulnerabilities, HC3 suggests the following:
- validate connections to ensure access is limited to only authorized users
- enable secure connections (HTTPS) for internet-connected systems
- place PACS systems behind a firewall and require access via a virtual private network (VPN)
- Published: 18 July 2021
The Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued a report dated June 2021 on oversight by the Centers for Medicare and Medicaid (CMS) of hospitals' cybersecurity controls for networked medical devices. The OIG concluded that consistent oversight was lacking. CMS's survey protocols do not explicitly address cybersecurity, nor do audit practices of the accreditation organizations (AOs). The OIG points out that hospitals have increasingly become targets of ransomware attacks. While most such attacks have affected electronic health record (EHR) systems, there was a ransomware attack in 2017 that infected radiology equipment. Because many radiology, laboratory and other systems connect to the EHR, malicious code introduced into networked devices can affect the entire EHR system.
Direct responsibility for hospital surveys rests with the AOs as well as the state survey agencies (typically, the state department of health). State survey agencies follow guidelines in CMS's State Operations Manual, including Appendix A applicable to hospital surveys, which includes the Medicare Conditions of Participation (CoPs) for hospitals and the Interpretive Guidelines, which provide more detailed instructions on application of the CoPs. The AOs establish their own audit guidelines, which are required to be at least as stringent as those contained in the State Operations Manual.
- Published: 26 June 2021
On May 26, 2021, the Food and Drug Administration (FDA) published a response to the National Institute of Standards and Technology (NIST) call for position papers on enhancing software supply chain security. The FDA's response cited numerous examples of its own guidance and industry best practices in answering NIST's questions. The FDA noted that cybersecurity is crucial for medical device safety and effectiveness, especially as critical functions shift from on-premises software to remote infrastructure, including cloud services. Recent ransomware incidents affecting health care include disruption of the Irish Healthcare Service and hospitals, and of cloud services necessary for critical function of cancer radiation therapy. The FDA urged NIST and the National Telecommunications and Information Administration (NTIA) to continue development of standards and guidelines for Operational Technology (OT) security by leveraging experts from the public and private sectors.
- Published: 17 June 2021
The Food and Drug Administration (FDA) has published a discussion paper on strengthening cybersecurity practices associated with servicing of medical devices. The paper is not regulatory guidance but rather requests industry comment on the role of companies servicing medical devices in maintaining effective cybersecurity practices. The paper focuses on the role of servicing entities other than the original equipment manufacturer (OEM), such as independent service organizations or healthcare providers.
The FDA defines cybersecurity as the process of preventing unauthorized access, modification, misuse or denial of use, or unauthorized use of information that is stored, accessed or transferred from a medical device to an external recipient. The FDA's published guidance has incorporated a total product lifecycle (TPLC) approach to maintaining cybersecurity throughout the device's product life cycle. The discussion paper highlights cybersecurity challenges in several areas. First, devices should be designed to limit access only to privileged device users. The ability to grant certain entities privileged access can be designed into the device by the OEM, so that the device may be serviced by the healthcare provider or a service entity. The FDA suggests that service entities may have an important role in identifying cybersecurity vulnerabilities and sharing postmarket data so that mitigations can be developed to reduce cybersecurity risk. Entities that service medical devices also are well-positioned to ensure that the device has received software updates needed to maintain cybersecurity. Finally, the FDA notes special concerns related to legacy devices. Healthcare organizations may have reasons, including financial concerns, for continuing to use devices that are no longer supported by the OEM but continue to meet clinical performance standards. In that scenario, users must understand the nature of cybersecurity risks they are taking and develop strategies to address such risks.
- Published: 21 June 2021