Medical Device Industry Update October 2022  

Key Stories
• FBI issues alert on unpatched and outdated medical devices
• Pen Testing Analysis Highlights Gaps in Healthcare Cybersecurity
• White House issues a memorandum on software supply chain security
• The European Union is advancing legislation to strengthen security requirements for all digital hardware and software products
• Breaking Down the SBOM Myths vs Facts
• Upcoming Medical Device Events in October and November

FBI issues alert on unpatched and outdated medical devices 

On Sept. 12, the FBI issued an industry alert regarding unpatched and outdated medical devices. In the private industry notification entitled ‘Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities’, the FBI described how a growing number of vulnerabilities stem from medical devices that run on outdated software and from devices that lack adequate security features. Read the document in full here.

Within the four-page document, the FBI outlined the legacy threat and provided five recommendations for medical device security. The list of recommended security strategies and technologies for healthcare cybersecurity leaders to adopt included: 

• Endpoint protection: Encrypt medical device data, use antivirus protection where able in medical devices, and monitor for cyber threats to the hospital network.
• Identity and access management: Use complex passwords and limit the number of users with accessibility to medical device credentials. If possible, change medical device passwords on a regular basis.
• Asset management: Maintain an inventory of all medical devices and track their software lifecycle to replace devices when necessary.
• Vulnerability management: Scan devices for vulnerabilities and work with medical device manufacturers to update software.
• Employee cybersecurity awareness training: Training should target insider threat prevention and social engineering attack mitigation.
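The asset-management and vulnerability-management recommendations above come down to a recurring check over the device inventory: which devices run software the vendor no longer supports, which lag behind the latest patched version, and which have quietly dropped off the network. The script below is an added example, not code from the FBI alert or from Nova Leah. It assumes an inventory export in JSON with the fields shown and a vendor lifecycle table of end-of-support dates and minimum patched versions; every device name, version, and date in it is constructed sample data.

```python
"""Inventory lifecycle check: flags devices running end-of-support software,
devices behind the vendor's minimum patched version, and devices not seen on
the network recently. Added example; all data below is constructed."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed inventory export, as an asset-management system might produce it.
INVENTORY_JSON = """[
  {"asset_id": "INF-001", "model": "InfusionPump-X", "software": "pumpos",
   "version": "2.3.1", "last_seen": "2022-09-30"},
  {"asset_id": "INF-002", "model": "InfusionPump-X", "software": "pumpos",
   "version": "2.4.0", "last_seen": "2022-09-30"},
  {"asset_id": "MON-007", "model": "PatientMonitor-Q", "software": "monitorfw",
   "version": "1.0.9", "last_seen": "2022-06-01"},
  {"asset_id": "IMG-003", "model": "CTStation-Z", "software": "imagingsuite",
   "version": "7.2", "last_seen": "2022-09-29"},
  {"asset_id": "LAB-010", "model": "Analyzer-L", "software": "labctl",
   "version": "3.1", "last_seen": "2022-09-30"}
]"""

# Constructed vendor lifecycle table: end-of-support date and the lowest
# version that carries all currently available security fixes.
LIFECYCLE = {
    "pumpos": {"end_of_support": date(2024, 12, 31), "min_patched": (2, 4, 0)},
    "monitorfw": {"end_of_support": date(2021, 6, 30), "min_patched": (1, 1, 0)},
    "imagingsuite": {"end_of_support": date(2023, 3, 31), "min_patched": (7, 2)},
}

STALE_AFTER_DAYS = 30  # not seen on the network for this long -> flag it


@dataclass
class Finding:
    asset_id: str
    issue: str  # end_of_support | unpatched | stale | unknown_software


def parse_version(v: str) -> tuple[int, ...]:
    """'2.3.1' -> (2, 3, 1); purely numeric dotted versions only."""
    return tuple(int(p) for p in v.split("."))


def compare_versions(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Compare tuples of differing length by zero-padding ('7.2' == '7.2.0')."""
    n = max(len(a), len(b))
    a2 = a + (0,) * (n - len(a))
    b2 = b + (0,) * (n - len(b))
    return (a2 > b2) - (a2 < b2)


def assess_inventory(inventory_json: str, lifecycle: dict, today: date) -> list[Finding]:
    """Return one Finding per (device, issue); a device may have several."""
    findings: list[Finding] = []
    for dev in json.loads(inventory_json):
        info = lifecycle.get(dev["software"])
        if info is None:
            # No lifecycle data means the device cannot be assessed: surface it
            # rather than silently treating it as fine.
            findings.append(Finding(dev["asset_id"], "unknown_software"))
            continue
        if today > info["end_of_support"]:
            findings.append(Finding(dev["asset_id"], "end_of_support"))
        if compare_versions(parse_version(dev["version"]), info["min_patched"]) < 0:
            findings.append(Finding(dev["asset_id"], "unpatched"))
        if (today - date.fromisoformat(dev["last_seen"])).days > STALE_AFTER_DAYS:
            findings.append(Finding(dev["asset_id"], "stale"))
    return findings


def issues_by_asset(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings per asset for a replacement / patching worklist."""
    out: dict[str, list[str]] = {}
    for f in findings:
        out.setdefault(f.asset_id, []).append(f.issue)
    return out


def run_example(today: date = date(2022, 10, 1)) -> dict[str, list[str]]:
    """Run the check over the constructed inventory as of a fixed sample date."""
    return issues_by_asset(assess_inventory(INVENTORY_JSON, LIFECYCLE, today))


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The output is the worklist the FBI's asset-management item implies: devices past end of support are replacement candidates, unpatched ones go to the manufacturer-coordinated update queue, and stale or unknown entries are inventory hygiene problems that would otherwise hide a device from the vulnerability scan entirely.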

In a previous post we explored vulnerabilities in legacy devices and what is being done to protect legacy medical devices against new cyber threats. We also looked at some of the steps that the FDA has taken to protect legacy devices. Read more here.


Pen Testing Analysis Highlights Gaps in Healthcare Cybersecurity 

In a related story, security firm Coalfire found that while healthcare is slowly moving away from its reliance on legacy systems, unpatched and out-of-date software continues to cause security issues. This verdict was offered after the company analyzed the results of 3,100 pen tests conducted on behalf of its clients to draw insights about top cybersecurity risks.  

Penetration or ‘pen’ testing is a systematic process of probing for vulnerabilities in your networks and applications. Across all sectors, Coalfire found that security misconfigurations topped the list of leading application vulnerabilities. In terms of attack vectors, researchers noted the prevalence of internal threats that are easy to overlook.

“For most organizations, their external network is hard on the outside, but underneath is a vulnerable attack surface that faces a tapestry of open-source tools and applications, unintentionally exposed code, more sophisticated and motivated cybercriminals, and nation-state threats,” the report stated. 

Based on Coalfire’s findings, the firm recommended that healthcare organizations conduct real-time pen testing and strive for continuous compliance monitoring, even within legacy systems. 

White House issues a memorandum on software supply chain security 

In September, the White House issued a memorandum to ensure that federal agencies use software that meets minimum security standards. This is part of a larger effort by the Biden administration to strengthen the security of the software supply chain. The memorandum was addressed to the heads of executive departments and agencies, and focused on enhancing the security of the software supply chain through secure software development practices.

The memorandum calls on firms selling software to the federal government to use software that complies with National Institute of Standards and Technology (NIST) guidelines. The memorandum instructs agencies to obtain a self-attestation from software providers that their products are in line with NIST’s security guidelines.

Chris DeRusha, federal CISO and deputy national cyber director, outlined the new guidelines in a statement released on the White House website.  

“The Biden-Harris Administration is committed to delivering a government that works for all Americans – and technology powers our ability to do so. In order for Federal agencies to provide critical services, information, and products to the American people, they need access to secure and reliable software that manages everything from tax returns to veterans’ health records. That’s why today, building on the President’s Executive Order on Improving the Nation’s Cybersecurity, the Office of Management and Budget is issuing guidance to ensure Federal agencies utilize software that has been built following common cybersecurity practices.”

The White House memo does not require software publishers to use SBOMs to validate their attestation. However, the language in the memo makes clear that SBOMs are the preferred method for demonstrating conformance with the NIST secure software development practices. See Section II (Actions), Part 2:

“A Software Bill of Materials (SBOMs) may be required by the agency in solicitation requirements, based on the criticality of the software as defined in M21-30, or as determined by the agency. If required, the SBOM shall be retained by the agency, unless the software producer posts it publicly and provides a link to that posting to the agency.” 

The European Union is advancing legislation to strengthen security requirements for all digital hardware and software products 

Lawmakers are advancing new legislation to strengthen cybersecurity requirements across the European Union for all digital hardware and software products. The proposal, known as the Cyber Resilience Act, seeks to establish common cybersecurity rules for digital products and associated services within the EU market.

The Cyber Resilience Act is a direct response to rising cybercrime, which is estimated to have cost the global economy €5.5 trillion in 2021.

The proposed legislation, which was unveiled by the European Commission in September, mandates that products are designed, developed and produced in ways that mitigate cybersecurity risks. This includes, for example, requirements to sell products in a secure default configuration, to maintain a thorough product identification system and to ensure that exploitable vulnerabilities can be addressed through security updates, along with other obligations, including disclosure rules.

Breaking Down the SBOM Myths vs Facts  

The healthcare industry is currently undergoing a complete re-examination of its cybersecurity processes, protocols and the regulatory landscape in general. Amongst other things, the use of SBOMs (software bills of materials) has been earmarked as a way to increase the safety and security of software supply chains.

While organizations have become a lot more familiar with SBOMs in recent years, there are still many common misconceptions. In a recent post, published on our blog, we broke down some of the myths vs facts.

We dispel six myths in total:

• Myth 1 – The transparency offered through using SBOMs will make it easier for hackers to attack.
• Myth 2 – An SBOM alone provides no useful or actionable information.
• Myth 3 – An SBOM increases exposure to licensing violations.
• Myth 4 – An SBOM needs to be made public.
• Myth 5 – SBOMs are not scalable.
• Myth 6 – SBOMs expose business secrets.

Check out the article in full here.

Upcoming Medical Device Events in October and November 

1/ American Medical Device Summit – Chicago, IL, Oct 18-19 

Setting the standard on how the industry should connect and exchange ideas, the American Medical Device Summit provides insights and strategies to enhance the professional development of executives involved in the design, product development, innovation, technology and quality/regulatory aspects of medical devices.  

2/ DeviceTalks West – Santa Clara, CA, Oct 19-20 

DeviceTalks West will explore the new technologies changing how MedTech is delivered. Held at the Santa Clara Convention Center, the conference helps attendees to better understand how medical device manufacturers, suppliers and innovators are finding success in a challenging economic market.

3/ The MedTech Conference – Boston, MA, Oct 24-26 

The MedTech Conference will bring together the world’s top MedTech executives and innovators for three days of programs, networking and business development opportunities.

4/ The MedTech Innovation Forum – Irvine, CA, Oct 27-28 

MedTech Innovation Forum guides attendees through the wide-ranging impact of innovations and what they mean for your MedTech business. MedTech Innovation Forum will feature industry experts, strategics, physicians, and entrepreneurs who have made major headway and continue to make massive strides towards an accelerated future.

5/ MD&M Minneapolis – Minneapolis, MN, Nov 2-3 

MD&M Minneapolis is a part of the five-in-one manufacturing expo at Advanced Manufacturing Minneapolis. Billed as the Midwest’s largest MedTech event, Medical Design & Manufacturing (MD&M) Minneapolis empowers its attendees to access expertise across the supply chain. 

That’s all from this month’s Nova Leah Industry Update.

Check out our blog for more news and updates related to the medical device industry.