The FDA Now Requires Stronger Cyber Security In Medical Devices

Yesterday, the FDA published new guidance strengthening the cybersecurity requirements for medical devices that contain software and can connect to the internet. This comes after years of concern that such devices could be hit by attacks endangering lives, a risk highlighted by a September 2022 Ponemon Institute report, sponsored by Proofpoint, in which roughly 20% of healthcare organizations that had suffered a cyber-attack reported increased patient mortality rates as a result.
According to the guidance, applicants seeking premarket approval for new medical devices must:
- Submit a plan for monitoring, identifying and addressing cybersecurity vulnerabilities after the device is on the market
- Outline a process for providing regular security updates and patches
- Provide a software bill of materials (SBOM) covering the commercial, open-source and off-the-shelf software components in the device
The new FDA guidance comes a couple of months after security researchers at Sonar found three vulnerabilities in OpenEMR and, more recently, the KillNet group was observed targeting healthcare applications hosted on Microsoft Azure.
George McGregor, VP at Approov, had this to say:
“This is a major step forward in strengthening cybersecurity defenses in healthcare in the USA (something that we have been campaigning for as a leading provider of mobile security solutions). A key element of the guidelines for medical devices is that companies must have a plan in place for ‘postmarket’ runtime protection.
“Another welcome aspect of the requirements is that they explicitly state that cyber defenses must be able to be updated rapidly if and when required. This requires security administration to be a key element of the operational plan, including the ability to update policies as new vulnerabilities are uncovered and rotate secrets and keys quickly in the event that they are stolen.”
I am glad to see that the FDA is taking this step, as attacks on healthcare are a real thing, as evidenced by the attack on the Sick Kids hospital last year. Sooner or later one of these attacks will affect patient care in a severe way if nothing is done.
This entry was posted on April 1, 2023 at 9:15 am and is filed under Commentary with tags Security.