US Food and Drug Administration releases Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff

June 11, 2022

Privacy and cyber security in the health industry is both critical and critically inadequate in the main.  Health organisations are notoriously vulnerable to cyber attack and poor privacy privacy practices on a day to day in person basis.

The US Food and Drug Administration (“FDA”) is in the process of revising its guidance to deal with cyber threats. To that end it is released the draft Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions and will be reviewing it in June and July.

The abstract provides:

The need for effective cybersecurity to ensure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network- connected devices, portable media (e.g. USB or CD), and the frequent electronic exchange of medical device-related health information. In addition, cybersecurity threats to the healthcare sector have become more frequent, more severe, and more clinically impactful. Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the US and globally. Such cyberattacks and exploits can delay diagnoses and/or treatment and may lead to patient harm.

This guidance is intended to provide recommendations to industry regarding cybersecurity device design, labeling, and the documentation that FDA recommends be included in premarket submissions for devices with cybersecurity risk. These recommendations can facilitate an efficient premarket review process and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats.

It is a very useful detailed and dense 49 page resource.  Impossible to summarise in a post.  For those interested in privacy law it is a great resource.

Some useful comments Read the rest of this entry »

National Institute of Standards and Technology releases Using Business Impact Analysis to Inform Risk Prioritization and Response

The National Institute of Standards and Technology (“NIST”) has released the draft Using Business Impact Analysis to Inform Risk Prioritization and Response the Abstract.

The NIST states:

Traditional business impact analyses (BIAs) have been successfully used for business continuity and disaster recovery (BC/DR) by triaging damaged infrastructure recovery actions that are primarily based on the duration and cost of system outages (i.e., availability compromise). However, BIA analyses can be easily expanded to consider other cyber-risk compromises and remedies.

This initial public draft of NIST IR 8286D provides comprehensive asset confidentiality and integrity impact analyses to accurately identify and manage asset risk propagation from system to organization and from organization to enterprise, which in turn better informs Enterprise Risk Management deliberations. This document adds expanded BIA protocols to inform risk prioritization and response by quantifying the organizational impact and enterprise consequences of compromised IT Assets.

The Abstract provides:

Read the rest of this entry »

Forbes sets out alarming cyber statistics in an excellent article reviewing trends in cyber security in 2022. A generally sobering picture.

June 10, 2022

In Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know Forbes has undertaken a comprehensive review of developments in 202.  It is one of the best articles of the year to describe the current developments with cyber attacks,  the state of readiness to meet them and what needs to be done.  It is an excellent article. Depressingly it seems the preparedness in the United States is just as inadequate as it is in Australia. 

The other benefit of the article is that it links to other excellent articles.

The article Read the rest of this entry »

Monetary Authority of Singapore revises guidelines to strengthen resilience against cyber attacks and other problems

The  Monetary Authority of Singapore has  revised Guidelines on Business Continuity Management for financial institutions to strengthen resilience against service disruptions arising from a range of circumstances including cyber attacks, and physical threats. 

The media release provides:

The Monetary Authority of Singapore (MAS) today issued revised Guidelines on Business Continuity Management (BCM) for financial institutions (FIs), to help FIs strengthen their resilience against service disruptions arising from IT outages, pandemic outbreaks, cyber-attacks and physical threats. The revisions take into account learnings from the handling of the COVID-19 pandemic and increased digitalisation in the financial sector.

2 The revised Guidelines provide new insights on measures that FIs can take to better manage the increasingly complex operating environment and threat landscape to enable the continuous delivery of services to their customers.  Under the revised Guidelines, FIs should:

a)adopt a service-centric approach through timely recovery of critical business services facing customers;

b) identify end-to-end dependencies that support critical business services, and address any gaps that could hinder the effective recovery of such services; and

c) enhance threat monitoring and environmental scanning, and conduct regular audits, tests, and industry exercises. 

3 Mr Vincent Loy, Assistant Managing Director (Technology), MAS, said, “Against the backdrop of an increasingly volatile and complex environment, the new Guidelines will help financial institutions to take an agile and holistic approach in sustaining their critical business services when faced with threats and risk of disruption.” 

The guidelines are found here.

On a more sombre note Crikey reports that federal government departments have not fulfilled cybersecurity basics.  That Read the rest of this entry »

National Institute of Standards and Technology announces a review of the Secure Hash Standard (SHS)

The National Institute of Standards and Technology (“NIST”) has announced a review on FIPS 180-4, Secure Hash Standard (SHS)

In its media release the NIST states Read the rest of this entry »

Data breach of medical imaging provider compromises data of 2 million

June 9, 2022

The health industry is a prime target for cyber attack.  The volume of data collected by health services providers is enormous.  A person is required to provide a detailed history, including name, address, date of birth, health insurance details as well as information about one’s physical and mental condition.  A hacker’s nirvana. KordaMentha raised this point, which I have made for years, in Why healthcare is a red-hot cybercrime target.

Not surprising that it has been reported  in Hack of Medical Imaging Provider Affects Data of 2 Million that Shields Health Care Group in the Massachusetts has had a data breach involving access topersonal information of 2 million persons.  That makes it the biggest health data breach this year in the United States.

It Read the rest of this entry »

Cyber security statements from newly minted shadow minister.

A change of Federal government gives rise to a new opposition and some new shadows.  Senator James Paterson has been made Shadow Minister for Cyber Security

As part of that responsibility the good Senator in Cyber security needs ‘like-minded’ nations: Paterson has been reported as calling for more collaboration to combat transnational cyber security threats.  The report Read the rest of this entry »

National Institute of Standards and Technology releases draft guide on measuring vulnerabilities of information technology

The National Institute of Standards and Technology (“NIST”) has released Measuring the Common Vulnerability Scoring System Base Score Equation for comment.  It is a particularly useful document in that calculating the severity of information technology vulnerabilities permits prioritisation of remediation techniques.  It also helps to understand the risk of a vulnerability.

The abstract Read the rest of this entry »

Singapore Privacy Commissioner releases a Data Anonymisation Tool

June 8, 2022

The Singapore Privacy Commissioner has launched a free Data Anonymisation tool. Anonymisation is an important part of privacy protection, particularly in relation to the preparation of data sets.  It is also quite a contested issue. 

The statement provides:

The PDPC has launched a free Data Anonymisation tool to help organisations transform simple datasets by applying basic anonymisation techniques. An infographic that provides guidance on how to use the tool is also included.

and Read the rest of this entry »

When the cyber attacks shut down cities

Cyber attacks have grown from organisations to cities and even countries.  In May Greenland was hit by a cyber attack which crippled its health services.  Earlier this week the entire Italian City of Palermo shut down all systems to fend off a cyber attack. 

The story is reported Read the rest of this entry »