Medical device cybersecurity: It’s time to get real

Medical device makers, regulators and healthcare delivery organizations are increasingly working together to strengthen cybersecurity. But are they doing enough?


Almost no one in the medtech industry disputes the vulnerability posed by cyberattacks. How to go about boosting security is another matter – one on which those stakeholders have recently stepped up their collaboration.

One group, the Healthcare & Public Sector Coordinating Council, thinks it has a solution: Healthcare providers and other customers buying a connected medical device should be able to remotely access a cybersecurity bill of materials (CBOM) listing all commercial, open-source and custom-code software in the device. The CBOM would also include commercial hardware such as processors, network cards, sound cards, graphics cards and memory.

The council’s recently issued joint security plan calls for more vulnerability disclosures, notices of breaches, software and hardware upgrades and security patch availability. Companies would also need to notify customers before they end technical support for older devices.
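To make the CBOM idea concrete, here is an added illustration (not code from the council, the joint security plan or any device maker) of what a hospital security team could do with such a list once it is in hand: cross-check each software and hardware component against vendor advisories and end-of-support dates of the kind the plan asks manufacturers to publish. The CBOM layout, the component names, the advisories and the support dates are all constructed sample data; a real CBOM would use a standard format such as SPDX or CycloneDX.

```python
"""Cross-check a cybersecurity bill of materials (CBOM) against advisories.

Added illustration, not code from the HSCC joint security plan or any vendor.
The CBOM layout, the advisory records and the end-of-support dates below are
constructed sample data for a hypothetical connected infusion pump.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    kind: str        # "commercial", "open-source", "custom" or "hardware"
    supplier: str


@dataclass(frozen=True)
class Advisory:
    component: str
    affected_below: str           # versions strictly below this are affected
    patch_version: Optional[str]  # None: no fix available yet
    summary: str


def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


# Constructed CBOM (sample data): software of every origin plus the radio hardware.
SAMPLE_CBOM = [
    Component("libssl", "1.0.2", "open-source", "OpenSSL Project"),
    Component("rtos-kernel", "4.3.1", "commercial", "ExampleRTOS Inc."),
    Component("pump-control", "2.7.0", "custom", "ExampleMed"),
    Component("wifi-module", "1.1", "hardware", "ExampleRadio"),
]

# Constructed advisories and end-of-support dates (sample data, not real CVEs).
SAMPLE_ADVISORIES = [
    Advisory("libssl", "1.0.3", "1.0.3", "example: TLS handshake memory disclosure"),
    Advisory("wifi-module", "1.2", None, "example: firmware accepts unsigned updates"),
]
SAMPLE_END_OF_SUPPORT = {"rtos-kernel": date(2019, 6, 30)}
REVIEW_DATE = date(2019, 2, 1)  # constructed "today" for the sample run


def review_cbom(cbom, advisories, end_of_support, today):
    """Return the findings a hospital security team would act on for this CBOM.

    Each finding is a dict with the component name, an issue type
    ("vulnerable" or "support") and a note describing the next step.
    """
    findings = []
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv.component, []).append(adv)
    for comp in cbom:
        # Vulnerability check: installed version below the fixed version?
        for adv in by_name.get(comp.name, []):
            if parse_version(comp.version) < parse_version(adv.affected_below):
                if adv.patch_version is None:
                    note = f"{adv.summary}; no vendor patch yet, apply compensating controls"
                else:
                    note = f"{adv.summary}; upgrade to {adv.patch_version}"
                findings.append({"component": comp.name, "issue": "vulnerable", "note": note})
        # Lifecycle check: is the supplier about to stop (or has it stopped) supporting it?
        eos = end_of_support.get(comp.name)
        if eos is not None:
            days = (eos - today).days
            status = "end-of-support reached" if days <= 0 else f"support ends in {days} days"
            findings.append({"component": comp.name, "issue": "support", "note": status})
    return findings


if __name__ == "__main__":
    for f in review_cbom(SAMPLE_CBOM, SAMPLE_ADVISORIES, SAMPLE_END_OF_SUPPORT, REVIEW_DATE):
        print(f"{f['component']:14} {f['issue']:11} {f['note']}")
```

The numeric version comparison matters in practice: a naive string comparison would rank "1.0.9" above "1.0.10" and silently miss a patched-but-still-listed component. The unpatched hardware finding is the case the plan's disclosure requirement is meant to surface: the customer learns of the weakness and can isolate the device even before a vendor fix exists.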

“It’s this voluntary framework that establishes best practice for cybersecurity at a medical technology company,” council member Rob Suarez, director of product security at Becton Dickinson, told Medical Design & Outsourcing. “This joint security plan establishes the common ground which many medical device manufacturers, health IT vendors and healthcare providers agreed on.”

Some manufacturers have grumbled about providing hardware information in a CBOM, but an increasing number have pledged to publicly share vulnerability information should hackers breach one of their devices, including industry giants BD, Abbott, Siemens, Philips, Medtronic, Johnson & Johnson, Boston Scientific and Stryker.

Get the full story on our sister site Medical Design & Outsourcing. 

The post Medical device cybersecurity: It’s time to get real appeared first on MassDevice.

Medical device cybersecurity firm Medigate raises $15m in Series A


Medical device security firm Medigate said today that it raised $15 million in a Series A financing round to support its medical device security and asset management platform.

The round was led by newly invested U.S. Venture Partners and joined by previous investors YL Ventures and Blumberg Capital, the New York-based company said.

“Medigate’s unique technology platform, strategic partnerships with industry-leading security vendors and traction over the last year in the healthcare market made the company an attractive investment,” USVP partner Jacques Benkoski, who is slated to join Medigate’s board, said in a prepared statement.

“Medigate’s technology and focus make it the logical choice for healthcare organizations entrusted with securing the medical devices on their clinical networks,” Blumberg Capital managing director Bruce Taragin said in a prepared release.

Funds from the round will be used to support continued growth and to triple the company’s workforce over the next 18 months, Medigate said.

The company developed and supports a medical device security and asset management platform designed to identify, tag and fingerprint individual medical devices beyond their IP address. Tags for devices are based on type, vendor and model, and allow for better visibility into types, vendors, protocols and operating systems, Medigate said.

“U.S. Venture Partners, with its investment focus encompassing both cybersecurity and IT-enabled healthcare, is uniquely qualified to understand the complex and pressing security issues that Medigate addresses for both device manufacturers and the healthcare networks that deploy these life-saving devices. Working with USVP and our initial investors, YL Ventures and Blumberg Capital, we are poised for rapid expansion by helping our customers confront the unique security risks and management challenges associated with connecting medical devices to clinical networks,” CEO Jonathan Langer said in a press release.


Hospitals to medtech: Clean up your cybersecurity act


[Image courtesy of Blogtrepreneur on Flickr, per Creative Commons 2.0 license]

A consortium of hospital associations wants the medical device industry to up its game when it comes to interoperability and data sharing, especially concerning cybersecurity.

The group issued a report this month to make recommendations for all stakeholders in the U.S. hospital care system, including providers, patients, physicians, insurers and industry. The Jan. 18 report, “Sharing Data, Saving Lives: The Hospital Agenda for Interoperability,” in part urged medtech makers to clean up their act regarding the security of patient data in the Internet era.

“Medical device manufacturers must do more to confront the privacy challenges that unsecurable devices may pose to hospitals and health systems,” the authors wrote. “Hospitals and health systems, clinicians and patients must be able to trust that the data being shared is accurate, secure and being used in accordance with best practices and patient expectations. Security and privacy requirements must be embedded into every layer of the infrastructure. This includes mechanisms to validate the practices and standards of third-party apps and APIs that allow more flexible sharing of data. The infrastructure also must include a mechanism for health care providers to verify that a request for information is authorized, and each entity with access to individuals’ data must be responsible for appropriately securing and using that data.”

Specifically, the AHA wants medtech to expand the “plug and play” approach in the design and function of its devices, enhance the security of data collected and transmitted by those devices and add lifecycle support for them.

More generally, the report identified six key issues “as the surest pathways to full interoperability,” including security and privacy; efficient, usable solutions; cost-effective, enhanced infrastructure; “standards that work;” connecting beyond electronic health records; and shared best practices.

“The ability to communicate vital health data is necessary to realize the full potential of our nation’s system of health care. This joint statement from seven leading associations representing America’s hospitals and health systems, and the physicians and care team members who practice within these systems, sets forth our agenda in support of the urgent need for continued momentum on improving interoperability among health information technology (IT) systems—a goal that holds great promise for lasting improvement in patient care. Together, we seek to enlist and expand public and private stakeholder support around this goal to benefit all individuals, their families and caregivers,” according to the report.

The hospital consortium that created the report includes America’s Essential Hospitals, the American Hospital Assn., the Assn. of American Medical Colleges, the Catholic Health Assn. of the United States, the Children’s Hospital Assn., the Federation of American Hospitals and the National Assn. for Behavioral Healthcare.


Medical IoT and the security challenges for healthcare: What you need to know

What do healthcare providers want from medical device manufacturers concerning network and device security?

Martin Nappi, Green Hills Software


[Image from Shutterstock]

The advent of the Internet of Things (IoT) has created enormous opportunity and profound challenges for any business looking to take on the digital transformation. But no industry faces more of a test to make this change than healthcare.

Organizations that want to embrace IoT can struggle for many years in the pursuit of “going digital” and still fail. Hospitals and other healthcare providers have all the operational complexities of other businesses with the added responsibilities of keeping their patients safe, ensuring patient health records are secure and keeping their facilities operational 24/7. Plus, the healthcare industry is a primary target of increasingly sophisticated cybercriminals looking to install ransomware to steal patient health records or harm patients with connected medical devices such as insulin pumps or pacemakers.

Get the full story on our sister site Medical Design & Outsourcing. 


HHS inspector general flags FDA on cybersecurity

The U.S. Health & Human Services Dept.’s inspector general last month flagged the FDA for its “deficient” plans and processes to ensure medical device cybersecurity, saying the federal safety watchdog’s policies and procedures are “insufficient for handling post-market medical device cybersecurity events.”

“FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices; and, in 2 of 19 district offices, FDA had not established written standard operating procedures to address recalls of medical devices vulnerable to cyber threats,” according to the OIG’s October report. “These weaknesses existed because, at the time of our fieldwork, FDA had not sufficiently assessed medical device cybersecurity, an emerging risk to public health and to FDA’s mission, as part of an enterprise risk management process. We shared our preliminary findings with FDA in advance of issuing our draft report. Before we issued our draft report, FDA implemented some of our recommendations. Accordingly, we kept our original findings in the report, but, in some instances, removed our recommendations.”

The report comes after a steady cadence of FDA releases this year about its cybersecurity initiatives, including the announcement last month of a memorandum of agreement with the U.S. Dept. of Homeland Security to implement a new framework that will improve coordination and cooperation between the two bodies.

The OIG’s report recommended that the FDA ink a more formal deal with DHS’s Industrial Control Systems Cyber Emergency Response Team, “establishing roles and responsibilities as well as the support those agencies will provide to further FDA’s mission related to medical device cybersecurity.”

The FDA should also put established procedures in place for the secure handling of information about cybersecurity breaches with “key stakeholders who have a ‘need to know,’” according to the OIG report, and make sure its procedures for handling recalls stemming from cybersecurity issues.

“[The] FDA agreed with our recommendations and said it had already implemented many of them during the audit and would continue working to implement the recommendations in the report. However, [the] FDA disagreed with our conclusions that it had not assessed medical device cybersecurity at an enterprise or component level and that its preexisting policies and procedures were insufficient. We appreciate the efforts FDA has taken and plans to take in response to our findings and recommendations, but we maintain that our findings and recommendations are valid,” the OIG’s office said in the report.


Report: Medtronic shuts down pacer programmer updates on hacking risk

Medtronic (NYSE:MDT) has disabled internet updates for approximately 34,000 CareLink devices designed for accessing and programming implanted pacemakers due to cybersecurity vulnerabilities with the systems, according to a Reuters report.

The vulnerability, revealed this summer by cybersecurity firm researchers, could allow an outside agent to plant malware on the pacers that would allow them to control or disable the delivery of life-saving shocks to the heart.

The Fridley, Minn.-based company said that it knows of no cases in which hackers have exploited the vulnerability in real world environments, according to the report.

Medtronic sent letters to physicians this week to notify them of the vulnerability, labeling the communications “urgent medical device corrections,” according to Reuters.

A total of 34,000 CareLink 2090 and CareLink Encore 29901 programmers are affected by the vulnerability, which Medtronic said it will “further address” with security updates that will be “implemented pending regulatory agency approvals,” according to the report.

The programming device can still be updated through a direct USB connection, according to Reuters.

In August, the US Dept. of Homeland Security’s Industrial Control Systems Computer Emergency Response Team flagged two Medtronic devices for cybersecurity vulnerabilities that could allow attackers to obtain sensitive information.


FDA to revamp medtech cybersecurity — with your help

[Image courtesy of Blogtrepreneur on Flickr, per Creative Commons 2.0 license]

FDA recently announced that it is taking additional steps to boost medtech cybersecurity, and it’s seeking outside help to do so.

The agency will soon release a new draft of its premarket guidance document to combat the growing threat of cyber attacks. In addition, the agency announced multiple partnerships with manufacturers, hospitals and more — as well as the release of a cybersecurity playbook, and the possibility of a new center dedicated to cybersecurity.

The clear message from the agency is that a multi-pronged approach, with buy-in from all involved, is critical to staying ahead of bad actors.

Get the full story on our sister site Medical Design & Outsourcing. 


Medtech cybersecurity group MedCrypt raises $2m in seed round

Medical device cybersecurity group MedCrypt said today it raised $1.9 million in a seed round of financing to help support its medtech-specific embedded cybersecurity software.

The round was led by Eniac Ventures and joined by Sway Ventures, Nex, Cubed, Oronoco Investments and Friedman BioVentures, the Encinitas, Calif.-based company said.

“Cyber threats are an exponentially increasing problem that is threatening businesses, governments, households and, in healthcare, even lives. MedCrypt has already set itself apart with a seasoned technical team and proprietary technology that is helping the largest medical device makers in the world protect their devices and the underlying users. Our team is excited to support Mike Kijewski and Eric Pancoast in continuing to build out MedCrypt as the most comprehensive security layer for healthcare IT,” Eniac Ventures founding general partner Tim Young said in a press release.

MedCrypt is developing cryptographically embedded security software intended to help vendors protect their products from outside assault and monitor the behavior of the devices after they’ve been deployed.

“The FDA is cracking down on medical device cybersecurity by releasing more robust regulations by which medical device vendors and healthcare delivery organizations are required to abide. Our solution lets these organizations protect their devices – and patients – with just a few lines of code. We’re thrilled to gain additional funding and support to help accelerate our technology,” co-founder & CEO Mike Kijewski said in a prepared statement.

The financing brings the total the company has raised to date up to $3 million, MedCrypt said.


DHS warns of cybersecurity weakness in Medtronic N’Vision neurostim programmer

The Department of Homeland Security this week released a report warning of cybersecurity vulnerabilities in Medtronic’s (NYSE:MDT) N’Vision clinician programmer designed for use with neurostimulation devices that could allow outside agents to access personal health data.

The DHS said that the vulnerability was originally reported by Whitescope LLC, and requires that an individual gain physical access to N’Vision’s 8870 Compact Flash Therapy Application card.

Once access is achieved, extracting personal health information or personal identifying information requires a low skill level, according to the DHS report.

The vulnerability was given a medium-severity classification by the agency, which said that Medtronic has not yet developed an update to address the issue. The DHS said that Medtronic was taking steps to reinforce security reminders and help reduce the risk of the vulnerability.

Medtronic recommended that operators of such devices take extra steps to maintain their security, including strict physical control of the Compact Flash card, only using legitimately maintained 8870 cards and returning the cards when they are no longer in use.

Last month, FDA Commissioner Scott Gottlieb released a statement laying out the federal watchdog’s plans for improving medical device regulation, including plans to improve cybersecurity and monitor the total product life cycles of devices.


Attivo Networks receives validation from BD for BOTsink cybersecurity solution


[Image courtesy of Blogtrepreneur on Flickr, per Creative Commons 2.0 license]

Attivo Networks recently announced that it has received validation through a BD Product Security Partner Program for its BOTsink cybersecurity deception solution when used with BD devices. The company recently expanded its IoT portfolio, and the BD collaboration will allow for improved detection capabilities against cyber threats that impact medical devices.

The deception-based threat detection in the BOTsink features decoys and lures that misdirect potential attackers from production assets. Through the collaboration, BOTsink decoys will provide software on certain BD products that will create mirror-match decoy authenticity. This will create an illusion in which a potential attacker will not be able to tell what is real and what is fake. It will also show what an attacker is doing as they scan systems or try to download malware onto medical devices.

Get the full story on our sister site, Medical Design & Outsourcing.