Healthcare Cybersecurity

HITRUST/AMA Launch Initiative to Help Small Healthcare Providers with HIPAA Compliance

HITRUST has announced it has partnered with the American Medical Association (AMA) for a new initiative that will help small healthcare providers with HIPAA compliance, cybersecurity, and cyber risk management.

Small healthcare providers can be particularly vulnerable to cyberattacks, as they typically lack the resources to devote to cybersecurity and do not tend to have the budgets available to hire skilled cybersecurity staff. This week has underscored the need for small practices to improve their cybersecurity defenses, with the announcement of two cyberattacks on small healthcare providers by the hacking group TheDarkOverlord.

Recent ransomware attacks have also shown that healthcare organizations of all sizes are likely to be attacked. Organizations of all sizes must practice good cyber hygiene and have the right defenses in place to improve resilience against ever-changing cyber threats.

HITRUST and AMA will be hosting 2-hour workshops where physicians and other healthcare staff will be educated on key areas of risk management, HIPAA compliance, and cybersecurity, with the workshops specifically focused on small healthcare providers.

The initiative runs alongside HITRUST’s Community Extension Program that was launched earlier this year, with the workshops taking place in the two hours prior to the HITRUST Community Extension Program events, which are taking place in 50 cities across the United States.

HITRUST explained, “Many clinics, physician offices, and other small providers are looking for local, community-based resources to help guide them through the journey of establishing governance and risk management programs to avoid a cyber-related breach or event that would disrupt their organization and expose the confidential information of their patients or members.” One of the aims of the workshops is to make good cyber hygiene manageable for small healthcare providers.

These workshops will provide the information small healthcare providers need to make significant improvements to their cybersecurity posture and help them meet the requirements of the HIPAA Security Rule.

While many topics will be covered in the workshops, they will be primarily focused on teaching the fundamentals of good cyber hygiene, explaining the need for cyber and HIPAA risk assessments, and will cover cost-effective technologies that can be implemented to improve cyber security.

“Trying to determine the best way to secure my practice from cyber threats was a significant – and at times, overwhelming – undertaking,” said Dr. J. Stefan Walker, a practicing physician in a small practice in Corpus Christi, TX. “Many existing cybersecurity resources and education programs are geared toward larger health care organizations and are not practical for a practice with only a handful of employees.” These workshops will help small healthcare organizations by providing relevant, useful, and practical advice specific to practices of their size.

The first workshop is being hosted by Children’s Health in Dallas, TX and will take place on October 9. Details of further events will be posted on the HITRUST website.

The post HITRUST/AMA Launch Initiative to Help Small Healthcare Providers with HIPAA Compliance appeared first on HIPAA Journal.

The Benefits of Using Blockchain for Medical Records

Blockchain is perhaps best known for keeping cryptocurrency transactions secure, but what about using blockchain for medical records? Could blockchain help to improve healthcare data security?

The use of blockchain for medical records is still in its infancy, but there are clear security benefits that could help to reduce healthcare data breaches while making it far easier for health data to be shared between providers and accessed by patients.

Currently, the way health records are stored and shared leaves much to be desired. The system is not efficient, there are many roadblocks that prevent the sharing of data, and a patient’s health data is not always stored by a single healthcare provider; instead, a patient’s full health history is fragmented and spread across multiple providers’ systems.

Not only does this make it difficult for health data to be amalgamated, it also leaves data vulnerable to theft. When data is split between multiple providers and their business associates, there is considerable potential for a breach. The Health Insurance Portability and Accountability Act (HIPAA) requires all HIPAA covered entities and their business associates to implement technical safeguards to ensure the confidentiality, integrity, and availability of protected health information. However, each entity implements its own security controls.

The more entities have access to health data, the greater the potential for errors to be made that result in the data being exposed. As the Department of Health and Human Services’ Office for Civil Rights Breach portal clearly shows, HIPAA-covered entities and their business associates are not always as careful as they should be when storing and transmitting data, and even when they are, it is often not possible to prevent breaches. However, using blockchain for medical records could dramatically improve data security.

Blockchain, as the name suggests, is a chain of data blocks which contain details of transactions, each of which is encrypted to ensure privacy. Rather than store data in a single location, blockchain keeps data in an encrypted ledger, which is distributed across synchronized, replicated databases. Each block is linked to the previous block by a unique public key, with access to data carefully controlled.

As has been shown with the massive Anthem and Equifax data breaches, single entities cannot be trusted to hold vast quantities of data and keep it secure in a centralized system. Storing data in a decentralized system could be a viable alternative.

With blockchain, each data block in the chain can be encrypted using public key cryptography which can be unlocked with the use of a private key or password, which could be held by a patient.

If blockchain is used for health data, rather than multiple healthcare providers storing their own copies of a patient’s data, the patient would grant each provider access to their data and provide them with a key.

Without access to the key, the data stored in the blockchain would be inaccessible. It would not be possible to hack a single block of data, at least not without simultaneously hacking all the others in the chain’s chronology. It would also not be possible for changes to be made to the data blocks and for those changes to be hidden.

With a cryptocurrency such as Bitcoin, blockchain is used for transactions – the buying and selling of the currency. With health records, the transactions would be consultations with physicians, X-ray images or blood test results, prescriptions, or surgical procedures. Each time data is added, it would need to be validated by a trusted entity who has been given an access key. Once validated, it would be added as a block in the chain in chronological order, with the blockchain comprising a patient’s entire medical history.
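The chain described above, as an added example that is not part of the original article: a single patient's ledger in which the patient grants access keys, only a key holder can validate and append a transaction, every block carries the hash of the one before it in chronological order, and an altered block cannot be hidden even when the hashes after it are recomputed. The entity names, keys, timestamps and record entries are constructed; an HMAC stands in for the validator's signature, and the encryption of block contents the article mentions is left out to keep the integrity check in focus.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Block:
    """One validated health-record transaction (lab result, prescription, ...)."""
    index: int
    timestamp: str          # ISO 8601; the chain is kept in chronological order
    entry: Dict[str, str]
    validator: str          # entity the patient authorised to validate this entry
    prev_hash: str          # hash of the previous block: the link in the chain
    signature: str          # HMAC over the contents with the validator's access key
    block_hash: str = ""

    def content(self) -> bytes:
        """Canonical bytes covered by the signature and by the block hash."""
        payload = {"index": self.index, "timestamp": self.timestamp, "entry": self.entry,
                   "validator": self.validator, "prev_hash": self.prev_hash}
        return json.dumps(payload, sort_keys=True).encode()

    def compute_hash(self) -> str:
        return hashlib.sha256(self.content() + self.signature.encode()).hexdigest()


class PatientLedger:
    """A single patient's chain. The patient grants and revokes access keys."""

    def __init__(self, patient_id: str) -> None:
        self.patient_id = patient_id
        self.keys: Dict[str, bytes] = {}    # every key ever granted, kept for verification
        self.active: Set[str] = set()       # validators currently allowed to append
        genesis = Block(0, "1970-01-01T00:00:00Z", {"type": "genesis", "patient": patient_id},
                        "patient", "0" * 64, "")
        genesis.block_hash = genesis.compute_hash()
        self.chain: List[Block] = [genesis]

    def grant_access(self, validator: str, key: bytes) -> None:
        self.keys[validator] = key
        self.active.add(validator)

    def revoke_access(self, validator: str) -> None:
        # Blocks already signed with this key stay verifiable; no new blocks may be added.
        self.active.discard(validator)

    def add_entry(self, validator: str, key: bytes, timestamp: str, entry: Dict[str, str]) -> Block:
        granted = self.keys.get(validator)
        if validator not in self.active or granted is None or not hmac.compare_digest(granted, key):
            raise PermissionError(f"{validator} holds no valid access key for {self.patient_id}")
        prev = self.chain[-1]
        if timestamp < prev.timestamp:
            raise ValueError("entries must be appended in chronological order")
        block = Block(prev.index + 1, timestamp, entry, validator, prev.block_hash, "")
        block.signature = hmac.new(key, block.content(), hashlib.sha256).hexdigest()
        block.block_hash = block.compute_hash()
        self.chain.append(block)
        return block

    def verify(self) -> Tuple[bool, str]:
        """Walk the chain; report the first block whose hash, link or signature fails."""
        for i, block in enumerate(self.chain):
            if block.block_hash != block.compute_hash():
                return False, f"block {i}: stored hash does not match contents"
            if i == 0:
                continue
            if block.prev_hash != self.chain[i - 1].block_hash:
                return False, f"block {i}: link to block {i - 1} is broken"
            key = self.keys.get(block.validator)
            expected = hmac.new(key, block.content(), hashlib.sha256).hexdigest() if key else ""
            if not hmac.compare_digest(expected, block.signature):
                return False, f"block {i}: signature by {block.validator} does not verify"
        return True, "chain intact"


def rewrite_and_rehash(ledger: PatientLedger, index: int, entry: Dict[str, str]) -> Tuple[bool, str]:
    """Model someone who alters a block and recomputes every hash from there on."""
    ledger.chain[index].entry = entry
    for i in range(index, len(ledger.chain)):
        if i > index:
            ledger.chain[i].prev_hash = ledger.chain[i - 1].block_hash
        ledger.chain[i].block_hash = ledger.chain[i].compute_hash()
    return ledger.verify()      # the signature over the rewritten block still fails


if __name__ == "__main__":
    ledger = PatientLedger("patient-001")
    ledger.grant_access("clinic-a", b"constructed-key-a")
    ledger.add_entry("clinic-a", b"constructed-key-a", "2017-09-01T09:00:00Z",
                     {"type": "lab", "test": "HbA1c", "result": "6.1%"})
    ledger.add_entry("clinic-a", b"constructed-key-a", "2017-09-08T09:00:00Z",
                     {"type": "prescription", "drug": "metformin", "dose": "500 mg"})
    print(ledger.verify())
    print(rewrite_and_rehash(ledger, 1, {"type": "lab", "test": "HbA1c", "result": "5.0%"}))
```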

The use of blockchain for medical records could prove highly beneficial for providers and patients, not only for keeping medical records secure but also for pulling together fragmented medical records stored by multiple healthcare providers.

This would allow full medical records to be easily shared between providers. Medical records would not need to be transmitted electronically between providers; new providers would simply need to be told where to access the information and be given the access key.

Blockchain has potential to make it far easier for patients to access their healthcare records. Rather than submitting a request for copies of their health data with several different healthcare providers, one request could be submitted and their full healthcare record could be accessed. Currently, that process can be complicated, time-consuming, and potentially costly for the patient, since each provider is permitted under HIPAA to charge a fee for providing copies of data.

When data is provided through patient portals, the process of piecing together health records can be even more complicated, as is sharing the information. Blockchain could also help sort out the issues that exist with multiple patient identifiers.

Blockchain clearly works for financial transactions, but what about blockchain and medical records? Could it work in practice? Trials using blockchain and medical data have shown very promising results. One trial conducted by MIT Media Lab and Beth Israel Deaconess Medical Center has shown blockchain to work well for tracking test results, treatments, and prescriptions for inpatients and outpatients over 6 months. In that trial, data exchange between two institutions was simulated using two different databases at Beth Israel. Plans are now underway to expand the pilot.

There are still issues that must be resolved. Blockchain is not anonymous but pseudonymous. There is also the problem of how to make certain records private, such as psychotherapy notes, to prevent patients accessing that information.

It would also be necessary for blockchain to be extensively tested with health data and healthcare organizations would need to be convinced to adopt blockchain medical records systems. Encouragingly, earlier this year, IBM conducted a survey on 200 healthcare organizations. 16% said they expected to have a commercial blockchain solution in place this year.


OIG Discovers Multiple Security Vulnerabilities in Alabama’s Medicaid Management Information System

The HHS’ Office of Inspector General (OIG) has conducted a review of Alabama’s Medicaid data and information systems to ascertain whether the state was in compliance with federal regulations. The review covered the Medicaid Management Information System (MMIS) and associated policies and procedures. OIG also conducted a vulnerability scan on networked devices, databases, websites, and servers to identify vulnerabilities that could potentially be exploited to gain access to systems and sensitive data.

The audit revealed Alabama’s MMIS had multiple vulnerabilities that could potentially be exploited by hackers to gain access to its systems and Medicaid data.

Alabama had adopted a security program for its MMIS, although several vulnerabilities had been allowed to persist. OIG said in its report that the vulnerabilities were “collectively and, in some cases, individually significant.”

OIG did not uncover any evidence to suggest the vulnerabilities had already been exploited, although the vulnerabilities did place the integrity of the state Medicaid program at risk. By exploiting the vulnerabilities, unauthorized individuals could have gained access to the MMIS and viewed, altered, or stolen data. OIG concluded the state had not done enough to comply with federal regulations on data security.

Additionally, OIG auditors determined there was insufficient oversight of the state’s Medicaid fiscal agent, HP, to ensure that it had implemented appropriate security controls as was required by the terms of its contract.

Details of the vulnerabilities identified during the audit were not published, although Alabama was provided with a detailed report and was given several recommendations to improve data security. Alabama concurred with all the recommendations and has agreed to implement additional controls to better secure its information systems and Medicaid data and will address all of the identified vulnerabilities.

Alabama only objected to the title of the report – Alabama Did Not Adequately Secure Its Medicaid Data and Information Systems – commenting, “Alabama has always, and will continue to always, strive to secure its Medicare data and information systems.”

Since OIG identified multiple, significant vulnerabilities that could have led to the MMIS being compromised, the title of the report was not changed.


PhishMe Report Shows Organizations Are Struggling to Prevent Phishing Attacks

Organizations are struggling to prevent phishing attacks, according to a recently published survey by PhishMe.

The survey, conducted on 200 IT executives from a wide range of industries, revealed 90% of IT executives are most concerned about email-related threats, which is not surprising given the frequency and sophisticated nature of attacks. When attacks do occur, many organizations struggle to identify phishing emails promptly and are hampered by an inefficient phishing response.

When asked about how good their organization’s phishing response is, 43% of respondents rated it between totally ineffective and mediocre. Two thirds of respondents said they have had to deal with a security incident resulting from a deceptive email.

The survey highlighted several areas where organizations are struggling to prevent phishing attacks and respond quickly when phishing emails make it past their defenses.

PhishMe also notes that many first-line IT support staff have received insufficient training or lack the skills to identify phishing emails. Consequently, many fail to escalate threats or block access to malicious links through the firewall or web filter.

The biggest challenge was too many threats and too few responders, according to 50% of respondents. Approximately one third of respondents said they have to deal with more than 500 suspicious emails a week. 21% said they have more than 1,000 emails reported as suspicious each week.

Dealing with those emails and finding the real threats among the spam takes a considerable amount of time. When asked how the phishing response could be improved, number one on the wish list was a solution that could automatically analyze phishing emails to sort the real threats from spam.

Due to time pressures and a lack of human resources, potential phishing attacks are often not dealt with rapidly. Many organizations have an inefficient and ineffective phishing response which makes rapid mitigation difficult.

Part of the problem is how suspicious emails are reported. 55% of organizations have potentially suspicious emails routed to the helpdesk and do not have a dedicated inbox for phishing emails. Mixing reports of potential phishing attacks with other IT issues increases the probability of serious threats being overlooked and invariably leads to delays in implementing the phishing response.

The survey showed companies are heavily reliant on technology to prevent phishing attacks, although most have correctly chosen to implement layered defenses. That said, 42% of respondents said multiple layers of security solutions were a problem when managing phishing attempts.

The most common defense against phishing attacks is email gateway filtering, although 15% of organizations still do not use email filtering technology and 20% do not use an anti-malware solution. There are also clear gaps in employee training. 34% of organizations do not provide computer-based training for employees to improve awareness of phishing and teach employees how to identify phishing emails.

Technology can only go so far. Email gateway solutions are effective at blocking phishing threats, although they are not 100% effective. Malicious emails will make it past email filters so it is essential that staff are trained to identify threats.

PhishMe accepts there are limits to training. “Are all employees going to ‘get it’ every time? Probably not. But they don’t have to if the rest of the organization is ready to recognize and report suspicious emails. It only takes one to report it so the incident response team can substantially reduce the impact of phishing attacks.”


FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange

The U.S. Food and Drug Administration (FDA) has released final guidance on medical device interoperability, making several recommendations for smart, safe, and secure interactions between medical devices and health IT systems.

The FDA says, “Advancing the ability of medical devices to exchange and use information safely and effectively with other medical devices, as well as other technology, offers the potential to increase efficiency in patient care.”

Providers and patients are increasingly reliant on rapid and secure interactions between medical devices. All medical devices must therefore be able to reliably communicate information about patients to healthcare providers and work seamlessly together. For that to be the case, safe connectivity must be a central part of the design process. Manufacturers must also consider the users of the devices and clearly explain the functionality, interfaces, and correct usage of the devices.

The guidelines spell out what is required and should help manufacturers develop devices that can communicate efficiently, effectively, and securely; however, the guidelines are only recommendations and are not legally enforceable. It is down to each manufacturer to ensure the recommendations are incorporated into the design of the devices.

FDA Associate Director for Digital Health Bakul Patel explained in a recent blog post that the guidelines focus on three key areas: ensuring interoperability is at the core of the design of devices; that verification, validation, and risk management activities are performed; and that the functional, performance, and interface characteristics of the devices are clearly specified to ensure users.

In terms of interoperability, the guidelines say, “In designing a medical device’s electronic interface, manufacturers should consider the level of interoperability needed to achieve the purpose of the interface, as well as the information necessary to describe the interface.”

Manufacturers should “address the risks associated with the anticipated users of the device, reasonably foreseeable misuse of the device, and reasonably foreseeable combinations of events that could result in a hazardous situation.”

Devices must also be clearly labelled to advise users of the functional, performance and interface characteristics, including explicit warnings against foreseeable uses that could result in harm.

Patel explained that the FDA’s main concern is safety. “Errors and inadequate interoperability, such as differences in units of measure (e.g., pounds vs. kilograms) can occur in devices connected to a data exchange system. Our guidance recommends appropriate functional, performance, and interface requirements for devices with such interactions.”

Manufacturers should be transparent about the functions and characteristics of the devices and their interfaces to ensure that those using the devices together with other systems and devices can do so safely. If users are not told clearly how the devices function and interface, devices could malfunction, which would have an impact on patient safety. The guidelines say, “The manufacturer should determine the appropriate way to provide the information based upon the anticipated users and the risk analysis.”

Patel explained, “Our guidance is a good step towards safer devices, and we will continue to work with all stakeholders to adapt along with the technology.”

The final guidelines can be downloaded here.

Warning Issued About Vulnerabilities in Smiths Medical Medfusion 4000 Devices

The U.S. Department of Homeland Security (DHS) has issued a warning about vulnerabilities in Smiths Medical Medfusion 4000 wireless syringe infusion pumps. The vulnerabilities could potentially be exploited by hackers to alter the performance of the devices.

Smiths Medical Medfusion 4000 devices are used to deliver small doses of medication and are used throughout the United States and around the world in acute care settings. Eight vulnerabilities have been identified in three versions of the wireless syringe infusion pumps (v1.1, v1.5, and v1.6), with CVSS v3 scores ranging from 3.7 to 8.1. The vulnerabilities could be exploited remotely, potentially causing harm to patients. Hackers could also exploit the vulnerabilities to gain access to other healthcare IT systems if the devices are not segmented on the network.

DHS says the impact to organizations depends on several factors, based on specific clinical usage and hospitals’ operational environments. Six of the vulnerabilities relate to hard-coded passwords/credentials, certificate validation issues, and authentication gaps which could allow hackers to gain access to the devices. The other two vulnerabilities involve third-party components, although those vulnerabilities would be much harder to exploit.

Smiths Medical has reassured healthcare organizations that while the vulnerabilities could potentially be exploited, in a clinical setting this would be highly unlikely, explaining the exploit “requires a complex and an unlikely series of conditions.” Attackers would also require a high skill level to exploit the vulnerabilities in Smiths Medical Medfusion 4000 wireless syringe infusion pumps. ICS-CERT says there are no publicly known exploits targeting the vulnerabilities.

Smiths Medical has been working closely with DHS and will resolve the flaws, although the Plymouth, MN-based medical device manufacturer will not do so until the release of Medfusion 4000 v1.6.1 in January 2018.

In the meantime, healthcare organizations using vulnerable versions of the devices have been advised by Smiths Medical to take steps to reduce risk. Those steps include:

  • Assigning static IP addresses to the infusion pumps
  • Monitoring network activity for rogue DNS and DHCP servers
  • Ensuring network segments are in place and the devices are segregated from other parts of hospital networks; hospitals have been advised to consider network micro-segmentation
  • Using virtual local area networks (VLANs) for the segmentation
  • Adopting password best practices, such as setting strong passwords and not re-using passwords
  • Performing routine backups and evaluations.

ICS-CERT recommends disconnecting the devices from the network until the product fix is applied, although this would require the drug library to be updated manually on all devices.

ICS-CERT also recommends:

  • Closing Port 20/FTP, Port 21/FTP, and Port 23/Telnet if the devices need to be networked
  • Disabling the FTP server on the pumps
  • Closing all unused ports
  • Monitoring and logging all network traffic attempting to reach the affected products, including attempts on closed ports
  • Locating the devices behind firewalls
  • Using VPNs to connect to the devices if remote access is required, and ensuring the VPN software is kept at its latest version.
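The two mitigation lists above (static addresses, segmentation, closed FTP/Telnet ports, and logging of every attempt to reach the pumps) can be turned into a small detection check. This is an added example and not code from Smiths Medical, DHS or ICS-CERT: it reads iptables-style firewall log lines, keeps only traffic aimed at the pumps' static addresses, and flags attempts on ports 20, 21 and 23, access from outside the clinical segment, and attempts on any other closed port. The pump addresses, the clinical VLAN, the single allowed application port and the log lines are all constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed values: static addresses assigned to the pumps, the clinical VLAN that holds
# them, and the one application port the pumps are assumed to need. Adjust to your network.
PUMP_ADDRESSES = {"10.50.2.21", "10.50.2.22"}
CLINICAL_VLAN = ipaddress.ip_network("10.50.0.0/16")
ALLOWED_PORTS = {443}            # assumed pump application port; everything else is "closed"
BLOCKED_PORTS = {20: "FTP data", 21: "FTP control", 23: "Telnet"}  # from the ICS-CERT list

# Fields of an iptables-style kernel log line (the sample lines below are constructed).
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


@dataclass
class Alert:
    line_no: int
    severity: str
    src: str
    dst: str
    dport: Optional[int]
    reason: str


def classify(line_no: int, line: str) -> Optional[Alert]:
    """Return an Alert for traffic aimed at a pump that the advisory says should not occur."""
    m = LOG_RE.search(line)
    if m is None or m.group("dst") not in PUMP_ADDRESSES:
        return None                      # unparseable, or not aimed at an infusion pump
    src, dst, proto = m.group("src"), m.group("dst"), m.group("proto")
    dport = int(m.group("dpt")) if m.group("dpt") else None
    if dport in BLOCKED_PORTS:
        return Alert(line_no, "high", src, dst, dport,
                     f"{BLOCKED_PORTS[dport]} attempt against pump; service should be disabled")
    if ipaddress.ip_address(src) not in CLINICAL_VLAN:
        return Alert(line_no, "high", src, dst, dport,
                     "pump reached from outside the clinical VLAN; segmentation gap")
    if dport is None:
        return Alert(line_no, "low", src, dst, None, f"non-TCP/UDP ({proto}) traffic to pump")
    if dport not in ALLOWED_PORTS:
        return Alert(line_no, "medium", src, dst, dport, "attempt on a closed port")
    return None


def scan_log(lines: List[str]) -> List[Alert]:
    """Run classify() over every line and keep the alerts, in log order."""
    alerts = []
    for line_no, line in enumerate(lines, 1):
        alert = classify(line_no, line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: one benign line, three the advisory's controls should surface,
# and one aimed at a host that is not a pump.
SAMPLE_LOG = [
    "Sep 10 12:00:01 fw kernel: IN=eth1 OUT=eth2 SRC=10.50.1.5 DST=10.50.2.21 LEN=60 "
    "PROTO=TCP SPT=51234 DPT=443 SYN",
    "Sep 10 12:00:02 fw kernel: IN=eth1 OUT=eth2 SRC=10.50.1.5 DST=10.50.2.21 LEN=60 "
    "PROTO=TCP SPT=51235 DPT=23 SYN",
    "Sep 10 12:00:03 fw kernel: IN=eth0 OUT=eth2 SRC=10.20.7.9 DST=10.50.2.22 LEN=60 "
    "PROTO=TCP SPT=40001 DPT=443 SYN",
    "Sep 10 12:00:04 fw kernel: IN=eth1 OUT=eth2 SRC=10.50.1.5 DST=10.50.2.21 LEN=60 "
    "PROTO=TCP SPT=51236 DPT=8080 SYN",
    "Sep 10 12:00:05 fw kernel: IN=eth1 OUT=eth2 SRC=10.50.1.5 DST=10.50.1.50 LEN=60 "
    "PROTO=TCP SPT=51237 DPT=21 SYN",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"line {a.line_no} [{a.severity}] {a.src} -> {a.dst}:{a.dport} {a.reason}")
```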


NCCoE/NIST Release Draft Guidelines for Ransomware Recovery

Draft guidelines for ransomware recovery have been issued by the National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST). The guidelines – NIST Special Publication 1800-11 – apply to all forms of data integrity attacks.

SP 1800-11 is a detailed, standards-based guide that can be used by organizations of all sizes to develop recovery strategies to deal with data integrity attacks and establish best practices to minimize the damage caused and ensure a speedy recovery.

NIST says, “When data integrity events occur, organizations must be able to recover quickly from the events and trust that the recovered data is accurate, complete, and free of malware.”

NCCoE/NIST collaborated with cybersecurity vendors (GreenTec, HP, IBM, Tripwire, the MITRE Corporation and Veeam) to develop the guidelines, which will help organizations prepare for the worst and develop an effective strategy to recover from a cybersecurity event such as a ransomware attack. By adopting the best practices detailed in the guidelines, the recovery process should be smoother, critical business and revenue generating operations can be maintained, and enterprise risk can be effectively managed.

The NIST guidelines for ransomware recovery will help organizations prepare for an attack and develop strategies to allow them to restore data to the last known good configuration, identify the correct backup copies to use, and determine whether data have been altered or poisoned.

In the event of data alteration, organizations are shown how to identify the individual(s) who have altered data and determine the impact of data alteration on business processes. The guidelines also explain how businesses can ensure systems are free from malware during the recovery process.

The guidelines are split into three volumes: Volume A is an executive summary which is of particular relevance for business decision makers including CSOs and CISOs; Volume B outlines the approach, architecture, and security characteristics, which will help technology and security program managers identify, understand, assess, and mitigate risk; Volume C includes how-to guides, including specific product installation, configuration, and integration instructions for a selection of software solutions and tools that can be used to help organizations recover from data integrity attacks.

The draft guidelines for ransomware recovery are open for comments and can be downloaded at this link.


FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers

The U.S. Food and Drug Administration (FDA) is recommending all patients with vulnerable St. Jude Medical implantable cardiac pacemakers visit their providers to have the firmware on their devices updated. The update will make the devices more resilient to cyberattacks.

Last year, MedSec Holdings passed on the findings of a study of cybersecurity vulnerabilities in St. Jude Medical devices to the short-selling firm Muddy Waters Capital. The report identified a number of vulnerabilities that could be exploited to alter the functioning of the devices and drain batteries prematurely.

While St. Jude Medical initially denied the vulnerabilities existed, the FDA investigated the claims and confirmed that remotely exploitable vulnerabilities were present in certain St. Jude Medical Products.

Now, a year after the vulnerabilities were disclosed, the FDA has announced a voluntary recall of the devices to update the firmware to prevent the devices from being hacked via radio frequency communications.

There are between 450,000 and 500,000 vulnerable devices currently in use in the United States and a recall of this scale will almost certainly cause problems for healthcare providers. The FDA and Abbott Laboratories, which acquired St. Jude Medical last year, have suggested patients have the firmware upgrade applied at their next scheduled visit to their healthcare provider rather than make a separate visit.

The recall does not apply to implantable cardiac defibrillators or cardiac resynchronization ICDs, only to the following St. Jude Medical pacemakers:

  • Accent SR RF™
  • Accent MRI™
  • Assurity™
  • Assurity MRI™
  • Accent DR RF™
  • Anthem RF™
  • Allure RF™
  • Allure Quadra RF™
  • Quadra Allure MP RF™

The update will require any device attempting to communicate with the implanted pacemaker to be authenticated via the Merlin Programmer and Merlin@home Transmitter. All Abbott Laboratories devices manufactured after August 28, 2017 will include the updated firmware. The firmware update was released on August 29.

The FDA has not recommended devices be removed and replaced as the firmware update will make the devices secure. The update is a quick and simple process that takes just three minutes, although patients will be required to visit their providers to have the update applied. The update cannot be issued remotely as there is “a low risk [<0.023%] of update malfunction”. During the update, the device will continue to function in backup mode and life-saving functionality will be maintained. The devices will return to normal settings after the update has been applied.

It has been more than a year since the report of the vulnerabilities was published, although during that time there have been no reported attacks or harm caused to patients. The Department of Homeland Security says exploiting the vulnerabilities would require “a highly complex set of circumstances.”

“All industries need to be constantly vigilant against unauthorized access,” said Robert Ford, executive vice president, Medical Devices at Abbott Laboratories. He explained, “[cybersecurity] isn’t a static process, which is why we’re working with others in the healthcare sector to ensure we’re proactively addressing common topics to further advance the security of devices and systems.”
