Healthcare Cybersecurity

HC3 Warns of DNS NXDOMAIN DDoS Attacks on the Healthcare Sector

The Health Sector Cybersecurity Coordination Center (HC3) has issued a warning about a threat actor that is conducting targeted distributed denial of service (DDoS) attacks on the U.S. healthcare sector. The attacks involve flooding networks and servers with bogus Domain Name System (DNS) requests for non-existent domains (NXDOMAINs), which overloads DNS servers and prevents legitimate DNS requests from being answered. These attacks have been conducted since at least November 2022.

DNS servers are used to locate web resources and identify the IP addresses of the requested resources so that a connection can be made. When a DNS Proxy Server receives a request, it contacts the DNS Authoritative Server, and if the IP address of that resource is identified, it is relayed back to the client, allowing the connection to be made. In a DNS NXDOMAIN flood DDoS attack, the DNS Proxy Server is flooded with requests for non-existent domains; its resources are consumed forwarding those NXDOMAIN requests to the DNS Authoritative Server, and the DNS Authoritative Server in turn spends its resources answering them.

These requests are usually sent to the DNS Proxy server by a botnet – an army of malware-infected devices under the control of the attacker. Depending on the scale of the attack, legitimate DNS requests will be slowed down or may even be completely prevented, thus stopping legitimate users from accessing a website or web application.

These attacks tend to be relatively short-lived, lasting several hours to a few days. During an attack on a healthcare provider’s domain, patients may be prevented from accessing appointment scheduling applications and patient portals, and a healthcare provider’s website may be rendered inaccessible. Staff may also be prevented from accessing web applications.

These attacks are typified by large amounts of DNS queries for non-existent hostnames under legitimate domains, UDP packets encapsulated in IPv4 and IPv6, widely distributed source IPs, potentially spoofed source IPs, and DNS servers generating lots of NXDOMAIN errors.

Blocking these attacks is difficult, as the devices that are part of the botnet are often widely distributed and the botnet may consist of several thousand devices. While it may not be possible to block an attack in progress, there are mitigations that can limit the impact of these attacks. These include blackhole routing/filtering out suspected domains and servers, implementing DNS Response Rate Limiting, blocking further requests from the client’s IP address for a limited period, ensuring cache refresh takes place, reducing the timeout for recursive name lookups to free up resources in the DNS resolver, increasing the time-to-live (TTL) on existing records, and applying rate limiting on traffic to overwhelmed servers.

While HC3 did not confirm the source of these attacks, the healthcare sector is being targeted by the hacktivist group Killnet in response to U.S. Congress’ support for Ukraine. Killnet has been active since at least January 2022, and has stepped up its attacks on the U.S. healthcare sector in recent months.

The post HC3 Warns of DNS NXDOMAIN DDoS Attacks on the Healthcare Sector appeared first on HIPAA Journal.

Security Teams Pressured into Keeping Quiet About Security Breaches

Ransomware and phishing attacks on organizations have increased over the past 12 months as have the costs associated with the attacks. In 2022, the average cost of a data breach increased to $4.35 million and $10.1 million for healthcare data breaches (IBM Security).

Due to the high costs and reputational damage caused by data breaches, cybersecurity teams are being pressured into keeping cyberattacks and data breaches quiet, even though there are often legal requirements for reporting data breaches. The recently published Bitdefender 2023 Cybersecurity Assessment has revealed the extent to which cybersecurity teams are being pressured into staying silent about data breaches. In the United States, 74.7% of respondents said they had experienced a data breach or data leak in the past 12 months and 70.7% of those respondents said they had been told to keep a security breach confidential when it should have been reported. 54.7% of respondents said they did keep a security breach confidential when they knew it should be reported.

Bitdefender’s survey suggests healthcare organizations are failing to report data breaches. 28.6% of healthcare respondents said they were told not to report a security incident that should have been reported and did not report the breach. In the United States, 78.7% of respondents said they are worried that their company will face legal action due to the incorrect handling of a security breach.

Bitdefender also asked IT professionals about the biggest threats that they now face. In the United States, the biggest perceived threats were software vulnerabilities/zero days (80%), supply chain attacks (73.3%), phishing/social engineering (58.7%), insider threats (50.7%), and ransomware (45.3%), with the human factor the biggest concern for business leaders. The biggest security challenges faced by U.S. organizations were extending security capabilities across multiple environments (49.3%), complexity (49.3%), incompatibility with other security solutions (32.1%), and reporting capabilities (40%).

Respondents were also asked about the biggest security myths that they would love to see busted. The biggest bugbear was that the organization is not a target for cybercriminals (42.7%), closely followed by using non-corporate approved apps is not a big deal (40%), that security is the sole responsibility of the IT department (36%), and emails that are delivered to inboxes are always safe to click/open (36%).

Given the increase in cyberattacks on U.S. organizations, it is reassuring that 78.7% of respondents said they are planning to increase their security budgets. 49.3% of respondents said they were planning to cut back on new cybersecurity tech purchases and 38.7% said they were cutting back on new cybersecurity hires, as organizations look to security vendors to provide assistance. 95% of respondents said they are planning on increasing the number of security vendors, and 90% said they are looking for holistic, all-in-one security solutions to ease the burden and avoid compatibility issues.

The survey for the report was conducted by Censuswide on 400 IT professionals from junior IT managers to CISOs, in organizations with 1000+ employees in the USA, UK, Germany, France, Italy, and Spain.

The post Security Teams Pressured into Keeping Quiet About Security Breaches appeared first on HIPAA Journal.

94% of Organizations Experienced a Cyberattack in 2022

Almost all organizations experienced at least one cyberattack in the past 12 months, according to new research published by Sophos in its State of Cybersecurity 2023 Report. The findings come from an independent study of 3,000 leaders with responsibility for cybersecurity across 14 countries, including the United States. 94% of respondents said they had to deal with at least one cyberattack on their organization in the past 12 months.

Malicious actors are increasingly using automation and cybercrime-as-a-service offerings to conduct sophisticated cyberattacks at scale, and network defenders are finding it increasingly difficult to defend against these threats. The problem has been compounded by a shortage of expertise due to the global lack of cybersecurity professionals.

The extent to which IT teams are having to investigate and respond to potential intrusions is limiting their ability to complete other IT projects and dedicate time to strategic projects, and IT teams are overworked and overwhelmed. The survey confirmed that IT teams feel they are constantly on the back foot and that they are unable to get ahead and proactively improve their defenses and reduce their workload. It is no surprise that 93% of respondents admitted that executing essential security operations was challenging.

The workload of security teams has become so great that there is simply not enough time to investigate all security alerts. 93% of respondents admitted that they investigate fewer than half of the security alerts generated about potential malicious activity, and 71% of organizations said they struggle to identify and prioritize the alerts and events to investigate. The time that must be devoted to investigating high-priority security alerts is considerable, with the full detection, investigation, and response process typically taking 9 hours for organizations with up to 3,000 employees and up to 15 hours for larger organizations. More than half of surveyed IT professionals think cyberthreats are now so sophisticated that they are unable to deal with the threats on their own, with 64% of small businesses feeling that way. Data exfiltration, phishing, ransomware, extortion, and DDoS attacks were the biggest security concerns for 2023, with the biggest security risk perceived to be security tool misconfiguration.

It can be a struggle to get one step ahead of malicious actors, but the researchers suggest this is possible with a comprehensive but straightforward approach that is focused on optimizing prevention, reducing exposure, and disrupting adversaries to buy defenders time to respond. Sophos recommends creating a scalable incident response process, minimizing the attack surface as far as possible, improving prioritization of the alerts that need to be investigated, and using specialist services to optimize the response time. The researchers recommend implementing adaptive defenses that are able to slow down adversaries to give network defenders time to respond. The last step is to “set up a virtuous cycle that combines technology and human expertise to turbo-charge defenses, enabling an increase in speed, efficacy, and impact. Together they accelerate the defender flywheel, enabling them to pull ahead.”

The post 94% of Organizations Experienced a Cyberattack in 2022 appeared first on HIPAA Journal.

Hackers Increasingly Targeting Cloud Apps for Distributing Malware

Hackers are increasingly using cloud apps for malware delivery, according to the latest Netskope Threat Labs Report. Historically, malicious actors have relied on email and malicious URLs for malware delivery, and security solutions have been developed to protect against these attack vectors: secure email gateways can detect and block malicious email attachments, and URL filtering blocks access to malicious websites. As defenses against these vectors have improved, threat actors have had to look for alternative ways to deliver their malicious payloads, and many are now taking advantage of the increasing popularity of enterprise cloud apps.

As is the case with other industries, cloud apps have proven popular in healthcare for improving productivity and supporting a remote workforce. The average enterprise healthcare user interacts with 22 cloud apps a month, with 94% of enterprise healthcare users downloading data from cloud apps each month. The most popular cloud apps in healthcare are OneDrive, Microsoft Teams, SharePoint, and Google Drive, with OneDrive used by 36% of enterprise healthcare users each day.

These cloud apps are being increasingly used by malicious actors for malware delivery, according to Netskope. Cloud apps were leveraged in 38% of malware infections in March 2022, and 42% of malware infections in February 2023. By utilizing cloud apps for malware delivery, malicious actors are able to bypass standard security solutions such as spam and URL filters, which do not inspect cloud traffic.

OneDrive is the most popular cloud app in healthcare, and it is the one that is most frequently abused by malicious actors for malware delivery, followed by the free web hosting service, Weebly, and the cloud-based content management, file sharing, and collaboration app, Box. Malware infections through Box were 6.6% higher in healthcare than in other industries and accounted for 12% of malware infections.

The malware most commonly delivered through web apps over the past 12 months has been Trojans, which provide threat actors with an initial foothold in a network. Trojans are delivered by initial access brokers, who sell that access to other cybercriminal groups or use the foothold to deliver other malware or legitimate tools that allow them to move laterally and achieve a much more extensive compromise. Downloaders are also commonly distributed via cloud apps, followed by file-based exploits that target known, unpatched vulnerabilities, information stealers, and backdoors.

As cloud apps become more popular and data uploads and downloads from cloud apps increase, abuse of these apps is only likely to increase and they are a potential weak point in security. It is important to inspect all HTTP and HTTPS downloads, including those from cloud apps, and to subject all risky file types – such as executable files – to static and dynamic analysis before they are downloaded. Consider restricting access to or blocking downloads from cloud apps that you do not specifically authorize for use, and block uploads to those apps to limit the potential for data exposure. Netskope also recommends implementing an intrusion prevention system that is capable of identifying and blocking malicious traffic patterns.

The post Hackers Increasingly Targeting Cloud Apps for Distributing Malware appeared first on HIPAA Journal.

KillNet Hacktivist Group Continues to Target U.S. Healthcare Organizations

The pro-Russian hacktivist group KillNet has continued with its attacks on healthcare organizations in the United States in retaliation for U.S. Congress’s support for Ukraine, and on January 28, 2023, the group launched its biggest wave of Distributed Denial of Service (DDoS) attacks to date – a coordinated attack on more than 90 healthcare organizations in 48 U.S. states. 55% of the targets were healthcare systems with at least one hospital and lone hospitals with Level I trauma centers.

The increase in activity has prompted the Health Sector Cybersecurity Coordination Center (HC3) to issue a new Analyst Note about the group, which describes its latest activities, the tactics, techniques, and procedures observed in the recent attacks on the healthcare and public health (HPH) sector, and provides recommended mitigations to defend against and reduce the severity of the group’s attacks.

The group has been active since at least January 2022 and has been actively targeting countries that have pledged support for Ukraine following the Russian invasion, especially NATO countries. In December 2022, KillNet embarked upon a campaign of DDoS attacks on organizations in the HPH sector. The group conducts DDoS attacks that last several hours to a few days, causing service outages. While these attacks do not typically cause any major damage, the systems they target suffer outages that threaten critical day-to-day operations at HPH organizations.

While the DDoS attacks appear to have slowed in March, further attacks can be expected. Microsoft has also reported that the group has been targeting healthcare applications on Azure infrastructure for the past 3 months. 31% of the attacks were on pharmaceutical and life sciences firms, 26% on hospitals, 16% on health insurance providers, and 16% on health services and care. While DDoS attacks in 2022 mostly involved Transmission Control Protocol (TCP) as the main attack vector, 53% of the attacks on healthcare were User Datagram Protocol (UDP) floods, and 44% involved TCP.

The group recruits affiliates to assist with the attacks and sends open invitations to the cybercriminal community to help the group achieve its aims, and KillNet has attracted considerable support and respect from the cybercriminal community. While the group does not appear to have engaged in significant data theft to date, KillMilk, the founder and leader of the group, claimed to have stolen the credit card details of 2.5 million Americans and threatened to sell the data. In a recent post, KillMilk claims to have left KillNet to set up a new group called Black Skills, which is allegedly a highly organized military hacking company. The new KillNet leader operates under the name Blackside, and claims to have experience in ransomware, phishing, and crypto theft attacks.

It is currently unclear whether the restructuring will bring a change in tactics, but what is clear is that the group plans to continue its hacktivist campaigns in countries it considers anti-Russia or pro-Ukraine, and the group is still considered to pose a significant threat to the HPH sector.

The post KillNet Hacktivist Group Continues to Target U.S. Healthcare Organizations appeared first on HIPAA Journal.

Healthcare CISOs Undervalue Dark Web Intelligence

The dark web is extensively utilized by cybercriminals and is therefore a rich source of information that organizations can leverage to improve their cyber defenses. Cybercriminals use the dark web to buy and sell malware, leak sensitive data, and share vulnerabilities and the tactics, techniques, and procedures used in cyberattacks. Utilizing that data can help organizations understand which threat actors are targeting them and how attacks are likely to occur.

Dark web intelligence is used by organizations in many industries, but the healthcare industry lags behind other sectors in the use of dark web intelligence. According to a recent survey conducted for Searchlight Cyber, 80% of large enterprises across all industry sectors utilize dark web intelligence as part of their security strategy, with the finance sector leading in the adoption of dark web intelligence with 85% of financial organizations gathering data from the dark web.

Yet only 57% of healthcare organizations use dark web intelligence to learn about their adversaries and improve their defenses against cyberattacks. It is therefore no surprise that just 60% of healthcare CISOs said they were confident about understanding the profile of their adversaries. CISOs in the oil and gas industry were also less likely than average to use dark web intelligence, and they also were not confident that they could understand the profiles of their adversaries. Searchlight Cyber says there is a direct correlation between gathering more dark web intelligence and a stronger security posture, as using dark web data allows organizations to gain a better understanding of the adversaries that are targeting their organization and their industry and also increases the chances of spotting an attack.

“There are a number of possible explanations as to why oil and gas companies and healthcare organizations are behind in the adoption of pre-attack intelligence,” said Ben Jones, CEO and co-founder of Searchlight Cyber. “Both of these industries have large, complex, and legacy infrastructure, which means they may be prioritizing other security challenges such as vulnerability patching. It is also likely that, unlike enterprises in the finance sector, health and energy organizations may not have historically considered themselves the primary target for financially-motivated cyberattacks emanating from the dark web.”

The survey was conducted on 1,008 Chief Information Security Officers (CISOs) at large enterprises ($200 million+ revenues and 2,000+ employees) between November 2022 and January 2023. The survey found that almost all CISOs – 93% – are concerned about dark web threats, and 72% of surveyed CISOs said they think dark web intelligence is critical to defending their organization. CISOs in healthcare were much less likely to appreciate the importance of understanding dark web threats than other industries. The survey revealed only 50% of healthcare CISOs believe criminal activity on the dark web had an impact on their company, compared to the average of 64%, and only 53% of healthcare CISOs believe intelligence on cybercriminals is critical to defending their organization.

“As recent incidents have shown us, [hackers] are increasingly targeting enterprises in industries such as healthcare, oil and gas, and manufacturing to leverage the critical nature of these companies, and extort ransoms. This makes it an imperative for these organizations to begin monitoring the dark web, to spot the early warning signs of attack, and improve their security posture based on a better understanding of their adversaries.”

While the value of dark web intelligence is generally appreciated, Searchlight Cyber believes dark web data is being underutilized. While 71% of respondents said they would like to see whether their suppliers are being targeted on the dark web, only 32% of those CISOs are gathering dark web data to monitor attacks against their supply chain. Only 50% of healthcare CISOs said they were interested in seeing if their suppliers are being targeted on the dark web, which suggests there is a lack of understanding about where cyberattacks against their enterprises are originating.

Jim Simpson, Director of Threat Intelligence at Searchlight Cyber, said most sources of threat intelligence tell organizations where attacks have happened in the past, but dark web intelligence provides clues as to what is most likely to happen next and provides visibility into cybercriminal reconnaissance which gives organizations the best chance of spotting attacks before they hit the network.

The post Healthcare CISOs Undervalue Dark Web Intelligence appeared first on HIPAA Journal.

Microsoft Will Block Dangerous File Types in OneNote Documents

Last year, Microsoft started blocking macros by default in Office files delivered via the Internet to make it harder for malicious actors to use macros for delivering malware. In response, threat actors have been looking for alternative methods for malware delivery, such as OneNote files.

OneNote is a digital note-taking application that is part of the Microsoft Office suite and it has been proving popular for malware distribution because executable files can be embedded in OneNote documents. These files are usually hidden behind design elements in the documents, such as buttons instructing users to click to view the content. The user is informed that they need to double-click the button, but doing so executes the hidden embedded executable file behind the button. If executed, the hidden executable file downloads a malicious payload from a remote server. In recent weeks, several campaigns have been detected that use OneNote attachments for distributing malware, including AsyncRat, Emotet, and QBot.

In response to the increasing misuse of OneNote files in phishing campaigns, Microsoft announced last month that it would be augmenting security for OneNote. OneNote currently generates a warning that opening attachments in OneNote files is potentially dangerous; however, these dialog boxes can be closed, allowing the embedded attachments to be opened.

This month Microsoft provided further details of the security update and confirmed that users will no longer be able to close the dialog box and open the embedded files. When the update is applied, 120 dangerous file types will be blocked in OneNote. The blocked file types will be the same as those that are currently blocked by Word, Excel, PowerPoint, and Outlook. If a user attempts to open one of these dangerous file types, a dialog window will be generated that warns the user that “Your administrator has blocked your ability to open this file type in OneNote.”

Dangerous file types will be blocked in OneNote documents from April 2023.

Microsoft will be rolling out the security updates later this month starting with OneNote Version 2304, which will protect users of OneNote for Microsoft 365 on Windows devices. The update will also be applied to the retail versions of Office 2021, Office 2019, and Office 2016 (Current Channel), followed by Version 2304 for the Enterprise Channel in June 2023. The update will be applied to Version 2308 for the Semi-Annual Enterprise Channel (Preview) in September 2023, and the Semi-Annual Enterprise Channel in January 2024. Microsoft said the update will not affect OneNote on the web, OneNote for Windows 10, OneNote for MacOS, or OneNote for Android or iOS devices.

The post Microsoft Will Block Dangerous File Types in OneNote Documents appeared first on HIPAA Journal.

Health-ISAC Report Explores Current and Emerging Cyber Threats to the Healthcare Sector

Ransomware and phishing continue to be the biggest cybersecurity concerns for healthcare organizations according to the February 2023 Current and Emerging Healthcare Cyber Threat Landscape report from Health-ISAC. The report, a collaboration between Health-ISAC and Booz Allen Hamilton Cyber Threat Intelligence (CTI), identified the key threats to the healthcare sector and is based on responses to a November 2022 survey of executives across Health-ISAC, CHIME, and the Health Sector Coordinating Council.

Biggest Cybersecurity Concerns in Healthcare

Survey participants were asked to rank the biggest cybersecurity concerns for their organizations retroactively for 2022 and looking forward for the remainder of the year. Ransomware was the biggest concern for 2022 and 2023 with phishing and spear phishing in second. Third-party/partner breaches, data breaches, and social engineering rounded out the top 5, with social engineering now replacing insider threats as the 5th biggest concern, compared to 2022 when the report was last published.

Ransomware is expected to be the biggest threat for years to come, as while more is now being done to disrupt ransomware gangs and bring threat actors to justice, the returns for cybercriminal gangs from conducting attacks far outweigh the costs. Attacks will continue to be conducted for as long as they are profitable, although with fewer victims paying ransoms cybercriminal groups are starting to diversify their income streams. Phishing is also likely to continue to be a major threat for years due to the low cost and effectiveness of these attacks for gaining initial access to healthcare networks.

Medical device cybersecurity is of significant concern as the number of devices used by hospitals continues to increase. Medical devices often have multiple vulnerabilities and run on outdated operating systems and provide an easy access point into healthcare networks. Healthcare organizations with a higher percentage of connected medical devices experience more cyberattacks and are more likely to experience multiple attacks. Healthcare organizations need to improve medical device security and the best place to start is by ensuring risk assessments are regularly conducted, patches and updates are applied promptly, and devices with weak or default credentials are identified and updated.

The report draws attention to threats related to geopolitical activity such as the Russia-Ukraine war, which has seen increasing numbers of cyberattacks on organizations with links to Ukraine. In addition to attacks on the Ukrainian government, Russian hackers have been targeting companies that are perceived to be supporting Ukraine or conducting business in the country, and even companies that have withdrawn operations from Russia. Chinese hackers are conducting attacks on behalf of the Communist Party of China (CPC) to obtain intellectual property aligned with China’s 5-Year Plan, and North Korean hackers have been targeting U.S. healthcare organizations for financial gain – through ransomware attacks – and for espionage purposes.

Emerging Threats to the Healthcare Sector

The report highlights two emerging risks that are expected to plague the healthcare industry in 2023 and beyond – product abuse and synthetic accounts. Internet-facing products such as web login portals and APIs are easy targets for threat actors using compromised credentials, and billions of credentials that have been captured through malware, phishing, and data breaches are freely available on criminal forums. These credentials are being used to gain access to healthcare networks for ransomware attacks and obtain patient data for financial gain.

Synthetic accounts have been a problem in several sectors for many years but there is growing evidence that synthetic accounts are being used for healthcare fraud. Synthetic accounts can be created using the huge amount of PII available on dark web forums and are typically strengthened over months or years to increase the success rate of attacks. These accounts are used to fraudulently obtain loans and make large purchases but are also being used for paying for medical billing and other health-related activity. Cybercriminals are creating fake medical providers and other business accounts to bill insurers and the government for services that are never received and this form of fraud is likely to increase throughout 2023.

“Customer-facing products are routinely targeted by attacks designed to extract data with crimeware that threat actors have customized to look and feel like a legitimate customer—whether a consumer, industry practitioner, or third party,” said Health-ISAC in the report. “Preparing for these attacks requires properly aligned controls at the network, application, authentication, and risk layers to protect organizational data and reduce the risk of credential stuffing, account takeovers, carding attacks, and unhealthy account creation.”
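The product-abuse risk described above, compromised credentials replayed against a login portal or API, and the account takeover that follows when one of them works, leaves a recognizable pattern in authentication logs: one source failing against many different usernames in a short window, as opposed to one username being hammered with many passwords. The following Python is an added example of that detection logic; it is not code from Health-ISAC or Booz Allen Hamilton. The log format (`<epoch_seconds> <src_ip> <username> <SUCCESS|FAIL>`), the sample log, the window and threshold values, and all function names are constructed for the illustration.

```python
"""Flag credential stuffing and the resulting account takeover in auth logs.
Added example; the log format, thresholds and sample data are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int       # epoch seconds
    src_ip: str   # client address the login attempt came from
    user: str     # username attempted
    ok: bool      # True on SUCCESS, False on FAIL


def parse_auth_line(line: str) -> AuthEvent:
    """Parse one line of the constructed '<ts> <ip> <user> <SUCCESS|FAIL>' format."""
    ts, ip, user, outcome = line.split()
    return AuthEvent(int(ts), ip, user, outcome == "SUCCESS")


def build_sample_auth_log() -> list[str]:
    """Constructed sample covering a normal login, stuffing, and brute force."""
    lines = ["1700000000 10.1.1.20 jdoe FAIL", "1700000005 10.1.1.20 jdoe SUCCESS"]
    # Credential stuffing: one source tries 30 different usernames in about a
    # minute, each with a leaked password; the 28th pair happens to be valid.
    for i in range(30):
        outcome = "SUCCESS" if i == 27 else "FAIL"
        lines.append(f"{1700000010 + 2 * i} 203.0.113.44 user{i:03d} {outcome}")
    # Brute force against a single account: many failures, one username.
    # A different pattern, deliberately NOT flagged by this stuffing rule.
    for i in range(12):
        lines.append(f"{1700000100 + i} 192.0.2.9 admin FAIL")
    return lines


def detect_credential_stuffing(lines: list[str], window_s: int = 300,
                               min_distinct_users: int = 10) -> list[tuple]:
    """Return alerts as tuples.

    ('stuffing', ip, ts, n)    : ip has failed against n distinct users within window_s
    ('takeover', ip, ts, user) : a success from an ip already showing the stuffing pattern
    """
    events = sorted(map(parse_auth_line, lines), key=lambda e: e.ts)
    recent: dict[str, deque] = defaultdict(deque)   # ip -> (ts, user) failures in window
    alerts: list[tuple] = []
    for e in events:
        q = recent[e.src_ip]
        while q and e.ts - q[0][0] > window_s:       # expire failures older than the window
            q.popleft()
        distinct_before = {u for _, u in q}
        if not e.ok:
            q.append((e.ts, e.user))
            distinct = distinct_before | {e.user}
            # Fire once, at the moment the distinct-user count crosses the threshold.
            if len(distinct) == min_distinct_users and len(distinct_before) < min_distinct_users:
                alerts.append(("stuffing", e.src_ip, e.ts, len(distinct)))
        elif len(distinct_before) >= min_distinct_users:
            # A success from a source that has been spraying many usernames
            # is the account-takeover signal worth paging on.
            alerts.append(("takeover", e.src_ip, e.ts, e.user))
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(build_sample_auth_log()):
        print(alert)
```

The rule keys on the number of distinct usernames per source, which is what separates stuffing from a single-account brute force; the brute-force source in the sample never trips it. In practice the same logic runs per source network or per ASN as well as per IP, since stuffing tools rotate addresses, and the takeover alert is the one to wire to an automatic session revocation or forced re-authentication of the affected account.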

Health-ISAC members can download the TLP: Green report for more detailed information and a TLP: White summary has also been released, both of which can be downloaded on this link.

The post Health-ISAC Report Explores Current and Emerging Cyber Threats to the Healthcare Sector appeared first on HIPAA Journal.

FDA Cybersecurity Requirements for Medical Devices Now in Effect

Ensuring medical devices are cybersecure is one of the biggest security challenges in healthcare. Medical devices often have unpatched vulnerabilities, run on outdated software that has reached end-of-life, and lack appropriate security features. As such, they are a security weak point that can be exploited by malicious actors to gain access to healthcare networks and sensitive patient data.

According to the FBI, more than half of all medical devices used by hospitals have critical vulnerabilities that have not been addressed and, on average, medical devices have more than 6 vulnerabilities that could potentially be exploited by malicious actors. More than 40% of medical devices are at end-of-life and have little to no opportunities for security patches or upgrades.

Steps are being taken to improve the cybersecurity of medical devices. Device manufacturers will soon be required to incorporate adequate cybersecurity measures and will need to develop and implement a plan for addressing vulnerabilities throughout the lifecycle of the devices otherwise the U.S. Food and Drug Administration (FDA) will not authorize their use.

On Wednesday, March 29, 2023, the medical device cybersecurity requirements of the $1.7 trillion omnibus spending bill – The Consolidated Appropriations Act, 2023 – took effect and the FDA now requires all regulatory submissions for medical devices to include information about the cybersecurity measures that have been implemented for the devices. Section 3305 of the Omnibus bill — Ensuring Cybersecurity of Medical Devices — amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices. This requirement took effect 90 days after the enactment of the Act on December 29, 2022, which means premarket submissions submitted to the FDA after March 29, 2023, require information to be included about the cybersecurity of medical devices.

In a guidance document for FDA staff, the FDA said it does not intend to issue refuse to accept (RTA) decisions for premarket submissions that fail to include the required information on cybersecurity until after October 1, 2023. This will give sponsors of medical devices sufficient time to prepare the necessary information; however, after that date, the FDA will no longer accept applications and submissions that lack the required cybersecurity elements. In the meantime, the FDA will work with applicants to fix any defects in their documentation.

The sponsor of an application or submission must confirm compliance with four core cybersecurity requirements:

  1. A plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
  2. Processes and procedures that ensure devices are cybersecure, which includes issuing updates and patches promptly when the devices are on the market to address known unacceptable vulnerabilities and critical vulnerabilities that could cause uncontrolled risks.
  3. A software bill of materials, including commercial, open-source, and off-the-shelf software components.
  4. Compliance with such other requirements as may be added through regulation to demonstrate reasonable assurance that devices and related systems are cybersecure.

The FDA will work with the Cybersecurity and Infrastructure Security Agency (CISA) to update its guidance on cybersecurity for medical devices within the next two years and will update its online resources within 6 months, and then at least annually, on how healthcare providers and device makers can identify and address vulnerabilities and work with the FDA and other government agencies to strengthen the security of medical devices.

The post FDA Cybersecurity Requirements for Medical Devices Now in Effect appeared first on HIPAA Journal.