Healthcare Data Security

FDA Issues Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook

Posted by HIPAA Journal

On October 1, 2018, the U.S. Food and Drug Administration released a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook for healthcare delivery organizations to help them prepare for and respond to medical device cybersecurity incidents.

The playbook is intended to help healthcare delivery organizations develop a preparedness and response framework to ensure they are prepared for medical device security incidents, can detect and analyze security breaches quickly, contain incidents, and rapidly recover from attacks.

The playbook was developed by MITRE Corp., which worked closely with the FDA, healthcare delivery organizations, researchers, state health departments, medical device manufacturers and regional healthcare groups when developing the document.

The past 12 months have seen many vulnerabilities identified in medical devices which could potentially be exploited by hackers to gain access to healthcare networks, patient health information, or to cause harm to patients. While the FDA has not received any reports to suggest an attack has been conducted on medical devices to cause patients harm, the number of cyberattacks on healthcare organizations has increased significantly in recent years and concerns have been raised with the FDA about the potential for cybercriminals to attack patient medical devices.

“The playbook supplements existing HDO emergency management and/or incident response capabilities with regional preparedness and response recommendations for medical device cybersecurity incidents,” said MITRE. “The playbook outlines how hospitals and other HDOs can develop a cybersecurity preparedness and response framework, which starts with conducting device inventory and developing a baseline of medical device cybersecurity information.”

In addition to releasing the guidance for HDOs, the FDA has developed its own internal playbook to ensure that it can respond rapidly to any medical device cybersecurity incident. “Our internal playbook establishes an effective and appropriate incident plan that’s flexible and clear. It aims to help the agency respond in a timely manner to medical device cybersecurity attacks – mitigating impacts to devices, healthcare systems and ultimately, patients,” said Scott Gottlieb, MD, Commissioner of the FDA.

The Playbook includes several recommendations for healthcare delivery organizations, although it may not be possible for all recommendations to be executed by healthcare delivery organizations due to operational constraints. However, the document does serve as a starting point for developing a response plan for medical device security incidents and will include recommendations that could be incorporated into existing disaster recovery plans.

The FDA has also announced it has signed two memoranda of understanding which will establish information sharing analysis organizations (ISAOs) that will be tasked with gathering, analyzing, and distributing important information about new cyber threats to medical device security. Through the sharing of timely information it is hoped that device manufacturers will be able to address security issues more rapidly before they can be exploited.

The FDA is also working closely with the Department of Homeland Security and is holding joint cybersecurity exercises to simulate attacks on medical devices with a view to improving medical device security. The FDA has also made significant updates to its premarket guidance for medical device manufacturers which is expected to be released in the next few weeks.

The Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook can be downloaded from MITRE on this link (PDF – 543.73 KB)

The post FDA Issues Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook appeared first on HIPAA Journal.

Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency

Posted by HIPAA Journal

Phishing is one of the leading causes of healthcare data breaches. The healthcare industry is extensively targeted by phishers who frequently gain access to healthcare data stored in email accounts. In some cases, those email accounts contain considerable volumes of highly sensitive protected health information.

In August 2018, Augusta University Healthcare System announced that it was the victim of a phishing attack that saw multiple email accounts compromised. The breached email accounts contained the PHI of 417,000 patients. The incident stood out due to the number of individuals impacted by the breach, but it was just one of several healthcare organizations to fall victim to phishing attacks in August.

Data from the HHS’ Office for Civil Rights shows email is the most common location of breached PHI. In July, 14 healthcare data breaches out of 28 involved email, compared to 6 network server PHI breaches – The second most common location of breached PHI. It was a similar story in May and June with 9 and 11 email breaches reported respectively.

Cofense Research Shows Healthcare Industry Lags Behind Other Industries in Resiliency to Phishing

The anti-phishing solution provider Cofense (Formerly PhishMe) recently published an Industry Brief which explored the problem of phishing in the healthcare industry.

The report, entitled ‘Say “Ah!” – A Closer Look at Phishing in the Healthcare Industry’, confirmed the extent to which the healthcare industry is targeted by cybercriminals. The healthcare industry accounts for 1/3 of all data breaches, which have resulted in the exposure or theft of more than 175 million records.

It is no surprise that the healthcare industry is targeted by hackers as healthcare organizations store vast amounts of extremely valuable data: Health information, insurance information, Social Security numbers, dates of birth, contact information, and financial data. Information that can easily be sold to identity thieves and fraudsters.

Further, the healthcare industry has historically underinvested in cybersecurity with security budgets typically much lower than in other industry sectors such as finance.

Cofense data shows that healthcare organizations fare worse than other industries in terms of susceptibility and resiliency to phishing attacks. To measure susceptibility, Cofense used data from its phishing simulation platform – Susceptibility being the percentage of healthcare employees that were fooled by a phishing simulation. Resiliency to phishing attacks is the ratio of users who reported a phishing attempt through the Cofense Reporter email add-on versus those that did not.

Across all industries, the susceptibility rate was 11.9% and the resiliency rate was 1.79. For healthcare, susceptibility was 12.4% and resiliency was 1.34. The insurance industry had a resiliency rate of 3.03 while the energy sector had a resiliency rate of 4.01.

The past few years have seen cybersecurity budgets increase and a greater emphasis placed on security and risk management. The extra funding for anti-phishing defenses is having a positive effect, although there is considerable room for improvement.

Source: Cofense

How Are Healthcare Employees Being Fooled by Phishers?

An analysis of the phishing email simulations that most commonly fooled healthcare employees reveals a mix of social and business emails. The type of email most likely to fool a healthcare employee was a requested invoice, followed by a manager evaluation, package delivery notification, and a Halloween eCard alert, all of which had a click rate above 21%. Emails about holiday eCard alerts, HSA customer service emails, and employee raffles also commonly fooled employees.

Data from Cofense Intelligence shows invoice requests to be one of the most common active threats, often used to deliver ransomware. 32.5% of healthcare employees were fooled by those emails in simulations and only 7.2% reported the emails as suspicious.

The Cofense report includes further information on the most commonly clicked phishing emails and advice for healthcare companies to help reduce susceptibility to phishing attacks. The Cofense Healthcare Industry Brief can be downloaded on this link (PDF).

The post Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency appeared first on HIPAA Journal.

NIST Releases Guidance on Managing IoT Cybersecurity and Privacy

Posted by HIPAA Journal

The National Institute of Standards and Technology (NIST) has released a draft guidance document that aims to help federal agencies and other organizations understand the challenges associated with securing Internet of Things (IoT) devices and manage the cybersecurity and privacy risks that IoT devices can introduce.

The guidance document – Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228) is the first in a series of new publications address cybersecurity and privacy together and the document is the foundation for a series of further publications that will explore IoT device cybersecurity and privacy in more detail.

“IoT is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology devices,” explained NIST.

In the guidance document, NIST identifies three high-level considerations that can affect the management of risks that IoT devices can introduce. First, IoT devices tend to interact with the physical world in ways that conventional IT devices do not. Second, IoT devices cannot typically be accessed, managed, and monitored in the same way as conventional IT devices. Third, the availability, efficiency and effectiveness of cybersecurity and privacy controls are different for IoT devices than conventional IT devices.

Cybersecurity and privacy risks need to be addressed for the entire lifecycle of IoT devices and can be considered in terms of three high-level mitigation goals:

  • Preventing IoT devices from being used to conduct attacks
  • Protecting the confidentiality, integrity, and availability of data stored on the devices
  • Protecting the privacy of individuals

The guidance document suggests various ways that the above goals can be met and the challenges that organizations may face achieving those goals. However, since IoT devices are so diverse, it is difficult for recommendations to be made that can be applied for all use cases, levels of risk and device types.

NIST is seeking public comments on the document and will be accepting feedback until October 24, 2018. The draft document can be downloaded on this link (PDF).

The post NIST Releases Guidance on Managing IoT Cybersecurity and Privacy appeared first on HIPAA Journal.

Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017

Posted by HIPAA Journal

There has been a 70% increase in healthcare data breaches between 2010 and 2017, according to a study conducted by two physicians at the Massachusetts General Hospital Center for Quantitative Health.

The study, published in the Journal of the American Medical Association on September 25, involved a review of 2,149 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights between 2010 and 2017.

“While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case the risk of data disclosure,” said Dr. Thomas McCoy Jr, director of research at Massachusetts General Hospital’s Center for Quantitative Health in Boston and lead author of the study.

Every year, with the exception of 2015, the number of healthcare data breaches has increased, rising from 199 breaches in 2010 to 344 breaches in 2017. Those breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 176.4 million healthcare records. 75% of those records were exposed or stolen as a result of hacking or IT incidents.

While the number of hacking and IT incidents continues to increase each year, the number of theft incidents has declined by two thirds since 2010 when it was the leading cause of healthcare data breaches. This is due to healthcare organizations transitioning to electronic health records and encrypting health data stored on portable electronic devices.

In 2010, the most common location of breached health data was laptop computers followed by paper records and films. In 2017, the most common locations of breached health data were network servers and email, both of which are targeted by hackers.

The study covered healthcare providers, health plans and business associates of HIPAA covered entities. Healthcare providers experienced the most breaches (70%) over the period of study, which stands to reason given that there are many more healthcare providers than health plans in the United States. However, while there were fewer health plan data breaches – 13% of the total – they resulted in the exposure of more records – 63% of all breached records between 2010 and 2017.

“More breaches happen—for the sake of argument—in doctor’s offices, quote-on-quote ‘healthcare providers,’ but more records get lost by big insurance companies,” said McCoy.

The high number of records exposed by health plan data breaches is largely due to three health plan data breaches which resulted in the theft of 99.8 million records: The 78.8 million record breach at Anthem Inc., the 11 million record breach at Premera Blue Cross, and the 10 million record breach at Excellus Blue Cross Blue Shield. Those three breaches accounted for more than half of all exposed health records between 2010 and 2017.

The most serious healthcare data breaches involve records stored on network servers. There were 410 data breaches involving network servers over the period of study and they impacted almost 140 million patients, compared to 510 breaches involving paper/films which impacted 3.4 million patients.

“For me, the message is that working with big data carries big responsibility. This is an area where health plans, health systems, clinicians and patients need to work together. We hear a lot about the huge opportunity to improve how we care for patients – but there is also risk, which we need to manage responsibly,” said Roy Perlis, MD, MSc, director of the Center for Quantitative Health, and co-author of the study.

The post Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017 appeared first on HIPAA Journal.

HIPAA Quiz Launched by Compliancy Group

Posted by HIPAA Journal

A new HIPAA Quiz has been launched by the Compliancy Group, which serves as a quick and easy free tool to assess the current state of HIPAA compliance in an organization.  

Healthcare organizations that have implemented policies and procedures to comply with the Health Insurance Portability and Accountability Act (HIPAA) Rules may think that they are fully compliant with all provisions of the HIPAA Privacy, Security, and Breach Notification Rules. However, HHS’ Office for Civil Rights (OCR) compliance audits and investigations into data breaches and complaints often reveal certain requirements of HIPAA have been missed or misinterpreted.

OCR investigates all breaches of more than 500 records and so far in 2018, six financial penalties have been issued to HIPAA covered entities to resolve HIPAA violations. The average settlement/civil monetary penalty in 2018 is $1,491,166.

State attorneys general also investigate data breaches and complaints and can also issue fines for noncompliance with HIPAA Rules. There have been five fines issued by state attorneys general in 2018 to resolve HIPAA violations. The average settlement amount is $514,563 in 2018 and was $718,800 in 2017.

To help healthcare organizations comply with HIPAA Rules and avoid financial penalties, the Compliancy Group, a team of HIPAA compliance experts that help healthcare organizations meet HIPAA requirements, has released a free HIPAA Quiz that allows healthcare organizations to conduct a quick assessment to determine whether they are meeting the basic requirements of HIPAA. The quiz consists of yes/no questions that have been designed to get a baseline reading of HIPAA compliance against the fundamental elements of HIPAA.

“We designed the Compliancy Group HIPAA Quiz to empower health care professionals,” said Joe Bilello, Vice President of Compliancy Group. “Too often we see misconceptions around HIPAA compliance in the health care market. We hope the HIPAA Quiz will give users the chance to find out what’s really required for HIPAA compliance, rather than relying on hearsay and outdated information. Compliancy Group is always here to help address HIPAA concerns for anyone from single-doctor practices, to large-scale technology providers.”

The HIPAA compliance assessment tool can be accessed on this link.

The post HIPAA Quiz Launched by Compliancy Group appeared first on HIPAA Journal.

UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations

Posted by HIPAA Journal

Mass Memorial Health Care has been fined $230,000 by the Massachusetts attorney general for HIPAA failures related to two data breaches that exposed the protected health information (PHI) of more than 15,000 state residents.

A lawsuit was filed against UMass Memorial Health Care in which attorney general Maura Healey claimed UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., failed to implement sufficient measures to protect patients’ sensitive health information.

In two separate incidents, employees accessed and copied patient health information without authorization and used that information to open cell phone and credit card accounts in the victims’ names.

It was also alleged that UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., were both aware of employee misconduct, yet failed to properly investigate complaints related to data breaches and discipline the employees concerned in a timely manner. Both entities also failed to ensure that patients’ PHI was properly safeguarded. These failures violated Massachusetts data security laws, the Consumer Protection Act, and the Health Insurance Portability and Accountability Act.

UMass Memorial Health Care cooperated fully with the state attorney general’s investigation into the data breaches and agreed to settle the resulting lawsuit. In addition to paying the $230,000 fine, UMass Memorial Health Care will ensure that employee background checks are conducted prior to hiring new staff, all employees will receive further training on the correct handling of PHI, employee access to patient health information will be limited, risk analyses will be conducted to identify potential security issues, and any issues that are found will be subjected to a HIPAA-compliant risk management process. UMass Memorial Health Care will also ensure proper employee discipline and any suspected cases of improper accessing of ePHI will be investigated promptly.

Both UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., are also required to hire an independent firm to conduct a thorough review of data security policies and procedures and must report back to the Mass attorney general’s office on the findings of those reviews.

“Massachusetts residents rely on their health care providers to keep private health information safe and secure,” said Maura Healey. “This resolution ensures UMass Memorial implements important measures to prevent this type of breach from happening again.”

“In the four years since [these breaches] took place we have taken steps aimed at further strengthening our privacy and information security program,” said a UMass Memorial Health Care spokesperson in a written statement. “This includes the implementation of additional technical tools that safeguard patient information, and enhancement of our existing privacy and information security procedures.”

State Attorneys General Pick Up the Slack in HIPAA Enforcement

After two years of increased enforcement of HIPAA Rules the HHS’ Office for Civil Rights has eased up on settlements and civil monetary penalties to resolve HIPAA violations, with only five settlements reached in 2018 and one civil monetary penalty issued. While OCR has eased up on financial penalties for HIPAA violations, state attorneys general fines are on track to make 2018 a record year for HIPAA enforcement.

UMass Memorial Health Care is the fifth healthcare organization to settle a HIPAA violation case with a state attorney general in 2018, joining The Arc of Erie County ($200,000), EmblemHealth ($575,000), and Aetna ($1,150,000) which have all been fined by the New York AG this year, and Virtua Medical Group which settled HIPAA violations with the New Jersey AG for $417,816 in April.

The post UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations appeared first on HIPAA Journal.

August 2018 Healthcare Data Breach Report

Posted by HIPAA Journal

August was a much better month for the healthcare industry with fewer data breaches reported than in July. In August, 28 healthcare data breaches were reported to the HHS’ Office for Civil Rights, a 17.86% month-over-month reduction in data breaches.

Healthcare Data Breaches by Month

There was also a major reduction in the number of healthcare records that were exposed or stolen. In August, 623,688 healthcare records were exposed or stolen – A 267.56% reduction from August, when 2,292,522 healthcare records were breached.

HEalthcare Records Exposed by Month

Causes of Healthcare Data Breaches in August 2018

Hacking incidents dominated the breach reports in August, accounting for 53.57% of all reported data breaches and 95.73% of all records exposed or disclosed in August. Eight of the top ten breaches were the result of hacks, malware, or ransomware attacks.

Causes of Healthcare Data Breaches in August 2018

Insider breaches are a major problem in the healthcare industry, more so than other verticals. In August there were nine insider breaches – 32.14% of the healthcare data breaches in August. Those breaches involved the unauthorized access or impermissible disclosure of 18,488 healthcare records – 2.96% of the monthly total.

There were two breaches involving the loss of PHI, one case of lost physical records and one lost portable electronic device containing electronic protected health information. The two theft incidents in August involved paper records.

Largest Healthcare Data Breaches in August 2018

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
AU Medical Center, INC Healthcare Provider 417000 Hacking/IT Incident
Fetal Diagnostic Institute of the Pacific Healthcare Provider 40800 Hacking/IT Incident
Legacy Health Healthcare Provider 38000 Hacking/IT Incident
Acadiana Computer Systems, Inc. Business Associate 31151 Hacking/IT Incident
Carpenters Benefit Funds of Philadelphia Health Plan 20015 Hacking/IT Incident
University Medical Center Physicians Healthcare Provider 18500 Hacking/IT Incident
Simon Orthodontics Healthcare Provider 15129 Hacking/IT Incident
Wells Pharmacy Network Healthcare Provider 10000 Unauthorized Access/Disclosure
St. Joseph’s Medical Center Healthcare Provider 4984 Loss
Central Colorado Dermatology, PC Healthcare Provider 4065 Hacking/IT Incident

Location of Breached PHI

Email-related data breaches continue to dominate the healthcare data breach reports. A further 14 email-related data breaches were reported in August, the majority of which saw email accounts accessed by unauthorized individuals as a result of healthcare employees falling for phishing emails. Phishing attacks on healthcare providers are being reported regularly, highlighting just how important it is for healthcare organizations to provide ongoing security awareness training for employees to teach them the skills they need to identify phishing attempts.
There were six incidents involving PHI stored on network servers in August, including two confirmed ransomware attacks. There were five breaches involving paper records.
Location of Breached PHI in August 2018 Healthcare Data Breaches

August Data Breaches by Covered Entity Type

Healthcare providers experienced the lion’s share of data breaches in August with 21 reported breaches. There were two health plan breaches and business associates of HIPAA-covered entities reported 5 breaches, with one further breach having some business associate involvement.

 

August Healthcare Data Breaches by State

Healthcare organizations based in 19 states experienced data breaches in August. While California and Texas usually top the list for data breaches due to the number of healthcare organizations based in those states, atypically, in August Oregon was the worst affected state with four breaches reported.

California and Florida each had three breaches reported, Colorado and Texas had two, and there was one breach reported in Arizona, Georgia, Hawaii, Illinois, Indiana. Louisiana, Maryland, Michigan, Nevada, New York, Ohio, Pennsylvania, Tennessee, and Virginia.

HIPAA Enforcement Actions in August

In 2016 and 2017, the HHS’ Office for Civil Rights took a hard line on enforcement of HIPAA Rules and agreed 21 settlements with HIPAA-covered entities and issued two civil monetary penalties. There have only been three financial settlements reached between OCR and HIPAA-covered entities in 2018 and no further fines or settlements were announced in August.  While OCR enforcement activity appears to have slowed, that is not the case with state attorneys general, in particular New York. The New York attorney general’s office has agreed two settlements with HIPAA-covered entities in 2018 with a third agreed in August.

The Arc of Erie County resolved violations of HIPAA Rules and state laws by paying a penalty of $200,000 to the New York attorney general’s office following the exposure of 3,751 individual’s PHI. The PHI had been uploaded to a website and could be accessed without authentication.

The post August 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

California Consumer Privacy Act Amendment Confirms HIPAA-Covered Entities Exempt

Posted by HIPAA Journal

In June 2018, the legislature in California passed the California Consumer Privacy Act (CCPA) which introduced major changes to state law to protect the privacy of consumers.

CCPA introduced new privacy protections and rights for consumers, several of which are similar to those introduced in Europe in the General Data Protection Regulation (GDPR).

The CCPA does not go as far as GDPR and only applies to for-profit companies that hold the data of more than 50,000 individuals, but many of the new rights are similar, including the right to request access to personal data stored by a business, the right to be informed about the data that will be collected, the right to be informed whether personal data will be sold or disclosed, the right to have personal data deleted and to prevent personal data from being sold.

The CCPA has been heavily criticized, especially by tech firms such as Facebook, Google and PayPal. A 38-page letter was sent to lawmakers in California by 38 trade groups who have voiced considerable concerns over the requirements of the CCPA, including sections of the law which they consider unworkable and several technical issues that are likely to have negative and unintended consequences.

The CCPA is not due to take effect until January 1, 2020, which gives Californian lawmakers plenty of time to make amendments. There are likely to be several amendments made before the law comes into effect, the first of which have just been passed.

On August 31, 2018, the legislature passed SB 1121 which includes several technical edits to the CCPA and a notable change to the implementation of the CCPA. The compliance date has remained the same, although SB 1121 clarifies that the CCPA will go into effect as soon as it is signed into law. This is seen as an effort to ensure that California localities will not be able to pass conflicting laws before January 1, 2020.

Entities covered by the CCPA will be given additional time to ensure compliance, as SB 1121 changed the date by which the California Attorney General must publish its implementation regulations. The final date for publication of the implementation regulations is now July 1, 2020. Further, the Attorney General will not be permitted to bring CCPA enforcement actions against any company found not to be in compliance with CCPA until six months after the publication of the implementation guidelines.

In contrast to HIPAA, the CCPA includes a private right of action which allows California residents to take legal action against companies that have experienced data breaches as a result of a failure to implement appropriate security measures. In its previous form, any consumer that chose to take legal action for the exposure of their personal data was required to notify the attorney general within 30 days of filing a legal action. That notification requirement has now been dropped.

SB 1121 has also clarified exemptions for data already covered by other legislative acts, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GBLA), and the Driver’s Privacy Protection Act (DPPA).

All data handled pursuant to HIPAA, GBLA and the DPPA are exempt from the CCPA. Further, SB 1121 has confirmed that the CCPA will not apply to HIPAA-covered entities and neither to information collected by a HIPAA-covered entity or business associate that is part of a clinical trial.

SB 1121 has been passed, although the state governor has until September 30, 2018 to sign the amendment.

The post California Consumer Privacy Act Amendment Confirms HIPAA-Covered Entities Exempt appeared first on HIPAA Journal.

FDA to Increase Scrutiny of Medical Device Cybersecurity

Posted by HIPAA Journal

The Department of Health and Human Services’ Office of Inspector General (OIG) has released a report which recommends the Food and Drug Administration (FDA) should scrutinize medical device cybersecurity controls more closely and more fully integrate cybersecurity into the premarket review process for medical devices.

Currently, the FDA reviews cybersecurity documentation in premarket submissions to ensure medical devices have appropriate cybersecurity controls before approval is given for the devices to be marketed. FDA reviewers use 2014 FDA cybersecurity guidance as general principles when conducting reviews of new medical devices and has taken steps to ensure that devices are assessed against new and emerging threats.

The FDA considers cybersecurity risks and threats that affect specific devices and applies that knowledge to all other devices with similar risk profiles. For example, if there is a known threat to a specific cardiac device from one manufacturer, all other manufacturers’ cardiac devices will be assessed against the same threat.

Reviews of cybersecurity controls includes assessments of a hazard analysis, matrices describing the device’s security risks and the controls that have been implemented by the manufacturer to reduce those risks to an acceptable level. Plans for updating software are assessed, software supply chain controls are reviewed, and the manufacturers’ device instructions and recommended cybersecurity controls are evaluated.

In cases where the cybersecurity documentation submitted by manufacturers is insufficient, the FDA requests further information from the manufacturer and seeks clarification on cybersecurity controls when there is any doubt about the level of protection provided. OIG notes that no medical device has been rejected due to cybersecurity issues. In cases where cybersecurity has been a concern, it has been resolved by manufacturers supplying further cybersecurity information.

Overall, the FDA’s assessments of medical device cybersecurity are good, although OIG identified three areas where improvements could be made: The FDA should change internal processes to ensure questions about cybersecurity are asked earlier in the approval process, presubmission meetings should address cybersecurity-related issues, and the FDA’s Refuse-to-Accept checklist should have cybersecurity included in the Smart template. Currently the Smart template does not prompt FDA reviewers to ask specific cybersecurity questions and there is no section where the results of a cybersecurity review can be recorded.

According to OIG, the FDA has welcomed the feedback and has agreed to all three of OIGs recommendations. Two of the recommendations have already been implemented, with only the Refuse-to-Accept checklist outstanding. With respect to the latter, the FDA has accepted that this change could improve efficiency as it will ensure that the file contains all the necessary information prior to review. This will mean that it should not be necessary for FDA reviewers to have to contact the manufacturer to ask for further information on cybersecurity.

The FDA has explained that its review process is not static and is constantly evolving and takes into account the changing threat landscape. The FDA is also considering updating rules on network-capable medical devices to ensure that cybersecurity controls are incorporated at the earliest stages of the design process.

The post FDA to Increase Scrutiny of Medical Device Cybersecurity appeared first on HIPAA Journal.