News and information useful to Cleveland-Marshall College of Law students, faculty and staff.

Cyberattackers Increasingly Target Healthcare Sector

Bloomberg Law recently summarized several reports on increasing cyberattacks in the healthcare sector.  The Cylance 2017 Threat Report examined “anonymized threat data collected between January 1, 2016 and December 31, 2017, and found 58% of ransomware attacks impacted healthcare industries in 2017, a dramatic increase from the 34% in 2016.  In 2018, the SamSam ransomware has been used in numerous cyberattacks.  A 10/30/18 Symantec blog post reported 24% of the SamSam attacks affected the healthcare sector.  The College of Healthcare Information Management Executives (CHIME) Healthcare’s Most Wired: National Trends 2018 report found only 29% of healthcare organizations have a comprehensive security program.  At least 90% of healthcare organizations have a dedicated chief information security officer as well as report security deficiencies and progress to their boards, but only 76% provide at least annual security updates and only 34% had a board-level committee responsible for security program oversight.  Perhaps most significantly, less than 1/3 of healthcare organizations participated with formal analysis organizations such as the Department of Homeland Security Cyber Information Sharing and Collaboration Program (CISCP) and National Cybersecurity & Communications Integration Center (NCCIC), and the Department of Health & Human Services Health Sector Cybersecurity Coordination Center (HC3; formerly known as the Cybersecurity & Communications Integration Center or HCCIC).

FDA Draft Guidance on Cybersecurity in Medical Devices

The U.S. Food and Drug Administration (FDA) recently issued draft guidance on how medical device manufacturers should address cybersecurity threats (81 Fed. Reg. 3803, 1/22/16). The draft guidance proposes that manufacturers “implement a structured and systematic comprehensive cybersecurity risk management program and respond in a timely fashion to identified vulnerabilities.” Such programs should include applying the National Institute of Standards and Technology 2014 voluntary Framework for Improving Critical Infrastructure Cybersecurity program; monitoring cybersecurity information sources; detecting and assessing vulnerabilities; establishing processes for intake and handling of vulnerabilities; clearly defining “essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk”; adopting a coordinated vulnerability disclosure policy; and “deploying mitigations that address cybersecurity risk early and prior to exploitation.” Comments on the draft guidance will be received until April 21, 2016. For additional information, see the FDA press announcement and FDA Medical Devices – Guidance Documents page.

1/20-21/16 FDA Medical Device Cybersecurity Workshop

The U.S. Food and Drug Administration (FDA) is conducting a Moving Forward: Collaborative Approaches to Medical Device Cybersecurity workshop, at the FDA White Oak campus in Silver Spring, MD, on 20-21 January 2016.  This free public workshop is being conducted in collaboration with the U.S. Department of Health and Human Services, U.S. Department of Homeland Security, and National Health Information Sharing Analysis Center (NH-ISAC) “to highlight past collaborative efforts, increase awareness of existing maturity models (i.e. frameworks leveraged for benchmarking an organization’s processes) which are used to evaluate cybersecurity status, standards, and tools in development, and to engage the multi-stakeholder community in focused discussions on unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity.”  The NH-ISAC is a nonprofit private health sector-led organization “advancing national healthcare and public health critical infrastructure resilience – all hazards (cyber and physical security intelligence situational awareness analysis and reporting, secure trusted two-way information sharing, countermeasure solutions, incident response, leading practice and education.”  Free registrations for the workshop will be taken on a first-come, first-served basis until 4pm, 1/13/16.  The workshop will also be webcast, and the webcast link will be made available after 1/13/16.  For additional information on FDA medical device cybersecurity activities, visit this page: