Welcome to the second edition of Dellfer Insights, a series curated by our VP of Channels, Shawn Lorenz. The series highlights notable industry news, key takeaways, and why it matters to combat the next cyberattack. This month we are focused on the first of a two-part series looking at the wild world of medical devices.
💡 Dellfer Insight #1: The FDA Gets Teeth.
Previously, the Food and Drug Administration (FDA) only issued guidance on the cybersecurity of medical devices and could only recommend that manufacturers take steps to ensure that their devices are secure against potential cyber threats. This changed on December 29th, with the signing into law of the $1.7 trillion spending package, HR 2617, aka the Omnibus Appropriations legislation.
Specifically, the new law gives the FDA $5 million and the authority to ensure that all new medical devices brought to market are designed with security in mind. That means, shortly, all medical device submissions must include a published Software Bill of Materials, and manufacturers must demonstrate that the device can be patched as new vulnerabilities are discovered.
Question: Is publishing a device Bill of Materials a ‘game changer’? Answer: Maybe. “Healthcare needs to be more collaborative about cybersecurity,” says Nick Sturgeon, executive director of information security at Indiana University Health. “If the bad actors are sharing their data and knowledge, we need to do so as well.”
Why It Matters:
These new Software Bills of Materials will include open-source components, whose transitive dependencies can hide vulnerabilities that are nearly impossible to find. Endor Labs recently published research showing that the vast majority of all vulnerabilities, 95%, are indeed found in transitive dependencies. This is why it is called “Zero-Trust.” Dellfer cures these vulnerabilities during device development and hardens devices for runtime use.
💡 Dellfer Insight #2: The Impact of Ransomware Attacks on Patient Care.
As has been reported for several months, ransomware attacks can significantly impact patient care by disrupting the ability of healthcare organizations to access and share important patient information. This has led to delays in treatment, misdiagnosis, and other adverse outcomes, including fatalities. Historically, people working in healthcare have been reluctant to say that ransomware harms patients.
A recent study by the Ponemon Institute, a Washington, D.C., think tank, interviewed more than 600 information technology professionals across more than 100 healthcare facilities. Its findings are some of the most concrete evidence that the steady drumbeat of hackers attacking American medical centers leads to patients’ receiving worse care and being more likely to die.
Around 70 percent of the groups facing ransomware attacks said those disruptions led to longer hospital stays for patients and delayed tests or procedures. In addition, 36 percent said they saw more complications from medical procedures, and 22 percent said they had increased death rates.
In a separate Ponemon study, 61 percent of all healthcare security respondents were not confident, or had no confidence, in their ability to mitigate the risks of ransomware.
The problem is significant and growing. In 2021, cybersecurity attacks on healthcare providers reached an all-time high, with one study indicating that more than 45 million people were affected by such attacks in 2021 – a 32 percent increase over 2020. Ransomware attacks are killing patients.
Why It Matters:
At Dellfer, we see healthcare security as patient safety. Hackers sell patient data on the dark web at a higher price than personal financial data and do so without fear of retribution. Medical devices, left unsecured, offer unfettered access to all data within a hospital. Dellfer battens down access through hardening devices. Dellfer also can go on the offense and offer attackers a little pain in return.
To learn more about the wild world of medical devices, join us for a webinar co-hosted with Health-ISAC. You can register here.