Public companies registered with the U.S. SEC will soon have to disclose material cybersecurity incidents and annually report material information regarding their cybersecurity risk management, strategy and governance.
The U.S. FDA has released a final guidance for the agency’s refuse-to-accept (RTA) policy for cybersecurity measures in medical devices, a policy document that was required by Congress via the Consolidated Appropriations Act for the 2023 federal fiscal budget.
The Medical Device Innovation Consortium (MDIC) has played a key role in fostering a stronger industrial appreciation for the need for robust cybersecurity, but a recent MDIC report noted that many device makers are deficient in pushing cybersecurity considerations into the domain of design controls. However, the most critical element in cybersecurity may be whether a company has a chief product security officer (CPSO), the presence or absence of which seems to correlate strongly and uniformly with all aspects of cybersecurity in a manufacturer’s products.
Cybersecurity has become one of the core concerns for med tech in this part of the 21st Century, and a collaboration between the FDA and the Mitre Corp. has yielded a new playbook that calls for a regional response to issues such as ransomware. However, this new document calls on medical device manufacturers to take part in cybersecurity exercises along with health care delivery organizations, an exercise that some manufacturers might not be prepared to undertake.
The U.S. Department of Health and Human Services (HHS) has issued a bulletin in connection with the Venus ransomware, the latest in a running series of such malware to hit computer systems across the globe.
Israeli technology startup foundry Team8 Labs Ltd. has established a new digital health arm aimed at building and scaling digital health companies. The company plans to create six to eight digital health care companies over the next five years, infusing each with $5 million to $10 million in seed money plus additional resources and services.
The U.S. FBI is not typically seen as playing a meaningful role in medical device cybersecurity, but the agency recently released a report regarding unpatched and outdated medical devices, nonetheless. The report includes five recommendations to deal with these devices, but the agency gives no indication as to whether the report signals an interest in enforcement activities related to medical device cybersecurity.
The U.S. FDA posted notice recently regarding a vulnerability seen in the Minimed 600 series of insulin pumps made by Dublin-based Medtronic plc, which exposes the user to the risk of unauthorized access to the pump’s software. The vulnerability could be exploited to interfere with the system’s ability to deliver only the desired amount of insulin, although the FDA acknowledged that no adverse events or complaints have been reported.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) said the Synapsys microbiology informatics software platform has an access vulnerability due to an inadequate session expiration mechanism. Becton, Dickinson & Co. (BD), the publisher of the Synapsys system, said three versions of the software are vulnerable, but this vulnerability can be exploited only by those with direct access to the workstations, making this a lower risk than some other recently reported vulnerabilities.