TLP White: This week, Hacking Healthcare begins with news that the U.S. Food and Drug Administration (FDA) looks set to appoint an Acting Director of Medical Device Cybersecurity, a significant step in ensuring medical device cybersecurity keeps pace with evolving threats. Next, we detail how two multi-national law enforcement efforts that derailed major cybercrime operations bodes well for international cooperation in 2021. Finally, we break down a GDPR compliance risk that may be overlooked by those working remotely and could open organizations up to increased risk of regulatory penalties.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)


Welcome back to Hacking Healthcare.


1. FDA Appoints Acting Director of Medical Device Cybersecurity

In late breaking news, The University of Michigan announced on February 1st that Associate Professor Kevin Fu “has been appointed as an expert in residence, in the capacity of Acting Director of Medical Device Cybersecurity at the U.S. Food and Drug Administration (FDA) Center for Devices and Radiological Health (CDRH).”[1] According to the university, “[t]his new leadership position is in CDRH’s Office of Strategic Partnership & Technology Innovation,” and “[the role] will further advance FDA’s strategic direction to strengthen the cybersecurity of the medical device ecosystem.”[2]


While the FDA has yet to make an official announcement, Fu’s background certainly makes him an ideal candidate for such a role. Michigan’s post highlighted his work training engineers for medical device manufacturers, serving on the NIST Information Security and Privacy Advisory Board, and regularly testifying “in US House and Senate hearings on matters of cybersecurity and medical devices.” [3]  More details on the position’s responsibilities will likely be available after the FDA makes a formal announcement.


Action & Analysis
**Membership required**



2. U.S. and EU Coordinate Emotet and NetWalker Takedowns

2021 will undoubtedly be another challenging year for cybersecurity across the board, but last week provided some good news as U.S. and European law enforcement agencies announced major collaborative actions against the notorious botnet Emotet and the NetWalker cybercrime group. The news comes months after another major coordinated effort disrupted the TrickBot botnet.


Europol proudly announced action against “one of the most significant botnets of the past decade” last Wednesday in a press release that credited the “collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.”[4]


Touting the success of coordinating between so many legal jurisdictions and with so many law enforcement agencies, Europol stated that “law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside,” and noted that “infected machines of victims have been redirected towards this law enforcement-controlled infrastructure.”[5] They allege that this is a unique and new approach to disrupting cybercrime.


On the same day, US law enforcement dropped a press release describing a coordinated operation by U.S. and Bulgarian authorities against the NetWalker cybercrime group. The release specifically noted NetWalker’s targeting of the healthcare sector during the COVID-19 pandemic.[6] The action resulted in charges against a Canadian national, the seizure of nearly $455,000 in cryptocurrency, and the “disablement of a dark web hidden resource used to communicate with NetWalker ransomware victims.”[7] The department of justice noted the substantial assistance provided by the Bulgarian National Investigation Service and General Directorate Combating Organized Crime.


Action & Analysis
**Membership required**


3. GDPR Headaches for Remote Workers

For most people, working remotely from home or elsewhere has required significant adjustments to their daily routine. Normal workflows and processes have needed to be revised for online environments, and the line between personal and professional life has become more blurred. However, according to UK shredding and records management company Go Shred, GDPR compliance may not be something that individuals and organizations are actively thinking about as much as they should.

According to Go Shred, individuals may unknowingly be running afoul of GDPR by printing, storing, and improperly disposing documents containing sensitive information. As Go Shred’s post elaborates, “Under the terms of GDPR, organisations have to ensure that personal data is gathered legally and under strict conditions,” and “[t]hose who collect and manage it are also obliged to protect it from misuse and exploitation.”[8]

Organizations often implement processes and procedures to ensure this occurs, such as creating designated locations where sensitive documentation can be dropped off for proper disposal or by maintaining printing locations containing additional security controls. However, many of these processes and procedures are not top of mind and don’t necessarily translate well to remote environments.

To highlight the issue, Go Shred surveyed 1,001 adults in the UK who work from home and represent a number of industry sectors to determine how widespread this issue may be.

Some of their findings include:[9]
  • – 66% of workers had printed work-related documents at home.
  • – 20% of workers had printed documents containing confidential employee information.
  • – 24% of workers had not disposed of any documents since working at home.
  • – 24% of workers had used their own shredding and disposal method.
  • – 8% of workers replied that they have no plans to dispose of documents printed at home.
  • – 7% of workers replied they didn’t know how to dispose of documents.
  • – 41% of workers admitted they were aware of GDPR compliance issues related to printing work related documents at home, but believe they have no choice but to do so.
  • – 12% of workers admitted to having no knowledge of GDPR compliance issues related to printing work related documents at home.

Action & Analysis
**Membership required**





Tuesday, February 2nd:

– No relevant hearings


Wednesday, February 3rd:

– House of Representatives – Committee on Energy and Commerce – Subcommittee on Health: “Road to Recovery: Ramping Up COVID-19 Vaccines, Testing, and Medical Supply Chain”



Thursday, February 4th:

– No relevant hearings



International Hearings/Meetings


– No relevant hearings



EU –


– No relevant hearings




Sundries –


Biden administration prepares for a different kind of Iranian cyberthreat

30% of “SolarWinds hack” victims didn’t actually use SolarWinds




Conferences, Webinars, and Summits –     


Contact us: follow @HealthISAC, and email at











Translate »