Health-ISAC Hacking Healthcare 4-14-2023

This week, Hacking Healthcare provides an update on the FDA’s implementation of cybersecurity requirements for medical devices that were outlined in the 2023 Consolidated Appropriations Act. Next, we take another look at supply chain security as another significant incident pushes the issue back into the headlines.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

PDF Version:
TLP WHITE - 4.14.2023 -- Hacking Healthcare

 

Text Version:

Welcome back to Hacking Healthcare.

FDA Provides Medical Device Cybersecurity Guidance 

On March 30th, the Food and Drug Administration (FDA) published a notice on the availability of final guidance entitled, “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under section 524B of the Federal Food, Drug, and Cosmetic Act (FD&C Act).” As the name suggests, this guidance addresses the FD&C Act amendments that were made toward the end of last year. So, what does the notice mean for medical device manufacturers?

As a reminder, the 2023 Consolidated Appropriations Act contained requirements for “cyber devices” that are included in premarket submissions. These included:[i]

• – Submitting a plan to monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures
• – Designing, developing, and maintaining processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure
• – Providing to the Secretary of HHS a software bill of materials (SBoM), including commercial, open-source, and off-the-shelf software components

It also granted explicit authorities for the FDA to implement “other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.”[ii] The text of the Appropriations Act outlined that these requirements would take effect 90 days after the Act’s enactment, roughly the end of March, but this new notice effectively creates an additional transitionary timeframe.

Referencing the requirements listed above, the FDA is using this notice to highlight that they generally do NOT intend to issue “refuse to accept” (RTA) “decisions for premarket submissions submitted for cyber devices based solely on information required by section 524B of the FD&C Act before October 1, 2023.”[iii]^, [iv] The FDA instead intends to “work collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process.”[v] Past that date, the FDA believes that entities will have had enough time to adapt and that RTAs are more likely.

Given the relatively short time frame that FDA was given by the Consolidate Appropriations Act text, the FDA determined that it was not feasible to implement a formal public comment period on this decision. However, the FDA makes clear that despite the lack of a formal comment period, they “will consider all comments received and revise the guidance document as appropriate.”[vi]

The FDA has helpfully created an accessible quick reference FAQ on this matter, which members are encouraged to review.[vii]

 Action & Analysis
**Included with Health-ISAC Membership**

Supply Chain Cyberattacks Hit the Headlines Again

Supply chain attacks arguably broke into the national consciousness during the 2020 SolarWinds attack, an incident that had the potential to directly impact 18,000 organizations.[x] However, supply chain attacks have long predated SolarWinds and they appear to be picking up in frequency, including a recent attack on 3CX products.[xi].

3CX is a company that markets itself as a complete business communications platform, supplying solutions for millions of customers worldwide, including major companies like, Toyota, Coca Cola, and the UK’s National Health System (NHS).[xii] 3CX was recently the victim of a supply chain attack in which hackers altered their communication installation software to steal credentials and other relevant information from the large companies using 3CX’s software, with a specific focus on the cryptocurrency industry. This type of supply chain cyberattack is what’s known as an “enabler operation” in which the hackers infiltrate a system and steal information to be used and leveraged later on.[xiii]

Researchers from Crowdstrike have attributed this incident to a group called “Labyrinth Chollima,” which is a part of the larger “Lazarus Group,” known for its North Korean directed malicious cyber activity.[xiv] 3CX Chief Information Security Officer, Pierre Jourdan, posted a blog to the company website listing the app versions affected and noted that the majority of the domains used in the hacking campaign have been taken down, mitigating the threat.[xv] Jourdan did, however, state that “…this appears to have been a targeted attack from an advanced persistent threat, perhaps even state sponsored.”[xvi]

 Action & Analysis
**Included with Health-ISAC Membership**

 

Congress

Tuesday, April 11th:

– No relevant hearings

Wednesday, April 12th:

– No relevant meetings

Thursday, April 13th:

– No relevant hearings

International Hearings/Meetings

– No relevant meetings

EU –

– No relevant meetings