Latest Industry News

Universal Health Services (UHS) Hit by Ransomware Attack

By vigilantops

Early on the morning of Sunday, September 27, 2020, end users at a Universal Health Services (UHS) hospital were greeted with locked phones and computer screens hijacked by ransomware. The giant hospital system has reverted to paper forms, with no electronic access to online patient data, including lab results and historical information. Healthcare workers at the hospitals were told that it would take days to get the systems back online. UHS serves millions of patients through 400 facilities in the U.S. and the U.K.

Authorities have not yet identified the source of the UHS attack; however, emerging patterns suggest Ryuk ransomware, which encrypts the targeted system’s data and demands that a ransom be paid to have the data restored. Ryuk ransom demands have ranged from around $100K to $500K.

The Ryuk ransomware is not new; it first surfaced in 2018. Since then, it has been unleashed mainly on various large organizations, a practice known as “big game hunting”. Ryuk can infect targeted systems in various ways, including through phishing emails or vulnerabilities in third-party components or services, such as Remote Desktop Protocol (RDP).

At this time, there is no indication that there has been any compromise to patient safety at the hospital system, but there could very well be an impact as the crisis unfolds. This is a grim reminder of the very recent Dusseldorf University Hospital incident, which we summarized in our report “Ransomware Attack Leads to Fatality”, where ransomware forced patient redirection from the impacted facility, which resulted in a fatality due to a delay in care.

While healthcare organizations are focusing on the global pandemic, they continue to be prime targets for hackers and bad actors. According to various studies, third-party software component vulnerabilities play a big role in enabling these breaches and are nearly invisible to healthcare providers, since they don’t know which components are running in which of their deployed devices.

Healthcare industry stakeholders generally agree that requiring a Software Bill of Materials (SBOM), which is a monitored list of software components utilized in a medical device, will help mitigate these security issues with third-party components. Agreement among stakeholders, however, does not necessarily translate into immediate adoption. Some of this delayed adoption is due to costs associated with generating, maintaining and sharing SBOMs and the lack of tools to help automate the process. We’re hoping to change that at Vigilant Ops, by offering our InSight Platform to enable medical device manufacturers to automatically generate, maintain and share SBOMs with their healthcare customers.

Founded in 2019, Vigilant Ops is an innovator in the medical device cybersecurity industry. Led by seasoned medical device cybersecurity experts with more than forty years of combined experience, Vigilant Ops provides medical device manufacturers and hospitals with unprecedented insight into device risk profiles, enabling proactive management of threats before they impact the quality of patient care.

For more information about Vigilant Ops or the InSight Platform, please visit our website at www.vigilant-ops.com
Or drop us an email at: [email protected]

Vigilant Ops Announces Availability of InSight Platform V1 for HDOs

By vigilantops

Healthcare Delivery Organizations Gain Visibility into Risk Profile of Deployed Medical Devices

Today, Vigilant Ops, an innovator in medical device cybersecurity, announced the immediate availability of InSight Platform V1 for Healthcare Delivery Organizations, providing HDOs with an automated solution for monitoring the health of their deployed medical devices. The InSight Platform V1 for Medical Device Manufacturers (MDMs) was released on May 11 and provided MDMs an automated solution for generating and maintaining device software bills of materials (SBOMs). With the release of the HDO functionality, these generated SBOMs can be shared with authorized HDOs directly and securely through the platform.

“The Vigilant Ops InSight Platform V1 is the only solution of its kind that brings together both the producer and the consumer of the SBoM on the same platform,” said Ken Zalevsky, CEO at Vigilant Ops and former Head of Medical Device Cybersecurity at Bayer. “Medical device manufacturers generate device SBOMs, and via secure connection, share them with authorized HDOs through the InSight Platform.”

The InSight Platform uses advanced techniques to interrogate medical devices and automatically generate bills of materials. Using artificial intelligence and machine learning, the InSight Platform continuously monitors for vulnerabilities in discovered device components, enabling HDOs and MDMs to gain visibility into the risk profile of medical devices and respond proactively to the latest discovered threats.


Ransomware Attack Leads to Fatality

By vigilantops

Third-party software component vulnerability exploit causes treatment delay, leading to patient death

Healthcare providers have long been a favorite target for bad actors launching cyberattacks, which usually resulted in the loss of sensitive patient data. A recent cyberattack, however, has resulted in the loss of a patient’s life. On September 10, 2020, Dusseldorf University Hospital reported the first death resulting from a cyberattack. An exploit of a third-party software component vulnerability led to the death of a patient at the hospital.

Dusseldorf University Hospital’s clinical servers were hijacked by a large-scale ransomware attack, causing patients to be moved to other facilities for treatment. A critically ill woman, among those patients being relocated, died before she could be treated.

“The Dusseldorf University Clinic’s systems have been disrupted for a week. The hospital said investigators have found that the source of the problem was a hacker attack on a weak spot in ‘widely used commercial add-on software’, which it didn’t identify.” [1]

This troubling report illustrates the critical condition of today’s healthcare security infrastructure, given the heavy reliance on third-party commercial software in medical systems. With no real visibility into the lifecycle of these third-party components, the risk profile of the medical systems is not easily known. The end result is that hospitals are deploying systems as “black boxes”, most of which are connected to networks and some of which come into direct contact with patients. Not knowing what is inside the systems, hospitals are at a disadvantage when it comes to reacting to vulnerability threats, and they end up spending valuable response time chasing down information from manufacturers and public data sources.

Recent developments are looking to address this visibility issue, including the introduction of a Software Bill of Materials, or SBOM. An SBOM is a list of the software components utilized in a finished product, such as a medical device. By providing this transparency, medical device manufacturers are providing a way for hospitals to respond more quickly to reported vulnerabilities.
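The following added example (not code from Vigilant Ops or the InSight Platform) shows the response an SBOM makes possible for a hospital: when an advisory for a third-party component is published, the deployed devices that carry an affected version are identified directly from their SBOMs, and devices with no SBOM are reported as unknown exposure rather than silently treated as safe. All device, component and advisory data is constructed for illustration, and the advisory identifiers are placeholders, not real CVEs.

```python
"""Match deployed-device SBOMs against published vulnerability advisories.

Constructed data throughout: device inventory, component names and the
advisory identifiers are placeholders for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


def parse_version(text: str) -> tuple:
    """Turn a dotted version string such as "2.4.1" into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass
class Device:
    device_id: str
    model: str
    # None models a "black box" device for which no SBOM was provided.
    sbom: Optional[List[Component]] = None


@dataclass(frozen=True)
class Advisory:
    vuln_id: str     # placeholder identifier, not a real CVE
    component: str   # affected third-party component
    fixed_in: str    # versions strictly below this one are affected


def is_affected(comp: Component, adv: Advisory) -> bool:
    """True when the component matches the advisory and predates the fix."""
    return (comp.name.lower() == adv.component.lower()
            and parse_version(comp.version) < parse_version(adv.fixed_in))


def assess(devices: List[Device], advisories: List[Advisory]) -> Dict[str, dict]:
    """For each advisory, list affected device ids and devices of unknown exposure."""
    report: Dict[str, dict] = {}
    for adv in advisories:
        affected, unknown = [], []
        for dev in devices:
            if dev.sbom is None:
                # No SBOM: exposure cannot be determined, so it must be chased manually.
                unknown.append(dev.device_id)
            elif any(is_affected(c, adv) for c in dev.sbom):
                affected.append(dev.device_id)
        report[adv.vuln_id] = {"affected": sorted(affected), "unknown": sorted(unknown)}
    return report


# Constructed hospital inventory: two pumps, one imaging unit, one monitor without an SBOM.
DEVICES = [
    Device("INF-001", "InfusionPump-A", [Component("ssl-toolkit", "1.0.2"), Component("netstack-lib", "3.1.0")]),
    Device("INF-002", "InfusionPump-A", [Component("ssl-toolkit", "1.1.1"), Component("netstack-lib", "3.1.0")]),
    Device("IMG-003", "Imaging-X", [Component("ssl-toolkit", "1.0.9")]),
    Device("MON-007", "Monitor-Z"),  # black box: no SBOM supplied by the manufacturer
]

# Constructed advisories with placeholder identifiers.
ADVISORIES = [
    Advisory("VULN-EXAMPLE-0001", "ssl-toolkit", fixed_in="1.1.0"),
    Advisory("VULN-EXAMPLE-0002", "netstack-lib", fixed_in="3.2.0"),
]


if __name__ == "__main__":
    for vuln_id, result in assess(DEVICES, ADVISORIES).items():
        print(f"{vuln_id}: affected={result['affected']} unknown={result['unknown']}")
```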

Some hospitals have begun requesting SBOMs from device manufacturers, and there are various regulatory developments that could speed adoption. In the United States, the Food and Drug Administration (FDA) has drafted guidance recommending the utilization of an SBOM. In addition, other regulatory bodies around the globe have included reference to the SBOM in recently released documentation.

Healthcare industry stakeholders generally agree that requiring a Software Bill of Materials (SBOM) will help mitigate security issues with third-party components. From a medical device manufacturer’s perspective, the extra effort it takes to generate and maintain SBOMs for their devices can be seen as an investment in brand reputation down the road. As for hospitals, one can easily imagine purchasing processes and decisions reliant on a deeper understanding of device security and SBOM documentation being critical to that decision making.


  1. German hospital hacked, patient taken to another city dies. ABC News. https://abcnews.go.com/International/wireStory/german-hospital-hacked-patient-city-dies-73069416

Cyberspace Solarium Commission – A Public-Private Brainstorming Initiative

By vigilantops

The United States Cyberspace Solarium Commission (CSC) was formed in 2019 to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber-attacks of significant consequences.”

The CSC published their report to the public on March 11, 2020. The report consists of more than 80 recommendations and more than 50 legislative proposals. Vigilant Ops recently sponsored a webinar during which a summary of the report and potential impacts on the medical device industry was presented. The summary from that webinar can be found here.

The CSC report has been making an impact, with several cybersecurity proposals from the report advancing in both the US House of Representatives and Senate. Some experts are optimistic that most of these legislative proposals will make it into the National Defense Authorization Act (NDAA), which sets the budget and expenditures for the US military.

Since the publishing of the final report, the Cyberspace Solarium Commission has released other material, including a white paper titled “Cybersecurity Lessons from the Pandemic.” The white paper reinforces the recommendations from the final report and adds a few new recommendations as well. Vigilant Ops has drafted a summary of that CSC white paper, which can be found here.


What medical device manufacturers need to know about the Cyberspace Solarium Commission’s Final Report and the reference to Software Bill Of Materials (SBOM)

Are you prepared for US cybersecurity legislation that could result in lawsuits and fines if not implemented according to prescription? Did you know that the 2019 National Defense Authorization Act chartered the US Cyberspace Solarium Commission (CSC) to define such cybersecurity policies and legislation? As a stakeholder in the healthcare industry, you should be aware of the CSC final report and the possible implications. This overview provides a brief summary of the report’s discussion of Software Bill of Materials (SBOMs) and the specific responsibilities of medical device manufacturers.

The final report from the CSC was made publicly available on March 11, 2020. The report is 182 pages in length and offers more than 80 recommendations to implement a “…strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences.”

The Cyberspace Solarium Commission was tasked by the President and Congress to answer two questions:

  1. What strategic approach will defend the United States against cyberattacks of significant consequence?
  2. What policies and legislation are required to implement that strategy?

The Cyberspace Solarium Commission advocated layered cyber deterrence to be achieved by:

  1. Working with allies and partners to promote responsible cyber behavior
  2. Working with the private sector to increase the security of the ecosystem
  3. Imposing costs as a deterrent and motivator

Implementation of the layered cyber deterrence strategy is built upon six (6) policy pillars and more than eighty (80) recommendations. This summary will provide in-depth analysis of the specific pillar to enhance the security in the cyber ecosystem, which calls out the work being done with the Software Bill of Materials (SBOM). Here is a list of the pillars presented in the document, but please refer to the final report for details on all pillars and recommendations. [1]

6 Pillars of the CSC final report

  1. Reform the US government’s structure and organization for cyberspace
  2. Strengthen norms and non-military tools
  3. Promote national resilience
  4. Reshape the cyber ecosystem (focus of this summary)
  5. Operationalize cybersecurity collaboration with the private sector
  6. Preserve and employ the military instrument of national power

Pillar 4 – Reshape the Cyber Ecosystem Toward Greater Security

“This pillar attempts to drive down vulnerability across the ecosystem by shifting the burden of security away from end users to owners, developers, and manufacturers who can more efficiently implement security solutions at the appropriate scale.”

Five Strategic Objectives of Pillar 4

  1. Promote the creation of more secure technology by
    • Incentivizing product manufacturers to adopt a “secure to market” strategy
    • Ensuring product manufacturers have access to trusted suppliers
  2. Encourage more secure practices through incentives and disincentives
  3. Leverage large-scale information and communications technology
  4. Reduce key supply chain risk
  5. Protect sensitive data

Strategic Objective #1 – Incentivizing Greater Security in the Markets for Technology

Key Recommendations – 4.1, 4.2 and 4.7 are detailed below

4.1 Congress should establish and fund a National Cybersecurity Certification and Labeling Authority empowered to establish and manage a program for voluntary security certifications and labeling of information and communications technology products.

4.2 Congress should pass a law establishing that final goods assemblers of software, hardware, and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities.

4.3 Congress should establish a Bureau of Cyber Statistics charged with collecting and providing statistical data on cybersecurity and the cyber ecosystem to inform policymaking and government programs.

4.4 Congress should resource and direct the Department of Homeland Security to resource a federally funded research and development center to work with state-level regulators in developing certifications for cybersecurity insurance products.

4.5 The National Cybersecurity Certification and Labeling Authority, in consultation with the National Institute of Standards and Technology, the Office of Management and Budget, and the Department of Homeland Security, should develop a cloud security certification.

4.6 Congress should direct the US government to develop and implement an information and communications technology industrial base strategy to ensure more trusted supply chains and the availability of critical information and communications technologies.

4.7 Congress should pass a national data security and privacy protection law establishing and standardizing requirements for the collection, retention, and sharing of user data.

4.1 Congress should establish and fund a National Cybersecurity Certification and Labeling Authority empowered to establish and manage a program for voluntary security certifications and labeling of information and communications technology products.

Security standards and best practices can be employed more effectively, and certifications and labels can be used as a product differentiator for developers. The following are recommended:

  • Product Certification & Attestation – certify products meeting cybersecurity standards
  • Accredited Certifying Agents – accredit organizations to certify classes of products
  • Comparative Security Scoring – revise NIST scoring to include product type and environment
  • Update Federal Procurement Regulations – require product certification and labeling
  • Integrate with Ongoing Efforts – build upon existing efforts at Department of Commerce to develop the SBOM (Software Bill of Materials)
  • Partnership on Product Labeling – provide transparent information on the characteristics and constituent components (SBOM) of a software or hardware product, including those that contribute to the security of a product or service.

Product component lists, like the SBOM mentioned above, are being adopted as an industry security document in healthcare because they provide transparency into deployed device risk. For a more detailed discussion of Software Bill Of Materials, and how they support responsive patching programs, please see our article – The Impact of COVID-19 on Medical Device Cybersecurity.

4.1.1 Enabling Recommendation – Create or Designate Critical Technology Security Centers

Provide the US government with the capacity to test the security of critical technologies and, when appropriate, assist in identifying vulnerabilities and developing mitigation techniques with relevant original equipment manufacturers.

4.1.2 Enabling Recommendation – Expand and Support the National Institute of Standards and Technology (NIST) Security Work

Congress should increase funding in support of NIST’s work on cybersecurity. Specifically, NIST should be appropriately resourced to:

  • Maintain cybersecurity frameworks and standards
  • Develop technology development standards
  • Develop standards for vulnerability and patch management
  • Support National Vulnerability Database (NVD)
  • Support Common Vulnerabilities and Exposures (CVE) program
  • Support Cybersecurity and Infrastructure Security Agency (CISA)

4.2 Congress should pass a law establishing that final goods assemblers of software, hardware, and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities.

Definitions

Final Goods Assembler – the entity that is most responsible for the placement of a product or service into the stream of commerce. In the case of medical devices, this could be assumed to be the medical device manufacturer.

Known Vulnerability – vulnerabilities disclosed through public sources such as the National Vulnerability Database (NVD) and Common Vulnerabilities and Exposures (CVE) program, reported to the hardware/software developer by a third party, and discovered by the hardware/software developer themselves.

Vulnerability Disclosure and Retention – final goods assemblers, as well as software and hardware component developers, establish a process for vulnerability reporting, retain records documenting when a vulnerability was made known or discovered by the company, and maintain a vulnerability disclosure and patching policy that conforms to the requirements set out under this regulation.

4.2.1 Establish Liability for Final Goods Assemblers – Legislative Summary

Private Right of Action

  • End users may bring action against final goods assemblers not meeting standard of care
  • Damages up to 15% of the final goods assembler’s annual revenue for the preceding year

Standard of Care – final goods assembler

  • Meets the standard of care if, within 18 months of the enactment of the Act, it
    • Makes security patches available within 90 days of a vulnerability being made known or discovered

4.7 Congress should pass a national data security and privacy protection law establishing and standardizing requirements for the collection, retention, and sharing of user data.

  • Preempts the existing state, district, and territorial data breach notification laws
  • Establishes threshold for a covered breach
  • Requires notification and transmission of forensic data to cyber authorities
  • Sets standards and timelines for notifying victims
  • Sets criteria that determine when victims should receive free credit monitoring
  • Deconflicts with existing federal regulation for private-sector and other non-federal entities

Conclusion

The CSC final report is a call to action to the US government. Through the various strategic recommendations, the Commission is urging the United States Congress to act quickly and pass supportive legislative measures enabling private rights of action by end users harmed in cyber incidents. For medical device manufacturers, the CSC final report is also a call to action. It’s clear that the demands to provide concise, transparent information and timely responses to cyber incidents will continue to increase. Providing security documentation such as the SBOM (Software Bill of Materials) will be an expectation, and product insecurity will not be tolerated. Medical device manufacturers would be wise to begin preparing now for these sweeping reforms.

The InSight Platform uses advanced techniques to interrogate medical devices and automatically generate bills of materials. Using artificial intelligence and machine learning, the InSight Platform continuously monitors for vulnerabilities in discovered device components, enabling device manufacturers to respond proactively to the latest discovered threats.

Ken Zalevsky
CEO, Vigilant Ops
Former Head of Medical Device Cybersecurity, Bayer


  1. The final report, along with additional information about the CSC, can be found at https://www.solarium.gov. Cyberspace Solarium Commission.

Vigilant Ops Announces Availability of InSight Platform V1

By vigilantops

On May 11, 2020, Vigilant Ops, an innovator in medical device cybersecurity, announced the immediate availability of InSight Platform V1, enabling medical device manufacturers to begin automatically generating, updating, and monitoring device software bills of materials (SBOMs). FDA’s draft version of their premarket guidance refers to these as CBOMs (Cybersecurity Bill of Materials) [1], given the original desire to include hardware components in device bills of materials. Since the original draft guidance, FDA and others have begun referring to the documents as SBOMs (Software Bill of Materials) and eliminating the hardware component inclusion. Vigilant Ops will also refer to these device software bills of materials as SBOMs.

“The Vigilant Ops InSight Platform V1 is a game-changer in medical device cybersecurity,” said Ken Zalevsky, CEO at Vigilant Ops and former Head of Medical Device Cybersecurity at Bayer. “Medical device manufacturers are under extreme pressure from customers, prospects, and regulatory bodies to prove the safety and security of their devices. SBOMs are an industry-accepted solution but are very labor-intensive to generate and require continuous monitoring and maintenance. The InSight Platform eliminates this manual generation effort, while providing real-time monitoring of various public vulnerability sources and continuous maintenance of device bills of materials.”

The InSight Platform uses advanced techniques to interrogate medical devices and automatically generate SBOMs. Using artificial intelligence and machine learning, the InSight Platform continuously monitors for vulnerabilities in discovered device components, enabling device manufacturers to respond proactively to the latest discovered threats.


  1. Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. FDA. Published online October 2018.
Vigilant Ops
8085 Saltsburg Rd., Pittsburgh, PA 15239

Copyright © 2021 Vigilant Ops. All rights reserved.