MARSHA STEELE, MED., RHIA JUNE 2, 2016
Mobile Technology, Medical Devices and Security
Implantable Medical Devices - IMDs
IMDs – implantable medical devices
Insulin pumps, pacemakers, defibrillators, pain medication pumps, monitoring devices
Deliver meds at proper rates, measure & collect data, give direct stimulation to critical organs
Vulnerabilities and security flaws
Cyber exploitation
Backdoors in devices
Software flaws
Major Hacks
http://www.sfgate.com/news/article/Hackers-break-into-networks-of-3-big-medical-5217780.php
Medtronic – world’s largest medical device maker – specializes in endovascular and coronary
Boston Scientific
St. Jude Medical – implantable heart devices
Hospira – infusion pumps
U.S. is the most attacked country
Reasons
Industrial Espionage
High-tech medical device makers sit on billions of dollars of intellectual property
Spies seek edge in developing next blockbuster
Cybercrime costs U.S. economy about $100 billion annually
Malice
Because they could
Network reconnaissance ~ ways into systems
Your fault
Great reward but small risk ~ especially if sanctioned
Risk & Vulnerability Increasing
Electronic health records
Healthcare.gov
ePHI exchanged online
Use of medical devices
Use of mobile devices - BYOD
Networks and systems integration
Conferencing systems, web servers, patient portals, emails between patients and providers
Health care industry is far behind cybersecurity strategies and controls have fallen
http://www.sans.org/reading-room/whitepapers/analyst/health-care-cyberthreat-report-widespread-compromises-detected-compliance-nightmare-horizon-34735
Biggest Repeat HIPAA Violators
1. U.S. Department of Veterans Affairs — 220 complaints
2. CVS Health — 204 complaints (ProPublica notes CVS did pay a $2.25 million penalty in 2009 for dumping prescription bottles in unsecured dumpsters)
3. Walgreens — 183 complaints
4. Kaiser Permanente (Oakland, Calif.) — 146 complaints
5. Walmart — 71 complaints
6. LabCorp — 58 complaints
7. Quest Diagnostics — 55 complaints
8. Express Scripts — 51 complaints
9. Rite Aid — 48 complaints
10. United Healthcare — 43 complaints
HIMSS Cybersecurity Survey Results | CynergisTek, Inc. http://cynergistek.com/cynerg
Anthem Attack
https://www.youtube.com/watch?v=8bU6NQ6i6-Q
Premera Attack
https://www.youtube.com/watch?v=jZiXOxPD-wc
Your medical records are worth more to hackers than your credit cards https://www.youtube.com/watch?v=DoN0Bie6n9o
http://www.beckershospitalreview.com/healthcare-information-technology/5-biggest-healthcare-data-breaches-of-2015.html
Black Market Pricing
Credit card sells for $1
Personal identification information sells for $10-$12
Patient records sell for $20 - $50 each
Complete dossier (driver’s license, health insurance information, ++) can sell for over $500
PHI
43% of all reported identity theft in the U.S. in 2013 were medical identity thefts
In 2012, 1.85 million victims
Average out-of-pocket expense per person was $18,660 per incident
HIPAA violations for failure to protect PHI can be up to $50,000 per violation
http://resources.infosecinstitute.com/hackers-selling-healthcare-data-in-the-black-market/
Stolen patient health records can fetch as much as $363 per record, according to data from the Ponemon Institute, which is more than any other piece of data from any other industry
Change the Mentality within Healthcare
The health sector has become acutely aware of cyber attacks, insider threats,
and other malicious activity.
However, healthcare’s focus has been on HIPAA compliance.
Compliance does not necessarily mean that information will be kept safe and
secure.
All healthcare providers, covered entities, and business associates must
transition from “compliance only” to true cybersecurity as a mindset and
culture.
Hacks
Security experts say cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.
Ninety-four percent of health care institutions report they have been victims of cyber attack
Wireless Vulnerabilities & Bad Guy Behaviors
https://www.us-cert.gov/sites/default/files/publications/Wireless-Security.pdf
Piggybacking = hopping on to unprotected wireless networks to steal passwords or information, or to monitor activity
Wardriving = a specific kind of piggybacking – driving through an area with a powerful antenna to find the location of unsecured wireless networks; attackers can engage in illegal activity and mask their identities by using yours
File Sharing = should disable file sharing on computers, or have a dedicated directory for it with a separate & long password
Evil Twin Attacks – attacker sets up own system to impersonate a real access point – unsuspecting users connect thinking it's legitimate – attacker can read any data sent over the internet, including passwords
Wireless Sniffing – use of tools to obtain sensitive information sent via wireless
EULAs – End User License Agreements
Cybersecurity Vulnerability
When the software provides the opportunity for unauthorized access to the
network or medical device
May present a risk to the safe and effective operation of the device
May cause malfunction
Must consider impact of malfunction and create “fail safe” measures
Vulnerable
Device connected to Network
Doctor decides which devices
Barnaby Jack – “How to Kill a Man at 50 Feet”, in “Implantable Medical Devices: Hacking Humans”
Patches
Home connected Wireless
Department of Defense Information Assurance
Certification and Accreditation:
Any medical device which is networked must be evaluated and certified
from an information security standpoint before
being used.
http://www.forbes.com/sites/ericbasu/2013/08/03/hacking-insulin-pumps-and-other-medical-devices-reality-not-fiction/
2007 – U.S. Vice President Dick Cheney ordered some of the wireless features to be disabled on his defibrillator due to security concerns.
http://www.reuters.com/article/2014/10/22/us-cybersecurity-medicaldevices-insight-idUSKCN0IB0DQ20141022
FDA Collaborative Approaches for Medical
Device & Healthcare Cybersecurity
1. Cyber threats are evolving, becoming broader and more diverse and the wireless environment and the number of devices make defending against attacks more difficult
2. Threats are rarely done by lone hackers, but by very organized, corporate, and often government sanctioned efforts.
3. The threats are more dangerous and have the potential to disrupt our infrastructure, steal our intellectual property and business secrets, conduct espionage, steal identities and sell them on the black market.
4. Many successful attacks capitalize on vulnerabilities we know about and don’t fix.
5. Basic cyber hygiene and identity management has been around for years
6. Cybersecurity is not just a technology problem – economics, human behavior, politics, culture, values, training
FDA Cybersecurity of Medical Devices and
Hospital Networks
Vulnerabilities
Network-connected/configured medical devices infected or disabled by malware
The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices
Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel)
Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices)
Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service
manuals, and poor coding/SQL injection
FDA Laboratory
FDA is developing a laboratory specifically for testing medical device
cybersecurity
Fuzz testing (a.k.a. fuzzing)
= the process of sending intentionally malformed inputs to software for the
purpose of locating vulnerabilities.
Device manufacturers must comply with the Medical Device Reporting (MDR) regulations
For ANY cybersecurity issue with a medical device:
• Who is the point of contact for providing more information about the event?
• When and how was the information security/cybersecurity issue first discovered?
• What specific model numbers and firmware versions are affected?
• How many devices are affected?
• Has the device functionality been compromised? If so, how was the vulnerability exploited (for example, was it exploited remotely or via local access)?
• What is the observed abnormal behavior of the device? What are the possible consequences?
Hospitals
Maintain formal business relationships with software vendors and medical
device manufacturers
- Timely receipt of information about quality problems
- Timely receipt of recommended correction and preventative actions
Design system maintenance to ensure cybersecurity maintenance actions do not
impact medical device operation
Let patients know who to contact if experiencing problems and NOT to attempt
fixes/changes on their own
Responsibility for Safety & Effectiveness
Device Manufacturer – for safe and effective performance
The device manufacturer does NOT bear any responsibility
for the hospital network
Mobile Devices
BYOD – Bring Your Own Device
Many hospitals rely on antiquated systems – pagers, faxes, paper-based forms to communicate
- do not extend across sites
Current need for providers to access work-related IT applications on their personal mobile devices, or expensive alternative of providing institution-owned mobile devices
Smartphones have advanced data protection – user validation, encryption, authentication, and support for digital certificates
Mobile Devices
Lost or stolen devices account for 78% of patient records that are compromised
Large scale security breaches can result in huge fines for healthcare organizations
An astounding 41% of healthcare providers don’t encrypt their endpoints
To Protect PHI, healthcare organizations must
◦ Deploy encryption
◦ Layer endpoint security
◦ Manage software
◦ Institute policies prohibiting data storage on endpoints
◦ Train staff thoroughly
◦ Perform comprehensive security risk assessments
Mobile Devices
Physician Survey - Results from Responding Doctors
100% use laptops
86% use smartphones
53% use tablets
50% said they used all three kinds of devices
Physicians were most prone to travel with laptops to other facilities and to work at home
Institution-provided mobile devices to support daily work
89% laptops
87% COWs
59% pagers
53% smartphones
47% tablets
Many physicians and other clinicians bring their personal laptops and handheld devices to work
The Escalating Threat
Joe Kochan, Chief Operating Officer for US Ignite, a company developing gigabit-ready digital
experiences and applications:
“Cyber attacks will become a pillar of warfare and terrorism between now and 2025.
So much of a country’s infrastructure—commerce, finance, energy, education, health care—will be online, and gaining control of or disrupting a country’s online systems will become a critical goal in future conflicts.”
Increasing Attacks
Last year in the United States, more than 111 million individuals' data was breached due to a hack or IT incident, according to the Bitglass 2016 Healthcare Breach Report.
The majority of healthcare records leaked (98 percent) in 2015 were compromised due to large-scale cyberattacks. In 2015, there were 56 breaches due to hacking or IT incidents, compared to 31 in 2014.
"The 80 percent increase in data breach hacks in 2015 makes it clear that hackers are targeting healthcare with large-scale attacks affecting one in three Americans," said Nat Kausik, CEO of Bitglass. "As the IoT revolution compounds the problem with real-time patient data, healthcare organizations must embrace innovative data security technologies to meet security and
Everyone’s Involved
Homeland Security
Federal Drug Agency FDA
Europol - Project 2020 by ICSPA International Cyber Security Protection Alliance
- International Effort
- Partners = City of London Police, UK, the European Network and Information Security Agency (ENISA), the International Information System Security Certification Consortium (ISC), and the International Association of Public Prosecutors
- Private – VISA, McAfee, CGI Canada, Atos, Cassidian, Digiware, Core Security Technologies, Trend Micro
Europol
Report includes scenarios involving schemes to defraud and efforts by criminal organizations
Medical Device Schemes
1) Hacking into a system and changing the performance of a device where a patient’s life is held hostage
2) Extortion where a hacker could gain control of data, and demand money in exchange for its
return
Enabled by the “Internet of Things” – prediction that over 50 billion devices will be connected to the Internet by 2010 and over
Homeland Security
Devices at Risk
Surgical and anesthesia devices
Ventilators
Drug infusion pumps
External defibrillators
Patient monitors
Laboratory and analysis equipment
Identified approximately 300 medical devices from about 40 vendors
Homeland Security Alert
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01
HIPAA Security Rule
Review six sections of security rule
Review Breach Notification for covered entities
The most important technical safeguards for PHI on mobile devices are encryption and endpoint security software, which enables security personnel to protect and manage mobile devices remotely.
◦ Endpoint security can be used with desktop and laptop computers, smartphones and tablets
◦ Can send alerts when predefined conditions occur ~ can remotely secure the device
◦ Can use certificates and reports as proof the devices and data were properly secured when a device is stolen or lost
◦ Can monitor where each device is at all times – can be tracked and located or delete data from device remotely
◦ Can check if anyone other than authorized user has opened or tampered with files
◦ Can show audit trail that shows who can view the data, change it, where it resides, and how it’s protected
◦ Shows what and when data was deleted
◦ Can RED FLAG changes in user name, IP address, physical location, hardware configurations and other conditions
◦ Can alert if device leaves geofencing perimeter
This should be backed up with robust policies and procedures, enforcement, and education
No healthcare organization should allow an employee to BYOD unless the device is under a mobile device management (MDM) program.
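The red-flag conditions listed above (user name, IP address, physical location, hardware configuration, geofence, encryption), written out as detection rules. This is an added example, not from the original slides or any MDM product; the record fields, network range, geofence, and action names are assumptions, and the check-ins are constructed.

```python
"""Added example: red-flag rules over endpoint check-ins (all data constructed)."""
import ipaddress
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class CheckIn:
    """One status report from a managed device (field names are assumptions)."""
    device_id: str
    user: str
    ip: str
    lat: float
    lon: float
    hw_fingerprint: str  # e.g. digest of disk serial + board ID
    encrypted: bool


# Hypothetical policy values for a single campus.
APPROVED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
GEOFENCE_CENTER = (39.7392, -104.9903)
GEOFENCE_RADIUS_KM = 5.0


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points (haversine formula)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def red_flags(baseline, current):
    """Compare a check-in with the enrolled baseline and return the flags raised."""
    flags = []
    if current.user != baseline.user:
        flags.append("user_changed")
    # DHCP churn inside the approved range is normal, so only an address
    # outside every approved network counts as an IP red flag.
    addr = ipaddress.ip_address(current.ip)
    if not any(addr in net for net in APPROVED_NETWORKS):
        flags.append("ip_outside_network")
    if distance_km(current.lat, current.lon, *GEOFENCE_CENTER) > GEOFENCE_RADIUS_KM:
        flags.append("left_geofence")
    if current.hw_fingerprint != baseline.hw_fingerprint:
        flags.append("hardware_changed")
    if not current.encrypted:
        flags.append("encryption_off")
    return flags


def recommended_action(flags):
    """Map flags to a response; this escalation policy is an assumption."""
    off_site = "left_geofence" in flags
    identity_drift = "user_changed" in flags or "hardware_changed" in flags
    if off_site and identity_drift:
        return "remote_wipe"      # device is gone and no longer looks like ours
    if flags:
        return "lock_and_alert"   # secure remotely, let staff investigate
    return "none"


# Constructed sample data: one enrolled laptop and three later check-ins.
BASELINE = CheckIn("LT-0042", "dr.lee", "10.20.5.17", 39.7400, -104.9900, "hw-a1", True)
DHCP_MOVE = CheckIn("LT-0042", "dr.lee", "10.20.9.3", 39.7400, -104.9900, "hw-a1", True)
OFFSITE = CheckIn("LT-0042", "admin", "203.0.113.8", 40.0150, -105.2705, "hw-a1", True)
UNENCRYPTED = CheckIn("LT-0042", "dr.lee", "10.20.5.17", 39.7400, -104.9900, "hw-a1", False)

if __name__ == "__main__":
    for sample in (DHCP_MOVE, OFFSITE, UNENCRYPTED):
        raised = red_flags(BASELINE, sample)
        print(sample.ip, raised, recommended_action(raised))
```
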
Must Read
http://www.fda.gov/downloads/medicaldevices/newsevents/workshopsconferences/ucm426855.pdf
Ransomware
http://www.beckershospitalreview.com/healthcare-information-technology/hackers-shut-down-hollywood-presbyterian-medical-center-it-systems-demand-3-6-million-ransom.html
Hollywood (Calif.) Presbyterian Medical Center staff declared an internal emergency on Friday after hackers forced the hospital's IT systems offline and locked them out of the EHR – demanding pay of 9,000 in bitcoin = $3.6 M
Definition - A type of malware that restricts access to the infected computer or network
There are different types of ransomware
All of them will prevent you from using your PC normally:
• Prevent you from accessing Windows
• Encrypt files so you can't use them
• Stop certain apps from running (like your web browser)
Ransomware Incidents
The Baltimore Sun reported receiving a copy of the hackers' demands, and said the cyber criminals have offered MedStar a discount of sorts to release all the data.
According to the report, the hackers said the health system can send 3 bitcoins
(approximately $1,250) to unlock one infected computer, or 45 bitcoins ($19,000) to unlock them all.
It is unclear if one payment of 45 bitcoins would unlock all MedStar's computers, according to The Baltimore Sun.
March 22, 2016: Chino Valley Medical Center and Desert Valley Hospital (both part of Prime Healthcare Services Inc). Hackers installed malware and demanded ransom. Now in FBI probe.
Ransomware Incidents
Methodist Hospital, Henderson, Ky – locked patient files
King’s Daughters’ Health, Madison, Ind – installed Locky virus 4/5/16
Ottawa Hospital – embedded in spam email – blocked access to system
LA County Health Department – first known attack on Apple Macs
Hollywood Presbyterian Medical Center – blocked access – ransom of 40 bitcoins = $17,000
Titus Regional Medical Center, Mount Pleasant, Tx – installed ransom virus = still fixing
Lukas Hospital, Neuss, Germany
Klinikum Arnsberg Hospital, Westphalia, Germany
Three Types of Ransomware
• Locker ransomware typically restricts access to a device's interface but does not affect the underlying system or files. From 2014 to 2015, approximately 36 percent of binary-based
ransomware was of this type.
• Crypto - Unlike locker ransomware, crypto ransomware targets underlying information and systems. The user can do anything on the device except access the encrypted files. Oftentimes, this type of ransomware includes a time limit. If the victim does not pay the requested ransom within that time, the decryption key will be deleted and access to the data will be permanently lost. From 2014 to 2015, 64 percent of ransomware attacks detected were carried out using crypto ransomware.
• Hybrid ransomware. It is possible hackers could employ both types of ransomware in concert with one another, according to the report.
How Ransomware is Distributed
• Traffic Distribution System (TDS) - will redirect Web traffic to a site, which hosts an exploit kit. Some hackers may hire a TDS to spread their ransomware, according to the report.
• Malvertisement - In this case, a malicious advertisement would take a user to a malicious landing page if clicked on.
• Phishing Email - Phishing scams are the most common way to disseminate malicious content. A single click on a malicious link or attachment could compromise an entire network.
• Downloaders deliver malware into systems in stages, which makes the malicious intent less likely to be recognized by signature based detection.
• Social Engineering relies on maneuvering users into breaking their own security protocols to introduce the malware into their system.
• Self-propagating ransomware will have a functionality that supports its continual spread throughout a system.
https://www.us-cert.gov/ncas/alerts/TA16-091A
Ransomware and Variants Alert March 2016
The United States Department of Homeland Security (DHS), in collaboration with Canadian
Cyber Incident Response Centre (CCIRC), is releasing this Alert to provide further information on
ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.
Protections Against Ransomware ~ View
From a consultant
One hospital client told Mr. McMillan that a month ago, they tallied approximately 3,000 suspected ransomware events in their filters a day. Now, that number has multiplied 10-fold to 30,000 a day
1. McMillan reiterates the importance of employee training and education to eliminate human error that leads to malware attacks.
◦ Via better and more consistent experiential-based education so computer end users can better identify and avoid these types of attacks.
2. Hospital leaders need to scrutinize their allowance of personal devices at work. You need to stop and think about the business risk you're opening your organization up to by allowing your users to do all those things that are not work-related on your computer.
3. Investment in adequate and appropriate malware threat protection technology is critical
A combination of the three of these — education, workplace policy and technology — comprises a strong defense, and these defenses are going to become more necessary as ransomware attacks ramp up
Defense
Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or
system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
Use application whitelisting to help prevent malicious software and unapproved programs from running.
◦ Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services.
◦ Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources.
◦ For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.
Follow safe practices when browsing the Web. See Good Security Habits and Safeguarding Your Data for additional details.
Do not follow unsolicited Web links in emails.
◦ Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks for more information.
National Initiative for Cyber Education
NICE
Address gaps in workforce as a national problem
Provide a way for businesses to think about cybersecurity in a risk
management framework
Enable businesses to make decisions about how to prioritize & optimize
cybersecurity investment
Understand how people think and behave in cyberspace – Example:
passwords via technology & beyond
Provide a roadmap and benchmarking tool
Provide a common vocabulary for cybersecurity
National Initiative for Cyber Education
NICE
Build partnerships to create a cyber-ecosystem (like an immune system) to propagate
defenses much more rapidly to undermine the business model of the hackers
Corporate, private, governments
Identify risks and drive them to the lowest possible threat
Assume that threats will occur and build systems to be recoverable and resilient and
continue to function
Identify what information you have and why you care about it, and what threats
should you protect it from
Define information sharing, have a common language about medical devices, develop
a shared risk assessment and work together – must be able to deliver services AND
DHS Office of Cybersecurity & Communications
RESPONSIBILITY: Support critical infrastructure and & Cybersecurity Risk Reduction
Critical Infrastructure Cyber Community Voluntary Program - C-cubed Voluntary Program
Partnership with industry, state and local governments, U.S. government partner
1. Promote central location for promoting resources to support cybersecurity risk management
2. Sponsor program briefings and meetings with all sectors of industry
3. Create guidance and technical assistance via Cyber Resilience Review – (CRR)
4. Support cybersecurity risk priorities
5. Inform partners about risk management strategies (sector specific) & national plans
Cyber Resilience Review – CRR
One of the foundational principles of the CRR is that an organization deploys its assets (people, information, technology, and facilities) in support of specific operational missions or critical services. Applying this principle, the CRR seeks to understand an organization’s capabilities in performing, planning, managing, measuring, and defining operational resilience practices and behaviors through an examination of the following ten domains:
Ten Domains
1. Asset Management
2. Controls Management
3. Configuration and Change Management
4. Vulnerability Management
5. Incident Management
6. Service Continuity Management
7. Risk Management
8. External Dependency Management
9. Training and Awareness
10. Situational Awareness
Upon completion of the assessment, a final report is generated with relevant options for consideration.
Based on standards and best practices.
Five Components of NIST Framework
National Institute of Standards and Technology
Framework for Improving Critical Infrastructure Cybersecurity
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover
Five Framework Core Functions
Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets,
data, and capabilities.
The activities in the Identify Function are foundational for effective use of the Framework.
Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
Examples of Outcome Categories within this function include:
Asset Management
Business Environment
Governance
Risk Assessment
Five Framework Core Functions
Protect – Develop and implement the appropriate safeguards to ensure delivery of critical
infrastructure services.
The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.
Examples of Outcome Categories within this function include:
Access Control
Awareness and Training
Data Security
Information Protection Processes and Procedures
Maintenance
Five Framework Core Functions
Detect – Develop and implement the appropriate activities to identify the occurrence of a
cybersecurity event.
The Detect Function enables timely discovery of cybersecurity events.
Examples of Outcome Categories within this function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.
Respond – Develop and implement the appropriate activities to take action regarding a detected
cybersecurity event.
The Respond Function supports the ability to contain the impact of a potential cybersecurity event.
Examples of Outcome Categories within this function include:
Five Framework Core Functions
Recover – Develop and implement the appropriate activities to maintain plans for resilience and
to restore any capabilities or services that were impaired due to a cybersecurity event.
The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event.
Examples of Outcome Categories within this function include:
Recovery Planning
Improvements
Communications
Framework Implementation Tiers
Risk Management Process Integrated Risk Management Program External Participation Tier 1
Partial
Not formalized Limited awareness of cyber risk, no risk management established, irregular
management of risk. No process to share.
No collaborative entities.
Tier 2 Risk
Informed
Approved but not organization-wide
Aware of risk but no organization-wide
approach. Staff has adequate resources for cybersecurity. Management approved
processes defined & implemented. Information is shared on informal basis.
Knows, but has not formalized interaction & external sharing
Tier 3
Repeatable
Risk management policies and practices formally in place and regularly updated with changes in business requirements and
threats and technology .
Organization-wide approach to manage
cybersecurity risk. Policies and procedures in place. Personnel possess knowledge and skills.
Exchanges information with partners & collaborates and makes risk-based decisions in response to events
Tier 4 Adaptive
Adapts policies and cybersecurity practice to lessons learned and predictive indicators. Uses CPI, advanced technologies &
practices, responds to sophisticated threats.
Organization-wide approach using risk-informed policies, procedures, & practices. Cybersecurity risk management is part of organizational culture and evolves with experience, shared information, and
continuous awareness of activites on their systems and networks.
Manages risk & actively shares to improve cybersecurity
Government Concerns and Fixes
DHS
“is concerned that malicious actors may try to gain control of the devices remotely and create problems, such as instructing an infusion pump to overdose a patient with drugs, or
forcing a heart implant to deliver a deadly jolt of electricity.” http://rt.com/usa/198320-medical-device-vulnerable-hackers/
FDA
Guidance for the Management of Cybersecurity in Medical Devices ~ Slide Deck
http://www.fda.gov/downloads/Training/CDRHLearn/UCM420891.pdf
Recognize that the threat is real
Consider risks to the patient from a malfunction
Develop products to address cybersecurity
Government Fixes – Core Functions
Identify and Protect
1. Limit access to trusted users
- Layered privileges
- Appropriate authentication
- Strengthen password
2. Terminate session after a period of inactivity
3. Limit access to minimize tampering
- Physical lock
Government Fixes – Core Functions
Detect, Respond, and Recover
1. Implement features that allow users to learn that the device has been compromised
2. Provide information on appropriate actions to take once device has been compromised
3. Implement features that preserve critical functions including:
- Ability to reboot
- Ability to recognize drivers
Government Fixes – Core Functions
Hazard Analyses
Evaluate both intentional and unintentional cybersecurity risks
Provide information on the risks analyzed
Controls established to mitigate risks
Provide information on the controls put in place
Provide information on the appropriateness of the controls to mitigate identified risks
Matrix that links cybersecurity controls to the risk being mitigated
Summary documentation on
Plan to provide validated patches / updates
Plan to assure device integrity
Government Fixes – Core Functions
Manufacturers may choose alternative approaches to implementing cyber security controls
Have controls in place
Demonstrate to the agency the appropriateness of those controls in the premarket submission.
Recognize the threat is continuously evolving and have a plan in place to appropriately manage the evolving threat.
Ponemon Institute
Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data May 12, 2016, 10:00 am
We are pleased to announce the release of the Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, sponsored by ID Experts. For the sixth year in a row, data breaches in healthcare are consistently high in terms of volume, frequency, impact, and cost.
Nearly 90 percent of healthcare organizations represented in this study had a data breach in the past two years, and nearly half, or 45 percent, had more than five data breaches in the same time period.
Links
http://www.sfgate.com/news/article/Hackers-break-into-networks-of-3-big-medical-5217780.php
Infosec Institute http://resources.infosecinstitute.com/hcking-implantable-medical-devices/
Live Cyber Attack Maps
http://www.networkworld.com/article/2366962/microsoft-subnet/spellbound-by-maps-tracking-hack-attacks-and-cyber-threats-in-real-time.html
www.map.ip.viking.com and Kaspersky’s interactive cyber threat map
Framework for Improving Critical Infrastructure Cybersecurity Feb. 2014
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
Update on the Cybersecurity Framework http://www.nist.gov/cyberframework/upload/nist-cybersecurity-framework-update-120514.pdf
Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon, The SANS Institute 2014 http://www.sans.org/reading-room/whitepapers/analyst/health-care-cyberthreat-report-widespread-compromises-detected-compliance-nightmare-horizon-34735