BD secures ISO certification for its information security management system

BD announced today that it has secured ISO certification for its enterprise-level Information Security Management System.

The Franklin Lakes, New Jersey–based company said the ISMS meets a rigorous set of independently audited international standards. BD says the ISO/IEC 27001:2022 certification demonstrates its commitment to protecting the company, customers and patients from cybersecurity threats.

The International Standards Organization (ISO) and the International Electrotechnical Commission (IEC) established the global ISO/IEC 27001:2022 standard. Certification means an organization is establishing, maintaining and continually improving on its information security systems.

“Cybersecurity continues to be a top priority for Merck and all of health care,” said Michael Harrison, associate director of supplier risk management for Merck.

Harrison added in the BD news release: “As an important supplier to Merck, BD’s ISO 27001 certification demonstra…


CISA warns on cybersecurity vulnerabilities for certain Baxter infusion pumps

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) today issued a warning on some Baxter (NYSE:BAX) infusion pumps.

Sigma and Baxter Spectrum infusion pumps are included in a CISA notice over remotely exploitable vulnerabilities. Those vulnerabilities include: missing description of sensitive data, use of externally controlled format string and missing authentication for critical functions.

The successful exploitation of the vulnerabilities could allow access to sensitive data. It could also result in the alteration of system configuration.

Get the full story at our sister site, Drug Delivery Business News.


Government warns on cybersecurity issues with BD’s Pyxis, Synapsys systems

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) today released advisories on two products from BD (NYSE:BDX).

Vulnerabilities with the BD Pyxis automated medication dispensing system and the BD Synapsys microbiology informatics software were voluntarily reported by Franklin Lakes, New Jersey-based BD through the CISA coordinated vulnerability disclosure program.

The BD Pyxis’ vulnerability is labeled as “Not Using Password Aging,” meaning successful exploitation of the vulnerability could allow an attacker to gain access to electronic protected health information (ePHI) or other sensitive information, according to the CISA notice. CISA determined that the vulnerability is exploitable remotely and has low attack complexity.

Specific BD Pyxis products were installed with default credentials and still may operate with such credentials, creating potential scenarios in which those products were installed with the same defa…


Stryker leaders talk medtech trends at DeviceTalks Boston: ‘If you’re slow, you’re going to lose’

The first day of DeviceTalks Boston closed with a panel of Stryker (NYSE:SYK) executives discussing new tools, technologies and strategies in medtech.

Digital VP Tracy Robertson, Digital, Robotics, and Enabling Technologies President Robert Cohen and Surgical Technologies VP of Digital Innovation Siddarth Satish offered their thoughts on industry trends in healthcare and at the Kalamazoo, Michigan–based orthopedic device giant.

It was only the first question posed to the panel yesterday, which also featured Dave Lively — SVP of Product Management, Vocera (now part of Stryker) — and was moderated by Orthopaedics and Spine Group President Spencer Stiles.

Get the full story at our sister site, Medical Design & Outsourcing.


FDA proposes new cybersecurity, supply chain and inspection laws for medical device manufacturers

The FDA today offered a slate of proposed laws for Congress to consider along with the agency’s $8.4 billion budget request for fiscal year 2023.

The legislative wish list includes several proposals that would affect medical device developers, manufacturers and distributors, including cybersecurity requirements for medical devices, mandatory supply chain reporting, remote inspections for FDA-regulated facilities and the destruction of dangerous imports.

Medical device cybersecurity

One proposal would require medical device manufacturers to design cybersecurity into their devices, such as the ability to update and patch software in a timely manner. Manufacturers would also need to provide cybersecurity assurance in premarket submissions, include a Software Bill of Materials that tells patients …


Government warns on cybersecurity issues with Philips’ e-Alert MRI monitoring system

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) today issued a notice regarding the e-Alert system from Royal Philips (NYSE:PHG).

CISA called attention to the e-Alert MRI system monitoring platform (version 2.7 and prior) and a potential vulnerability related to “missing authentication for critical function.”

According to the CISA notice, successful exploitation of the vulnerability — in which the software does not perform any authentication for critical system functionality — could allow an unauthorized actor to remotely shut down the system if on the healthcare facility’s network.

Philips plans a new release to remediate the vulnerability before July 2022. For interim mitigation to the vulnerability, Philips recommends that users operate all Philips deployed and supported products within Philips authorized specifications, including physical and logical controls, with only authorized personnel permitted to access th…


Data breaches targeting pharma companies are ‘rampant,’ report says

For pharmaceutical companies, cyberattacks can get expensive quickly. 

In 2021, the average cost of a data breach was $5 million, which is the third-highest of any industry, according to the IBM Cost of a Data Breach report. 

Cyberattacks can also cause operational disruptions. For example, in 2017, Merck & Co. (NYSE: MRK) struggled to keep up with demand for hepatitis B vaccine because it was a victim of NotPetya ransomware. Merck estimated the damages from that attack to be roughly $1.4 billion.

Breaches in the pharma industry are rampant, concludes a recently published report from the cybersecurity firm Constella (Los Altos, California), which analyzes data exposures, breaches and leakages within the industry from January 2018 to September 2021. In that time frame, the company identified 9,030 breaches or leakages and more than 4,500,000 exposed record…


Government warns on cybersecurity issue with Fresenius Kabi’s Agilia Connect infusion system

The U.S. Cybersecurity & Infrastructure Security Agency today issued a medical advisory for the Fresenius Kabi Agilia Connect infusion system.

Fresenius Kabi’s Agilia Connect infusion system has been deemed “exploitable remotely/low attack complexity” by the agency. Successful exploitation of vulnerabilities could allow an attacker to gain access to sensitive information, modify settings or parameters or perform arbitrary actions as an authenticated user.

Get the full story at our sister site, Drug Delivery Business News.


FDA says there’s a cybersecurity vulnerability with Apache’s Log4j

The FDA is raising awareness about a cybersecurity vulnerability related to Apache’s Log4j — used to log security and performance information for many software applications, including in the medical device space.

The vulnerability involves Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1.

The FDA said in a statement posted on December 17 that it does not know of the Log4j problems causing a medical device adverse event. However, there is still a risk that the situation could make a medical device unavailable, or an unauthorized user could remotely impact safety and effectiveness.

The Cybersecurity and Infrastructure Security Agency (CISA) has established a website with more information, including recommendations to address the vulnerability. The FDA encourages manufacturers to communicate with customers about the problem and coordinate with the …


How to protect medical devices from hidden cybersecurity risks

Your software supply chain could be a cybersecurity risk. Here’s what you can do.

Vince Arneja, GrammaTech

The healthcare industry has been fighting a war on two fronts during the COVID-19 pandemic: against the virus and against an outbreak of cyberattacks. The Department of Health and Human Services says the sector reported a 9,851% increase in cyberattacks in 2020 compared to 2019.

Cybercriminals see healthcare organizations as “soft targets” that are not as well defended; they need to be accessible to users and have heavy traffic of files and records, which leave multiple attack vectors open for criminals. In addition, healthcare is in the midst of a technology expansion, with explosive growth in Internet of Things (IoT) connections, patient portals and telehealth.

All these new medical technology applications run…


Why cyberattacks targeting pharma are ramping up

Cyberattacks targeting the pharma industry have ramped up during the pandemic, and insider threats and nation-state attacks are on the rise. Meanwhile, the average cost of a pharma breach in 2021 is $5.04 million, according to the IBM-sponsored Ponemon Institute’s Cost of a Data Breach Report. For context, an average data breach incurs damages of $4.24 million.

Pharmaceutical companies are beginning to allocate more resources to cybersecurity, according to Howard Ting, CEO of data detection and response business Cyberhaven (Palo Alto, Calif.).

Pharma companies’ data is increasingly decentralized

The traditional model for protecting sensitive data was to create the networking equivalent to a castle and moat. But in the pharmaceutical industry and elsewhere, sensitive data can no longer be stored under lock and key. Pharmaceutical companies’ data must “move and be shared,” Ting said. For example, a contract manufacturer might need access to sensitive data. …
