From gatekeeper to strategist: The evolution of the CISO role in drug development


There’s an old joke about chief information security officers (CISOs) being gatekeepers of new technologies and initiatives – the infamous “Department of No.” Imagine a bouncer who, strangely, doesn’t let anyone in, saying the club is already too full, even when it’s clearly empty.

But that image is outdated — especially in risk-focused industries like financial services where CISOs are integral to digital transformation projects and the broader risk management considerations. 

From CIS-‘no’ to risk maestro

“Drug development is a risk-focused industry as well,” said Daniel Ayala, chief security and trust officer for Dotmatics. “There is a huge amount of risk.” Consequently, CISOs working in pharma contexts are increasingly expanding their roles from technical experts to risk-aware business leaders who happen to have deep technical expert…


Safeguarding stand-alone medical devices while navigating FDA’s evolving security standards

Will your stand-alone medical device stand up to scrutiny from the FDA’s cybersecurity reviewers?

By Normand Martel, MedAcuity

In the highly competitive medical device industry, scientists and engineers are continually pushing boundaries to create innovative medical devices, including stand-alone devices.

The medtech security landscape is rapidly evolving as the FDA introduces changes in regulations that fundamentally redefine the perception and management of security for these devices.

This article aims to demystify the changes to the guidance and security standards. It seeks to empower professionals by providing invaluable insights, enabling you to successfully navigate the complex landscape of regulatory compliance, and fortify security measures when developing stand-alone medical devices.

The premise: Your FDA submission

Let’s say you’r…


Zoll Medical discloses email phishing attack and potential data breach

Zoll Medical Corp. said a cyberattack may have exposed protected health information of current and former employees, dependants and beneficiaries.

Chelmsford, Massachusetts-based Zoll — an Asahi Kasei company — characterized the incident as a “sophisticated email phishing attack” that targeted a Zoll employee.

Phishing attacks use seemingly trustworthy communications via emails, text messages or even phone calls to get the recipient to share security information such as passwords or to open a malicious hyperlink or attachment.

“This incident was limited to emails and had no impact on Zoll’s medical devices, software, or services,” the company said in a news release. “The PHI affected by the incident varied by individual and may have included some individuals’ names, addresses, Social Security numbers, and protected health information and/or health insurance information.”

Zoll said it has no indication that…


Henry Schein reports more disruption as cyberattackers take credit

Henry Schein (Nasdaq: HSIC) said today that it is working to bring its ecommerce platform back up after more problems related to its cyberattack.

The medical device manufacturer and distributor said last week that its ecommerce platform and other applications were unavailable and that “the threat actor from the previously disclosed cyber incident has claimed responsibility.”

Today, the company said its ecommerce platform is back online in the U.S. and was expected to be restored in Canada and Europe “shortly.”

Henry Schein said it continued to take orders via alternate methods previously communicated to customers, and continued shipping products.

Earlier this month, the company warned customers and suppliers that their sensitive information may have been exposed in the cyberattack.

Henry Schein first disclosed the cyber security incident in October. A ransomware gang known…


Another medtech reports a cybersecurity incident

LivaNova (NASDAQ: LIVN) says it’s the latest victim of a cybersecurity incident.

The London-based device developer disclosed the cybersecurity incident in a Securities and Exchange Commission filing this week, saying the incident disrupted portions of its information technology systems and business operations.

“Promptly after detecting the issue, the company began an investigation with assistance from external cybersecurity experts and is coordinating with law enforcement,” LivaNova said in the filing. “The company continues to assess what information and systems were impacted and is executing its incident response plan, including implementing remediation measures to mitigate the impact of the incident.”

“The company has and will continue to take actions to remediate the issue, such as taking certain systems offline,” the company continued.

LivaNova said it expe…


Henry Schein confirms data breach, details financial impact of cyberattack

Henry Schein (Nasdaq: HSIC) warned customers and suppliers today that their sensitive information may have been exposed in a cyberattack.

The medical device manufacturer and distributor first disclosed the cyber security incident on Oct. 15. Then this month, a ransomware gang known as BlackCat/ALPHV said they encrypted the company’s systems and stole 35 TB of sensitive data. The cyberattackers said they caused $150 million in losses and threatened to release internal payroll data and shareholder folders.

Today, Henry Schein shared more details on its disruption and financial impacts during today’s earnings call for Q3 (ended Sept. 30).

In letters to customers and suppliers, Henry Schein confirmed the data breach and said bank account and credit card numbers may have been exposed. The company encouraged data security measures for both groups and promised to provide credit monitoring and identify pro…


Cyber gang threatens to release Henry Schein data in ransomware attack

A cyberattack group known as BlackCat is threatening to release Henry Schein (Nasdaq: HSIC) data unless the medical device manufacturer and distributor pays a ransom.

BlackCat (also known as ALPHV, both named after the ransomware of the same name) said they’ve encrypted Henry Schein’s systems after failed negotiations with Coveware, which describes itself as “ransomware recovery first responders.”

The cyber gang said they’ve stolen 35 TB of “sensitive data,” including “internal payroll data and shareholder folders.”

Henry Schein disclosed a cyber security incident on October 15 and has offered few details.

The latest update came in a Securities and Exchange Commission filing this week asking for more time to file its quarterly report for the three months ended Sept. 30. The company said it wouldn’t be able to file on time “due to information access …


Four ways to meet the new FDA guidance for medical device security

The FDA’s 2023 cybersecurity guidance, while demanding, sets the stage for a safer future where medical devices are resilient to evolving cyber threats.

By Curtis Yanko, CodeSecure

The FDA recently issued updated guidance on best practices for medical device cybersecurity, a progressive step forward from its 2014 recommendations. This revision underscores the need for manufacturers to adopt proactive security measures, integrating them into the very design and fabric of devices.

The underlying message of this new guidance is that manufacturers are encouraged to adopt a “security by design” methodology. This represents a significant departure from prevailing manufacturing and design mindsets, and necessitates considerable investments in new technologies and training.

A cornerstone of this new guidance is its focus on software supply chain security. Manufacturers aren’t just expected to produce secure devices; they are mandated to continuously …


Quest International achieves ISO 27001 information security certification

NEWS RELEASE: Quest International Achieves ISO 27001:2013 Certification, Proving Its Commitment to Cybersecurity

Quest meets strict ISO criteria in delivering a secure, resilient Information Security Management System for post-sales service support for OEMs

IRVINE, Calif., August 2023 — Quest International, a leading global post-sales service support partner for Original Equipment Manufacturers (OEMs) and an IT managed services provider, announced that it has received ISO 27001:2013 certification from the International Organization for Standardization (ISO). The only globally recognized certifiable information security standard for Information Security Management Systems (ISMS), ISO 27001:2013 has auditable requirements to encompass the overall management of information security, including cybersecurity protections.

“With ISO 27001:2013 certification, Quest is certified as a responsible and trustworthy steward of client data as well as third-party information,” …


BD discloses 8 cybersecurity vulnerabilities with Alaris infusion system

The Alaris system with Guardrails Suite MX. [Image courtesy of BD]

BD (NYSE: BDX) today voluntarily posted a product security bulletin for a number of vulnerabilities with its Alaris infusion system.

Franklin Lakes, New Jersey-based BD recently identified eight vulnerabilities. These vulnerabilities are associated with the BD Alaris system with Guardrails Suite MX, versions 12.1.3 and earlier.

The company discovered the vulnerabilities through routine internal security testing as part of its software development life cycle. This includes vulnerability scanning, code analysis, threat modeling and penetration testing.

Get the full story at our sister site, Drug Delivery Business News.


CISA warns on cybersecurity vulnerability for Medtronic cardiac device data workflow system

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on the Medtronic (NYSE: MDT) cardiac device data workflow system.

This vulnerability affects Paceart Optima systems, versions 1.11 and prior.

CISA lists the vulnerability as the deserialization of untrusted data, “exploitable remotely” with “low attack complexity.” The agency says successful exploitation could result in a remote code execution or a denial-of-service condition. This could impact a healthcare delivery organization’s Paceart Optima system.

If a healthcare delivery organization enabled the optional Paceart Messaging Service in the system, an unauthorized user could exploit the vulnerability. The unauthorized user may perform remote code execution and/or denial-of-service attacks, the CISA notice said. They could send specifically crafted messages to the system.

Remote code executi…


Zoll data breach affects more than 1 million people

More than 1 million people may have had personal data compromised during a recent hacking of Zoll Medical’s systems.

That’s according to a notice that Zoll filed with the Maine Attorney General, one of a number filed with federal and state agencies since the late January data breach.

Run out of Massachusetts, Zoll is an Asahi Kasei company. It makes a variety of advanced emergency care devices that provide defibrillation and cardiac monitoring, circulation enhancement and CPR feedback, supersaturated oxygen therapy, ventilation, and more.

According to an accompanying sample notice that Zoll sent to those affected, the company detected unusual activity on its internal network on Jan. 28. The company engaged in mitigation efforts, consulted with third-party cybersecurity experts, and notified law enforcement.

Within days, Zoll had determined that the data breach could have enabled hackers to gain access to customers’ personal health…
