[Security News] FDA Mandates Cybersecurity for Medical Devices


April 2023


1. FDA to refuse to accept medical devices lacking cybersecurity measures

The US Food and Drug Administration (FDA) announced that, starting on October 1, it will begin refusing to approve medical devices on cybersecurity grounds. Moreover, beginning on March 29, all new devices submitted for approval must be accompanied by a detailed cybersecurity plan.

Specifically, device manufacturers must now provide detailed plans on how they will apply regular security updates and patches, along with a list of potential entry points and vulnerabilities, as well as vulnerability disclosure plans. If a critical vulnerability is discovered outside of the regular update cycles, public disclosure must be made immediately.

A Software Bill of Materials (SBOM) is also required for all new submissions. An SBOM is a list of all open-source software components used in a system or device. This allows the FDA to assess potential cybersecurity risks and flaws.

Sources: FDA


2. Data storage company Western Digital faces service disruptions after cyberattack

Western Digital, a California-based data storage provider and hard drive maker, disclosed a cybersecurity incident in which an unauthorized third party gained access to multiple systems in its network.

After discovering the attack on March 26, Western Digital was forced to disconnect many of its servers, leading to the disruption of many online storage services. In particular, many business and personal users reported that the company’s popular network-attached storage (NAS) service MyCloud had been inaccessible for several days.

Western Digital did not clarify whether it was a ransomware operation. An attack on a storage service provider of this scale can have a significant impact on all users downstream, leading to further operational disruptions throughout the supply chain.

Sources: SC Media, Bleeping Computer


3. Payment giant NCR reveals ransomware attack impacting point-of-sale systems

NCR, a multinational manufacturer of payment systems including ATMs, self-service kiosks, and POS machines, revealed on April 15 that its data center located in Aloha, Hawaii was attacked by ransomware, which led to a subsequent data breach.

NCR discovered the attack on April 13, after which it immediately contacted the affected customers. The attack directly affected the POS machines used by local restaurants in Aloha. Nevertheless, the company claimed that the attack only impacted certain functionalities and that payment applications remained functional, suggesting that the impacted restaurants could still serve customers.

The BlackCat (a.k.a. ALPHV) ransomware gang claimed responsibility for the attack on its leak site, stating that it had stolen “a lot of credentials” that can be used to access NCR’s client networks. The post was later taken down from the leak site, signaling that a ransom negotiation might have taken place.

More and more often, ransomware operators are attacking manufacturers that are critical to their supply chain. In this case, a cyberattack against payment platforms can lead to significant service outages for clients in the retail and hospitality industries.

Sources: Infosecurity, Security Week


4. Outsourcing firm Capita attacked by Black Basta ransomware

Capita, a London-based professional services outsourcing company, disclosed a data breach following a ransomware attack. Capita operates crucial services for both public and private sectors, and is one of the most important government contractors in the UK, with some notable clients including the NHS and the military. 

According to the investigation, the attackers gained access to Capita’s systems on March 22, only to be discovered and stopped on March 31. This led to major system outages for clients. Capita later confirmed that 4% of its IT infrastructure was accessed, exposing sensitive data belonging to customers, employees, and suppliers.

On April 17, the Black Basta ransomware gang claimed responsibility for the attack via a private post on its leak site, showing samples of stolen bank accounts, passport copies, and more. Capita did not make any comment on Black Basta’s claim.

Sources: Bleeping Computer, Computer Weekly, The Guardian

