Apple “ECG” watch, OIG on FDA MD cybersecurity

Posted by: Julia Annaloro      Date: September 18, 2018

TLP White: We start with discussion around the Apple Watch’s new features and what they mean for healthcare. We also look at the OIG’s recommendations for the FDA when reviewing medical devices before they hit the market. We conclude by shedding some light on how using AI to create synthetic brain cancer scans actually preserves privacy. Welcome back to Hacking Healthcare.

Author’s note: In recognition of the H-ISAC’s increased focus on international healthcare, we will be adding additional information regarding policy and legislative hearings from around the world. We welcome any feedback on how to make this as useful as possible.

Hot Links –

 

1.  Apple Watch’s Medical Makeover.

Last week Apple revealed an upgraded Apple Watch with new heart-monitoring and fall-detection capabilities. The new Apple Watch contains electrodes and sensors that turn the watch into an electrocardiogram (“ECG”) with the capacity to measure the heart’s electrical activity and detect disorders and irregularities. These new utilities make the Apple Watch seem more like a medical device than simply a timepiece, and reflect a larger trend among tech companies that are now dabbling in medical monitoring.

The U.S. Food and Drug Administration (“FDA”) seems to be optimistic about the watch’s potential, stating that the new features “may help millions of users identify health concerns more quickly.” The FDA cleared marketing of the ECG app and irregular-rhythm notification on the watch on Tuesday, the day before Apple’s big reveal. The FDA’s approval came just a day after the Department of Health & Human Services Office of the Inspector General (“OIG”) released a report containing recommendations for the FDA regarding cybersecurity and the agency’s medical device review process.
 

2.  OIG Urges FDA to Further Integrate Cybersecurity in Medical Device Review.

As referenced above, the Department of Health and Human Services Office of the Inspector General (“OIG”) recently released a report following a study examining the U.S. Food and Drug Administration’s (“FDA”) review of cybersecurity in premarket submissions for networked medical devices. Currently, FDA reviews cybersecurity documentation in premarket submissions before allowing the device to be marketed. Using 2014 guidance on the content of premarket submissions and cybersecurity, FDA reviewers consider whether a device exhibits known cybersecurity risks and threats, and also review any documentation provided by the device manufacturer describing the device’s cybersecurity risks, controls, and the threats that the manufacturer has already considered.

Following the study, OIG recommended that FDA make better use of the presubmission meetings to address cybersecurity-related questions by including cybersecurity documentation as a criterion in FDA’s Refuse-To-Accept checklists. The FDA uses these checklists to screen submissions for completeness, and the checklists currently do not include checks for cybersecurity information. Additionally, OIG recommended that FDA include cybersecurity as an element in its Smart template, a tool that the FDA uses to guide reviews of submissions.

3.  AI Application in Healthcare That Actually Preserves Privacy.

The trouble with rare medical conditions is, well, they are rare. Of course this makes it difficult for medical professionals to have enough data readily available so that they can detect abnormalities as early as possible. AI researchers from Nvidia teamed up with the Mayo Clinic and the MGH & BWH Center for Clinical Data Science to understand how to use generative adversarial networks (“GANs”) to create synthetic brain MRI images. GANs essentially consist of two AI systems: a generator that creates images and a discriminator that works to tell synthetic images from real ones. The two networks are trained against each other until the discriminator is unable to distinguish between real images and synthesized images.

This type of machine learning opens the medical field up to a much larger dataset for all types of conditions, including those that are especially rare. The beauty of it is that once the dataset is created, it can be accessed and shared broadly without running into the types of patient privacy concerns associated with traditional data collection. Researchers are actively exploring other ways to apply machine learning to medical research, and we can expect even more innovative applications to come.
 
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:

Hacking Healthcare 9.18.2018 TLP White

Australia’s Consumer Data Right, NIST, Encryption

Posted by: Julia Annaloro      Date: September 11, 2018

TLP White: Australia and the development of a Consumer Data Right, NIST’s plans to create a privacy framework, and the 2018 Five Country Ministerial.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:

Hacking Healthcare 9.11.2018 TLP White

Cyber Extortion, CVE program, CA Privacy Bill

Posted by: Julia Annaloro      Date: September 05, 2018

TLP White: Cyber extortion, Common Vulnerabilities and Exposures, and California privacy legislation.
 

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:

Hacking Healthcare 9.05.2018 TLP White

Compelled Decryption, Mirai “Sora”, Apache Struts

Posted by: Julia Annaloro      Date: August 29, 2018

TLP White: Louisiana decryption case and potential repercussions of compelled decryption in the healthcare industry, a resurgence of the Mirai malware, the Apache Struts vulnerability and the multi-stakeholder coordinated vulnerability disclosure process.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:

Hacking Healthcare 8.28.2018 TLP White

Chinese Cyber-Recon, PPD-20 Nixed, Medicaid Gaps

Posted by: Julia Annaloro      Date: August 21, 2018

TLP White: Chinese hackers attempt trade advantage, President Trump’s move towards a more offensive cyber strategy, and security gaps in Maryland’s Medicaid Management Information System.  Welcome back to Hacking Healthcare:

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:

Hacking Healthcare 8.21.2018 TLP White

DHS, Blockchain/Breach, Breach Barometer

Posted by: Julia Annaloro      Date: August 14, 2018

TLP White:  We start with an announcement from the Department of Homeland Security about the formation of a National Risk Management Center.  We also address some amendments to Ohio law which have implications for Blockchain and data breaches.  We conclude with discussing a recent data breach and the role that employees play in those statistics.  Welcome back to Hacking Healthcare:

 

Hot Links –

  1. DHS Announces National Risk Management Center. From our “Where were you when…?” department, we look at the recent Department of Homeland Security (“DHS”) National Cybersecurity Summit. The summit brought together a few hundred people from government and industry to listen to leaders discuss the importance of cybersecurity to the nation and to their world.

 

The words “collaborate”, “coordinate”, “public/private”, and “partnership” were in full force during the day-long summit. If you have spent any time working for or with the government, you may be forgiven for thinking that these words are code for “we don’t really know what we want to do, but working together is better than not. Right?” And in truth, while lots of smart people are committed to making a difference, details were a bit light. DHS did announce a new federal risk management initiative, created to help coordinate risk management efforts among government and industry.[1] The fact sheet published by DHS explains that as part of the initiative, there will be a new National Risk Management Center (“Center”) housed within DHS.[2]

 

According to DHS, the Center “will create a cross-cutting risk management approach between the private sector and government to improve the defense of our nation’s critical infrastructure.” DHS has identified three mission areas for the Center: (1) identify, assess, and prioritize risks to national critical functions; (2) collaborate on the development of risk management strategies and approaches to manage risks to national critical functions; and (3) coordinate integrated cross-sector risk management activities. It is encouraging that there is activity in this space, and we are supportive of DHS and its mission to coordinate and facilitate risk management approaches between the public and private sector.

[1] https://www.dhs.gov/news/2018/08/01/dhs-hosts-successful-first-ever-national-cybersecurity-summit

[2] https://www.dhs.gov/sites/default/files/publications/18_0731_cyber-summit-national-risk-management-fact-sheet.pdf

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:

Hacking Healthcare 8.14.2018 TLP White

DNC on Huawei & ZTE, NIST, FBI on IoT

Posted by: Julia Annaloro      Date: August 07, 2018

TLP White: DNC announcement regarding the use of Chinese telecom companies Huawei and ZTE, guidance on healthcare mobile device security, FBI PSA regarding IoT security and how to protect and defend against attacks.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:

Hacking Healthcare 8.07.2018 TLP White

Bluetooth, Australian initiative and SingHealth

Posted by: Julia Annaloro      Date: July 31, 2018

TLP White: Bluetooth vulnerability, Australian healthcare data initiatives and a SingHealth breach update.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:

Hacking Healthcare 7.31.2018 TLP White

Data Transfer Project, Singapore Breach, IoT, DNS

Posted by: Julia Annaloro      Date: July 24, 2018

TLP White: An effort to make moving user data easier, a healthcare data breach in Singapore, and IoT security.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:

Hacking Healthcare 7.24.2018 TLP White

Fitness App, Equifax Lessons, Biometric Data

Posted by: Julia Annaloro      Date: July 17, 2018

TLP White: Exercise data shenanigans, some lessons from the CISO of Equifax, and a look at a law in Illinois dealing with biometric data and who owes whom what when it is collected.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:

Hacking Healthcare 7.17.2018 TLP White