Category Archives: Internet Security

AI could be ‘more important development’ than internet – RTE.ie

The Director of the National Cyber Security Centre (NCSC) has warned that artificial intelligence could prove to be a more important development than the internet.

Appearing before the Oireachtas Foreign Affairs and Defence Committee, the director of the NCSC, Dr Richard Browne, said that a year ago he would likely have been warning the committee about the challenges posed by cryptography and the shift to cloud computing.

"All of these are still factors today but are entirely overshadowed by the first public outings of generally available Artificial Intelligence", he told members.

Separately the committee was told of the "largely inconsequential" impact of cyber-attacks in terms of the overall Russian military effort.

Whilst telling TDs and Senators that cyber remains a "key tool in the armoury of any state", Dr Browne added that Ukraine had been prepared for such attacks due to years of "similar offensive actions" and because of "massive external support from public and private sector organisations".

Dr Browne also updated members of the committee on efforts to expand the NCSC.

Following the cyber-attack on the Health Service Executive, a capacity review of the NCSC was launched.

Dr Browne said that the organisation has increased its staff numbers from 25 staff to 52 today, adding that there is scope to grow to 62 this year.

Matt Carthy, Sinn Féin's Foreign Affairs and Defence spokesperson, asked if the NCSC would have concerns about other public bodies that could be vulnerable to cyber-attack.

Dr Browne told members that there were always risks, but that the NCSC acts quickly when issues arise, so at this point he did not have such concerns.

Separately, the committee was told that Government employees are generally advised not to have any applications on their phone that they do not need for business.

"Simply because every single application has some degree of risk", Dr Browne explained.

Following an assessment by the NCSC earlier this year, Government workers were asked to remove the TikTok app from official devices.

Dr Browne told members that the risks posed by different apps are kept under constant review.


Proton users can now secure all their family members with one … – TechRadar

New and existing Proton users can now secure the digital life of all their family members with just one subscription.

Proton Family is an all-in-one plan that gives access to its premium VPN service, secure email, encrypted cloud storage and calendar to up to six users.

The Swiss-based privacy company seeks to fight back against today's growing cyber threats, making it easier to protect the most vulnerable members of the household.

"As a parent, I am eager to teach my children the proper ways to approach email, cloud storage, and internet security from the beginning. I know I am not alone in this," said Proton's Product Lead David Dudok de Wit.

Recent data shows, in fact, that about 7 out of 10 families have experienced cyber threats in some form. The great majority of parents (90%) are worried about the safety of their children's online identity, too. Such concerns are understandable, given that kids are increasingly surfing the web from a very young age.

Downloading and correctly using a virtual private network or any other security tool can also be tricky for the oldest members of the family, who may not fully understand the risks of such an ever-changing online world.

"The Proton Family plan takes us one step closer to our mission of making privacy the default for everyone," said Dudok de Wit.

An all-in-one plan to protect all your loved ones, Proton Family gives premium access to all the products and features under the company's belt for up to six members of your family.

At the time of writing, this includes Proton VPN, Proton Mail, Proton Calendar and Proton Drive, which comes with 3TB of shared storage space and a 20GB bonus to be added every year. Proton Pass, the provider's very own password manager now available in beta, will also be included once made available to all users.

Starting from what works out to be a monthly fee of $19.99, users can sign up directly or simply upgrade their existing subscription.

Dudok de Wit said: "A family plan has been among our most sought-after services, and I am delighted to announce its launch today."


Interview With a Crypto Scam Investment Spammer Krebs on … – Krebs on Security

Social networks are constantly battling inauthentic bot accounts that send direct messages to users promoting scam cryptocurrency investment platforms. What follows is an interview with a Russian hacker responsible for a series of aggressive crypto spam campaigns that recently prompted several large Mastodon communities to temporarily halt new registrations. According to the hacker, their spam software has been in private use until the last few weeks, when it was released as open source code.

Renaud Chaput is a freelance programmer working on modernizing and scaling the Mastodon project infrastructure including joinmastodon.org, mastodon.online, and mastodon.social. Chaput said that on May 4, 2023, someone unleashed a spam torrent targeting users on these Mastodon communities via private mentions, a kind of direct messaging on the platform.

The messages said recipients had earned an investment credit at a cryptocurrency trading platform called moonxtrade[.]com. Chaput said the spammers used more than 1,500 Internet addresses across 400 providers to register new accounts, which then followed popular accounts on Mastodon and sent private mentions to the followers of those accounts.

Since then, the same spammers have used this method to advertise more than 100 different crypto investment-themed domains. Chaput said that at one point this month the volume of bot accounts being registered for the crypto spam campaign started overwhelming the servers that handle new signups at Mastodon.social.

"We suddenly went from like three registrations per minute to 900 a minute," Chaput said. "There was nothing in the Mastodon software to detect that activity, and the protocol is not designed to handle this."

One of the crypto investment scam messages promoted in the spam campaigns on Mastodon this month.

Seeking to gain a temporary handle on the spam wave, Chaput said he briefly disabled new account registrations on mastodon.social and mastodon.online. Shortly after that, those same servers came under a sustained distributed denial-of-service (DDoS) attack.

Chaput said whoever was behind the DDoS was definitely not using point-and-click DDoS tools, like a booter or stresser service.

"This was three hours non-stop, 200,000 to 400,000 requests per second," Chaput said of the DDoS. "At first, they were targeting one path, and when we blocked that they started to randomize things. Over three hours the attack evolved several times."

Chaput says the spam waves have died down since they retrofitted mastodon.social with a CAPTCHA, those squiggly letter and number combinations designed to stymie automated account creation tools. But he's worried that other Mastodon instances may not be as well-staffed and might be easy prey for these spammers.

"We don't know if this is the work of one person, or if this is [related to] software or services being sold to others," Chaput told KrebsOnSecurity. "We're really impressed by the scale of it, using hundreds of domains and thousands of Microsoft email addresses."

Chaput said a review of their logs indicates many of the newly registered Mastodon spam accounts were registered using the same OAuth credentials, and that a domain common to those credentials was quot[.]pw.

The domain quot[.]pw has been registered and abandoned by several parties since 2014, but the most recent registration data available through DomainTools.com shows it was registered in March 2020 to someone in Krasnodar, Russia with the email address edgard011012@gmail.com.

This email address is also connected to accounts on several Russian cybercrime forums, including __edman__, who had a history of selling "logs" (large amounts of data stolen from many bot-infected computers) as well as giving away access to hacked Internet of Things (IoT) devices.

In September 2018, a user by the name (phonetically "Zipper" in Russian) registered on the Russian hacking forum Lolzteam using the edgard0111012@gmail.com address. In May 2020, Zipper told another Lolzteam member that quot[.]pw was their domain. That user advertised a service called "Quot Project" which said they could be hired to write programming scripts in Python and C++.

"I make Telegram bots and other rubbish cheaply," reads one February 2020 sales thread from Zipper.

Quotpw/Ahick/Edgard/ advertising his coding services in this Google-translated forum posting.

Clicking the "open chat in Telegram" button on Zipper's Lolzteam profile page launched a Telegram instant message chat window where the user Quotpw responded almost immediately. Asked if they were aware their domain was being used to manage a spam botnet that was pelting Mastodon instances with crypto scam spam, Quotpw confirmed the spam was powered by their software.

"It was made for a limited circle of people," Quotpw said, noting that they recently released the bot software as open source on GitHub.

Quotpw went on to say the spam botnet was powered by well more than the hundreds of IP addresses tracked by Chaput, and that these systems were mostly residential proxies. A residential proxy generally refers to a computer or mobile device running some type of software that enables the system to be used as a pass-through for Internet traffic from others.

Very often, this proxy software is installed surreptitiously, such as through a Free VPN service or mobile app. Residential proxies also can refer to households protected by compromised home routers running factory-default credentials or outdated firmware.

Quotpw maintains they have earned more than $2,000 sending roughly 100,000 private mentions to users of different Mastodon communities over the past few weeks. Quotpw said their conversion rate for the same bot-powered direct message spam on Twitter is usually much higher and more profitable, although they conceded that recent adjustments to Twitter's anti-bot CAPTCHA have put a crimp in their Twitter earnings.

"My partners (I'm programmer) lost time and money while ArkoseLabs (funcaptcha) introduced new precautions on Twitter," Quotpw wrote in a Telegram reply. "On Twitter, more spam and crypto scam."

Asked whether they felt at all conflicted about spamming people with invitations to cryptocurrency scams, Quotpw said in their hometown they pay more for such work than in "white" jobs, referring to legitimate programming jobs that don't involve malware, botnets, spams and scams.

"Consider salaries in Russia," Quotpw said. "Any spam is made for profit and brings illegal money to spammers."

Shortly after edgard011012@gmail.com registered quot[.]pw, the WHOIS registration records for the domain were changed again, to msr-sergey2015@yandex.ru, and to a phone number in Austria: +43.6607003748.

Constella Intelligence, a company that tracks breached data, finds that the address msr-sergey2015@yandex.ru has been associated with accounts at the mobile app site aptoide.com (user: CoolappsforAndroid) and vimeworld.ru that were created from different Internet addresses in Vienna, Austria.

A search in Skype on that Austrian phone number shows it belongs to a Sergey Proshutinskiy who lists his location as Vienna, Austria. The very first result that comes up when one searches that unusual name in Google is a LinkedIn profile for a Sergey Proshutinskiy from Vienna, Austria.

Proshutinskiy's LinkedIn profile says he is a Class of 2024 student at TGM, which is a state-owned, technical and engineering school in Austria. His resume also says he is a data science intern at Mondi Group, an Austrian manufacturer of sustainable packaging and paper.

Mr. Proshutinskiy did not respond to requests for comment.

Quotpw denied being Sergey, and said Sergey was a friend who registered the domain as a birthday present and favor last year.

"Initially, I bought it for 300 rubles," Quotpw explained. "The extension cost 1300 rubles (expensive). I waited until it expired and forgot to buy it. After that, a friend (Sergey) bought [the] domain and transferred access rights to me."

"He's not even an information security specialist," Quotpw said of Sergey. "My friends do not belong to this field. None of my friends are engaged in scams or other black [hat] activities."

It may seem unlikely that someone would go to all this trouble to spam Mastodon users over several weeks using an impressive number of resources, all for just $2,000 in profit. But it is likely that whoever is actually running the various crypto scam platforms advertised by Quotpw's spam messages pays handsomely for any investments generated by their spam.

According to the FBI, financial losses from cryptocurrency investment scams dwarfed losses for all other types of cybercrime in 2022, rising from $907 million in 2021 to $2.57 billion last year.

Update, May 25, 10:30 a.m.: Corrected attribution of the Austrian school TGM.


Radiation from the cell phone devices has been linked to cancer – Daily Mail

The FCC says the radiation coming from your cellphone is no big deal. A cancer surgeon friend told me he begs to differ.

While public health experts continue to debate the issue and the public's own worries may be overblown, perhaps the best approach is 'better safe than sorry.'

That's certainly been the approach of the attorneys for the manufacturers, who have helped craft their mobile phone's manuals and legal notices.

Modern iPhones, including the 14 Pro Max and the iPhone SE, recommend that their customers 'use a hands-free option, such as the built-in speakerphone, headphones or other similar accessories' to 'reduce exposure to RF [radio frequency] energy.'

These radio frequency exposures, according to Germany's Federal Office for Radiation, can be exceptionally high from some mobile devices with a few energetic Android phones topping the list.

You have to wonder: What do the manufacturers know that we don't?

'People are addicted to their smartphones,' according to Joel Moskowitz, a researcher in the University of California Berkeley's School of Public Health.

'We use them for everything now, and, in many ways, we need them to function in our daily lives,' Moskowitz said. 'I think the idea that they're potentially harming our health is too much for some people.'

As the director of Berkeley's Center for Family and Community Health, Moskowitz has made studying the biological effects of the radio frequency energy on the human body a research priority since 2009.

Kim Komando hosts a weekly call-in show where she provides advice about technology gadgets, websites, smartphone apps and internet security.


But he's picking up where US federal regulators, in his view, dropped the ball.

'Cellphones, cell towers and other wireless devices are regulated by most governments,' said Moskowitz, with one caveat. 'Our government, however, stopped funding research on the health effects of radiofrequency radiation in the 1990s.'

In 2020, Moskowitz and his colleagues published a review of 46 case-control health studies on the issue of cell phones and health in the International Journal of Environmental Research and Public Health.

'Our main takeaway,' Moskowitz says, 'is that approximately 1,000 hours of lifetime cellphone use, or about 17 minutes per day over a 10-year period, is associated with a statistically significant 60 percent increase in brain cancer.'

Not every researcher on the topic takes Moskowitz's grim view, of course. And the UN's World Health Organization currently maintains that, as yet, 'no adverse health effects have been established as being caused by mobile phone use.'

So, what do I do?

I play it safe and keep my phone away from my body and head as much as possible. (Yes, I'm that person taking calls on my AirPods or speakerphone.)

And I take my cues from overseas agencies, like Germany's Federal Office for Radiation (Bundesamt für Strahlenschutz), which lists data on each mobile phone's specific absorption rate (SAR).

Some phones, it turns out, emit more radiation than others. But what exactly are we measuring with the specific absorption rate?

SAR, which is calculated in watts per kilogram of body weight, quantifies how much energy is absorbed per unit mass by the human body when it's exposed to a radio frequency.

Typically, it's based on an absorption value recorded when you make a call with the phone up to your ear. In the US, the Federal Communications Commission (FCC) even uses a dummy head to calculate SAR values for cell phones.

But, really you don't need to know all the details, just that the legal limit is 1.6 watts/kg here in the US.

See where your cell phone falls on the list, compiled by Digital Information World.

These five models emit some of the strongest radiation on the market: Motorola Edge (1.79 w/kg); OnePlus 6T (1.55 w/kg); Sony Xperia XA2 Plus (1.41 w/kg); Google Pixel 3 XL (1.39 w/kg); and the Google Pixel 4a (1.37 w/kg) in a tie with the Oppo Reno5 5G (1.37 w/kg).

Men, don't store your phone in your pant pockets. Ladies, keep it out of your bra.

Not far behind were the Google Pixel 3 (1.33 w/kg), Huawei's P Smart (1.27 w/kg) and the OnePlus 9 (1.26 w/kg).

If you're concerned about your SAR risks, but don't feel like the hassle of keeping your phone at a distance all the time, these are the phones known to emit the least radiation: the Samsung Galaxy Note10+ 5G (0.19 w/kg); Samsung's Galaxy Note10 (0.21 w/kg); the Samsung Galaxy A80 (0.22 w/kg); LG G7 ThinQ (0.24 w/kg); and the Motorola Razr 5G (0.27 w/kg).

And given the warnings in the manuals, what about the iPhone?

Well, it falls somewhere in the middle. That iPhone SE with that warning gives off a SAR of 0.98 w/kg.

It's comparable to other popular models: iPhone 11 (0.95 w/kg); iPhone 12 (0.98 w/kg); iPhone 13 (0.99 w/kg); and iPhone 14 (0.98 w/kg).


Data Protection Standards For Cross Border Data Transfers In India: Suggestive Approaches And Way Forward – Live Law – Indian Legal News

Global data flows have risen substantially in recent years, along with trade in digital services across borders. According to a report published by the World Bank, global internet traffic in 2020 was estimated at approximately three zettabytes, which amounts to one GB per day per person. This volume is expected to double in the coming years. Such a huge amount of data flow is pushing the growth of international trade. Cross-border data flows facilitate trade in goods, enhancing productivity and reducing costs; they also serve as the primary means of transacting in digital services. Cross-border data flows and international trade are interdependent, and cross-border data transfer is one of the key contributors to the exponential growth of international trade. In today's world, electronic payment systems, internet-based advertising and retailing, and cloud computing have become integral parts of almost all businesses, irrespective of the sector they operate in. In fact, it is difficult to envision an international trade transaction that does not involve data transfer.

A well-formulated legal framework for cross-border data transfer is essential for the economic growth of any country and should be the top priority looking at the ever-increasing rate of global data flows and its potential misuse in terms of national security, data breaches, and privacy concerns. The aim of such a framework is to ensure that personal data is adequately protected during the transfer process and not subject to misuse or abuse.

Currently, there are several models for cross-border data transfers, including the European Union's General Data Protection Regulation (GDPR), the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, and the United States (US) - European Union (EU) Privacy Shield Framework.

The GDPR is one of the most comprehensive frameworks for cross-border data transfers. It applies to all businesses that process the personal data of EU citizens, regardless of where the business is located. The GDPR requires businesses to obtain explicit consent from individuals before collecting their personal data and to provide clear information about how that data will be used. The APEC Privacy Framework is a voluntary framework that provides guidelines for protecting personal data in the Asia-Pacific region. It is based on nine privacy principles, including the collection limitation principle, the data quality principle, and the security safeguards principle. The US-EU Privacy Shield Framework is a framework that allows businesses to transfer personal data between the EU and the US. It is based on the principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse.

Despite these frameworks, there is still a need for a more comprehensive legislative framework for cross-border data transfers. This is because many countries do not have laws that adequately protect personal data, and there is a lack of consistency between different frameworks.

In India, for example, there is no comprehensive legislative framework for cross-border data transfer. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, under the Information Technology Act, 2000, require companies to obtain the individual's consent before transferring their sensitive personal data. Additionally, the Reserve Bank of India has issued guidelines for the outsourcing of financial services that require companies to ensure that the outsourcing of services does not result in a compromise of customer data.

India will soon introduce the Digital Personal Data Protection Bill 2023 (DPDP Bill) before the parliament this year. Clause 17 of the DPDP Bill deals with the transfer of personal data outside India. It states that "The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified." It appears that the Central Government may come up with certain rules under Clause 17 of the DPDP Bill that lay down data protection standards that must be maintained by any country that intends to engage in data transfer with India.

While framing the data protection standards under the rules, the following approaches and suggestions may be taken into consideration:

A mature approach to regulating the cross border data transfers:

Among the three models for regulating cross-border data transfers, namely the open model, the conditional model, and the control model, India may consider adopting a middle approach between the open model and the conditional model, one that is neither too stringent nor too loose and that aims to build and maintain a balance between the country's growth and data privacy. Efforts should be made to promote international trade while safeguarding data subjects' rights and national security, without hindering innovation and the financial growth of the economy. The best example of a conditional model is the EU's GDPR, which focuses mainly on data subjects' rights and on safeguarding their privacy while keeping compliance requirements for businesses moderate. A similar approach has been adopted by South Africa, Singapore, Japan, and various other countries in framing their cross-border data transfer regulations. The Indian Government may also form its baselines in line with the GDPR, especially by adopting its principles, such as data localization with regard to cross-border data transfers, and by providing a comprehensive set of rights to data subjects under which they have full ownership of and access to their data in every situation. As India is a developing country aiming to become a five-trillion-dollar economy by 2025, which won't be possible without fostering international trade, India must keep its cross-border data compliance requirements flexible and relaxed, prioritizing business needs over individual rights. The US has lax data privacy standards for cross-border data transfers and keeps the country more open for ease of doing business.

Collective actions by the stakeholders for developing a culture of Data Free Flow with Trust:

No matter how stringent or loose a regulatory framework for cross-border transfers may be, much depends on the foreign countries involved in the transfer arrangements taking responsibility and binding themselves to take all relevant technical, administrative, and social measures so that the data they collect from the other country is safe and protected, and to adhere to all the due diligence requirements of the other country's law. Such responsible behavior by the foreign country can build trust among countries, so that they can engage in more international trade with each other without fear of their data being misused or compromised. To this end, India may conduct engagement programmes with communities of stakeholders, which may help in understanding their interests and the challenges they may face in cross-border data transfers. This approach will increase the potential of the other stakeholders in dealing with the protection of the data transferred and enable a broader, more open, and more inclusive environment for cross-border data transfers between stakeholders.

A modern and updated consent mechanism in case of data transferred outside India:

The Rules must provide a stricter approach to the consent mechanism in case of cross-border data transfer rather than following the traditional method of taking consent from the data subjects. As India has a low digital literacy rate, it is a challenge to take the actual consent of such digitally illiterate citizens who do not understand the terms and conditions, purpose, and type of data for which their consent is taken. The rules must provide what explicit consent means, and additional and separate consent must be taken in case the data is transferred outside India. The consent taken must be explicit, such as while ticking the consent checkbox; the terms and conditions and other relevant information regarding the data transfer must be in a text-to-speech format where the data subject is given the option to listen to the relevant information in their chosen language.

Time period for data breach notification:

Business entities engaged in cross-border data transfers should be entrusted with a higher level of due diligence with regard to notification in case of any data breach. Once a business entity has determined that a data breach has occurred, it should immediately inform the Governments of the respective countries whose citizens' data has been targeted, as well as the data subjects whose personal data has been compromised, so that instant measures can be taken from both ends. The term "immediately" means as soon as the business entity has verified the existence of the breach or has reasonable certainty that it has occurred. In compliance with this, an electronic notification may be sent to the aggrieved data subjects clearly stating that a data breach has occurred and the appropriate measures to be taken to protect their personal data or any other information in their online accounts.

Right to data portability:

One of the significant data subject rights when data is transferred abroad is the right to data portability, which ensures that data subjects can obtain, reuse, move, copy, or transfer their personal data from one internet infrastructure to another hassle-free. Especially when the personal data of data subjects is shared with a foreign entity, the data subject should have the right to data portability, to receive their personal data in a machine-readable and structured manner, and to transmit it further to another entity. Take an instance where a data subject has taken a consultation from a hospital in Germany and now wants to move to a hospital in Australia. In such cases, the personal data shared by the data subject in Germany must be provided to the data subject in a well-structured manner so that it can be used further by the data subject without any hindrance or fear of losing the data.

Additional due diligence requirements on the entities involved in cross-border data transfers:

Foreign entities engaging in cross-border data transfers must be obliged to adopt best practices for safeguarding the personal data of data subjects. Requirements for this include enhanced cyber security measures and infrastructure that protects against the misuse of data; easy complaint and grievance redressal mechanisms for data subjects; regular cyber security audits, data privacy impact assessments and risk assessments; regular monitoring and tracking of the different modus operandi bad actors use to undermine data privacy; and immediate steps whenever a risk is detected. Foreign entities must adopt data protection by design and by default.

The future of global trade is highly dependent on how a country's domestic regulations are framed and whether these regulations provide a wide scope for ease of doing business and lesser compliance requirements on the part of foreign countries. It won't be a cakewalk for a country like India, which has the largest population in the world, to frame regulations for cross-border data transfers, as it has to put at stake the data of such a huge population while simultaneously ensuring data subjects' rights, protecting national security, and promoting the country's economic growth. The suggested approaches laid down above may help the central Government in framing the rules for cross-border data transfer under the DPDP Bill and act as a foundational guideline for policymakers.

******************

Details of the Authors

Present Position: Senior Legal Associate, Data Privacy and Cyber Security, PriceWaterhouseCooper Services Ltd.

Former: Assistant Legal Manager, Cyberlaw Division, Ministry of Electronics & Information Technology, Govt. of India

Email: bhavnadu2017@gmail.com

Contact: 9717490199

Present Position: Director, Public Policy, Chase India

Former: Scientist E, Cyberlaw Division, Ministry of Electronics & Information Technology, Govt. of India

Email: dhawal.gupta@gmail.com

Present Position: Assistant Section Officer, Policy & Administration, Department of Fertilizer, Ministry of Chemical and Fertilizers, Govt. of India

Email: jaychauhan4444@gmail.com


NordLayer’s new browser extension offers all its top VPN tools in … – TechRadar

NordLayer - one of our picks for the best business VPN - has launched a new browser extension that incorporates the features found in the desktop version of the network access security solution.

Formerly known as NordVPN Teams, NordLayer is part of the NordSec group, which includes among its products one of the best VPNs, NordVPN, and the best password manager for security, NordPass. NordLayer is B2B focused, providing a cybersecurity service that is scalable.

NordLayer claims that the extension, which is compatible with Google Chrome, Mozilla Firefox, and Microsoft Edge browsers, "introduces a new way of working for teams operating with hybrid-cloud resources while retaining stable and fast connection speeds and robust security."

The company also claims that it offers a lightweight alternative for firms to maintain the same security standards offered by the desktop app, as well as offering fast web browsing speeds. In addition, users can access multiple private gateways at the same time.

"The NordLayer Browser Extension defines a simple, intuitive, and effective security approach developed by NordLayer. This add-on is an alternative solution for enriching existing ways to secure online activities," noted Artūras Bubokas, a product manager at NordLayer.

The company claims that access to web-based company resources is quick and easy with the new extension, and that it solves potential OS compatibility problems that may occur with the NordLayer desktop app, as only the browser is used. Bubokas claims that "it's a perfect solution for those who have devices without the usual operating systems, like ChromeOS."

It also only encrypts data at the browser level, which is something to take into consideration. However, this does mean that internet usage is reduced, which improves speeds and performance as compared to the desktop version.

Bubokas also adds that "the extension comes as a very handy and quick solution to provide secure internet access in a few clicks."

Read more here:
NordLayer's new browser extension offers all its top VPN tools in ... - TechRadar

Feds Dismember Russia’s ‘Snake’ Cyberespionage Operation – BankInfoSecurity.com


Federal prosecutors said Tuesday that they had disrupted a Russian intelligence cyberespionage operation by targeting malware used by Kremlin hackers to steal classified and sensitive information. The disruption occurred through the remote deployment of an FBI tool dubbed Perseus that issued commands causing the malware, known as Snake, to overwrite itself.


A U.S. District Court judge issued a search and seizure order Thursday authorizing the FBI to use the tool to target eight U.S. systems infected by Snake as part of an effort the Department of Justice dubbed "Medusa." In Greek mythology, Perseus slayed the Gorgon Medusa after being tricked into the quest by his would-be father-in-law.

The FBI in a sworn statement tied the malware to a unit of Russia's Federal Security Service also known as Turla, a group also dubbed "Krypton," "Venomous Bear" and "Waterbug" by security researchers.

Turla regularly targets both government agencies and the private sector, and is known to have stolen documents from hundreds of systems worldwide. Its victims include NATO governments, journalists and others of interest to Moscow.

Michael J. Driscoll, assistant director in charge of the FBI's New York field office, described Snake as the Russian government's "foremost cyberespionage tool."

Most Snake infections use the host computer as a routing point in a peer-to-peer network used by Russian state hackers, the FBI said, "to make it more difficult for compromised victims to identify and block suspicious connections to Snake-compromised endpoints, among other reasons." Although Snake's code is the basis for a range of highly prolific malware including the Carbon backdoor, Kremlin hackers have not deployed Snake widely in a bid to decrease the probability of detection, the FBI also said.

Snake gains persistence on infected systems by loading a kernel driver and employing a keylogger that routinely reports back to FSB hackers, says a joint cybersecurity advisory released Tuesday by the Five Eyes intelligence alliance, comprised of Australia, Canada, New Zealand, United Kingdom and United States.

"Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB's ultimate targets," the advisory says. "Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts."

Snake's kernel component examines inbound internet traffic to see if it contains a unique authentication code. When it does, it forwards the packets onward to another Snake node. That method of interception allows the malware to communicate without detection by ordinary intrusion detection security apps or firewalls.

Versions of Snake infect systems running Windows, as well as Linux and MacOS, and are designed to allow attackers to push modules with additional malicious capabilities onto infected endpoints. Even when victims detect the malware, it has historically been tough to eradicate.

Nevertheless, the DOJ said Snake's developers made some errors that it was able to exploit to find ways to disrupt the malware and its associated infrastructure.

Even if Snake operations are permanently disrupted, the group accused of wielding the Turla toolset has already secured its place in cybersecurity history, having been tied to one of the first known episodes of cyberespionage in the 1990s, dubbed Moonlight Maze by the FBI. Later, Turla was accused of building the malicious Agent.btz worm discovered in 2008, which successfully stole military secrets and helped birth U.S. Cyber Command.

"Turla is a Russian cyberespionage actor and one of the oldest intrusion groups we track, existing in some form as early as the 1990s when Kevin Mandia was responding to their intrusions into government and the defense industry," said John Hultquist, head of intelligence analysis at incident response firm Mandiant, which is part of Google.

Western intelligence officials say Snake began development as "Uroburos" in late 2003 and debuted in early 2004. They say it appears to be tied to a specific facility in Ryazan, Russia, backed by daily operations that run from about 7 a.m. to 8 p.m. local time.

Turla pursues "the classic targets of espionage - government, military and the defense sector - and their activity is characterized by a reliably quiet assault on these targets that rarely draws attention," said Hultquist, adding that the group has become known for its continuing innovation.

One of Turla's more innovative alleged efforts involved hijacking attack tools and command-and-control servers used by an Iranian nation-state group called OilRig - aka APT34, Crambus or Helix Kitten.

Russian-speaking attackers' use of the suborned Iranian infrastructure caused private-sector security researchers to first attribute the attacks to Iran. Later, the National Security Agency and U.K. National Cyber Security Center issued a joint alert saying that Russia had been behind a number of seeming OilRig campaigns (see: Turla Teardown: Why Attribute Nation-State Attacks?).

Turla's activities were detailed in a secret 2011 presentation by Canada's Communications Security Establishment that was leaked by ex-NSA contractor Edward Snowden in 2013.

The presentation describes the activities and infrastructure of Turla, which has the codename MAKERSMARK, as "designed by geniuses, implemented by morons." It says Turla members appeared to be using the attack infrastructure for personal browsing and that the group's development environment had been "infected by crimeware."

Read this article:
Feds Dismember Russia's 'Snake' Cyberespionage Operation - BankInfoSecurity.com

Experts Detail New Zero-Click Windows Vulnerability for NTLM Credential Theft – The Hacker News

Cybersecurity researchers have shared details about a now-patched security flaw in Windows MSHTML platform that could be abused to bypass integrity protections on targeted machines.

The vulnerability, tracked as CVE-2023-29324 (CVSS score: 6.5), has been described as a security feature bypass. It was addressed by Microsoft as part of its Patch Tuesday updates for May 2023.

Akamai security researcher Ben Barnea, who discovered and reported the bug, noted that all Windows versions are affected, but pointed out that Microsoft Exchange servers with the March update omit the vulnerable feature.

"An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server," Barnea said in a report shared with The Hacker News.

"This results in NTLM credentials theft. It is a zero-click vulnerability, meaning it can be triggered with no user interaction."

It's also worth noting that CVE-2023-29324 is a bypass for a fix Microsoft put in place in March 2023 to resolve CVE-2023-23397, a critical privilege escalation flaw in Outlook that the company said has been exploited by Russian threat actors in attacks aimed at European entities since April 2022.

Akamai said the issue stems from complex handling of paths in Windows, thereby allowing a threat actor to craft a malicious URL that can sidestep internet security zone checks.

"This vulnerability is yet another example of patch scrutinizing leading to new vulnerabilities and bypasses," Barnea said. "It is a zero-click media parsing attack surface that could potentially contain critical memory corruption vulnerabilities."

In order to stay fully protected, Microsoft further recommends that users install Internet Explorer Cumulative updates to address vulnerabilities in the MSHTML platform and scripting engine.

See the original post here:
Experts Detail New Zero-Click Windows Vulnerability for NTLM Credential Theft - The Hacker News

Are medical devices protected from cyber criminals? – Med-Tech Innovation

by Plamena Entcheva-Dimitrov, Joseph Madden

Plamena Entcheva-Dimitrov, PhD, RAC, founder of Preferred Regulatory Consulting and Joseph Madden, vice president of sales at Nova Leah, discuss cybersecurity of medical devices in the United States.

Security experts say no and explain that the internet was conceived and developed for ease of use, for convenience, for moving big data, but security was an afterthought. The FBI says that 90% of American companies are susceptible to a cyberattack. That is shocking! But what is worse is that lifesaving and life-supporting medical devices or even entire healthcare networks can be the target (willingly or by coincidence) of such attacks, putting innocent lives at risk.

Introduction

As medical devices become more reliant on network connectivity to perform their basic functions or to interact with other devices, as smartphones host medical apps, and as algorithms are stored in the cloud, medical devices are becoming more vulnerable to cyberattacks. Medical devices are also a gateway into hospital networks storing sensitive patient data, exacerbating the problem and intensifying the need to strengthen cybersecurity systems for medical devices.

Background

Industry groups along with FDA experts have been working on strengthening cyber security of medical devices for over 20 years. Other agencies, such as FCC, FBI, CISA and NIST, are also stakeholders in an increasingly complex healthcare system. Events such as hacked insulin pumps, stolen personal health records and industrial espionage are becoming normal in the press. These cyberattacks become possible through the medical devices that are connected to hospital, home, or public networks.

What is a cyberattack?

A cyberattack is an attempt to gain unauthorised access to a computer or computer network. No-one is immune and medical technology is one of the high-profile targets. The average cost for a cybersecurity incident in the healthcare sector in 2022 was $10.1 million. The costs are far greater than the simple monetary costs: of the hospitals experiencing a cybersecurity incident, 20% said they saw an increase in mortality rates during the attack.

Several outcomes from a cyberattack:

In the medical field, there are several areas of vulnerability:

Any one of these can affect our medical care, hospital, and home medical devices, such as ventilators, pacemakers, OR equipment, infusion pumps, ICU monitoring system, glucose meters, dialysis machines and many more! Thus, FDA considers cybersecurity as a critical safety issue. New submissions now must demonstrate reasonable assurance that medical devices are protected from cyberattacks. This assurance is gained through testing in variable environments, through wired or wireless connection and using different tools.

Some high-profile cases of cyber security attacks include:

As seen by the examples, the risks of malicious cyberattacks on medical devices and health care infrastructure are a matter of life and death. Thus, it is critical for manufacturers, and for health care providers at large, to conduct proper risk analysis and mitigate those risks in anticipation of a cyberattack. Cybersecurity risk analysis was first introduced by FDA in the 2014 guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. As more medical devices are connected to networks, the need to conduct cybersecurity risk analysis and mitigation has become more critical, which led to the issuance of new FDA draft guidance in 2022, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.

Recent changes in law

Medical devices are subject to the Food, Drug and Cosmetics Act (FD&C, 21 U.S.C. 351 et seq). Recently, Congress, through the passing of the Omnibus Bill (H.R. 2617, Section 3305), amended the FD&C Act by adding a new Section 524B, Ensuring Cybersecurity of Devices. This section codifies new cyber security requirements for medical device manufacturers. The requirements are applicable to all types of medical device marketing submissions: 510(k)s, de novos and PMAs [submission under section 510(k), 513, 515(c), 515(f), or 520(m)].

Updated requirements are as follows:

1. Plan to monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.

2. Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available post-market updates and patches to the device and related systems to address

3. Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.

4. Comply with such other applicable requirements to demonstrate reasonable assurance that the device and related systems are cybersecure.

Important dates to keep in mind

The effective date for the new requirements is 90 days after passing the bill, i.e. 29 March 2023.

The changes to the FD&C Act introduced in the 2022 Omnibus Bill (H.R. 2617, Section 3305) will lead to updating some FDA final and draft guidance documents, so manufacturers of cyber devices (defined in H.R. 2617, Section 3305) should be on the lookout for those. In the meantime, it is recommended that manufacturers of cyber devices familiarise themselves with the requirements in the amended FD&C Act.

As stated in Section 3305, within two years of the enactment of the new law, the HHS Secretary (through FDA) and the director of the Cybersecurity and Infrastructure Security Agency (CISA) will be updating the requirements of the information to be included in submissions for cyber devices.

Within 180 days, i.e. 22 June 2023, FDA is required to provide to the public information regarding improving cybersecurity of devices, including identifying and addressing cyber vulnerabilities for health care providers, health systems, and device manufacturers.

Within one year of enactment of this law, the Comptroller General is required to publish a report identifying challenges in cybersecurity for devices, including legacy devices that may not support certain software security updates.

Conclusion

Medical devices are becoming sophisticated and increasingly reliant on network connectivity. The risks of cyberattacks on or through these sophisticated devices have increased exponentially, and they are often a gateway into hospital networks that store sensitive patient data, exacerbating the problem and intensifying the need to strengthen cybersecurity systems for medical devices. These cybersecurity vulnerabilities create risks and expose sensitive patient data, which ultimately causes adverse patient outcomes, serious injury or in some cases death. Assessing and mitigating cyber risks for medical devices has become a major part of the design and development of connected medical device technologies, and detailed documentation needs to be (i) prepared from the beginning of each such project, (ii) included in the FDA submissions and (iii) maintained post-marketing.

Go here to see the original:
Are medical devices protected from cyber criminals? - Med-Tech Innovation

CRN’s 2023 "Women of the Channel" Honors VIPRE Security … – PR Newswire

Two of VIPRE's channel program leaders are named to the prestigious list published annually by CRN.

NEW YORK, May 10, 2023 /PRNewswire/ -- VIPRE Security Group, a global leader and award-winning cybersecurity, privacy, and data protection company, announced today that CRN, a brand of The Channel Company, has named Tiffany Torson, senior director, cybersecurity sales and client success, and Heather Scaglione, global channel marketing manager, to the Women of the Channel list for 2023.

Each year, CRN recognizes women from vendor, distributor, and solution provider organizations whose expertise and vision have a noticeable and commendable impact on the technology industry.

CRN's annual Women of the Channel list honors exceptional women for their strategic vision, thought leadership and channel advocacy that impacts growth and innovation in the channel. The annual Women of the Channel list is the official guide to the top female leaders of the IT channel.

With this recognition, CRN honors leading women for their unwavering dedication and commitment to furthering channel excellence.

Torson leads VIPRE's retention business for channel partners. In her role, Torson assisted in the re-vamp and re-launch of VIPRE's channel partner program, re-organized the channel client success team to better serve partners, mentored new partner account managers, and provided them with ongoing training.

She's also focused on the VIPRE channel team maximizing incentives for new channel business referrals and partner expansion efforts, as well as increasing engagement with the company's key strategic partners to help drive their marketing efforts.

"I am thrilled to be counted among this group of amazing women and to represent the philosophy of VIPRE Security Group," Torson said. "We are re-launching our channel partner program with a "Channel First" strategy to better help our partners grow their business, providing increased lead generation support, additional marketing development fund opportunities and partner portfolio expansion to increase their margins.

"Our partnership with the IT channel community has always been the cornerstone of our growth strategy, and this year, with our newly re-launched partner program, it means we're taking our commitment to the channel to the next level," Torson added.

Scaglione leads VIPRE's global channel marketing efforts to empower partners with the resources they need to grow their businesses. Some of the programs she's led include the launch of VIPRE's global channel roadshows to promote face-to-face engagement and information exchange among partners, global webinar programs, newly introduced MDF programs, and a completely revamped global partner portal experience.

"I am truly honored and humbled to be recognized on the same list as so many other extraordinary women in the channel," Scaglione said. "With our new and improved VIPRE partner program, we hope to enable our partner community with everything they need to be successful and profitable while having a little bit of fun, and I'm committed to growing the channel through our amazing partners and continuing to bring them world-class cybersecurity solutions."

Lee Schor, chief revenue officer for VIPRE, who has a long history working in the channel, noted VIPRE's renewed commitment to the channel is obvious and is paying dividends to the organization and its partners, as evidenced by this acknowledgment from CRN.

"Tiffany and Heather are channel professionals of the highest merit and we're thrilled that they have been recognized by CRN and are here helping us make VIPRE one of the world's best channel-focused organizations," Schor said. "There are many channel-focused initiatives underway with VIPRE and Tiffany and Heather are significant contributors to the success of these programs and to all who benefit from working with us."

Blaine Raddon, CEO of The Channel Company, said, "We are ecstatic to announce this year's honorees and shine a light on these women for their significant achievements, knowing that what they've accomplished has paved the way for continued success within the IT channel. The channel is stronger because of them, and we look forward to seeing what they do next."

The 2023 Women of the Channel list will be featured in the June issue of CRN Magazine, with online coverage starting May 8 at www.CRN.com/WOTC.

About The Channel Company

The Channel Company enables breakthrough IT channel performance with our dominant media, engaging events, expert consulting and education, and innovative marketing services and platforms. As the channel catalyst, we connect and empower technology suppliers, solution providers, and end-users. Backed by more than 30 years of unequaled channel experience, we draw from our deep knowledge to envision innovative solutions for ever-evolving challenges in the technology marketplace. http://www.thechannelcompany.com

About VIPRE Security Group

VIPRE Security Group is a leading provider of internet security solutions purpose-built to protect businesses, solution providers, and home users from costly and malicious cyber threats. With more than 25 years of industry expertise, VIPRE is one of the world's largest threat intelligence clouds, delivering exceptional protection against today's most aggressive online threats. Its award-winning software portfolio includes next-generation antivirus endpoint cloud solutions, advanced email security products, along with threat intelligence for real-time malware analysis, and security awareness training for compliance and risk management. VIPRE solutions deliver easy-to-use, comprehensive layered defense through cloud-based and server security, with mobile interfaces that enable instant threat response. VIPRE is a proud Advanced Technology Partner of Amazon Web Services operating globally across North America and Europe. The group operates under various brands, including VIPRE, StrongVPN, IPVanish, Inspired eLearning, Livedrive, and SugarSync. http://www.VIPRE.com

Press Contact:

Scott E. Rupp, 941-448-7566, https://millerrupp.com/

SOURCE VIPRE Security Group

Excerpt from:
CRN's 2023 "Women of the Channel" Honors VIPRE Security ... - PR Newswire