Breakout Session: Cybersecurity in Medical Devices
•Download as PPTX, PDF•
4 likes•2,487 views
Presentation by PwC at Medtech Conference 2016. Participant: Geoff Fisher, Director – PwC Powered by: Healthegy For more healthcare innovation Visit us at Healthegy.com
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Breakout Session: Cybersecurity in Medical Devices
Similar to Breakout Session: Cybersecurity in Medical Devices (20)
More from Healthegy
More from Healthegy (20)
Recently uploaded
Recently uploaded (20)
Breakout Session: Cybersecurity in Medical Devices
- 1. The internet of deadly things Medical Device Cybersecurity Geoff Fisher Director & Leader of PwC Medical Device Cybersecurity Practice Health Industries Cybersecurity and Privacy
- 2. PwC What is a medical device? “An instrument, apparatus, implement, machine, contrivance, implant … which is … intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease” – Food, Drug and Cosmetic Act
- 3. PwC What’s driving a focus on cybersecurity? Total business connectedness01 Systemic risks02 Everything is under attack03 Risk to physical assets04 The driver The impact A business’ payroll, sales and products might all be connected to the Internet—and vulnerable A new vulnerability could leave a once-secure business open to major problems immediately People are looking for money, data, laughs, information, back- doors and infamy. Internet-connected products are vulnerable to physical problems, including failure
- 4. PwC Over the years, medical devices have seen dramatic technological advances… Before Devices are connected to patients physically Data obtained from devices are stored on paper or locally Devices are physical products Care is hand-administered at a health care location Physical access is needed to view health data Now Devices are connected wirelessly to patients and other devices Data obtained from devices are stored in the cloud Devices include software and even databases of health information Care is available to patients in the palm of their hand through apps Health data can be accessed anywhere on earth
- 5. PwC So have the concerns… If a device gets hacked into, there are some big potential problems Patients could be harmed Protected health data could be lost Patients could die Lost trust in connected devices
- 6. PwC And the cost of breaches. Cybersecurity breaches are common and costly 18% of breaches cost more than $1 million to remediate 85% of large health organizations experienced a data breach in 2014
- 7. PwC 19% 31% 22% 29% 9% 29% Would never again use any connected medical device Would be wary of using any connected medical device Would never again use that manufacturer's connected devices Would be wary of using any of that manufacturer's connected devices Would never again use that specific hospital Would be wary of using that specific hospital Hacked devices, lost customers Many customers say they would never use, or would be wary of using, medical devices known to have been hacked or the or healthcare facilities where the hack occurred. “Some medical devices (e.g., in hospitals) are now connected to the Internet to allow for software updates. You heard that a medical device (e.g., a blood pressure monitor, etc.) had been the subject of a hack that left a patient injured physically and/or financially. How comfortable would you feel using another…” – HRI Consumer Health Survey 2015
- 8. PwC Customers value Security over Utility! …knowing my health data is secure. …functionality and ease of use. “When using medical devices or healthcare mobile apps, I most value…” 38% 62% HRI Consumer Survey 2015
- 9. PwC A shift in how the FDA thinks about regulating medical devices Traditional considerations meet technology Security Once a medical device is networked with other devices or the internet, is it still safe, or is it vulnerable to potentially serious problems? Quality After approval, a device must be kept safe and effective through adherence to quality manufacturing standards established by FDA Safety Is a medical device safe for use in humans? Does it cause adverse events? Are its risks tolerable in relation to its benefits? Efficacy Is a device effective for its given purpose? What is the magnitude of the effect? TraditionalEvolving
- 10. PwC A brief history of FDA and medical device cybersecurity FDA issues general warning on device cybersecurity based on “known vulnerabilities” FDA issues draft guidance on medical device cybersecurity FDA releases final guidance on cybersecurity for networked medical devices containing off-the-shelf software January 2005 FDA issues first-ever warning about cybersecurity vulnerability of a device FDA issues its final guidance document on including medical device cybersecurity information in premarket applications President Obama issues executive order on improving infrastructure cybersecurity February 2013 June 2013 June 2013 October 2014 July 2015 FDA issues draft guidance document on post-approved monitoring of medical device cybersecurity January 2016 Late 2016??? FDA issues final guidance document on post-approved monitoring and remediation of medical device cybersecurity
- 11. PwC FDA Pre-Market Cybersecurity Guidance Key takeaways from the FDA’s previous guidance: • Manufacturers should address cybersecurity during the “design and development” of the medical device • Leverage NIST’s Cybersecurity Framework (NIST CSF) • The scope of the Guidance covers the following: 510k, de novo submissions, Premarket Approval Applications (PMAs), product development protocols, and humanitarian device exemption RecoverDetectIdentify RespondProtect
- 12. PwC Draft FDA Post-Market Cybersecurity Guidance ‘Medical device manufacturers […] should take steps to ensure appropriate safeguards. Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity. They are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.’ • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk; • Understanding, assessing and detecting presence and impact of a vulnerability; • Establishing and communicating processes for vulnerability intake and handling; • Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk; • Adopting a coordinated vulnerability disclosure policy and practice; and • Deploying mitigations that address cybersecurity risk early and prior to exploitation.
- 13. PwC Draft FDA Post-Market Cybersecurity Guidance In the absence of remediation, a device with uncontrolled risk to its essential clinical performance […]. may be considered in violation of the FD&C Act and subject to enforcement or other action. Manufacturers should report these vulnerabilities to the FDA according to 21 CFR part 806, unless reported under 21 CFR parts 803 or 1004. However, the FDA does not intend to enforce reporting requirements under 21 CFR part 806 if all of the following circumstances are met: • There are no known serious adverse events or deaths associated with the vulnerability, • Within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users, and • The manufacturer is a participating member of an ISAO, such as NH-ISAC;
- 14. PwC Medical Device Cyber Threat Landscape Motives/Targets Obtaining PHI/PII Physical Attacks Street ‘Cred’ Financial Gain Retaliation Extortion Political/Social Change Shift Organizational Objectives Disrupt Business Threat Actors are driven by these motives and targets… Threat Actors Criminal Groups Rogues Intelligence Services Hackers Activists Nation States D/DoS Threat Vectors Software Vulnerabilities Sniffing Brute Force Malware / Viruses …utilizing these Threat Vectors The cybersecurity challenge now extends beyond just protecting our information. Today, threat actors may be targeting the very devices that are used to provide care and treatment … Insiders
- 15. PwC FDA is not the only US Regulator interested in cybersecurity Four US agencies monitor medical devices in some way 01 02 03 04 FDA NIST FDA DHS HHS FTC The Food and Drug Administration Department of Homeland Security (ICS-CERT) Department of Health and Human Services Federal Trade Commission
- 16. PwC Medical Device manufacturers need to be proactive to secure their devices… Look to mature software and technology firms for inspiration and models Determine best practices for connecting, securing and updating devices Like quality, security must be designed into each product Create incentives to find and report vulnerabilities Routine security assessments to review device vulnerabilities Limited experience/ability reacting to cybersecurity events in devices after product launch Consumer confidence in the entire sector being hurt due to one company’s failures Tougher regulation may follow problems affecting a patient’s health Lawsuits, reputational harm, fired executives, and recalled products Patients harmed or killed by a compromised device What to fear What to do
- 17. PwC A security centric, risk based product development process is core to the deployment of a secure effective medical device… 02 Protected Health Information Product design must be equipped with handling patient sensitive information to meet both HIPAA and FDA regulations. 04 Product Safety Product design must incorporate safety features that meet the regulatory requirements such as alarm systems to protect users and patients from unanticipated adverse situations Medical Device Development Secure Product Architecture Product design must protect the information & the device against any threats posed by external circumstances or by other connected devices. 03 Risk Assessment and Management Product design must enable identification and management of risk through the product development lifecycle. 01
- 18. PwC With evolving technology and the changing regulatory climate it is essential that medical device design includes holistic product safety considerations and incorporates leading edge solutions against security threats & vulnerabilities Medical Device Privacy and Security Product Design Product Launch Strategy Patient Needs Market Insights Regulatory Requirements Innovation Strategy Business Requirements Financial Targets
- 19. PwC To meet the current regulatory requirements and protect the device from cybersecurity attacks, it is critical to embed security within the lifecycle of the product and in risk management considerations… Product DesignRequirements Product Launch Pre-market Risk Management Lifecycle Inevitable need to explore unidentifiable risks including foreseeable tampering Established mechanism to feed post market monitoring data into next Gen device design Continuous compliance with HIPAA and other privacy regulations IT compliance function with expertise to evaluate compliance with various regulations Effective security and data standards with an ability to rapidly respond to emerging threats Risk Management Considerations
- 20. …and build an Incident Response capability that will allow the organization to respond to emerging threats to their devices in a methodical, repeatable and defensible way. Incident Response Life Cycle Use the information gained during the event to build more secure devices and improve future response Recover Understand the threat that has been uncovered and how it is impacting the device React Determine how to remediate the issue and notify your customers Respond Determine how an event will be handled, by whom and what tools will be necessary to be effective Prepare
- 21. PwC Questions…
- 22. PwC
Editor's Notes
- The definition of a medical device is complex, in part because it is defined by what it isn’t. It’s a product which does NOT achieve its intended effects through chemical action or through the metabolism. As such, medical devices are incredibly diverse, and include everything from the obvious – a pacemaker, for example – to the less obvious. Certain types of medical software can be a medical device. Even some smartphone apps can be medical devices.
- Networked medical devices are at risk for the same reason almost everything connected to the internet is at risk. Almost everything a business does is connected to the internet. Its payroll. Its accounting. Its sales, marketing and online store. Its products might be entirely digital (i.e. Netflix). The products it sells might function best when connected to the Internet (i.e. a smartphone). Problems can emerge very, very quickly. Think about your house: If you did a walkthrough of your house right now to find problems, you could feel fairly confident that if everything looked, worked and indeed was in good shape today, your house would be fine tomorrow. It wouldn’t spontaneously collapse due to foundational problems that appears over-night. But that’s the exact scenario most companies face with their digital infrastructure. One day things can look find, and the next day they can find out that a piece of software their entire business relies on has a critical vulnerability, putting their entire operation at risk. Everything is under attack. When everything is connected to the Internet, everything can be attacked by everyone on the Internet. The range of threat actors is extensive, as are their motives for attacking (boredom, profit, fame, infamy, politics, etc). Healthcare sectors aren’t immune from this, and have in fact become a target for groups seeking sensitive information. When physical products are connected to the Internet of Things, they can become vulnerable to physical problems. The utility sector is especially wary of this, as pumps that stop working can cause physical damage. An alarm that gets turned off could prevent required oversight. Medical devices are susceptible to many conceptually similar problems. A pacemaker could have an alarm turned off. An infusion pump could have its flow rate increased. A medical database could present the incorrect information. All could harm patients.
- Traditionally, most concerns about breaches have focused on data. Thanks to HIPAA, that’s probably not a bad thing. But data aren’t the only concerned companies, regulators and care providers need to watch out for. Among the greatest risks: That patients could be harmed or killed by malfunctioning medical devices – even held hostage; that their sensitive patient data could be stolen or used for blackmail; and that they might no longer trust connected devices, potentially limiting the spread of devices which have the potential to vastly improve human health over time.
- What is clear is that betting on cybersecurity breaches not happening is an unwise choice. 85% of all large health care organizations experiences a data breach in 2014, with 18% of those breaches costing more than $1 million to remediate. That’s not counting secondary costs like lost business opportunities, reputational harm, and more.
- In September 2015 we polled 1,000 consumers and presented to them a scenario: If they heard that a medical device had been hacked into, resulting in injury to a patient (either physical or financial), how likely would they be to take certain actions? Our survey looked at three distinct outcomes: What happens to the specific manufacturer of the hacked device; what happens to the hospital or healthcare facility where the hack occurred; and what happens to other manufacturers of connected medical devices. The responses showed illustrated major problems for all three groups. About one-in-five consumers would never again use that manufacturer’s devices, or indeed any manufacturer’s connected device. This indicates a deep level of mistrust between consumers and the ability of device manufacturers to protect them. Hospitals fared better, but not my much. Almost one-in-ten consumers said they would avoid using the specific hospital where the hack occurred. About 30% of consumers said they would be wary of using specific devices of hospitals again. What does this mean? For device manufacturers, failure to act is akin to the tragedy of the commons. One bad actor could taint an entire industry’s reputation, leading to action by regulators, legislators and more.
- Consumers are already starting to express their preferences toward security. A recent survey of consumers by HRI indicated that 62% preferred assurances that their health data was secure over a device being functional or easy to use. This could have big implications on the market going forward.
- To talk about medical device cybersecurity in 2016, let’s first take a big step back – all the way back to 1938 when Congress passed he Federal Food, Drug and Cosmetic Act (FD&C Act). The law required, for the first time, all drug products to proven safe for use in humans before they could be introduced to the market. 20 Years later, in 1962, the Kefhauver-Harris Amendments became law, requiring all drug products to be proven effective before they were allowed on the market. These two elements remain essential parts of our regulatory system today, and since the 1976 Medical Device Amendments have also applied to most medical devices. But today, we also recognize that it’s not enough for devices to be proven to be safe and effective to just FDA; they need to remain safe and effective once they’re on the market. So we require companies to show that these products are made using federal standards for manufacturing quality. If you’ve ever heard of a product being recalled due to manufacturing problems or sterility issues, they’re really referring to quality problems with the product. Now, in 2015, federal regulators are starting to consider something of a fourth metric – that of security. This can be thought of as digital quality – a networked product’s capability to be resilient against targeted threats (i.e. hackers), non-specific threats (i.e. viruses, malware) and general bugs (i.e. coding problems and crashes). This is quality that transcends the traditional manufacturing space. Traditionally, companies needed to worry about quality when a device was in their possession and during manufacturing. Now they need to maintain the quality of a device once it’s out in the field and through software updates.
- The government has been attempting to address cybersecurity issues with medical devices for about a decade now. In 2005, FDA issued an early-stage guidance document on cybersecurity specifically focusing on those devices relying on off-the-shelf software (http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077823.pdf) The guidance document – a non-binding document – confirms that companies need to report known cybersecurity vulnerabilities to FDA under existing quality system regulations. The guidance also confirms that most software patches made to enhance the security of a medical device don’t need premarket approval or clearance before being rolled out to devices. Since then, FDA has become aware of at least one specific device – an infusion pump – which it said had vulnerabilities serious enough to warrant being removed from use. However, no recall notice was issued. FDA’s alert happened in July 2015 January 2016 guidance: http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf
- NIST (the National Institute for Standards and Technology) maintains a cybersecurity infrastructure improvement project (http://www.nist.gov/cyberframework/) The Department of Homeland Security’s Industrial Control Systems – Computer Emergency Response Team (ICS-CERT) is often the first indication the public gets that a problem exists with a device FDA is working on standing up its own cybersecurity testing laboratory, though details are extremely sparse HHS works closely with FDA, one of its child agencies, to implement Executive Order 13636 – “Improving Critical Infrastructure Cybersecurity” 9https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity)
- Now let’s address some specifics implications about medical device cybersecurity. In general, there are things the healthcare industry needs to be wary of (if not outright fear), and there are ways in which the industry can mitigate or contain those threats (but probably not eliminate them). *Cyber vulnerabilities may be seized upon by product litigation groups as “design defects,” subjecting their companies to class-action lawsuits