Presentation by PwC at Medtech Conference 2016.
Participant:
Geoff Fisher, Director – PwC
Powered by:
Healthegy
Breakout Session: Cybersecurity in Medical Devices
1. The internet of deadly things
Medical Device Cybersecurity
Geoff Fisher
Director & Leader of PwC Medical Device Cybersecurity Practice
Health Industries Cybersecurity and Privacy
2. PwC
What is a medical device?
“An instrument, apparatus, implement, machine,
contrivance, implant … which is … intended for use in the
diagnosis of disease or other conditions, or in the cure,
mitigation, treatment, or prevention of disease”
– Food, Drug and Cosmetic Act
3. PwC
What’s driving a focus on cybersecurity?
The driver: The impact
• 01 Total business connectedness: A business’ payroll, sales and products might all be connected to the Internet—and vulnerable
• 02 Systemic risks: A new vulnerability could leave a once-secure business open to major problems immediately
• 03 Everything is under attack: People are looking for money, data, laughs, information, back-doors and infamy.
• 04 Risk to physical assets: Internet-connected products are vulnerable to physical problems, including failure
4. PwC
Over the years, medical devices have seen dramatic technological advances…
Before
• Devices are connected to patients physically
• Data obtained from devices are stored on paper or locally
• Devices are physical products
• Care is hand-administered at a health care location
• Physical access is needed to view health data
Now
• Devices are connected wirelessly to patients and other devices
• Data obtained from devices are stored in the cloud
• Devices include software and even databases of health information
• Care is available to patients in the palm of their hand through apps
• Health data can be accessed anywhere on earth
5. PwC
So have the concerns…
If a device gets hacked into, there are some big potential problems
• Patients could be harmed
• Protected health data could be lost
• Patients could die
• Lost trust in connected devices
6. PwC
And the cost of breaches.
Cybersecurity breaches are common and costly
• 18% of breaches cost more than $1 million to remediate
• 85% of large health organizations experienced a data breach in 2014
7. PwC
Hacked devices, lost customers
Many customers say they would never use, or would be wary of using, medical devices known to have been hacked or the healthcare facilities where the hack occurred.
Chart categories, in the order they appear on the slide:
• Would never again use any connected medical device
• Would be wary of using any connected medical device
• Would never again use that manufacturer's connected devices
• Would be wary of using any of that manufacturer's connected devices
• Would never again use that specific hospital
• Would be wary of using that specific hospital
Chart values, in the order they appear on the slide: 19%, 31%, 22%, 29%, 9%, 29%
“Some medical devices (e.g., in hospitals) are now connected to the Internet to allow for software updates. You heard that a medical device (e.g., a blood pressure monitor, etc.) had been the subject of a hack that left a patient injured physically and/or financially. How comfortable would you feel using another…” – HRI Consumer Health Survey 2015
8. PwC
Customers value Security over Utility!
“When using medical devices or healthcare mobile apps, I most value…”
• …knowing my health data is secure: 62%
• …functionality and ease of use: 38%
HRI Consumer Survey 2015
9. PwC
A shift in how the FDA thinks about regulating medical devices
Traditional considerations meet technology
Evolving
• Security: Once a medical device is networked with other devices or the internet, is it still safe, or is it vulnerable to potentially serious problems?
Traditional
• Quality: After approval, a device must be kept safe and effective through adherence to quality manufacturing standards established by FDA
• Safety: Is a medical device safe for use in humans? Does it cause adverse events? Are its risks tolerable in relation to its benefits?
• Efficacy: Is a device effective for its given purpose? What is the magnitude of the effect?
10. PwC
A brief history of FDA and medical device cybersecurity
• January 2005: FDA releases final guidance on cybersecurity for networked medical devices containing off-the-shelf software
• February 2013: President Obama issues executive order on improving infrastructure cybersecurity
• June 2013: FDA issues general warning on device cybersecurity based on “known vulnerabilities”
• June 2013: FDA issues draft guidance on medical device cybersecurity
• October 2014: FDA issues its final guidance document on including medical device cybersecurity information in premarket applications
• July 2015: FDA issues first-ever warning about cybersecurity vulnerability of a device
• January 2016: FDA issues draft guidance document on post-approved monitoring of medical device cybersecurity
• Late 2016???: FDA issues final guidance document on post-approved monitoring and remediation of medical device cybersecurity
11. PwC
FDA Pre-Market Cybersecurity Guidance
Key takeaways from the FDA’s previous guidance:
• Manufacturers should address cybersecurity during the “design and development” of the medical device
• Leverage NIST’s Cybersecurity Framework (NIST CSF)
• The scope of the Guidance covers the following: 510k, de novo submissions, Premarket Approval Applications (PMAs), product development protocols, and humanitarian device exemption
NIST CSF functions: Identify, Protect, Detect, Respond, Recover
12. PwC
Draft FDA Post-Market Cybersecurity Guidance
‘Medical device manufacturers […] should take steps to ensure appropriate safeguards. Manufacturers are responsible for
remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to
cybersecurity. They are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper
device performance.’
• Monitoring cybersecurity information sources for identification and detection of cybersecurity
vulnerabilities and risk;
• Understanding, assessing and detecting presence and impact of a vulnerability;
• Establishing and communicating processes for vulnerability intake and handling;
• Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from
the cybersecurity risk;
• Adopting a coordinated vulnerability disclosure policy and practice; and
• Deploying mitigations that address cybersecurity risk early and prior to exploitation.
13. PwC
Draft FDA Post-Market Cybersecurity Guidance
In the absence of remediation, a device with uncontrolled risk to its essential clinical performance […] may be considered in violation of the FD&C Act and subject to enforcement or other action.
Manufacturers should report these vulnerabilities to the FDA according to 21 CFR part 806, unless reported under 21 CFR parts 803 or 1004. However, the FDA does not intend to enforce reporting requirements under 21 CFR part 806 if all of the following circumstances are met:
• There are no known serious adverse events or deaths associated with the vulnerability,
• Within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users, and
• The manufacturer is a participating member of an ISAO, such as NH-ISAC.
14. PwC
Medical Device Cyber Threat Landscape
The cybersecurity challenge now extends beyond just protecting our information. Today, threat actors may be targeting the very devices that are used to provide care and treatment …
Threat Actors
• Criminal Groups
• Rogues
• Intelligence Services
• Hackers
• Activists
• Nation States
• Insiders
Threat Actors are driven by these motives and targets…
Motives/Targets
• Obtaining PHI/PII
• Physical Attacks
• Street ‘Cred’
• Financial Gain
• Retaliation
• Extortion
• Political/Social Change
• Shift Organizational Objectives
• Disrupt Business
…utilizing these Threat Vectors
Threat Vectors
• D/DoS
• Software Vulnerabilities
• Sniffing
• Brute Force
• Malware / Viruses
15. PwC
FDA is not the only US Regulator interested in cybersecurity
Four US agencies monitor medical devices in some way
Agency labels on the slide: FDA, NIST, DHS, HHS, FTC
• FDA: The Food and Drug Administration
• DHS: Department of Homeland Security (ICS-CERT)
• HHS: Department of Health and Human Services
• FTC: Federal Trade Commission
16. PwC
Medical Device manufacturers need to be proactive to secure their devices…
What to fear
• Limited experience/ability reacting to cybersecurity events in devices after product launch
• Consumer confidence in the entire sector being hurt due to one company’s failures
• Tougher regulation may follow problems affecting a patient’s health
• Lawsuits, reputational harm, fired executives, and recalled products
• Patients harmed or killed by a compromised device
What to do
• Look to mature software and technology firms for inspiration and models
• Determine best practices for connecting, securing and updating devices
• Like quality, security must be designed into each product
• Create incentives to find and report vulnerabilities
• Routine security assessments to review device vulnerabilities
17. PwC
A security centric, risk based product development process is core to the deployment of a secure effective medical device…
02
Protected Health Information
Product design must be equipped with handling patient sensitive information to meet both HIPAA and FDA regulations.
04
Product Safety
Product design must incorporate safety features that meet the regulatory requirements such as alarm systems to protect users and patients from unanticipated adverse situations
Medical Device Development
Secure Product Architecture
Product design must protect the information & the device against any threats posed by external circumstances or by other connected devices.
03
Risk Assessment and Management
Product design must enable identification and management of risk through the product development lifecycle.
01
18. PwC
With evolving technology and the changing regulatory climate it is essential that medical device design includes holistic product safety considerations and incorporates leading edge solutions against security threats & vulnerabilities
Diagram labels: Medical Device Privacy and Security; Product Design; Product Launch; Strategy; Patient Needs; Market Insights; Regulatory Requirements; Innovation Strategy; Business Requirements; Financial Targets
19. PwC
To meet the current regulatory requirements and protect the device from cybersecurity attacks, it is critical to embed security within the lifecycle of the product and in risk management considerations…
Diagram labels: Product Design; Requirements; Product Launch; Pre-market; Risk Management Lifecycle
Risk Management Considerations
• Inevitable need to explore unidentifiable risks including foreseeable tampering
• Established mechanism to feed post market monitoring data into next Gen device design
• Continuous compliance with HIPAA and other privacy regulations
• IT compliance function with expertise to evaluate compliance with various regulations
• Effective security and data standards with an ability to rapidly respond to emerging threats
20. …and build an Incident Response capability that will allow the organization to respond to emerging threats to their devices in a methodical, repeatable and defensible way.
Incident Response Life Cycle
• Prepare: Determine how an event will be handled, by whom and what tools will be necessary to be effective
• React: Understand the threat that has been uncovered and how it is impacting the device
• Respond: Determine how to remediate the issue and notify your customers
• Recover: Use the information gained during the event to build more secure devices and improve future response
The definition of a medical device is complex, in part because it is defined by what it isn’t. It’s a product which does NOT achieve its intended effects through chemical action or through the metabolism.
As such, medical devices are incredibly diverse, and include everything from the obvious – a pacemaker, for example – to the less obvious. Certain types of medical software can be a medical device. Even some smartphone apps can be medical devices.
Networked medical devices are at risk for the same reason almost everything connected to the internet is at risk.
Almost everything a business does is connected to the internet. Its payroll. Its accounting. Its sales, marketing and online store. Its products might be entirely digital (e.g. Netflix). The products it sells might function best when connected to the Internet (e.g. a smartphone).
Problems can emerge very, very quickly. Think about your house: If you did a walkthrough of your house right now to find problems, you could feel fairly confident that if everything looked, worked and indeed was in good shape today, your house would be fine tomorrow. It wouldn’t spontaneously collapse due to foundational problems that appear overnight. But that’s the exact scenario most companies face with their digital infrastructure. One day things can look fine, and the next day they can find out that a piece of software their entire business relies on has a critical vulnerability, putting their entire operation at risk.
Everything is under attack. When everything is connected to the Internet, everything can be attacked by everyone on the Internet. The range of threat actors is extensive, as are their motives for attacking (boredom, profit, fame, infamy, politics, etc). Healthcare sectors aren’t immune from this, and have in fact become a target for groups seeking sensitive information.
When physical products are connected to the Internet of Things, they can become vulnerable to physical problems. The utility sector is especially wary of this, as pumps that stop working can cause physical damage. An alarm that gets turned off could prevent required oversight. Medical devices are susceptible to many conceptually similar problems. A pacemaker could have an alarm turned off. An infusion pump could have its flow rate increased. A medical database could present the incorrect information. All could harm patients.
Traditionally, most concerns about breaches have focused on data. Thanks to HIPAA, that’s probably not a bad thing.
But data aren’t the only concern companies, regulators and care providers need to watch out for.
Among the greatest risks: That patients could be harmed or killed by malfunctioning medical devices – even held hostage; that their sensitive patient data could be stolen or used for blackmail; and that they might no longer trust connected devices, potentially limiting the spread of devices which have the potential to vastly improve human health over time.
What is clear is that betting on cybersecurity breaches not happening is an unwise choice. 85% of all large health care organizations experienced a data breach in 2014, with 18% of those breaches costing more than $1 million to remediate. That’s not counting secondary costs like lost business opportunities, reputational harm, and more.
In September 2015 we polled 1,000 consumers and presented to them a scenario: If they heard that a medical device had been hacked into, resulting in injury to a patient (either physical or financial), how likely would they be to take certain actions?
Our survey looked at three distinct outcomes: What happens to the specific manufacturer of the hacked device; what happens to the hospital or healthcare facility where the hack occurred; and what happens to other manufacturers of connected medical devices.
The responses illustrated major problems for all three groups.
About one-in-five consumers would never again use that manufacturer’s devices, or indeed any manufacturer’s connected device. This indicates a deep level of mistrust between consumers and the ability of device manufacturers to protect them.
Hospitals fared better, but not by much. Almost one-in-ten consumers said they would avoid using the specific hospital where the hack occurred.
About 30% of consumers said they would be wary of using specific devices or hospitals again.
What does this mean? For device manufacturers, failure to act is akin to the tragedy of the commons. One bad actor could taint an entire industry’s reputation, leading to action by regulators, legislators and more.
Consumers are already starting to express their preferences toward security. A recent survey of consumers by HRI indicated that 62% preferred assurances that their health data was secure over a device being functional or easy to use.
This could have big implications on the market going forward.
To talk about medical device cybersecurity in 2016, let’s first take a big step back – all the way back to 1938 when Congress passed the Federal Food, Drug and Cosmetic Act (FD&C Act).
The law required, for the first time, all drug products to be proven safe for use in humans before they could be introduced to the market.
20 years later, in 1962, the Kefauver-Harris Amendments became law, requiring all drug products to be proven effective before they were allowed on the market.
These two elements remain essential parts of our regulatory system today, and since the 1976 Medical Device Amendments have also applied to most medical devices.
But today, we also recognize that it’s not enough for devices to be proven to be safe and effective to just FDA; they need to remain safe and effective once they’re on the market. So we require companies to show that these products are made using federal standards for manufacturing quality. If you’ve ever heard of a product being recalled due to manufacturing problems or sterility issues, they’re really referring to quality problems with the product.
Now, in 2015, federal regulators are starting to consider something of a fourth metric – that of security. This can be thought of as digital quality – a networked product’s capability to be resilient against targeted threats (e.g. hackers), non-specific threats (e.g. viruses, malware) and general bugs (e.g. coding problems and crashes).
This is quality that transcends the traditional manufacturing space. Traditionally, companies needed to worry about quality when a device was in their possession and during manufacturing. Now they need to maintain the quality of a device once it’s out in the field and through software updates.
The government has been attempting to address cybersecurity issues with medical devices for about a decade now.
In 2005, FDA issued an early-stage guidance document on cybersecurity specifically focusing on those devices relying on off-the-shelf software (http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077823.pdf)
The guidance document – a non-binding document – confirms that companies need to report known cybersecurity vulnerabilities to FDA under existing quality system regulations. The guidance also confirms that most software patches made to enhance the security of a medical device don’t need premarket approval or clearance before being rolled out to devices.
Since then, FDA has become aware of at least one specific device – an infusion pump – which it said had vulnerabilities serious enough to warrant being removed from use. However, no recall notice was issued. FDA’s alert happened in July 2015.
January 2016 guidance: http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf
NIST (the National Institute for Standards and Technology) maintains a cybersecurity infrastructure improvement project (http://www.nist.gov/cyberframework/)
The Department of Homeland Security’s Industrial Control Systems – Computer Emergency Response Team (ICS-CERT) is often the first indication the public gets that a problem exists with a device
FDA is working on standing up its own cybersecurity testing laboratory, though details are extremely sparse
HHS works closely with FDA, one of its child agencies, to implement Executive Order 13636 – “Improving Critical Infrastructure Cybersecurity” (https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity)
Now let’s address some specific implications of medical device cybersecurity.
In general, there are things the healthcare industry needs to be wary of (if not outright fear), and there are ways in which the industry can mitigate or contain those threats (but probably not eliminate them).
*Cyber vulnerabilities may be seized upon by product litigation groups as “design defects,” subjecting their companies to class-action lawsuits