The reality is that risk management is one of the more complex aspects of compliance and product efficacy: risk comes in many forms and perceptions, and on top of that, risk assessments can be interpreted differently across a sector. Often decisions must be made without enough data to quantify risks accurately. This course teaches the principles and organizational mindset needed to manage RM and set up cybersecurity. An excerpt from the ASQ MN presentation by the author, Keerthi Gunasekaran.
Understanding Risk Management & Cyber security Principles in Medical Devices
1. UNDERSTANDING RISK MANAGEMENT IN MEDICAL DEVICES
Covers principles and the RM mindset needed to tackle risk management while staying compliant with FDA requirements
Excerpt from ASQ 2019 MN Quality Conference presentation by Keerthi Gunasekaran.
NOTE: The content and views are solely provided by the author, and it is made available for educational purposes. The content is their interpretation and opinions on Risk Management, FDA regulations and cybersecurity guidance, originating from years of practicing RM and work experience. It does not reflect or represent any entities' or organizations' involvement or inputs.
2. LEARNING OBJECTIVES
- RISK MANAGEMENT THINKING
- UNDERSTAND CYBERSECURITY AND HOW TO INTEGRATE CYBERSECURITY INTO RISK MANAGEMENT
3. ENTROPY
- Physics: a thermodynamic quantity representing the unavailability of a system's thermal energy for conversion into mechanical work, often described as the degree of disorder or randomness in the system.
- Lack of order or predictability; gradual decline into disorder.
4. RISK MANAGEMENT IS ABOUT COMBATING ENTROPY
... THROUGH OUR ASSESSMENT OF FACTS, REALITY AND PREDICTIONS TO DRIVE A SET OF ACTIONS
5. UNIVERSAL LAWS OF RISK MANAGEMENT
- Risk should be objective
- Risk assessment process has to be definitive
- Risk acceptability can be subjective
Example: An external Ventricular Assist Device (VAD) can be an acceptable risk for treatment of end-stage heart failure versus chronic care heart diseases.
7. RISK MANAGEMENT?
Risk Management is the systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating, controlling and monitoring risk.
[Risk Assessment in this context is: combination of probability of occurrence and severity of harm]
- Application of Risk Management to Medical Devices, Risk Management Process - ISO 14971.7
8. (OPSCon)2 METHODOLOGY
- Outcomes
- Objectives
- Process
- Performance (IFU, Optimization, etc.)
- Scenarios (Use Conditions, Experience)
- Safety
- Controls
- Contingencies
COPYRIGHTED - MAY 2019 PROPERTY OF KEERTHI GUNASEKARAN
[Diagram: Outcomes, Process, Scenarios, Controls]
12. SOUNDS FAMILIAR?
"AN EFFECTIVE CYBERSECURITY RISK MANAGEMENT PROGRAM SHOULD INCORPORATE BOTH PREMARKET AND POST-MARKET LIFECYCLE PHASES AND ADDRESS CYBERSECURITY FROM DEVICE CONCEPTION TO OBSOLESCENCE." - FDA CYBERSECURITY POST-MARKET GUIDANCE
13. CYBER ENTROPY
- Lack of order or predictability; gradual acute decline into disorder, sourced by different bodies with different intentions
14. GROWING CYBER STAKEHOLDERS LANDSCAPE
[Diagram: Traditional stakeholders versus New / Emerging stakeholders. Items shown: Patients, Media, Security Researchers, ICS-CERT, Hospital IT, Customers, Business, FDA, "Ethical Hacking"]
15. CYBERSECURITY ADVISORIES
- ICS-CERT's mission is to improve the cybersecurity posture of 16 critical infrastructure sectors, which include medical devices (Healthcare and Public Health)
- ICS-CERT advisories are public disclosures of security vulnerabilities in critical infrastructure to inform on risks and mitigations
16. CYBERSECURITY EXPECTATION
POST-MARKET CYBER SECURITY PROGRAM INTENT
- Evidence of an ongoing structured and systematic approach in risk management and quality management systems that entails:
  - Methods to analyze, detect, and assess threat sources,
  - Methods to identify, characterize, assess and mitigate or recover from a cybersecurity vulnerability.
- Includes design expectations: maintaining robust software lifecycle processes,
- Using threat modeling for safety and essential performance & communication
- excerpt from post-market guidance, page 13
17. CYBERSECURITY ESSENTIALS
Confidentiality
- Prevent unauthorized disclosure
Integrity
- Prevent unauthorized modification
Availability
- Functions when needed
Key Design Considerations:
1) Accessibility:
  - External interfaces: analyze & protect
  - Communication technology: key interface, remotely available
2) Authentication: validating with whom you are communicating
3) Encryption: protect data
4) Availability: how can this be constrained yet still meet system design needs?
5) Updates: security updates will be needed; ensure upgradability is built in
18. POST-MARKET CYBERSECURITY
ELEMENTS OF AN EFFECTIVE POST-MARKET CYBERSECURITY RISK MANAGEMENT PROGRAM
Post-market risk management program should contain steps to:
1. Identify,
2. Protect,
3. Detect,
4. Respond,
5. Recover.
Maintain safety and essential performance - evidence in: FMEA process, RM reports, Complaint SOPs. Identify cybersecurity signals, vulnerability characterization, risk analysis & threat modeling, sources, and impact assessment. Compensating controls assessment, risk mitigation, and deploying mitigations that address cybersecurity risk early and prior to exploitation.
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
19. SECURITY RISK: MANAGE WITH PRODUCT RISKS
Key compliance considerations where security risks feed into the overall product risk analysis:
- Patient Safety Documentation (Design)
- Hazard / Harm Analysis
- Safety / System Characterization
- Use-Error Analysis
- Complaint Reporting (coding)
- Service and Repairs
20. AUDIT CS QUICK CHECKLIST
- Evidence of cybersecurity in risk management plan,
- Threat or signal sources defined and monitored
- Software lifecycle evaluation contains cybersecurity assessments
- Evidence of vulnerability characterization and assessment
- Threat modeling; patient harm,
- Risk acceptance criteria.
- Use of "Common Vulnerability Scoring System," Version 3.0 (page 13)
- Post-market triage of vulnerabilities for remediation
- Post-market risk analysis and remediation
21. KEY TAKEAWAYS
1. Risk is objective, the risk assessment process has to be definitive, but risk acceptability can be subjective
2. Risk Management is the systematic oversight of analyzing, evaluating, controlling and monitoring risk
3. Cybersecurity requires evidence of an ongoing structured and systematic approach in risk management and quality management systems that entails: methods to analyze, detect, assess and mitigate threat sources.
4. Cybersecurity is about protecting confidentiality, integrity and availability.
5. Key compliance considerations include patient safety, risk characterization, use-error analysis, and complaints and servicing.
26. POST-MARKET
PRE-MARKET NOT DISCUSSED
This guidance applies to any marketed and distributed medical device (+ "legacy devices") including:
1) medical devices that contain software (including firmware) or programmable logic;
2) software that is a medical device, including mobile medical applications;
3) devices that are considered part of an interoperable system.
28. STRIDE
STRIDE is a model of threats developed at Microsoft for identifying computer security threats. It provides a way to screen for security threats in six categories.
- Spoofing of user identity
- Tampering
- Repudiation
- Information disclosure (privacy breach or data leak)
- Denial of service (DoS)
- Elevation of privilege
29. CVSS
- The Common Vulnerability Scoring System (CVSS) is an open standard designed to convey vulnerability severity and help determine the urgency and priority of response. When vulnerabilities are discovered in medical devices, medical device manufacturers, typically working with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC), use CVSS to provide a consistent and standardized way to communicate the severity of a vulnerability between multiple parties, including the medical device manufacturer, hospitals, clinicians, patients, NCCIC, and vulnerability researchers.
- CVSS and its associated rubric were developed for enterprise information technology systems and do not adequately reflect the clinical environment and potential patient safety impacts. To address these challenges, the MITRE Corporation, under contract to FDA, developed a rubric that provides guidance for how an analyst can utilize CVSS as part of a risk assessment for a medical device.
- This rubric was developed by MITRE in collaboration with a working group of subject matter experts across the medical device ecosystem, including FDA, medical device manufacturers, healthcare delivery organizations, security experts, and safety/risk assessment experts.
30. CYBERSECURITY QMS AND RA AREAS
Areas within QMS in addition to the risk management program:
Quality System areas:
1. FCA (21 CFR 806)
2. Complaint handling (21 CFR 820.198, 803),
3. Quality audit (21 CFR 820.22),
4. Corrective and preventive action (21 CFR 820.100),
5. Software validation and risk analysis (21 CFR 820.30(g)),
6. Servicing (21 CFR 820.200),
7. Supplier quality
Regulatory areas:
1. PMA periodic reports (21 CFR 814.84)
31. REFERENCED IN FDA CYBERSECURITY GUIDANCE
- 21 CFR Part 820 Quality Systems Regulations
- 820.30 Subpart C - Design Controls of the Quality System Regulation
- 806.10 - Reports of corrections and removals
- 807.81 (a)(3)
- 806.10(f)
- 820.100 Corrective action and preventative action
- 7.42 Recall Strategy for elements of a remediation plan
- 7 (b)(3) Effectiveness checks
- 814.39
- 814.84
- 820.30(g)
- ANSI/AAMI ES60601-1:2005/(R)2012 and A1:2012, C1:2009/(R)2012 and A2:2010/(R)2012 (Consolidated Text) Medical electrical equipment - Part 1: General requirements for basic safety and essential performance (IEC 60601-1:2005, MOD), section 3.27 defines "Essential Performance" as performance of a clinical function, other than that related to basic safety, where loss or degradation beyond the limits specified by the manufacturer results in an unacceptable risk.
- ISO/IEC 30111:2013: Information Technology - Security Techniques - Vulnerability Handling Processes (recognized standard)
- ISO/IEC 29147:2014: Information Technology - Security Techniques - Vulnerability Disclosure
- AAMI TIR57: Principles for medical device security - Risk management
- IEC/TR 80001-2-1:2012 Application of risk management for IT-networks incorporating medical devices
What and why, not the how, at least not in satisfactory detail.
Security Risk Analysis feeds into Hazard Analysis for risks with safety impact.
Difference: security risk assessment also considers business and data (PHI) risks that may require mitigation
Security Risk Analysis feeds security-related hazardous situations and associated likelihood ratings (p1 = probability of hazardous situation) into the Hazard Analysis for probability of patient harm determination.
I am going to give an example of how this flow works from security risk analysis to hazard analysis as well as flowing to requirements identification.
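The flow from security risk analysis to hazard analysis described above, as an added example that is not from the presentation: P1 (the likelihood of the hazardous situation, supplied by the security analysis) is multiplied by P2 (the likelihood that the situation leads to harm, from the hazard analysis) in the ISO 14971 manner, compared with an acceptance criterion, and the controls needed to reach acceptability become design requirements. All likelihood scales, acceptance limits and sample rows are constructed for illustration, not taken from any real device file.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed qualitative scales for this example; a real device file defines its own
# scales and acceptance criteria in the risk management plan.
LIKELIHOOD = {"improbable": 1e-6, "remote": 1e-5, "occasional": 1e-4,
              "probable": 1e-3, "frequent": 1e-2}
# Maximum acceptable probability of harm per severity class (constructed criterion).
ACCEPTANCE_LIMIT = {"negligible": 1e-2, "minor": 1e-4, "serious": 1e-5,
                    "critical": 1e-6, "catastrophic": 1e-7}

@dataclass
class SecurityRisk:
    """One row of the security risk analysis (threat/vulnerability side)."""
    vulnerability: str
    hazardous_situation: str             # link key into the hazard analysis
    p1: str                              # P1: likelihood the threat causes the hazardous situation
    control: Optional[str] = None        # design requirement derived from this risk
    controlled_p1: Optional[str] = None  # P1 once the control is implemented

@dataclass
class Hazard:
    """One row of the hazard analysis (clinical side)."""
    hazardous_situation: str
    harm: str
    p2: str        # P2: likelihood the hazardous situation leads to the harm
    severity: str

def probability_of_harm(risk, hazard, with_controls=False):
    """ISO 14971 style P(harm) = P1 * P2, with P1 supplied by the security analysis."""
    label = risk.controlled_p1 if with_controls and risk.controlled_p1 else risk.p1
    return LIKELIHOOD[label] * LIKELIHOOD[hazard.p2]

def assess(risks, hazards, with_controls=False):
    """Join security risks to hazards; return (vulnerability, harm, P(harm), acceptable)."""
    by_situation = {h.hazardous_situation: h for h in hazards}
    rows = []
    for r in risks:
        h = by_situation[r.hazardous_situation]
        p = probability_of_harm(r, h, with_controls)
        rows.append((r.vulnerability, h.harm, p, p <= ACCEPTANCE_LIMIT[h.severity]))
    return rows

def derived_requirements(risks, hazards):
    """Controls that must become design requirements: those needed to reach acceptability."""
    needs_control = {row[0] for row in assess(risks, hazards) if not row[3]}
    return [r.control for r in risks if r.vulnerability in needs_control and r.control]

# Constructed sample rows (not from any real device file).
RISKS = [SecurityRisk("Unauthenticated service port accepts therapy settings",
                      "Device runs with altered therapy settings", "frequent",
                      "Authenticate and integrity-check every settings change", "remote")]
HAZARDS = [Hazard("Device runs with altered therapy settings",
                  "Incorrect therapy delivered", "probable", "critical")]
```

Business and PHI risks that have no safety impact (the difference noted above) would not appear in HAZARDS at all and are dispositioned in the security risk file on their own.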