Cybersecurity in Medical Devices This document discusses cybersecurity issues related to medical devices. It begins by defining key cybersecurity concepts like assets, threats, vulnerabilities, and risks as they apply to medical devices and patient data. It then outlines FDA guidance on premarket and postmarket cybersecurity. The document discusses cybersecurity from the perspectives of physicians, industry, and patients. For physicians, it notes the challenges of cybersecurity informed consent. It also discusses benefits and challenges to communicating cybersecurity safety concerns with patients.

1. Cybersecurity in Medical Devices
Yuan Song
Professor, Data Scientist
Duke University
1Copyright by Bigfish HealthSep. 2019

2. DISCLAIMER
The views and opinions presented represent those of the
speaker and should not be considered to represent advice
or guidance on behalf of the Food and Drug Administration.
Sep. 2019 Copyright by Bigfish Health 2

3. PREMARKET CYBERSECURITY
GUIDANCE 2014
POSTMARKET CYBERSECURITY
GUIDANCE 2016
Sep. 2019 Copyright by Bigfish Health 3

4. Cybersecurity?
• Asset: The people, property, and information to be protected. In medical device
cybersecurity, assets include the patient, the medical device, and data transmitted about
the patient.
• Threat: Anyone or anything that can exploit a vulnerability, intentionally or accidentally,
and steal, damage, or destroy an asset. In medical device cybersecurity, the threat is often
an unauthorized person who intentionally accesses and controls a device and uses that
access to issue commands to the device.
• Vulnerability: A weakness or gap in a security program or protocol that can be exploited by
threats to gain unauthorized access to an asset. In medical device cybersecurity, the
vulnerability is typically associated with a security gap in the software or firmware used by
the device.
• Risk: The potential for loss, damage, or destruction of an asset which occurs when a threat
exploits a vulnerability. Risk is the intersection of assets, threats, and vulnerabilities. In
medical device cybersecurity, the risk is typically associated with an unauthorized person
(threat) accessing the device(s) of one or more patients by exploiting a vulnerability (such
as a security weakness in the device’s software or firmware). Examples include
inappropriate pacing or shocks from a pacemaker or inappropriate dosing from an infusion
pump.
Sep. 2019 Copyright by Bigfish Health 4

5. Physician Perspective on Cybersecurity
Cybersecurity Informed consent
•Identification
•Purpose
•Benefits
•Risks
•Alternatives
•Questions
•Affirmation
• Challenges in Cyber Informed
Consent
• True risk is unknown and can
change
• Unconnected devices may not exist
• Doctors don’t understand cyber
Sep. 2019 Copyright by Bigfish Health 5

6. Benefits to Cyber Informed Consent
• Patients rights and
empowerment
• Patient education
• Physician education
• Raises awareness and
possible detection of adverse
events across healthcare
• Advances the entire
healthcare cyber security
maturity
Sep. 2019 Copyright by Bigfish Health 6

7. Challenges with communicating safety
concerns
•Audience health literacy
•The effects pf stress experienced by target
audiences
•Language barriers
•Barriers to internet access and use
Sep. 2019 Copyright by Bigfish Health 7

8. Industry Perspective on Cybersecurity
Communication
Sep. 2019 Copyright by Bigfish Health 8

9. Patient Perspective on Cybersecurity
Communication
Sep. 2019 Copyright by Bigfish Health 9
• Not too much concern until it becomes a problem.
• How to empower patients?

10. Copyright by Bigfish Health 10
Thank you
Q&A
Sep. 2019