Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Cybersecurity and the FDA


Published on

The FDA's Post-Market Cyber-Security Draft Guidance has new recommendations for manufacturers. Here is a high-level overview of what medical device manufacturers should be doing to comply.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Cybersecurity and the FDA

  1. 1. Cybersecurity and the FDA Overview for Medical Devices By Frances Cohen President Promenade Software Inc. Board Member MedISAO
  2. 2. My Background The highlights: • B.S. Geophysics – UCLA. Worked in the Dept. on an Apple IIe and 1st PC. (dinosaurs still roamed the earth but punch cards were going extinct) • Hated oil research – loved software. Got a BS Computer Engineering from the Technion – Israel Institute of Technology. • Chief Architect and core team manager at Phoenix BIOS back in the PC heyday of 286/386/486/Pentium, Windows 3.1 – XP. • Implemented and Managed development a GE Medical Hospital Defibrillator at Cardiac Science – first introduction to medical devices. • Directed software development at Source Scientific LLC, a medical device contract developer and manufacture for 9 years. • Current- President of Promenade Software Inc. – a medical device software service co. 3+ years.
  3. 3. Promenade Software Inc. • A service provider of Medical Device Software – ~15 software engineers – Full stack of software for devices and their associated eco-system • Embedded and User-facing software. • Mobile Apps and Cloud – Handle software regulatory submission – Cybersecurity solutions and services
  4. 4. Med ISAO • A medical device information sharing and analysis organization. – Provides ongoing cybersecurity information tailored to the medical device industry. – Alerts members of potential threats – Geared towards smaller manufacturers and startups.
  5. 5. Cybersecurity and Medical Devices Some Definitions • Cybersecurity – the procedure of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed , or transferred from a medical device to an external recipient. • Vulnerability – A weakness in a device’s cybersecurity (implementation or processes) that could be exploited.
  6. 6. Background • From Executive Order 13636 – Cyber threats to national security are among the most serious. • Thousands of medical devices have been shown to be vulnerable to hacking – Rising number of medical devices connected to the internet. – Insufficient security practices: ex: Fixed hardcoded passwords, or defaults not changed. Or no encryption. – From infusion pumps to CT scans, implantable defibrillators – many easily accessible from within the hospital, and some on the web or within Bluetooth reach. • Raising privacy concerns and safety concerns
  7. 7. Ex: GE’s Password Cloud Default passwords with an advisory not to change them in the manual – for service reasons.
  8. 8. Recent Issues • Hospira Symbiq Infusion System – July 2015 – FDA issued advisory to stop using due to cybersecurity risk • J&J Animas Insulin Pump – October 2016 – J&J advised to turn off wireless functions until patched – Attacker could command pump to dispense arbitrary amount of insulin from 25 feet away • St. Jude Pacemaker – August 2016 – Security firm reported ability to wirelessly control implanted pacemaker – St. Jude stock Dropped ~10% – Ongoing investigations on validity of claim
  9. 9. FDA Guidance - History • No initial mention in guidance material • Oct 2014 – FDA released the Guidance for “Premarket Submission for Management of Cybersecurity in Medical Devices” • Jan 2016 – FDA release a draft guidance “Postmarket Management of Cybersecurity in Medical Devices” – Talk of release by the end of the year.
  10. 10. Premarket Guidance Guidance follows standards for securing networked systems (ex: systems having to do with money…) • Identify and Protect – Limit Access to Trusted Users Only • Require authentication of users (ex: ID and password, or biometric). No hardcoded passwords. Use modern hashes • Use multi-factor authentication to privileged device access (service techs., system admins). • Require user authentication for upgrades. • Terminate sessions after a timeout, as appropriate. – Ensure trusted content • Upgraded code should be authenticated (e.g. signed) • Ensure secure data transfer to and from device, using encryption.
  11. 11. Premarket Guidance • Detect, Respond, Recover – Implement features allowing for detection of security compromises. – Implement features that protect critical functionality, even when cybersecurity has been compromised. – Provide method of recovery by an authenticated privileged user.
  12. 12. Premarket Guidance • Documentation – Include a Hazard Analysis with mitigations pertaining to cybersecurity risks. – Show traceability to requirements. – Describe plan for providing updates. – Provide instructions for recommended cybersecurity controls appropriate for the intended use.
  13. 13. Postmarket Guidance To address evolving cybersecurity risks, FDA identifies a number of critical components that should be included from the device manufacturer postmarket. – Monitor information sources for vulnerabilities – Assess presence and impact of a vulnerability – Establish and communicate process for vulnerability intake and handling – Define essential clinical performance • To develop mitigations to protect, respond and recover – Adopt a Coordinated Vulnerability Disclosure policy and practice – Deploy mitigations prior to exploitation.
  14. 14. Coordinated Disclosure • FDA recognizes IEC 29147:2014 – deals with the interface between vendors and those who find and report potential vulnerabilities – Could be external – how does a 3rd party report a vulnerability found? • Why have one? – FDA recommends it – Gives advanced notice of vulnerabilities  Makes patients safer  Better publicity control – More likely for security researchers to work with you instead of against you
  15. 15. Private Sector Information Sharing • Executive Order 13691 – Promotes private sector information sharing, encouraging ISAOs (information sharing analysis organizations) • ISAOs serve as focal points for cybersecurity information sharing and collaboration. • ISAOs protect privacy of individuals and preserve business confidentiality, safeguarding information being shared. • FDA considers participation in an ISAO a critical component of a medical device manufacturers’ comprehensive proactive approach to management of postmarket cybersecurity threats.
  16. 16. Advantage of ISAO Membership • Manufactures must report vulnerabilities to the FDA unless all of the following are met: – There are no known serious adverse events or deaths associated. – Manufacturer implements controls within 30 days – Manufacture is a participating member of an ISAO
  17. 17. Advantage of ISAO Membership From the guidance: “Participants in an ISAO can request that their information be treated as Protected Critical Infrastructure Information. Such information is shielded from any release otherwise required by the Freedom of Information Act or State Sunshine Laws and is exempt from regulatory use and civil litigation if the information satisfies the requirements of the Critical Infrastructure Information Act of 2002”
  18. 18. Summary • The Device Manufacturer has responsibility to implement cybersecurity risk management programs premarket and postmarket. • Information sharing is a critical part of postmarket cybersecurity programs The FDA now views cybersecurity risks just as seriously as defective product risks.
  19. 19. Need more Info? Contact Us For more information please feel free to contact Promenade Software