Cybersecurity in medical devices

•Download as ODP, PDF•

1 like•592 views

A slide show that details the updates the FDA has made to Post Market Management of Cybersecurity in the Medical Device field

Healthcare

Cybersecurity in Medical
Devices
Post Market Management
Safis Solutions

The Problem
• More and more Medical Devices are
being designed to be networked
with other patient care systems
Ø Networked devices include software that may
be vulnerable to cybersecurity threats
• Safety and Effectiveness Impact
• Risk to Public Health
Ø

The Impact
• Compromised Device Functionality
• Loss of Data Availability or Integrity
Ø Medical
Ø Personal
• Exposure of other connected devices
or networks to security threats
Ø All of the above may lead to potential patient
illness, injury, or death

Scope
• Software containing Medical Devices
• Software that is a Medical Device
Note: Guidance Not Applicable to Experimental or Investigational
Devices

The Solution - FDA’s
Expectation
• Holistic
Ø Includes the entire Product Lifecycle of the device
– from conception to obsolescence
• Not just a point-in-time intervention
Ø Continual monitoring, including post market
Ø E.g. Monitoring vulnerabilities inadvertently
introduced during patch releases
• Device Manufacturers responsible
Ø Proactive, not reactive, posture expected from
manufacturers
Ø Active, voluntary participation in an ISAO
ISAO: Information Sharing Analysis Organizations, per Executive
Order # 13691, released 13th Feb 2015

FDA’s Guidance
• Cybersecurity for Networked Medical
Devices containing OTS Software
Ø Jan 14, 2005
• Content of Premarket Submissions for
Management of Cybersecurity in
Medical Devices
Ø Oct 2, 2014
• Post Market Management of
Cybersecurity in Medical Devices
(Draft)
Ø Jan 22, 2016
Purchasing
Post market
monitoring
Design

Key Themes
• Collaboration
• ISAO Participation
• Shared Responsibility
Ø Cognate terms for collaboration and sharing occur
24 times in the document
• Proactive approach
• Risk based approach
• Essential Clinical Performance
Ø This term occurs 58 times in the document
Ø Idea borrowed from IEC 60601-1, but ‘clinical’
added in this document
You approach your
cybersecurity program with
this…
…to preserve
this.

Collaboration – Key
Communities
Healthcare
Delivery
Organizations
(HDOs)
Clinical User
Community
Medical
Device
Community
IT Community
ISAO

Collaboration – product view
User
IT System
Integrator
Health IT
Developers
IT Vendors
Manufacturer
ISAO

Collaboration
• Advantages
Ø Sharing of established resources
• Standards; Guidelines; Best practices;
Frameworks
Ø Consistent threat assessment & mitigation
• Outputs
Ø Develop a Cybersecurity Risk Management
Culture
Ø Establish a Common Understanding
• Goal
Ø Device safety is preserved
Ø Device effectiveness is not compromised

Comprehensive Cybersecurity
Program
• NIST Framework for improving critical
infrastructure cybersecurity
Ø Identify
Ø Protect
Ø Detect
Ø Respond
Ø Recover
•
http://
www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.p

Identify
• Define Essential Clinical Performance
• Identify Cybersecurity Signals
•

Protect / Detect
• Assess and Characterize Vulnerability
• Analyze Risk (Threat Modeling)
• Analyze Threat Sources
• Incorporate Threat Detection
Capabilities
• ‘Impact Assess’ all Devices
•

Protect / Respond / Recover
• Assess Compensating Controls
Ø Detect / Respond
• Mitigate Risk of Essential Clinical
Performance
•

End Note
• The NIST Framework is mentioned here at
the very highest level
• The purpose of its mention is to simply
raise an awareness
• A separate slide deck is warranted to
delve deeper into what it is and how it
can be implemented
• Individuals are encouraged to ask
questions or provide comments on the
FDA guidance on post market
management of cybersecurity in medical
devices until April 21st of 2016

In this session, we welcome Shankar Somasundaram, CEO of Asimily, Priyanka Upendra, Quality Compliance Director at Banner Health, and Carrie Whysall. Director of Managed Security Services at CynergisTek. Together, they will discuss medical device security, covering all you need to know from medical device assessments to remediation efforts. Attendees will leave this session knowing how to apply what they have learned about medical device security in real life.

Medical device security presentation - Frank Siepmann

Frank Siepmann

[Wroclaw #6] Medical device security

OWASP

Clinical Risk Management

Medigate

Let Medigate inventory all of your connected devices, assign them clinically-based risk scores, generate risk assessment reports, and provide actionable remediation and mitigation insights to keep your patients, PHI and network safe. Learn more: Let Medigate inventory all of your connected devices, assign them clinically-based risk scores, generate risk assessment reports, and provide actionable remediation and mitigation insights to keep your patients, PHI and network safe. Learn more: https://www.medigate.io/

EU cybersecurity requirements under current and future medical devices regula...

Erik Vollebregt

Medical Devices Under Attack

Medigate

What You Need to Know About Intelligent Network Segmentation

Medigate

Why Medical Devices Are So Vulnerable

Medigate

Unlock the Power of Your IoT Security Platform

Medigate

Detroit ISSA Healthcare CybersecurityDoug Copley

Tcs cybersecurity for healthcare

Comtech TCS

Nexthink for Health Care

Brock Spradling

Tech Refresh - Cybersecurity in Healthcare

CompTIA

DR. STEVEN GORIAH, Vice President of Information Technology & CISO Westchester Medical Center Health Network The U.S Healthcare system is seeing a staggering amount of security breaches each year. In this session, you’ll learn about the role of a cybersecurity framework, best practices in choosing a framework, and which framework best fits your organization and why. Dr. Goriah will also speak on implementation, roles and responsibilities and why it's essential to create a culture of privacy and security

Securing Mobile Healthcare Application

CitiusTech

Security for Healthcare Devices - Will Your Device Be Good Enough?

Rio Valdes

Meaningful Use and Security Risk Analysis

Evan Francen

Understanding Cybersecurity in Medical Devices and Applications

EMMAIntl

One of the major pillars of the current Industry 4.0 is Automation. Indeed, technology is intervening in almost every domain to “automate” the workforce and make human life easier and better. In the present age, machines are getting integrated with the Internet of Things, Cloud Computing, and Artificial Intelligence with the data flow being transferred and processed via the Internet. These changes indeed catalyze the overall productivity, but also expose data to the public domains. In cases of continuous data transfers and exposition, Cybersecurity becomes a pivotal element where it not only protects the data but also proactively provides mechanisms to defend against malicious attacks and malware. In the case of medical devices that include sensitive medical data flows and software-controlled hardware devices like heart implants or Continuous Glucose Monitoring (CGM) devices, Cybersecurity becomes an important factor for contributing towards system safety and quality...

New Security Legislation & It's Implications for OSS Management

Black Duck by Synopsys

As legislators continue to expand the scope of the laws governing information security, we will take a look at some of the new European-level laws in this area from an open source perspective, and consider their impact on OSS management practices. The session will focus on the General Data Protection Regulation, not only because it applies to everyone, but also because its requirements are in many ways the most detailed and prescriptive. During the session we will also touch on some industry-specific developments like the Network and Information Services Directive and the Electronic Identification Regulation. Dan will cover what the new laws say (and perhaps more importantly what they don’t say), how to go about applying them to your OSS management regime, and what you might need to think about changing as a result.

Speeding up Healthcare Application with HTTP/2

CitiusTech

Healthcare data is being increasingly accessed over the public internet. With the rapid adoption of EHRs and patient portals, more and more healthcare technology providers are looking at providing the same features over the internet in a SaaS model to reduce feature to market time. As they embrace trends and begin supporting new use cases such as wearables, mobile health, AI and chat bots, more data gets transferred over the same public internet infrastructure Secondly, there is a pressing need to optimize the time healthcare professionals spend on IT per patient instead of patient care. Hence, getting timely and accurate information is of utmost importance to ensure better patient care. Patient engagement initiatives such as patient education, medication and visit reminder, positively impact patient outcomes and are a huge success if the applications built for the same provide seamless user experience. Internet based applications rely on HTTP. As web application became more prevalent, inefficiencies of HTTP need to be addressed. HTTP/2 (Hypertext Transfer Protocol Version 2) is the update to HTTP protocol that has been built with the aim of improving performance and reducing end user perceived latency, reducing network and server resource usage.This document introduces the features and benefits of HTTP/2 and how you can start using HTTP/2

HIPAA security risk assessments

Jose Ivan Delgado, Ph.D.

How to Secure Medical Devices presentation.pptx

Shandevinda

Data Breaches and Security: Ditching Data Disasters-Michael McNeil, Philips H...

IT Network marcus evans

What's hot

Network Connected Medical Devices - A Case Study

SophiaPalmira

Medical device security presentation - Frank Siepmann

Frank Siepmann

[Wroclaw #6] Medical device security

OWASP

Clinical Risk Management

Medigate

EU cybersecurity requirements under current and future medical devices regula...

Erik Vollebregt

Medical Devices Under Attack

Medigate

What You Need to Know About Intelligent Network Segmentation

Medigate

Why Medical Devices Are So Vulnerable

Medigate

Unlock the Power of Your IoT Security Platform

Medigate

Detroit ISSA Healthcare CybersecurityDoug Copley

Tcs cybersecurity for healthcare

Comtech TCS

Nexthink for Health Care

Brock Spradling

Tech Refresh - Cybersecurity in Healthcare

CompTIA

Securing Mobile Healthcare Application

CitiusTech

Security for Healthcare Devices - Will Your Device Be Good Enough?

Rio Valdes

Meaningful Use and Security Risk Analysis

Evan Francen

Understanding Cybersecurity in Medical Devices and Applications

EMMAIntl

New Security Legislation & It's Implications for OSS Management

Black Duck by Synopsys

Speeding up Healthcare Application with HTTP/2

CitiusTech

HIPAA security risk assessments

Jose Ivan Delgado, Ph.D.

What's hot (20)

Network Connected Medical Devices - A Case Study

Medical device security presentation - Frank Siepmann

[Wroclaw #6] Medical device security

Clinical Risk Management

EU cybersecurity requirements under current and future medical devices regula...

Medical Devices Under Attack

What You Need to Know About Intelligent Network Segmentation

Why Medical Devices Are So Vulnerable

Unlock the Power of Your IoT Security Platform

Detroit ISSA Healthcare Cybersecurity

Tcs cybersecurity for healthcare

Nexthink for Health Care

Tech Refresh - Cybersecurity in Healthcare

Securing Mobile Healthcare Application

Security for Healthcare Devices - Will Your Device Be Good Enough?

Meaningful Use and Security Risk Analysis

Understanding Cybersecurity in Medical Devices and Applications

New Security Legislation & It's Implications for OSS Management

Speeding up Healthcare Application with HTTP/2

HIPAA security risk assessments

Similar to Cybersecurity in medical devices

How to Secure Medical Devices presentation.pptx

Shandevinda

Data Breaches and Security: Ditching Data Disasters-Michael McNeil, Philips H...

IT Network marcus evans

Cloud Platform for Remote Patient Monitoring. Case: Stroke Remote Care.

pselonen

Presentation at AI morning in April 13th at Tampere University of Technology Kampusklubi. "AI Morning in April 13th experiments with a new distinctive concept and remixes together machine learning and analytics in the two verticals of healthcare and industry! There is a huge common ground in diagnostics of people and machines, and the same algorithms can be used in both. The presenters from healthcare and industry keynote a conversational networking forum in theme: 'Health: analytics'." See http://www.aiaamu.fi/

Risk Management Approach to Cyber Security

Ernest Staats

Health apps regulation and quality control case studies and session 2 present...

3GDR

Health apps regulation and quality control case studies and session 2 present...

3GDR

HXR 2017: Bakul Patel: How the FDA Is Promoting Innovation and Protecting the...

HxRefactored

Best_practices-_Access_controls_for_medical_devices (1).pdf

Jacob Li

HIT Policy Committee FDASIA Update

Brian Ahier

Chapter 16bodo-con

Identifying Safety Signals by Data Mining the FDA Adverse Event Reporting Sys...

Perficient, Inc.

Ever since the European Union (EU) introduced new legislation that requires life sciences companies to proactively detect, prioritize, and evaluate safety signals, there has been an increased interest, not only from sponsors and CROs in the EU, but globally, in pharmacovigilance systems that can assist with the signal management process. Perficient's Chris Wocosky, an expert in signal detection and management, shows how your organization can use Empirica Signal, Oracle's state-of-the-art signal detection system to data mine the existing FDA Adverse Event Reporting System (FAERS) to determine safety signals. This presentation and demonstration willhelp you bettter understand how this solution can be used in daily pharmacovigilance activities.

Medical Product Development cycle

max hanafi

How to Secure Your Medical Devices

SecurityMetrics

Computer Software Assurance (CSA): Understanding the FDA’s New Draft Guidance

Greenlight Guru

Adequate directions for use "In the Age of AI and Watson"

Stephen Allan Weitzman

Design Considerations to Maximize Medical Device Cloud Connectivity

Greenlight Guru

Medical device manufacturers are faced with a myriad of design decisions during product development. Several key decisions affecting market readiness must be addressed between bench-top prototypes and initiation of clinical trials. Among the most important are cloud connectivity considerations surrounding firmware, hardware, and use cases. The earlier cloud connectivity factors are identified, considered, and integrated into the design process, the more successful the resulting commercial roll-out in terms of cost, certification, and market acceptance. • Key design factors medical device manufacturers should consider • Advantages of considering connectivity early in the design process • Practical use-case examples highlight more cost-effective clinical trials, wider market acceptance, and reduction in operational costs This session took place live at the Greenlight Guru True Quality Virtual Summit, a three-day event for medical device professionals to learn to get their devices to market faster, stay ahead of regulatory changes, and use quality as their multiplier to grow their device business.

Usability Validation Testing of Medical Devices and Software

UXPA Boston

The U.S. FDA and international regulatory bodies require usability testing of medical devices, products, software, and systems as part of their overall validation. Manufacturers must demonstrate that all potential use-related hazards have been identified, prioritized, and mitigated. The method for demonstrating this is human factors/usability engineering (HF/UE) validation testing. However, the way we conduct these studies is in many ways different from the way we conduct studies of non-medical products and systems. This topic is relevant to the Boston UX community given the convergence of consumer and medical devices, as well as the rise of wearable technologies and the apps that interact with them. This presentation will cover the key aspects of HF/UE validation (a.k.a. ‘summative’) testing and what the FDA expects in the final HF/UE summary report. Importantly, this session will consist of half presentation and half Q&A, with the audience driving the discussion toward current issues, questions, and challenges that are relevant to them.

Webinar: Medical Device Security: An Industry Under Attack and Unprepared to ...

Synopsys Software Integrity Group

A recent survey commissioned by Synopsys was designed to understand the risks to clinicians and patients due to insecure medical devices. The resulting report identified some expected findings, but others were extremely surprising. For instance, 67% of medical device manufacturers and 56% of healthcare delivery organizations believe an attack on a medical device built or in use by their organization is likely to occur over the next 12 months. Join Larry Ponemon of the Ponemon Institute and Mike Ahmadi of Synopsys as they discuss report highlights. They provide insight and predictions regarding the future of security in the medical device and healthcare industries.

Cybersecurity Challenges in Healthcare

Doug Copley

Software security engineering

aizazhussain234

Similar to Cybersecurity in medical devices (20)

How to Secure Medical Devices presentation.pptx

Data Breaches and Security: Ditching Data Disasters-Michael McNeil, Philips H...

Cloud Platform for Remote Patient Monitoring. Case: Stroke Remote Care.

Risk Management Approach to Cyber Security

Health apps regulation and quality control case studies and session 2 present...

HXR 2017: Bakul Patel: How the FDA Is Promoting Innovation and Protecting the...

Best_practices-_Access_controls_for_medical_devices (1).pdf

HIT Policy Committee FDASIA Update

Chapter 16

Identifying Safety Signals by Data Mining the FDA Adverse Event Reporting Sys...

Medical Product Development cycle

How to Secure Your Medical Devices

Computer Software Assurance (CSA): Understanding the FDA’s New Draft Guidance

Adequate directions for use "In the Age of AI and Watson"

Design Considerations to Maximize Medical Device Cloud Connectivity

Usability Validation Testing of Medical Devices and Software

Webinar: Medical Device Security: An Industry Under Attack and Unprepared to ...

Cybersecurity Challenges in Healthcare

Software security engineering

Recently uploaded

NKTI Annual Report - Annual Report FY 2022

nktiacc3

Bringing AI into a Mid-Sized Company: A structured Approach

Brian Frerichs

Navigating Challenges: Mental Health, Legislation, and the Prison System in B...

Guillermo Rivera

This conference will delve into the intricate intersections between mental health, legal frameworks, and the prison system in Bolivia. It aims to provide a comprehensive overview of the current challenges faced by mental health professionals working within the legislative and correctional landscapes. Topics of discussion will include the prevalence and impact of mental health issues among the incarcerated population, the effectiveness of existing mental health policies and legislation, and potential reforms to enhance the mental health support system within prisons.

Suraj Goswami Journey From Guru Kashi University

Suraj Goswami

Global launch of the Healthy Ageing and Prevention Index 2nd wave – alongside...

ILC- UK

The Healthy Ageing and Prevention Index is an online tool created by ILC that ranks countries on six metrics including, life span, health span, work span, income, environmental performance, and happiness. The Index helps us understand how well countries have adapted to longevity and inform decision makers on what must be done to maximise the economic benefits that comes with living well for longer. Alongside the 77th World Health Assembly in Geneva on 28 May 2024, we launched the second version of our Index, allowing us to track progress and give new insights into what needs to be done to keep populations healthier for longer. The speakers included: Professor Orazio Schillaci, Minister of Health, Italy Dr Hans Groth, Chairman of the Board, World Demographic & Ageing Forum Professor Ilona Kickbusch, Founder and Chair, Global Health Centre, Geneva Graduate Institute and co-chair, World Health Summit Council Dr Natasha Azzopardi Muscat, Director, Country Health Policies and Systems Division, World Health Organisation EURO Dr Marta Lomazzi, Executive Manager, World Federation of Public Health Associations Dr Shyam Bishen, Head, Centre for Health and Healthcare and Member of the Executive Committee, World Economic Forum Dr Karin Tegmark Wisell, Director General, Public Health Agency of Sweden

ICH Guidelines for Pharmacovigilance.pdf

NEHA GUPTA

The "ICH Guidelines for Pharmacovigilance" PDF provides a comprehensive overview of the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH) guidelines related to pharmacovigilance. These guidelines aim to ensure that drugs are safe and effective for patients by monitoring and assessing adverse effects, ensuring proper reporting systems, and improving risk management practices. The document is essential for professionals in the pharmaceutical industry, regulatory authorities, and healthcare providers, offering detailed procedures and standards for pharmacovigilance activities to enhance drug safety and protect public health.

Deep Leg Vein Thrombosis (DVT): Meaning, Causes, Symptoms, Treatment, and Mor...

The Lifesciences Magazine

CHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdf

Sachin Sharma

This content provides an overview of preventive pediatrics. It defines preventive pediatrics as preventing disease and promoting children's physical, mental, and social well-being to achieve positive health. It discusses antenatal, postnatal, and social preventive pediatrics. It also covers various child health programs like immunization, breastfeeding, ICDS, and the roles of organizations like WHO, UNICEF, and nurses in preventive pediatrics.

Under Pressure : Kenneth Kruk's Strategy

Kenneth Kruk

Cold Sores: Causes, Treatments, and Prevention Strategies | The Lifesciences ...

The Lifesciences Magazine

Dimensions of Healthcare Quality

Naeemshahzad51

The dimensions of healthcare quality refer to various attributes or aspects that define the standard of healthcare services. These dimensions are used to evaluate, measure, and improve the quality of care provided to patients. A comprehensive understanding of these dimensions ensures that healthcare systems can address various aspects of patient care effectively and holistically. Dimensions of Healthcare Quality and Performance of care include the following; Appropriateness, Availability, Competence, Continuity, Effectiveness, Efficiency, Efficacy, Prevention, Respect and Care, Safety as well as Timeliness.

Trauma Outpatient Center .

TraumaOutpatientCent

Trauma Outpatient Center is a comprehensive facility dedicated to addressing mental health challenges and providing medication-assisted treatment. We offer a diverse range of services aimed at assisting individuals in overcoming addiction, mental health disorders, and related obstacles. Our team consists of seasoned professionals who are both experienced and compassionate, committed to delivering the highest standard of care to our clients. By utilizing evidence-based treatment methods, we strive to help our clients achieve their goals and lead healthier, more fulfilling lives. Our mission is to provide a safe and supportive environment where our clients can receive the highest quality of care. We are dedicated to assisting our clients in reaching their objectives and improving their overall well-being. We prioritize our clients' needs and individualize treatment plans to ensure they receive tailored care. Our approach is rooted in evidence-based practices proven effective in treating addiction and mental health disorders.

TOP AND BEST GLUTE BUILDER A 606 | Fitking Fitness

Fitking Fitness

"Feature: • Intelligent Ergonomically Design Glute Builder Is A Must Have For Those Looking To Target Their Gluteal Muscles And Hamstrings With Precision. • The Ability To Adjust The Starting Position, This Machine Allows For A More Targeted Workout That Is Tailored To Your Specific Needs. • Spacious And Supportive Cushioned Seat Provide Added Comfort And Stability During Your Workout." Get more information visit on:- www.fitking.in Our mail I.D:-care@fitking.in, fitking.in@gmail.com Call us at :- 9958880790, 9870336406, 8800695917

karnapuran PPT made by Dr nishant very easy to understand how karanapuran is ...

Nishant Taralkar

The Impact of Meeting: How It Can Change Your Life

ranishasharma67

Mastoid cavity problem and obilteration presentation by Dr Salison Salim Pani...

salisonsalim1

Nursing Care of Client With Acute And Chronic Renal Failure.ppt

Rommel Luis III Israel

Surgery-Mini-OSCE-All-Past-Years-Questions-Modified.

preciousstephanie75

ABDOMINAL COMPARTMENT SYSNDROME

Rommel Luis III Israel

The Importance of COVID-19 PCR Tests for Travel in 2024.pptx

Global Travel Clinics

COVID-19 PCR tests remain a critical component of safe and responsible travel in 2024. They ensure compliance with international travel regulations, help detect and control the spread of new variants, protect vulnerable populations, and provide peace of mind. As we continue to navigate the complexities of global travel during the pandemic, PCR testing stands as a key measure to keep everyone safe and healthy. Whether you are planning a business trip, a family vacation, or an international adventure, incorporating PCR testing into your travel plans is a prudent and necessary step. Visit us at https://www.globaltravelclinics.com/

Recently uploaded (20)

NKTI Annual Report - Annual Report FY 2022

Bringing AI into a Mid-Sized Company: A structured Approach

Navigating Challenges: Mental Health, Legislation, and the Prison System in B...

Suraj Goswami Journey From Guru Kashi University

Global launch of the Healthy Ageing and Prevention Index 2nd wave – alongside...

ICH Guidelines for Pharmacovigilance.pdf

Deep Leg Vein Thrombosis (DVT): Meaning, Causes, Symptoms, Treatment, and Mor...

CHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdf

Under Pressure : Kenneth Kruk's Strategy

Cold Sores: Causes, Treatments, and Prevention Strategies | The Lifesciences ...

Dimensions of Healthcare Quality

Trauma Outpatient Center .

TOP AND BEST GLUTE BUILDER A 606 | Fitking Fitness

karnapuran PPT made by Dr nishant very easy to understand how karanapuran is ...

The Impact of Meeting: How It Can Change Your Life

Mastoid cavity problem and obilteration presentation by Dr Salison Salim Pani...

Nursing Care of Client With Acute And Chronic Renal Failure.ppt

Surgery-Mini-OSCE-All-Past-Years-Questions-Modified.

ABDOMINAL COMPARTMENT SYSNDROME

The Importance of COVID-19 PCR Tests for Travel in 2024.pptx

Cybersecurity in medical devices

1. Cybersecurity in Medical Devices Post Market Management Safis Solutions

2. The Problem • More and more Medical Devices are being designed to be networked with other patient care systems Ø Networked devices include software that may be vulnerable to cybersecurity threats • Safety and Effectiveness Impact • Risk to Public Health Ø

3. The Impact • Compromised Device Functionality • Loss of Data Availability or Integrity Ø Medical Ø Personal • Exposure of other connected devices or networks to security threats Ø All of the above may lead to potential patient illness, injury, or death

4. Scope • Software containing Medical Devices • Software that is a Medical Device Note: Guidance Not Applicable to Experimental or Investigational Devices

5. The Solution - FDA’s Expectation • Holistic Ø Includes the entire Product Lifecycle of the device – from conception to obsolescence • Not just a point-in-time intervention Ø Continual monitoring, including post market Ø E.g. Monitoring vulnerabilities inadvertently introduced during patch releases • Device Manufacturers responsible Ø Proactive, not reactive, posture expected from manufacturers Ø Active, voluntary participation in an ISAO ISAO: Information Sharing Analysis Organizations, per Executive Order # 13691, released 13th Feb 2015

6. FDA’s Guidance • Cybersecurity for Networked Medical Devices containing OTS Software Ø Jan 14, 2005 • Content of Premarket Submissions for Management of Cybersecurity in Medical Devices Ø Oct 2, 2014 • Post Market Management of Cybersecurity in Medical Devices (Draft) Ø Jan 22, 2016 Purchasing Post market monitoring Design

7. Key Themes • Collaboration • ISAO Participation • Shared Responsibility Ø Cognate terms for collaboration and sharing occur 24 times in the document • Proactive approach • Risk based approach • Essential Clinical Performance Ø This term occurs 58 times in the document Ø Idea borrowed from IEC 60601-1, but ‘clinical’ added in this document You approach your cybersecurity program with this… …to preserve this.

8. Collaboration – Key Communities Healthcare Delivery Organizations (HDOs) Clinical User Community Medical Device Community IT Community ISAO

9. Collaboration – product view User IT System Integrator Health IT Developers IT Vendors Manufacturer ISAO

10. Collaboration • Advantages Ø Sharing of established resources • Standards; Guidelines; Best practices; Frameworks Ø Consistent threat assessment & mitigation • Outputs Ø Develop a Cybersecurity Risk Management Culture Ø Establish a Common Understanding • Goal Ø Device safety is preserved Ø Device effectiveness is not compromised

11. Comprehensive Cybersecurity Program • NIST Framework for improving critical infrastructure cybersecurity Ø Identify Ø Protect Ø Detect Ø Respond Ø Recover • http:// www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.p

12. Identify • Define Essential Clinical Performance • Identify Cybersecurity Signals •

13. Protect / Detect • Assess and Characterize Vulnerability • Analyze Risk (Threat Modeling) • Analyze Threat Sources • Incorporate Threat Detection Capabilities • ‘Impact Assess’ all Devices •

14. Protect / Respond / Recover • Assess Compensating Controls Ø Detect / Respond • Mitigate Risk of Essential Clinical Performance •

15. End Note • The NIST Framework is mentioned here at the very highest level • The purpose of its mention is to simply raise an awareness • A separate slide deck is warranted to delve deeper into what it is and how it can be implemented • Individuals are encouraged to ask questions or provide comments on the FDA guidance on post market management of cybersecurity in medical devices until April 21st of 2016

Editor's Notes

1
2
3
4 Software includes firmware and/orprogrammable logic
5
6 Implications are:responsible purchasing, recognizing cybersecurity issues up front; Cybersecurity as a design consideration; and continual ongoing monitoring of patches post market
7

Cybersecurity in medical devices

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cybersecurity in medical devices

Similar to Cybersecurity in medical devices (20)

Recently uploaded

Recently uploaded (20)

Cybersecurity in medical devices

Editor's Notes