CYBERSECURITY IN
MEDICAL DEVICES
PRESENTED BY : SHEERSHA PRAMANIK
(NIPERA1719MD10)
COURSE INSTRUCTOR : DR. MUKTY SINHA
FLOW OF PRESENTATION
 INTRODUCTION
 TECHNOLOGICAL ADVANCEMENT IN MEDICAL DEVICES
 REASONS FOR FOCUSING ON CYBERSECURITY
 ROLE OF FDA
 MED ISAO
 PRINCIPLES OF MEDICAL DEVICES SECURITY
 TYPES OF ATTACKS
 EXAMPLES OF SOME NETWORKED DEVICES
 EXAMPLES OF SOME ATTACKS
 PREVENTION STEPS
 STANDARDS
INTRODUCTION
 What is a medical device?
 “An instrument, apparatus, implement, machine, contrivance, implant … which is
intended for use in the diagnosis of disease or other conditions, or in the cure,
mitigation, treatment, or prevention of disease” – Food, Drug and Cosmetic Act
 What is cybersecurity?
 Protection of devices and their data against two broad classes of threat:
 Unauthorized access to data (either resident in or exchanged between systems)
 Attacks on system resources (i.e. computer hardware, operating system and
application software) by malicious computer programs
TECHNOLOGICAL ADVANCEMENT IN
MEDICAL DEVICES
BEFORE                                               | AFTER
Data obtained from devices are stored on paper       | Data obtained from devices are stored in the cloud
or locally                                           |
Devices are physical products                        | Devices include software and even databases of
                                                     | health information
Devices are connected to patients physically         | Devices are connected wirelessly to patients and
                                                     | to other devices
Physical access is needed to view health data        | Health data can be accessed anywhere on earth
Care is hand-administered at a health care location  | Care is available to patients in the palm of their
                                                     | hand through apps
WHY IS CYBERSECURITY NOW GETTING MORE
ATTENTION?
THE DRIVER AND THE IMPACT
TOTAL BUSINESS CONNECTED
A business’ payroll, sales and products might all be connected to the Internet, and
therefore all exposed.
SYSTEMIC RISKS
A single new vulnerability can leave a once-secure business open to major problems
immediately.
RISK TO PHYSICAL ASSETS
Internet-connected products are exposed to physical consequences, including failure
of the product itself.
FDA’s GUIDANCE
 Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS)
Software - Jan 14, 2005
 Content of Premarket Submissions for Management of Cybersecurity in Medical
Devices - Oct 2, 2014
 Postmarket Management of Cybersecurity in Medical Devices - draft Jan 22, 2016
(final guidance issued Dec 28, 2016)
Lifecycle stages the guidance covers: purchasing, design, premarket submissions,
postmarket monitoring.
 This guidance was developed by the FDA to assist industry by identifying cybersecurity
issues that manufacturers should consider in the design and development of their medical
devices, and in preparing premarket submissions for those devices.
 The guidance applies to the following submission types:
1. Premarket Notification (510(k)), including Traditional, Special and Abbreviated
2. De novo submissions
3. Premarket Approval Applications (PMA)
4. Product Development Protocols (PDP)
5. Humanitarian Device Exemption (HDE) submissions
CONTD.
 Manufacturers should address cybersecurity during the design and development of the medical
device.
 Manufacturers should establish design inputs for their device related to cybersecurity, and
establish a cybersecurity vulnerability and management approach as part of the software
validation and risk analysis that is required by 21 CFR 820.30(g).
 The approach should appropriately address the following elements:
1. Identification of assets, threats, and vulnerabilities;
2. Assessment of the impact of threats and vulnerabilities on device functionality;
3. Assessment of the likelihood of a threat and of a vulnerability being exploited;
4. Determination of risk levels and suitable mitigation strategies;
5. Assessment of residual risk and risk acceptance criteria.
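The five elements above are a procedure, and it is easier to see how they connect when written down as one. The following is an added example (it is not code from the slides or from the FDA): a small security risk register that carries a threat from asset/threat/vulnerability through impact and likelihood to a risk level, applies mitigations, and checks the residual risk against an acceptance criterion. The 5x5 scale, the threats, the scores and the effect of each control are constructed for a hypothetical wireless infusion pump, not taken from any real device.

```python
"""Security risk analysis in the five steps the FDA premarket guidance lists:
identify assets, threats and vulnerabilities; assess impact; assess likelihood;
derive a risk level and mitigations; evaluate residual risk against acceptance
criteria.  Added example; threats, scores and control effects are illustrative
and not taken from any real device."""
from dataclasses import dataclass, field


def risk_level(likelihood: int, impact: int) -> str:
    """Collapse a 5x5 likelihood/impact matrix to four levels (illustrative scale)."""
    score = likelihood * impact
    if score >= 15:
        return "critical"
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Control:
    """A mitigation and how many points it removes from likelihood or impact."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Threat:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1..5, chance of exploitation before any control
    impact: int      # 1..5, effect on device function and patient safety
    controls: list = field(default_factory=list)

    def residual(self) -> tuple:
        """Likelihood and impact after controls, floored at 1 (risk is never zero)."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik, imp


def assess(threats, acceptable=("low", "medium")) -> list:
    """Return one row per threat: initial level, residual level, accepted yes/no."""
    rows = []
    for t in threats:
        lik, imp = t.residual()
        residual = risk_level(lik, imp)
        rows.append({
            "asset": t.asset,
            "threat": t.threat,
            "initial": risk_level(t.likelihood, t.impact),
            "residual": residual,
            "accepted": residual in acceptable,
        })
    return rows


def example_register() -> list:
    """Constructed register for a hypothetical wireless infusion pump."""
    return [
        Threat("dose command channel", "attacker sends dose command over RF",
               "commands are not authenticated", likelihood=4, impact=5,
               controls=[Control("HMAC-authenticated commands with counter", likelihood_reduction=3),
                         Control("hardware dose limit independent of firmware", impact_reduction=2)]),
        Threat("service interface", "attacker logs in as technician",
               "hard-coded service password", likelihood=5, impact=3,
               controls=[Control("per-device service credentials", likelihood_reduction=2)]),
        Threat("treatment log", "attacker reads removed SD card",
               "log stored unencrypted", likelihood=3, impact=2),
    ]


if __name__ == "__main__":
    for row in assess(example_register()):
        print(f"{row['asset']:<22} {row['initial']:<9} -> {row['residual']:<8} accepted={row['accepted']}")
```

The point of the residual-risk step is visible in the second row: a single control brings a critical risk down only to high, which the acceptance criterion rejects, so the register tells the design team that another mitigation is needed before the analysis can be closed. Whatever scale a manufacturer actually uses, the acceptance criterion must be fixed before scoring, not adjusted afterwards to fit the result.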
MAIN TAKEAWAYS FROM FDA’S
GUIDANCE
POST MARKET GUIDANCE
 Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated
with their medical devices, including risks related to cybersecurity.
 Monitoring cybersecurity information sources for identification and detection of cybersecurity
vulnerabilities and risk;
 Understanding, assessing and detecting presence and impact of a vulnerability;
 Establishing and communicating processes for vulnerability intake and handling;
 Clearly defining essential clinical performance to develop mitigations that protect, respond and
recover from the cybersecurity risk;
 Adopting a coordinated vulnerability disclosure policy and practice; and
 Deploying mitigations that address cybersecurity risk early and prior to exploitation.
CONTD.
 Manufacturers should report these vulnerabilities to the FDA under 21 CFR part 806
(corrections and removals), unless they are reported under 21 CFR parts 803 or 1004.
 However, the FDA does not intend to enforce the reporting requirements of 21 CFR part 806
if all of the following circumstances are met:
 There are no known serious adverse events or deaths associated with the vulnerability,
 Within 30 days of learning of the vulnerability, the manufacturer identifies and implements
device changes and/or compensating controls to bring the residual risk to an acceptable level
and notifies users, and
 The manufacturer is a participating member of an ISAO, such as NH-ISAC (National Health
Information Sharing and Analysis Center).
*(ISAO: Information Sharing and Analysis Organization)
 Note: these are the conditions of the January 2016 draft. The final guidance of December
2016 keeps the 30-day window for notifying users and identifying interim compensating
controls, but also expects a validated fix to be distributed within 60 days.
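The postmarket duties listed above (monitoring information sources, detecting whether a vulnerability is present, assessing its impact on essential clinical performance, and mitigating before exploitation) start with a mechanical step: comparing the device's software inventory with incoming advisories. The following is an added example, not code from the slides or from any vendor or ISAO feed: it matches a constructed component inventory against constructed advisories using numeric version comparison and sorts the hits so that anything touching essential clinical performance comes first. The component names, versions and ADV-nnnn identifiers are made up and do not refer to real products or CVEs; it assumes dotted-numeric version strings.

```python
"""Postmarket vulnerability intake: match a device's software inventory against
published advisories and flag which hits touch essential clinical performance.
Added example; component names, versions and advisory identifiers are constructed
for illustration and do not refer to real products or CVEs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    introduced: str              # first affected version, inclusive
    fixed: str                   # first fixed version, exclusive; "" when no fix exists
    essential_performance: bool  # does exploitation affect essential clinical performance?


def parse_version(text: str) -> tuple:
    """'1.4.10' -> (1, 4, 10); dotted-numeric versions only (assumption)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_affected(component: Component, adv: Advisory) -> bool:
    """introduced <= version < fixed, comparing numerically rather than as strings."""
    if component.name != adv.component:
        return False
    v = parse_version(component.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed == "" or v < parse_version(adv.fixed)


def triage(inventory, advisories) -> list:
    """One finding per (component, advisory) hit, most urgent first."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            if is_affected(comp, adv):
                findings.append({
                    "advisory": adv.advisory_id,
                    "component": f"{comp.name} {comp.version}",
                    "fix_available": adv.fixed != "",
                    # The guidance asks for mitigations that protect essential clinical
                    # performance before exploitation: those go to the top of the queue.
                    "priority": "mitigate-now" if adv.essential_performance else "schedule",
                })
    findings.sort(key=lambda f: (f["priority"] != "mitigate-now", f["advisory"]))
    return findings


# Constructed inventory for a hypothetical infusion pump and a constructed advisory feed.
INVENTORY = [
    Component("netstack", "1.3.7"),
    Component("tlslib", "2.3.0"),
    Component("rtos", "4.9.2"),
    Component("pump-ui", "3.1.0"),
]
ADVISORIES = [
    Advisory("ADV-0001", "netstack", "1.2.0", "1.4.1", essential_performance=True),
    Advisory("ADV-0002", "tlslib", "2.0.0", "2.3.0", essential_performance=False),  # already at fixed version
    Advisory("ADV-0003", "rtos", "5.0.0", "", essential_performance=True),           # installed version predates the bug
    Advisory("ADV-0004", "pump-ui", "3.0.0", "", essential_performance=False),       # affected, no fix published yet
]

if __name__ == "__main__":
    for finding in triage(INVENTORY, ADVISORIES):
        print(finding)
```

Two details matter in practice. Versions must be compared numerically, since a string comparison would rank "1.10" below "1.9" and silently miss a hit. And an advisory with no fixed version (ADV-0004 here) still produces a finding: the 30-day clock in the guidance runs from learning of the vulnerability, so the intake process must track compensating controls for components that cannot yet be patched.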
MED ISAO
 A medical device “Information Sharing and Analysis Organization”.
 Provides ongoing cybersecurity information tailored to the medical device industry.
 Alerts members to potential threats.
 Geared towards smaller manufacturers and startups.
 ISAOs protect the privacy of individuals and preserve business confidentiality,
safeguarding the information being shared.
 The FDA considers participation in an ISAO a critical component of a medical device
manufacturer’s comprehensive, proactive approach to the management of postmarket
cybersecurity threats.
 The aim of the ISAO program is to improve the Nation’s cybersecurity posture by
identifying standards and guidelines for robust and effective information sharing and
analysis related to cybersecurity risks, incidents, and best practices.
ADVANTAGE OF ISAO MEMBERSHIP
 From the guidance:
 “Participants in an ISAO can request that their information be treated as Protected
Critical Infrastructure Information. Such information is shielded from any release
otherwise required by the Freedom of Information Act or State Sunshine Laws and
is exempt from regulatory use and civil litigation if the information satisfies the
requirements of the Critical Infrastructure Information Act of 2002”
PRINCIPLES FOR MEDICAL DEVICE
SECURITY
Security risk management plan
Security risk analysis
Security risk evaluation
Security risk control
Evaluation of overall residual
security risk acceptability
Security risk management report
Production and post-production
information
From TIR57: Principles for medical device security – Risk management © 2016 by the Association for the Advancement of Medical Instrumentation
TYPES OF ATTACKS
 Carrier-based methods
 Man-in-the-middle (MitM) attacks that read or alter data in transit, or hijack the
wireless transmission altogether.
 Endpoint-based methods
 Injecting code to tamper with the web application or web services that front the device.
 Stealing sensitive phone contents (for example of a companion app) using malware.
 Reading sensitive data stored on the device’s SD card.
 Wireless-interface-based methods
 Stealing data while it is in transit over the wireless channel.
 Exploiting weak access control and authentication on the wireless interface.
EXAMPLES OF NETWORKED DEVICES AND ATTACKS
 1. PACEMAKER
 Small device placed in the chest or abdomen to help control abnormal heart rhythms.
 Uses electrical pulses to prompt the heart to beat at a normal rate.
 Modern units have wireless transmitters so they can be programmed without an invasive
procedure.
PACEMAKERS - THE DANGER
 The convenience of wireless transmitters makes remote attacks on a device inside the
body possible.
 Such attacks need not come from a laptop: malware installed on a hospital or company
computer that briefly interacts with an implant can carry them out as well.
 An attacker could infect or reprogram the device, or command it to perform a lethal
function.
 BARNABY JACK demonstrated a way to hack into a pacemaker via its wireless transmitter
and make the device deliver an 830-volt shock to the patient.
 The attack was shown working from a laptop 30 to 50 feet away.
INSULIN PUMPS
 Device used for the administration of insulin in the treatment of diabetes.
 Many insulin pumps are now wireless.
 Allows the patient to check on the pump’s status and activity.
 Allows control of the dosage administered.
INSULIN PUMPS – THE DANGER
 Wireless transmitters are once again the weak point: an attacker who can issue commands
can make the pump deliver a deadly dose of the hormone.
 There are already patents for insulin pumps that connect to WiFi and are controlled via a
web browser.
 Huge potential for exploits, especially since exploits that compromise web interfaces are
developed daily.
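Both device examples above, and the carrier and wireless-interface attacks listed under Types of Attacks, share one root cause: the device executes whatever command arrives over the radio. The following is an added example, not code from the slides or from any pacemaker or pump vendor. It models a toy programmer-to-implant command link twice: a legacy device that accepts any well-formed frame, and a hardened one that requires an HMAC-SHA256 tag over the frame and a strictly increasing counter, which defeats forgery, tampering in transit and replay of a captured frame. The frame layout, the "set rate" command code and the key are constructed for illustration.

```python
"""Wireless programmer-to-implant command link, unauthenticated versus
authenticated.  Added example, not from the slides or from any vendor: the frame
layout, command codes and key are constructed to show the hijack/replay described
above and one standard way to close it (HMAC-SHA256 tag plus monotonic counter)."""
import hashlib
import hmac
import os
import struct

CMD_SET_RATE = 0x01  # hypothetical "set pacing rate (bpm)" command


class LegacyImplant:
    """Accepts any well-formed frame: whoever can transmit can reprogram it."""

    def __init__(self):
        self.rate_bpm = 60

    def receive(self, frame: bytes) -> bool:
        cmd, value = struct.unpack(">BH", frame)  # 1-byte command, 2-byte value
        if cmd == CMD_SET_RATE:
            self.rate_bpm = value
        return True  # no way to tell the clinician's programmer from an attacker


class AuthenticatedImplant:
    """Frame = cmd(1) | value(2) | counter(4) | tag(16); tag = HMAC-SHA256(key, header)[:16]."""
    HEADER = ">BHI"
    TAG_LEN = 16

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0
        self.rate_bpm = 60

    def _tag(self, header: bytes) -> bytes:
        return hmac.new(self._key, header, hashlib.sha256).digest()[: self.TAG_LEN]

    def receive(self, frame: bytes) -> bool:
        hdr_len = struct.calcsize(self.HEADER)
        if len(frame) != hdr_len + self.TAG_LEN:
            return False
        header, tag = frame[:hdr_len], frame[hdr_len:]
        # Constant-time compare: a timing leak would let an attacker forge tags byte by byte.
        if not hmac.compare_digest(self._tag(header), tag):
            return False  # forged, or tampered with in transit
        cmd, value, counter = struct.unpack(self.HEADER, header)
        if counter <= self._last_counter:
            return False  # replay of a captured frame
        self._last_counter = counter
        if cmd == CMD_SET_RATE:
            self.rate_bpm = value
        return True


def build_frame(key: bytes, counter: int, cmd: int, value: int) -> bytes:
    """What the legitimate programmer sends: header plus its truncated HMAC tag."""
    header = struct.pack(AuthenticatedImplant.HEADER, cmd, value, counter)
    return header + hmac.new(key, header, hashlib.sha256).digest()[: AuthenticatedImplant.TAG_LEN]


def demo() -> dict:
    """Run the attacks from the text against both devices; return what each did."""
    key = os.urandom(32)  # provisioned at manufacture; never sent over the air
    legacy, hardened = LegacyImplant(), AuthenticatedImplant(key)

    # 1. Attacker with a radio injects a dangerous rate into the legacy device.
    legacy.receive(struct.pack(">BH", CMD_SET_RATE, 200))

    # 2. Clinician's programmer sets a legitimate rate on the hardened device.
    good = build_frame(key, counter=1, cmd=CMD_SET_RATE, value=70)
    accepted_legit = hardened.receive(good)

    # 3. Attacker forges without the key, tampers with a captured frame, and replays it.
    forged = struct.pack(AuthenticatedImplant.HEADER, CMD_SET_RATE, 200, 2) + b"\x00" * 16
    accepted_forged = hardened.receive(forged)
    tampered = struct.pack(AuthenticatedImplant.HEADER, CMD_SET_RATE, 200, 1) + good[7:]
    accepted_tampered = hardened.receive(tampered)
    accepted_replay = hardened.receive(good)

    return {
        "legacy_rate_after_attack": legacy.rate_bpm,
        "hardened_rate": hardened.rate_bpm,
        "accepted_legit": accepted_legit,
        "accepted_forged": accepted_forged,
        "accepted_tampered": accepted_tampered,
        "accepted_replay": accepted_replay,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The authentication tag alone is not enough: without the counter, an attacker who records one legitimate "set rate" frame can replay it at will, which is why the hardened receiver rejects any counter that does not increase. A real implant also needs secure key provisioning, protection of the counter across resets, and an emergency path so that a lost programmer key cannot block urgent care, which is the essential clinical performance the FDA guidance asks manufacturers to define.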
Manufacturer Disclosure Statement
for Medical Device Security (MDS2) v2
 Developed by HIMSS (Healthcare Information and Management Systems Society)
and the National Electrical Manufacturers Association (NEMA).
 The 2013 revision gives manufacturers a standard form for disclosing the
cybersecurity features of the medical devices they sell to healthcare providers.
 Hospitals use it as an input to their risk assessments of the vulnerabilities and
risks of the medical devices they deploy.
 Allows easy comparison of security features across different devices and different
manufacturers.
WHAT TO DO TO PROTECT THE DEVICE?
• Protect information and maintain device integrity: product design must protect the
information and the device against any threats posed by external circumstances or by
other connected devices.
• Embed data privacy management: product design must handle patient-sensitive
information so as to meet both HIPAA and FDA requirements.
• Enable risk identification and mitigation: product design must enable identification
and management of risk throughout the product development life cycle.
• Incorporate product safety: product design must incorporate safety features that meet
regulatory requirements, such as alarm systems to protect users and patients from
unanticipated adverse situations.
Applicable standards, technical specifications
and reports
 PAS 277:2015, Health and wellness apps – Quality criteria across the life cycle – Code of practice
 EN ISO 13485:2016, Medical devices – Quality management systems – Requirements for regulatory purposes
 EN ISO 14971:2012, Medical devices – Application of risk management to medical devices
 PD ISO/TR 24971:2013, Medical devices – Guidance on the application of ISO 14971
 EN IEC 62304:2006, Medical device software – Software life cycle processes
 EN IEC 62366-1:2015, Medical devices – Part 1: Application of usability engineering to medical devices
 IEC/ISA 62443 series, Industrial communication networks – Network and system security
 ISO/IEC 27005:2011, Information technology – Security techniques – Information security risk management
 ISO/IEC 27032:2012, Information technology – Security techniques – Guidelines for cybersecurity
 IEC 80001 series, Application of risk management for IT-networks incorporating medical devices
 EN IEC/TR 80002-1:2009, Medical device software – Part 1: Guidance on the application of ISO 14971 to medical device software
 ISO/DTR 80002-2, Medical device software – Part 2: Validation of software for medical device quality systems
 IEC/TR 80002-3:2014, Medical device software – Part 3: Process reference model of medical device software life cycle processes (IEC 62304)
 EN IEC/TR 80001-2-8:2016, Application of risk management for IT-networks incorporating medical devices – Part 2-8: Application guidance – Guidance on standards for establishing the security capabilities identified in IEC 80001-2-2
 IEC 82304-1:2016, Health software – Part 1: General requirements for product safety
REFERENCES
 www.fda.gov
CHEMOTHERAPY_RDP_CHAPTER 6_Anti Malarial Drugs.pdfCHEMOTHERAPY_RDP_CHAPTER 6_Anti Malarial Drugs.pdf
CHEMOTHERAPY_RDP_CHAPTER 6_Anti Malarial Drugs.pdf
 
THERAPEUTIC ANTISENSE MOLECULES .pptx
THERAPEUTIC ANTISENSE MOLECULES    .pptxTHERAPEUTIC ANTISENSE MOLECULES    .pptx
THERAPEUTIC ANTISENSE MOLECULES .pptx
 
Muscles of Mastication by Dr. Rabia Inam Gandapore.pptx
Muscles of Mastication by Dr. Rabia Inam Gandapore.pptxMuscles of Mastication by Dr. Rabia Inam Gandapore.pptx
Muscles of Mastication by Dr. Rabia Inam Gandapore.pptx
 
Efficacy of Avartana Sneha in Ayurveda
Efficacy of Avartana Sneha in AyurvedaEfficacy of Avartana Sneha in Ayurveda
Efficacy of Avartana Sneha in Ayurveda
 
The Best Ayurvedic Antacid Tablets in India
The Best Ayurvedic Antacid Tablets in IndiaThe Best Ayurvedic Antacid Tablets in India
The Best Ayurvedic Antacid Tablets in India
 
TEST BANK For Basic and Clinical Pharmacology, 14th Edition by Bertram G. Kat...
TEST BANK For Basic and Clinical Pharmacology, 14th Edition by Bertram G. Kat...TEST BANK For Basic and Clinical Pharmacology, 14th Edition by Bertram G. Kat...
TEST BANK For Basic and Clinical Pharmacology, 14th Edition by Bertram G. Kat...
 
8 Surprising Reasons To Meditate 40 Minutes A Day That Can Change Your Life.pptx
8 Surprising Reasons To Meditate 40 Minutes A Day That Can Change Your Life.pptx8 Surprising Reasons To Meditate 40 Minutes A Day That Can Change Your Life.pptx
8 Surprising Reasons To Meditate 40 Minutes A Day That Can Change Your Life.pptx
 
Cell Therapy Expansion and Challenges in Autoimmune Disease
Cell Therapy Expansion and Challenges in Autoimmune DiseaseCell Therapy Expansion and Challenges in Autoimmune Disease
Cell Therapy Expansion and Challenges in Autoimmune Disease
 
Promoting Wellbeing - Applied Social Psychology - Psychology SuperNotes
Promoting Wellbeing - Applied Social Psychology - Psychology SuperNotesPromoting Wellbeing - Applied Social Psychology - Psychology SuperNotes
Promoting Wellbeing - Applied Social Psychology - Psychology SuperNotes
 
Cardiac Assessment for B.sc Nursing Student.pdf
Cardiac Assessment for B.sc Nursing Student.pdfCardiac Assessment for B.sc Nursing Student.pdf
Cardiac Assessment for B.sc Nursing Student.pdf
 
Abortion PG Seminar Power point presentation
Abortion PG Seminar Power point presentationAbortion PG Seminar Power point presentation
Abortion PG Seminar Power point presentation
 

Cybersecurity in Medical Devices

  • 1. CYBERSECURITY IN MEDICAL DEVICES
  PRESENTED BY : SHEERSHA PRAMANIK (NIPERA1719MD10)
  COURSE INSTRUCTOR : DR. MUKTY SINHA
  • 2. FLOW OF PRESENTATION
   INTRODUCTION
   TECHNOLOGICAL ADVANCEMENT IN MEDICAL DEVICES
   REASON FOR FOCUSING ON CYBERSECURITY
   ROLE OF FDA
   MED ISAO
   PRINCIPLES OF MEDICAL DEVICE SECURITY
   TYPES OF ATTACKS
   EXAMPLES OF SOME NETWORKED DEVICES
   EXAMPLES OF SOME ATTACKS
   PREVENTION STEPS
   STANDARDS
  • 3. INTRODUCTION
   What is a medical device?
   “An instrument, apparatus, implement, machine, contrivance, implant … which is intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease” – Food, Drug and Cosmetic Act
   What is cybersecurity? It is concerned with protecting against:
   Unauthorized access to data (either resident in or exchanged between systems)
   Attacks on system resources (i.e. computer hardware, operating system and application software) by malicious computer programs.
  • 4. TECHNOLOGICAL ADVANCEMENT IN MEDICAL DEVICES
  BEFORE | AFTER
  Data obtained from devices are stored on paper or locally | Data obtained from devices are stored in the cloud
  Devices are physical products | Devices include software and even databases of health information
  Devices are connected to patients physically | Devices are connected wirelessly to patients and other devices
  Physical access is needed to view health data | Health data can be accessed anywhere on earth
  Care is hand-administered at a health care location | Care is available to patients in the palm of their hand through apps
  • 5. WHY CYBERSECURITY IS NOW BEING FOCUSED ON MORE?
  THE DRIVER | THE IMPACT
  TOTAL BUSINESS CONNECTED | A business’ payroll, sales and products might all be connected to the Internet, and therefore vulnerable
  SYSTEMIC RISKS | A new vulnerability could leave a once-secure business open to major problems immediately
  RISK TO PHYSICAL ASSETS | Internet-connected products are vulnerable to physical problems, including failure
  • 6. FDA’s GUIDANCE
   Cybersecurity for Networked Medical Devices containing OTS Software - Jan 14, 2005
   Content of Premarket Submissions for Management of Cybersecurity in Medical Devices - Oct 2, 2014
   Post Market Management of Cybersecurity in Medical Devices - Jan 22, 2016
  [Figure: device lifecycle stages covered by the guidance: PURCHASING, DESIGN, POST MARKET MONITORING]
  • 7. PRE MARKET SUBMISSIONS
   This guidance has been developed by the FDA to assist industry by identifying issues related to cybersecurity that manufacturers should consider in the design and development of their medical devices, as well as in preparing premarket submissions for those devices.
   The guidance applies to the following submission types:
  1. Premarket Notification (510(k)), including Traditional, Special, and Abbreviated
  2. De novo submissions
  3. Premarket Approval Applications (PMA)
  4. Product Development Protocols (PDP)
  5. Humanitarian Device Exemption (HDE) submissions
  • 8. CONTD.
   Manufacturers should address cybersecurity during the design and development of the medical device.
   Manufacturers should establish design inputs for their device related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 CFR 820.30(g).
   The approach should appropriately address the following elements:
  1. Identification of assets, threats, and vulnerabilities;
  2. Assessment of the impact of threats and vulnerabilities on device functionality;
  3. Assessment of the likelihood of a threat and of a vulnerability being exploited;
  4. Determination of risk levels and suitable mitigation strategies;
  5. Assessment of residual risk and risk acceptance criteria.
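As an added worked example (not from the slides or the FDA guidance), the five elements above carried through as a small risk register in Python: each entry names an asset, threat and vulnerability, scores impact and likelihood, applies mitigations, and checks residual risk against an acceptance criterion. The 1..3 ordinal scales, the acceptance threshold and the register entries are constructed assumptions, not values from any standard or real device.

```python
from dataclasses import dataclass, field

# Element 5: risk acceptance criterion. Assumed value on the constructed
# 1..9 scale (likelihood x impact); a real programme sets its own.
ACCEPTABLE_RISK = 3


def clamp(score: int) -> int:
    """Keep ordinal scores on the constructed 1 (low) .. 3 (high) scale."""
    return max(1, min(3, score))


@dataclass
class SecurityRisk:
    asset: str             # element 1: asset
    threat: str            # element 1: threat
    vulnerability: str     # element 1: vulnerability
    impact: int            # element 2: effect on device functionality, 1..3
    likelihood: int        # element 3: likelihood of exploitation, 1..3
    # element 4: mitigations as (description, likelihood reduction in steps)
    mitigations: list = field(default_factory=list)

    def initial_level(self) -> int:
        return clamp(self.likelihood) * clamp(self.impact)

    def residual_likelihood(self) -> int:
        reduction = sum(step for _, step in self.mitigations)
        return clamp(self.likelihood - reduction)

    def residual_level(self) -> int:
        return self.residual_likelihood() * clamp(self.impact)

    def acceptable(self) -> bool:
        return self.residual_level() <= ACCEPTABLE_RISK


def risk_register(risks):
    """One row per risk; 'accepted' is False where mitigation is still needed."""
    return [{"asset": r.asset, "initial": r.initial_level(),
             "residual": r.residual_level(), "accepted": r.acceptable()}
            for r in risks]


# Constructed sample entries (hypothetical; not taken from any real device).
SAMPLE_RISKS = [
    SecurityRisk("Pump dosing controller", "Remote change of dose settings",
                 "Unauthenticated wireless command channel", impact=3, likelihood=3,
                 mitigations=[("Authenticate and integrity-check commands", 2),
                              ("Enforce clinician-set dose limits in firmware", 1)]),
    SecurityRisk("Stored patient log", "Disclosure of health data",
                 "Unencrypted data on removable storage", impact=2, likelihood=2,
                 mitigations=[("Encrypt data at rest", 1)]),
    SecurityRisk("Hospital network interface", "Malware on a connected workstation",
                 "Device trusts any host on the LAN", impact=3, likelihood=2),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        print(row)
```

The third entry stays flagged because no mitigation has been applied, which is what element 5 is meant to surface before the device ships.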
  • 9. MAIN TAKEAWAYS FROM FDA’S GUIDANCE
  • 10. POST MARKET GUIDANCE
   Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity. This includes:
   Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
   Understanding, assessing and detecting presence and impact of a vulnerability;
   Establishing and communicating processes for vulnerability intake and handling;
   Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk;
   Adopting a coordinated vulnerability disclosure policy and practice; and
   Deploying mitigations that address cybersecurity risk early and prior to exploitation.
  • 11. CONTD.
   Manufacturers should report these vulnerabilities to the FDA according to 21 CFR part 806, unless reported under 21 CFR parts 803 or 1004.
   However, the FDA does not intend to enforce reporting requirements under 21 CFR part 806 if all of the following circumstances are met:
  - There are no known serious adverse events or deaths associated with the vulnerability,
  - Within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users, and
  - The manufacturer is a participating member of an ISAO, such as NH-ISAC (National Health Information Sharing and Analysis Center).
  *(ISAO : Information Sharing and Analysis Organisation)
  • 12. MED ISAO
   A medical device “Information Sharing and Analysis Organization”.
   Provides ongoing cybersecurity information tailored to the medical device industry.
   Alerts members of potential threats.
   Geared towards smaller manufacturers and startups.
   ISAOs protect privacy of individuals and preserve business confidentiality, safeguarding information being shared.
   FDA considers participation in an ISAO a critical component of medical device manufacturers’ comprehensive proactive approach to management of postmarket cybersecurity threats.
   Aim: to improve the Nation’s cybersecurity posture by identifying standards and guidelines for robust and effective information sharing and analysis related to cybersecurity risks, incidents, and best practices.
  • 13. ADVANTAGE OF ISAO MEMBERSHIP
   From the guidance:
   “Participants in an ISAO can request that their information be treated as Protected Critical Infrastructure Information. Such information is shielded from any release otherwise required by the Freedom of Information Act or State Sunshine Laws and is exempt from regulatory use and civil litigation if the information satisfies the requirements of the Critical Infrastructure Information Act of 2002”
  • 14. PRINCIPLES FOR MEDICAL DEVICE SECURITY
  Security risk management process steps:
  1. Security risk management plan
  2. Security risk analysis
  3. Security risk evaluation
  4. Security risk control
  5. Evaluation of overall residual security risk acceptability
  6. Security risk management report
  7. Production and post-production information
  From TIR57: Principles for medical device security – Risk management © 2016 by the Association for the Advancement of Medical Instrumentation
  • 15. TYPES OF ATTACKS
   Carrier based methods
  - Man in the middle (MiTM) attacks, which can steal data
  - Hijacking wireless transmission
   Endpoint based methods
  - Injecting code to tamper with a web application or web services
  - Stealing sensitive phone contents using malware
   Wireless interface based methods
  - Stealing data while it is in transit over a wireless channel
  - Exploiting access and authentication controls
  - An adversary steals sensitive data by reading content stored on an SD card
  • 16.
  • 17. ACCIDENTS
   1. PACEMAKER :
   Small device placed in the chest or abdomen to help control abnormal heart rhythms.
   Uses electrical pulses to prompt the heart to beat at a normal rate.
   Has wireless transmitters to allow it to be programmed without an invasive procedure.
  • 18. PACEMAKERS - THE DANGER
   Due to the convenience of wireless transmitters, remote attacks on the body are now possible.
   Allows for hacking not only through a laptop, but also through malware installed on a hospital or company computer that may briefly interact with an implant.
   Could infect, reprogram, or command the device to perform a more lethal function.
   BARNABY JACK - Discovered a way to hack into a pacemaker via its wireless transmitter and make the device send an 830-volt shock through a person’s body.
   Can be done with a laptop from 30 to 50 feet away.
  • 19. INSULIN PUMPS
   Device used for administration of insulin in the treatment of diabetes.
   Many insulin pumps are now wireless.
   Allows the patient to check on the pump’s status and activity.
   Allows for control of the dosage administered.
  INSULIN PUMPS – THE DANGER
   Wireless transmitters once again can cause problems, and cause the pump to deliver a deadly dose of the hormone.
   Currently there are patents for insulin pumps that can hook up to WiFi and be controlled via a web browser.
   Huge potential for exploits, especially since exploits to compromise web interfaces are developed daily.
  • 20. Manufacturer Disclosure Statement for Medical Device Security (MDS2) v2
   Developed by HIMSS (Healthcare Information and Management Systems Society) and the National Electrical Manufacturers Association (NEMA).
   Since 2013, medical device manufacturers have to disclose the cybersecurity features of medical devices they sell to healthcare providers.
   A hospital risk assessment tool to assess the vulnerabilities and risks of the medical devices.
   Allows easy comparison of security features across different devices and different manufacturers.
  • 21.
  • 22. WHAT TO DO TO SAVE THE DEVICE?
  • Protect information and maintain device integrity: product design must protect the information and the device against any threats posed by external circumstances or by other connected devices.
  • Embed data privacy management: product design must be equipped to handle patient-sensitive information so as to meet both HIPAA and FDA regulations.
  • Enable risk identification and mitigation: product design must enable identification and management of risk throughout the product development life cycle.
  • Incorporate product safety: product design must incorporate safety features that meet the regulatory requirements, such as alarm systems, to protect users and patients from unanticipated adverse situations.
  • 23. Applicable standards, technical specifications and reports
   PAS 277:2015, Health and wellness apps – Quality criteria across the life cycle – Code of practice
   EN ISO 13485:2016, Medical devices – Quality management systems – Requirements for regulatory purposes
   EN ISO 14971:2012, Medical devices – Application of risk management to medical devices
   PD ISO/TR 24971:2013, Medical devices – Guidance on the application of ISO 14971
   EN IEC 62304:2006, Medical device software – Software life cycle processes
   EN ISO IEC 62366-1:2015, Medical devices – Part 1: Application of usability engineering to medical devices
   IEC ISA 62443 series, Industrial communication networks – Network and system security
   ISO IEC 27005:2011, Information technology – Security techniques – Information security risk management
   ISO IEC 27032:2012, Information technology – Security techniques
   ISO IEC 80001 series, Application of risk management for IT-networks incorporating medical devices
   EN IEC TR 80002-1:2009, Medical device software – Part 1: Guidance on the application of ISO 14971 to medical device software
   ISO DTR 80002-2, Medical device software – Part 2: Validation of software for medical device quality systems
   IEC TR 80002-3:2014, Medical device software – Part 3: Process reference model of medical device software life cycle processes (IEC 62304)
   EN IEC TR 80001-2-8:2016, Application of risk management for IT-networks incorporating medical devices – Part 2-8: Application guidance – Guidance on standards for establishing the security capabilities identified in IEC 80001-2-2
   IEC 82304-1:2016, Health software – Part 1: General requirements for product