MEDICAL DEVICE Cybersecurity.

Size: px
Start display at page:

Download "MEDICAL DEVICE Cybersecurity."

Transcription

1 MEDICAL DEVICE Cybersecurity.

2 2 MEDICAL DEVICE CYBERSECURITY

3 Introduction Wireless technology and the software in medical devices have greatly increased healthcare providers abilities to efficiently and effectively monitor and treat patients. However, the use of wireless technology and the software in medical devices present risks unique to the healthcare industry. An added concern for the healthcare industry comes from the need to not only protect patient health data, but also the need to protect patients health. Cybersecurity vulnerabilities in medical devices can have life threatening consequences in the event of failure or intentional tampering. The threat is real as hackers have demonstrated the ability to compromise a diverse array of medical devices. Although there have been no reported patient injuries or deaths associated with cybersecurity incidents, cybersecurity specialists have identified a number of vulnerabilities with these devices. Due to the increased media focus on the identified issues, the U.S. Food and Drug Administration (FDA) is investigating numerous devices for cybersecurity issues. On October 2, 2014, the FDA issued a final guidance containing recommendations to medical device manufacturers on cybersecurity management. The guidance is applicable to all new premarket submissions containing software, programmable logic, and standalone software that is a medical device. This guidance represents the FDA s current thinking on the subject of cybersecurity as it relates to medical devices. Although the guidance is not enforceable by law, medical device manufacturers should seriously consider the recommendations presented as the healthcare technology landscape continues to get more and more digitally connected. PLANTE MORAN 3

4 4 MEDICAL DEVICE CYBERSECURITY

5 Guidance. What the Guidance Calls For The FDA has recommended that medical device manufacturers consider the following five cybersecurity framework core functions: identify, protect, detect, respond, and recover. This framework is based on the NIST Framework for Improving Critical Infrastructure Cybersecurity, a voluntary framework based on existing standards, guidelines, and practices for reducing cyberrisks to critical infrastructure. IDENTIFY AND PROTECT A proper assessment of cybersecurity vulnerabilities can help identify controls that can protect against intentional or unintentional threats. Medical devices with digital connectivity capabilities are inherently more vulnerable to cybersecurity threats than devices not in scope for this guidance. The guidance recommends that the extent of security controls present for an in-scope device should depend on the following: the device s intended use the presence and intent of its electronic data interfaces its intended environment of use (e.g., home use vs. healthcare facility use) the type of cybersecurity vulnerabilities present PLANTE MORAN 5

6 the likelihood the vulnerability can be exploited (either intentionally or unintentionally) the probable risk of patient harm due to a cybersecurity breach It is also important to ensure the security controls in place do not unreasonably hinder the device s intended use. Careful consideration should be made between the safety provided by security controls and the usability aspects that may be impaired in emergency situations. The guidance provides the following broad security functions for manufacturers to consider when designing controls for their in-scope devices: Limit Access to Trusted Users Only including limiting access through user authentication, automatic timed session termination, strong password parameters, and appropriate physical security Ensure Trusted Content including restricting software or firmware updates to authenticated code and ensuring secure mediums for data transfer to and from the device DETECT, RESPOND, AND RECOVER It is important for medical device users to be able to effectively detect and respond to cybersecurity breaches and then recover. For this reason, the guidance provides the following guidelines for medical device manufacturers to consider including in their product design: Implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use; Develop and provide information to the end user concerning appropriate actions to take upon detection of a cybersecurity event; Implement device features that protect critical functionality, even when the device s cybersecurity has been compromised; Provide methods for retention and recovery of device configuration by an authenticated privileged user. DOCUMENTATION The guidance also notes the following information related to cybersecurity that should be included by manufacturers during premarket submissions of their medical devices: 1. Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including: A specific list of all cybersecurity risks that were considered in the design of your device with mitigations identified for each risk; 6 MEDICAL DEVICE CYBERSECURITY

7 A specific list and justification for all cybersecurity controls that were established for your device. 2. A traceability matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered. 3. A summary describing the plan for providing validated software updates and patches as needed throughout the product lifecycle of the medical device to continue to assure its safety and effectiveness. The FDA typically will not need to review or approve medical device software changes made solely to strengthen cybersecurity. 4. A summary describing controls that are in place to assure that the medical device software will maintain its integrity (e.g., remain free of malware) from the point of origin to the point at which that device leaves the control of the manufacture. 5. Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g., anti-virus software, use of firewall). PLANTE MORAN 7

8 8 MEDICAL DEVICE CYBERSECURITY

9 Stakeholders. What This Means for Stakeholders So what does this mean for my organization and the healthcare value chain? This varies based on your role with medical devices that are in scope for the guidance. The FDA recognizes that medical device security is a shared responsibility among stakeholders, including healthcare facilities, patients, providers, and manufacturers. The brunt of the action called for by the guidance falls under the responsibility of the medical device manufacturers. However, it is just as important that all the aforementioned stakeholders be aware of their role in the cybersecurity of medical devices. MEDICAL DEVICE MANUFACTURERS The responsibility of medical device manufacturers, as it relates to cybersecurity, is defined by the FDA as follows: Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity, and are responsible for putting appropriate mitigations in place to address patient safety and assure proper device performance. Medical device manufactures should implement an effective framework to PLANTE MORAN 9

10 mitigate cybersecurity risks. It is important to remember that the guidance is not law and only represents the FDA s current thinking on the topic of cybersecurity. The NIST Framework is touted as a prioritized, flexible, repeatable, and cost-effective approach to manage cybersecurity-related risks and would be an excellent option to reduce the possible increase in research and development costs associated with mitigating new and evolving cybersecurity risks. Wireless implantable medical devices Deep Brain Neurostimulators Gastric Neurostimulators Foot Drop Implants Cochlear Implants Cardiac Defibrillators/ Pacemakers Insulin Pumps Medical device manufacturers should work to implement a process to effectively identify and protect against cybersecurity vulnerabilities that could be present in their devices. Furthermore, they should ensure devices are designed to allow end users to properly detect, respond, and recover from a cybersecurity breach. Security is an on-going process that evolves as new vulnerabilities are identified. Medical device manufacturers will need to deploy patches just like antivirus updates for desktops or app updates on mobile devices. HEALTHCARE FACILITIES The responsibility of healthcare facilities, as it relates to cybersecurity, is defined by the FDA as follows: Hospitals and health care facilities should evaluate their network security and protect the hospital system. Patients will hold healthcare facilities responsible for security breaches while being cared for at a healthcare facility. Therefore, healthcare facilities should ensure they have a solid understanding of the cybersecurity risks that are posed by the medical devices they are using. It is important that the institution implement an effective due diligence and risk management framework to identify the threats posed to medical devices with data connectivity. Healthcare facilities should expect to see an increase in the security functionality and complexity of newly released medical devices; this may require additional training for system administrators and/or end users. The 10 MEDICAL DEVICE CYBERSECURITY

11 additional documentation called for in the guidance may be very helpful to healthcare facilities in appropriately implementing and maintaining cybersecurity controls to support their networked medical device infrastructure. PROVIDERS Providers should employ the same due care and procedures described above for healthcare facilities. Providers should be aware of the cybersecurity aspects of the devices they use to treat or prescribe to their patients. Again, patients will hold healthcare providers responsible for security breaches with medical devices recommended by their physicians. Health care providers should ensure patients are trained on the safe use and security aspects of the devices they prescribe. PATIENTS Patients should demand a complete understanding of the functionality of the medical devices they are using. Manufacturer provided documentation should be reviewed to solidify understanding. Additional questions around the sharing of medical data from the devices should be directed to an applicable healthcare provider or device manufacturer. PLANTE MORAN 11

12 AUTHOR KYLE MILLER plantemoran.com

FDA Releases Final Cybersecurity Guidance for Medical Devices

FDA Releases Final Cybersecurity Guidance for Medical Devices FDA Releases Final Cybersecurity Guidance for Medical Devices By Jean Marie R. Pechette and Ken Briggs Overview and General Principles On October 2, 2014, the Food and Drug Administration ( FDA ) finalized

More information

Cybersecurity for Medical Devices

Cybersecurity for Medical Devices Cybersecurity for Medical Devices Suzanne O Shea Kathleen Rice January 29, 2015 Why Is This Important? Security Risks in the Sensors of Implantable Medical Devices Over the last year, we ve seen an uptick

More information

New Devices Mean New Risks: The Potential for Liability When Software is a Component of Medical Devices. September 25, 2013

New Devices Mean New Risks: The Potential for Liability When Software is a Component of Medical Devices. September 25, 2013 New Devices Mean New Risks: The Potential for Liability When Software is a Component of Medical Devices September 25, 2013 The Hartford Insuring Innovation Joe Coray Dan Silverman Providing insurance solutions

More information

Suzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA

Suzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA 8 th Annual Safeguarding Health Information: Building Assurance through HIPAA Security HHS Office of Civil Rights and National Institute of Standards & Technology Wednesday September 2, 2015 Suzanne B.

More information

Risk Management and Cybersecurity for Devices that Contain Software. Seth D. Carmody, Ph.D. 12 th Medical Device Quality Congress March 18, 2015

Risk Management and Cybersecurity for Devices that Contain Software. Seth D. Carmody, Ph.D. 12 th Medical Device Quality Congress March 18, 2015 Risk Management and Cybersecurity for Devices that Contain Software Seth D. Carmody, Ph.D. 12 th Medical Device Quality Congress March 18, 2015 Main Points Establish a Cybersecurity Risk Management Program

More information

LinkedIn 10x Medical Device Conference Tuesday May 5 th, 2015

LinkedIn 10x Medical Device Conference Tuesday May 5 th, 2015 LinkedIn 10x Medical Device Conference Tuesday May 5 th, 2015 Suzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA Uncertainty Complex

More information

Medical Devices. Safe, but are they secure? Dan Stoker, Consultant Professional Services, Coalfire

Medical Devices. Safe, but are they secure? Dan Stoker, Consultant Professional Services, Coalfire Medical Devices Safe, but are they secure? Dan Stoker, Consultant Professional Services, Coalfire Introduction This perspective paper aims to help organizations understand the emerging issue of security

More information

Best Practices: Securing Medical Devices Against Cyberthreats

Best Practices: Securing Medical Devices Against Cyberthreats BEST PRACTICES Best Practices: Securing Medical Devices Against Cyberthreats Lynne Dunbrack IDC HEALTH INSIGHTS OPINION Cyberattacks are on the rise, especially in healthcare because cybercriminals view

More information

HCCA Research Compliance Conference May 31-June 3, 2015

HCCA Research Compliance Conference May 31-June 3, 2015 Cybersecurity of Medical Devices and the Impact on Research Ken Briggs, Esq. Polsinelli PC, Phoenix kbriggs@polsinelli.com 602.650.2042 One East Washington St., Suite 1200 Phoenix, AZ 85004-2568 June 2015

More information

a Medical Device Privacy Consortium White Paper

a Medical Device Privacy Consortium White Paper a Medical Device Privacy Consortium White Paper Introduction The Medical Device Privacy Consortium (MDPC) is a group of leading companies addressing health privacy and security issues affecting the medical

More information

The U.S. FDA s Regulation and Oversight of Mobile Medical Applications

The U.S. FDA s Regulation and Oversight of Mobile Medical Applications The U.S. FDA s Regulation and Oversight of Mobile Medical Applications The U.S. FDA s Regulation and Oversight of Mobile Medical Applications As smart phones and portable tablet computers become the preferred

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

GAO MEDICAL DEVICES. FDA Should Expand Its Consideration of Information Security for Certain Types of Devices. Report to Congressional Requesters

GAO MEDICAL DEVICES. FDA Should Expand Its Consideration of Information Security for Certain Types of Devices. Report to Congressional Requesters GAO United States Government Accountability Office Report to Congressional Requesters August 2012 MEDICAL DEVICES FDA Should Expand Its Consideration of Information Security for Certain Types of Devices

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

CYBERSECURITY & EXPECTATIONS FOR INDEPENDENT GROCERS

CYBERSECURITY & EXPECTATIONS FOR INDEPENDENT GROCERS October 21, 2015 CYBERSECURITY & EXPECTATIONS FOR INDEPENDENT GROCERS Cerone F. Cy Sturdivant Managing Consultant csturdivant@bkd.com 1 TO RECEIVE CPE CREDIT Participate in entire webinar Answer polls

More information

August 18, 2015. Re: Section 1201 Rulemaking Proposed Exemption for Medical Devices

August 18, 2015. Re: Section 1201 Rulemaking Proposed Exemption for Medical Devices DEPARTMENT OF HEALTH & HUMAN SERVICES Public Health Service Food and Drug Administration 10903 New Hampshire Avenue Silver Spring, MD 20993 August 18, 2015 Ms. Jacqueline C. Charlesworth General Counsel

More information

Data Security and Healthcare

Data Security and Healthcare Data Security and Healthcare Complex data flows Millions of electronic medical records across many systems New and emerging business relationships Changing and maturing compliance frameworks Diverse population

More information

Cybersecurity and internal audit. August 15, 2014

Cybersecurity and internal audit. August 15, 2014 Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

Submitted via www.regulations.gov. September 12, 2013

Submitted via www.regulations.gov. September 12, 2013 Submitted via www.regulations.gov September 12, 2013 Food and Drug Administration Center for Devices and Radiological Health c/o Division of Dockets Management (HFA-305) Food and Drug Administration 5630

More information

AUTHORED BY: George W. Gray CTO, VP Software & Information Systems Ivenix, Inc. ADDRESSING CYBERSECURITY IN INFUSION DEVICES

AUTHORED BY: George W. Gray CTO, VP Software & Information Systems Ivenix, Inc. ADDRESSING CYBERSECURITY IN INFUSION DEVICES AUTHORED BY: George W. Gray CTO, VP Software & Information Systems Ivenix, Inc. ADDRESSING CYBERSECURITY IN INFUSION DEVICES INTRODUCTION Cybersecurity has become an increasing concern in the medical device

More information

Cyber Security An Exercise in Predicting the Future

Cyber Security An Exercise in Predicting the Future Cyber Security An Exercise in Predicting the Future Paul Douglas, August 25, 2014 AUDIT & ACCOUNTING + CONSULTING + TAX SERVICES + TECHNOLOGY I www.pncpa.com I www.pntech.net What is Cyber Security? Measures

More information

Cybersecurity. Are you prepared?

Cybersecurity. Are you prepared? Cybersecurity Are you prepared? First Cash, then your customer, now YOU! What is Cybersecurity? The body of technologies, processes, practices designed to protect networks, computers, programs, and data

More information

Medical Device Software Standards for Safety and Regulatory Compliance

Medical Device Software Standards for Safety and Regulatory Compliance Medical Device Software Standards for Safety and Regulatory Compliance Sherman Eagles +1 612-865-0107 seagles@softwarecpr.com www.softwarecpr.com Assuring safe software SAFE All hazards have been addressed

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

Assessing the Effectiveness of a Cybersecurity Program

Assessing the Effectiveness of a Cybersecurity Program Assessing the Effectiveness of a Cybersecurity Program Lynn D. Shiang Delta Risk LLC, A Chertoff Group Company Objectives Understand control frameworks, assessment structures and scoping of detailed reviews

More information

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow Agenda Background & Threat landscape Breach: A Case Study Incident Response Best Practices Lessons Learned

More information

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist Cyber- Attacks: The New Frontier for Fraudsters Daniel Wanjohi, Technology Security Specialist What is it All about The Cyber Security Agenda ; Protecting computers, networks, programs and data from unintended

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

Cybersecurity: What CFO s Need to Know

Cybersecurity: What CFO s Need to Know Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction

More information

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT OVERVIEW The National Institute of Standards of Technology Framework for Improving Critical Infrastructure Cybersecurity (The NIST Framework) is a

More information

Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. Session Objectives. Introduction Tom Walsh

Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. Session Objectives. Introduction Tom Walsh Effectively Completing and Documenting a Risk Analysis Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS Session Objectives Identify the difference between risk analysis and risk assessment

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015 Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting January 9, 2015 Agenda Key Risks Incorporating Internal Audit Resources for Internal Auditors Questions 2 Key Risks 3 4 Key

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Cyber Security Organisational Standards. Guidance

Cyber Security Organisational Standards. Guidance Cyber Security Organisational Standards Guidance April 2013 Contents Contents...2 Overview...3 Background...4 Definitions...5 Presentation and Layout...6 Submissions Guidance...7 Acceptance Criteria...8

More information

Defending against modern threats Kruger National Park ICCWS 2015

Defending against modern threats Kruger National Park ICCWS 2015 Defending against modern threats Kruger National Park ICCWS 2015 Herman Opperman (CISSP, ncse, MCSE-Sec) - Architect, Cybersecurity Global Practice Microsoft Corporation Trends from the field Perimeter

More information

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe 2/1/2012 Assessor: J. Doe Disclaimer This report is provided as is for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information

More information

Conducting due diligence and managing cybersecurity in medical technology investments

Conducting due diligence and managing cybersecurity in medical technology investments Conducting due diligence and managing cybersecurity in medical technology investments 2015 McDermott Will & Emery LLP. McDermott operates its practice through separate legal entities in each of the countries

More information

Healthcare Information Technology A Risky Business? Healthcare Security Summit 12 March 2014

Healthcare Information Technology A Risky Business? Healthcare Security Summit 12 March 2014 Healthcare Information Technology A Risky Business? Healthcare Security Summit 12 March 2014 Disclaimers» This presentation is for educational purposes only.» This presentation does not constitute legal

More information

Achieving PCI Compliance with Red Hat Enterprise Linux. June 2009

Achieving PCI Compliance with Red Hat Enterprise Linux. June 2009 Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving

More information

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

More information

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries

More information

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August

More information

Cyber Security Metrics Dashboards & Analytics

Cyber Security Metrics Dashboards & Analytics Cyber Security Metrics Dashboards & Analytics Feb, 2014 Robert J. Michalsky Principal, Cyber Security NJVC, LLC Proprietary Data UNCLASSIFIED Agenda Healthcare Sector Threats Recent History Security Metrics

More information

IoT & SCADA Cyber Security Services

IoT & SCADA Cyber Security Services IoT & SCADA Cyber Security Services RIOT SOLUTIONS PTY LTD P.O. Box 10087, Adelaide St Brisbane QLD 4000 BRISBANE HEAD OFFICE Level 4, 60 Edward St, Brisbane, QLD 4000 T: 1300 744 028 Email: sales@riotsolutions.com.au

More information

Implementing a Framework

Implementing a Framework Implementing a Framework 44th Tennessee Higher Education Information Technology Symposium 2015 Greg Jackson Cyber Security Analyst Dynetics Inc. Information Systems Assessment Services (ISAS) www.dynetics.com

More information

cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You!

cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You! cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You! Cybersecurity is all over the news. Target, University of Maryland, Neiman

More information

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult

More information

CYBERSECURITY TESTING & CERTIFICATION SERVICE TERMS

CYBERSECURITY TESTING & CERTIFICATION SERVICE TERMS CYBERSECURITY TESTING & CERTIFICATION SERVICE TERMS These Cybersecurity Testing and Certification Service Terms ( Service Terms ) shall govern the provision of cybersecurity testing and certification services

More information

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions Permeo Technologies WHITE PAPER HIPAA Compliancy and Secure Remote Access: Challenges and Solutions 1 Introduction The Healthcare Insurance Portability and Accountability Act (HIPAA) of 1996 has had an

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Case Study: Fast Food Security Breach (Multiple Locations)

Case Study: Fast Food Security Breach (Multiple Locations) CASE STUDY Fast Food Security Breach (Multiple Locations) Case Study: Fast Food Security Breach (Multiple Locations) By Brad Cyprus, SSCP - Senior Security Architect, Netsurion Details Profile Case Study

More information

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and

More information

MEDICAL DEVICE SECURITY

MEDICAL DEVICE SECURITY Medical devices should be secure. Doctors are gentlemen and therefore their computers are always secure. Dr. Ignaz Semmelweis 1818-1865 Dr. Charles Meigs 1792-1869 St. Jude Medical, the third major defibrillator

More information

Mission Assurance and Security Services

Mission Assurance and Security Services Mission Assurance and Security Services Dan Galik, Chief Federation of Tax Administrators Computer Security Officer Conference March 2007 Security, privacy and emergency preparedness issues are front page

More information

Cyber Security. John Leek Chief Strategist

Cyber Security. John Leek Chief Strategist Cyber Security John Leek Chief Strategist AGENDA The Changing Business Landscape Acknowledge cybersecurity as an enterprise-wide risk management issue not just an IT issue How to develop a cybersecurity

More information

P01 - Information Security Policy

<COMPANY> P01 - Information Security Policy P01 - Information Security Policy Document Reference P01 - Information Security Policy Date 30th September 2014 Document Status Final Version 3.0 Revision History 1.0 09 November 2009: Initial release.

More information

OCIE CYBERSECURITY INITIATIVE

OCIE CYBERSECURITY INITIATIVE Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics About Us Matt Halbleib CISSP, QSA, PA-QSA Manager PCI-DSS assessments With SecurityMetrics for 6+ years SecurityMetrics Security

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

CONCEPTS IN CYBER SECURITY

CONCEPTS IN CYBER SECURITY CONCEPTS IN CYBER SECURITY GARY KNEELAND, CISSP SENIOR CONSULTANT CRITICAL INFRASTRUCTURE & SECURITY PRACTICE 1 OBJECTIVES FRAMEWORK FOR CYBERSECURITY CYBERSECURITY FUNCTIONS CYBERSECURITY CONTROLS COMPARATIVE

More information

NERC CIP VERSION 5 COMPLIANCE

NERC CIP VERSION 5 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining

More information

Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.

Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m. Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m. Topics: Explain why it is important for firms of all sizes to address cybersecurity risk. Demonstrate awareness

More information

EVALUATION OF AUTOMATIC CLASS III DESIGNATION FOR STUDIO on the Cloud Data Management Software DECISION SUMMARY

EVALUATION OF AUTOMATIC CLASS III DESIGNATION FOR STUDIO on the Cloud Data Management Software DECISION SUMMARY A. DEN Number: DEN140016 EVALUATION OF AUTOMATIC CLASS III DESIGNATION FOR STUDIO on the Cloud Data Management Software B. Purpose for Submission: DECISION SUMMARY De novo request for adjunct data management

More information

An Independent Member of Baker Tilly International

An Independent Member of Baker Tilly International Healthcare Security and Compliance July 23, 2015 Presenters Kelley Miller, CISA, CISM - Principal Kelley.Miller@mcmcpa.com Barbie Thomas, MBA, CHC Barbie.Thomas@mcmcpa.com 2 Agenda Introductions Cybersecurity

More information

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper Best Practices in ICS Security for Device Manufacturers A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

Risk Management Guide for Information Technology Systems. NIST SP800-30 Overview

Risk Management Guide for Information Technology Systems. NIST SP800-30 Overview Risk Management Guide for Information Technology Systems NIST SP800-30 Overview 1 Risk Management Process that allows IT managers to balance operational and economic costs of protective measures and achieve

More information

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR

More information

How to Secure Your Environment

How to Secure Your Environment End Point Security How to Secure Your Environment Learning Objectives Define Endpoint Security Describe most common endpoints of data leakage Identify most common security gaps Preview solutions to bridge

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

Securing Industrial Control Systems in the Chemical Sector. Roadmap Awareness Initiative Making the Business Case

Securing Industrial Control Systems in the Chemical Sector. Roadmap Awareness Initiative Making the Business Case Securing Industrial Control Systems in the Chemical Sector Roadmap Awareness Initiative Making the Business Case Developed by the Chemical Sector Coordinating Council in partnership with The U.S. Department

More information

State Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4

State Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4 State Agency Cybersecurity Survey v 3.4 The purpose of this survey is to identify your agencies current capabilities with respect to information systems/cyber security and any challenges and/or successes

More information

Through the Security Looking Glass. Presented by Steve Meek, CISSP

Through the Security Looking Glass. Presented by Steve Meek, CISSP Through the Security Looking Glass Presented by Steve Meek, CISSP Agenda Presentation Goal Quick Survey of audience Security Basics Overview Risk Management Overview Organizational Security Tools Secure

More information

10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection. September 2011

10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection. September 2011 10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection September 2011 10 Potential Risks Facing Your IT Department: Multi-layered Security & Network Protection 2 It s

More information

Click to edit Master title style

Click to edit Master title style EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity

More information

Evaluation Report. Office of Inspector General

Evaluation Report. Office of Inspector General Evaluation Report OIG-08-035 INFORMATION TECHNOLOGY: Network Security at the Office of the Comptroller of the Currency Needs Improvement June 03, 2008 Office of Inspector General Department of the Treasury

More information

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile

More information

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Best Practices in ICS Security for System Operators. A Wurldtech White Paper Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

Department of Management Services. Request for Information

Department of Management Services. Request for Information Department of Management Services Request for Information Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 Submitted By: Carlos Henley

More information

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015 Internal audit of cybersecurity Presentation to the Atlanta IIA Chapter January 2015 Agenda Executive summary Why is this topic important? Cyber attacks: increasing complexity arket insights: What are

More information

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014 NIST Cybersecurity Initiatives Keith Stouffer and Vicky Pillitteri NIST ARC World Industry Forum 2014 February 10-13, 2014 Orlando, FL National Institute of Standards and Technology (NIST) NIST s mission

More information

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing

More information

Managing cyber risks with insurance

Managing cyber risks with insurance www.pwc.com.tr/cybersecurity Managing cyber risks with insurance Key factors to consider when evaluating how cyber insurance can enhance your security program June 2014 Managing cyber risks to sensitive

More information

WHITEPAPER: SOFTWARE APPS AS MEDICAL DEVICES THE REGULATORY LANDSCAPE

WHITEPAPER: SOFTWARE APPS AS MEDICAL DEVICES THE REGULATORY LANDSCAPE WHITEPAPER: SOFTWARE APPS AS MEDICAL DEVICES THE REGULATORY LANDSCAPE White paper produced by Maetrics For more information, please contact global sales +1 610 458 9312 +1 877 623 8742 globalsales@maetrics.com

More information

Cyber Security for your Connected Health Device

Cyber Security for your Connected Health Device Cyber Security for your Connected Health Device Agenda Cyber Security Emerging Threats Implications to Healthcare Healthcare Response OpenSky s timeline Service Evolution Launch IT Optimization 2014 Geographic

More information

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014 Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security

More information

Cyber Essentials Scheme

Cyber Essentials Scheme Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these

More information

Guide to Vulnerability Management for Small Companies

Guide to Vulnerability Management for Small Companies University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...

More information

Patching & Malicious Software Prevention CIP-007 R3 & R4

Patching & Malicious Software Prevention CIP-007 R3 & R4 Patching & Malicious Software Prevention CIP-007 R3 & R4 Scope Compliance Assessment Summary Introspection & Analysis Program-In Review Maturity Model review Control Design review Process Components of

More information

Healthcare Cybersecurity Risk Management: Keys To an Effective Plan

Healthcare Cybersecurity Risk Management: Keys To an Effective Plan Healthcare Cybersecurity Risk Management: Keys To an Effective Plan Anthony J. Coronado and Timothy L. Wong About the Authors Anthony J. Coronado, BS, is a biomedical engineering manager at Renovo Solutions

More information

Data Breach Response Planning: Laying the Right Foundation

Data Breach Response Planning: Laying the Right Foundation Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA

More information

Managing Vulnerabilities For PCI Compliance

Managing Vulnerabilities For PCI Compliance Managing Vulnerabilities For PCI Compliance Christopher S. Harper Vice President of Technical Services, Secure Enterprise Computing, Inc. June 2012 NOTE CONCERNING INTELLECTUAL PROPERTY AND SOLUTIONS OF

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Evaluation Report The Department's Unclassified Cyber Security Program 2011 DOE/IG-0856 October 2011 Department of

More information

PCI Data Security Standards (DSS)

PCI Data Security Standards (DSS) ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants

More information

Network Assessment. Prepared For: Prospect Or Customer Prepared By: Your Company Name

Network Assessment. Prepared For: Prospect Or Customer Prepared By: Your Company Name Network Assessment Prepared For: Prospect Or Customer Prepared By: Your Company Name Environment Risk and Issue Score Issue Review Next Steps Agenda Environment - Overview Domain Domain Controllers 4 Number

More information