Conducting due diligence and managing cybersecurity in medical technology investments

Transcription

1 Conducting due diligence and managing cybersecurity in medical technology investments 2015 McDermott Will & Emery LLP. McDermott operates its practice through separate legal entities in each of the countries where it has offices. This communication may be considered attorney advertising. Previous results are not a guarantee of future outcome.

2 M&A + information & technology risk implications Below are some key IT risk areas and potential impacts to consider during the pre / post and execution of transaction activities. Impacts Stock price fluctuation Customer turnover Key IT Risk Areas Brand Loss of business due to critical intellectual asset loss Cybersecurity & Privacy Business Continuity IT Compliance & Regulations Business Regulatory Operational Competitive disadvantage Customer disruption - lost business Response costs Legal costs Increased independent audits Regulatory fines Restriction on information sharing and use Additional cost to implement comprehensive security solutions Diversion of employees from strategic initiatives to work on M&A activities and other damage control Loss of business agility, opportunity and value Liabilities in licenses and third-party contracts

3 M&A + Information & Technology Risk Management -

4 What Deloitte is seeing in the field Regulatory Customer Expectations GAO Report The Government Accountability Office (GAO) drives the Food and Drug Administration (FDA) to sharpen focus on cyber security risk in connected medical devices. Veterans Affairs (VA) The VA has established a program to assess safety and security of medical devices and is requiring device manufacturers to meet rigorous security requirements (e.g. FISMA, VA Handbook 6500) Cyber Security Executive Order Requires entities to take steps to reduce cyber risks to critical infrastructure Dept of Defense (DoD) The DoD Military Health Systems has established a program to assess safety and security of medical devices (same as above) FDA Cyber Security Guidance The 2013 Final FDA Cyber Security Guidance document recommends that cyber security risk mitigation be integrated into the device lifecycle, security by design and documented in PMAs and 510k submissions. Customer Demand Public and large private Health Care Providers (HCPs) are increasingly requesting manufacturers provide cyber security related information (e.g., MDS2) or complete onerous security checklists as part of procurement process FDA Activity Global FDA letters require device manufacturers to demonstrate effective risk assessment process and ability to respond within 45 days The FDA has recently been incorporating the cybersecurity guidance into their review of PMAs/510Ks No specific medical device regulations covering medical device security at this point HIPAA FTC Breaches of PHI in medical technology must be reported to affected patients. Security Rule requires HCPs to implement reasonable technical, physical and administrative safeguards to secure EPHI in medical technology and information technology that interfaces with it. Section 5 of the FTC Act prohibits unfair or deceptive acts and practices. FTC has brought enforcement actions under Section 5 against organizations that have allegedly violated consumers privacy rights, or misled them by failing to maintain security for sensitive consumer information.

5 Cybersecurity Due Diligence with Medical Technology Investments Copyright 2015 Deloitte Development LLC. All rights reserved.

6 FDA Final Guidance on Cybersecurity Source: andguidance/guidancedocuments/ucm pdf Three key takeaways from the Guidance : Manufacturers should address cybersecurity during the design and development of the medical device The scope of the Guidance covers the following: 510k, de novo submissions, PMAs, product development protocols, and humanitarian device exemption The FDA is looking for the following in their review of the above submissions: 1. A specific list of all cybersecurity risks that were considered in the design of the device and a list, and justification for all cybersecurity controls that were established for the device; 2. A traceability matrix that links the actual cybersecurity controls to the cybersecurity risks that were considered; 3. A summary describing the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device to continue to assure its safety and effectiveness; 4. A summary describing controls that are in place to assure that the medical device software will remain free of malware from the point of origin to the point at which that device leaves the control of the manufacturer; and 5. Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment.

7 FDA Draft Post Market Guidance on Cybersecurity The FDA is currently working on a post market cybersecurity guidance document: The post market guidance may be published for public comment as soon as the end of December 2015 The scope will likely include addressing the security of legacy devices and information sharing of cyber threat indicators and cyber attack information

8 Medical Device Security Risk Domains 8

9 Addressing Risks within Product Design 9

10 This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. As used in this document, Deloitte means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.