Conducting due diligence and managing cybersecurity in medical technology investments




Conducting due diligence and managing cybersecurity in medical technology investments

2015 McDermott Will & Emery LLP. McDermott operates its practice through separate legal entities in each of the countries where it has offices. This communication may be considered attorney advertising. Previous results are not a guarantee of future outcome.

M&A + information & technology risk implications

Below are some key IT risk areas and potential impacts to consider before, during and after the execution of transaction activities.

Key IT risk areas:
- Cybersecurity & Privacy
- Business Continuity
- IT Compliance & Regulations

Impact categories: Brand, Business, Regulatory, Operational

Potential impacts:
- Stock price fluctuation
- Customer turnover
- Loss of business due to critical intellectual asset loss
- Competitive disadvantage
- Customer disruption (lost business)
- Response costs
- Legal costs
- Increased independent audits
- Regulatory fines
- Restriction on information sharing and use
- Additional cost to implement comprehensive security solutions
- Diversion of employees from strategic initiatives to work on M&A activities and other damage control
- Loss of business agility, opportunity and value
- Liabilities in licenses and third-party contracts

M&A + Information & Technology Risk Management - What Deloitte is seeing in the field

Themes: Regulatory, Customer Expectations

- GAO Report: The Government Accountability Office (GAO) drives the Food and Drug Administration (FDA) to sharpen its focus on cyber security risk in connected medical devices.
- Veterans Affairs (VA): The VA has established a program to assess the safety and security of medical devices and is requiring device manufacturers to meet rigorous security requirements (e.g. FISMA, VA Handbook 6500).
- Cyber Security Executive Order: Requires entities to take steps to reduce cyber risks to critical infrastructure.
- Dept of Defense (DoD): The DoD Military Health Systems has established a program to assess the safety and security of medical devices (same as above).
- FDA Cyber Security Guidance: The 2013 Final FDA Cyber Security Guidance document recommends that cyber security risk mitigation be integrated into the device lifecycle, security by design and documented in PMAs and 510k submissions.
- Customer Demand: Public and large private Health Care Providers (HCPs) are increasingly requesting that manufacturers provide cyber security related information (e.g., MDS2) or complete onerous security checklists as part of the procurement process.
- FDA Activity: Global FDA letters require device manufacturers to demonstrate an effective risk assessment process and the ability to respond within 45 days. The FDA has recently been incorporating the cybersecurity guidance into its review of PMAs/510Ks. There are no specific medical device regulations covering medical device security at this point.
- HIPAA: Breaches of PHI in medical technology must be reported to affected patients. The Security Rule requires HCPs to implement reasonable technical, physical and administrative safeguards to secure EPHI in medical technology and in information technology that interfaces with it.
- FTC: Section 5 of the FTC Act prohibits unfair or deceptive acts and practices. The FTC has brought enforcement actions under Section 5 against organizations that have allegedly violated consumers' privacy rights, or misled them by failing to maintain security for sensitive consumer information.

Cybersecurity Due Diligence with Medical Technology Investments

Copyright 2015 Deloitte Development LLC. All rights reserved.

FDA Final Guidance on Cybersecurity

Source: http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm356190.pdf

Three key takeaways from the Guidance:
- Manufacturers should address cybersecurity during the design and development of the medical device.
- The scope of the Guidance covers the following: 510k, de novo submissions, PMAs, product development protocols, and humanitarian device exemption.
- The FDA is looking for the following in their review of the above submissions:
  1. A specific list of all cybersecurity risks that were considered in the design of the device and a list, and justification, for all cybersecurity controls that were established for the device;
  2. A traceability matrix that links the actual cybersecurity controls to the cybersecurity risks that were considered;
  3. A summary describing the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device to continue to assure its safety and effectiveness;
  4. A summary describing controls that are in place to assure that the medical device software will remain free of malware from the point of origin to the point at which that device leaves the control of the manufacturer; and
  5. Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment.
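The traceability matrix in item 2 only does its job if every listed risk is linked to at least one control and every control traces back to a risk it mitigates, with the justification item 1 asks for attached. The following Python is an added example, not code from the Deloitte presentation or any FDA template: it models the risk list, the control list and the control-to-risk links a submission would carry, and reports the gaps a due-diligence reviewer would flag (uncovered risks, orphan controls, controls with no justification, and links to identifiers that are not defined). The device, identifiers and descriptions are constructed sample data.

```python
"""Completeness check for a medical-device cybersecurity traceability matrix.

Added example (not from the presentation or any FDA document). It models the
risk list, the control list with justifications, and the control-to-risk links
a premarket submission would carry, and reports the gaps a reviewer would flag.
All identifiers and descriptions below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    justification: str  # why this control is appropriate for the device


@dataclass
class TraceabilityReport:
    uncovered_risks: list[str] = field(default_factory=list)       # risk linked to no control
    orphan_controls: list[str] = field(default_factory=list)       # control linked to no risk
    unjustified_controls: list[str] = field(default_factory=list)  # control with empty justification
    dangling_links: list[tuple[str, str]] = field(default_factory=list)  # link to an undefined id

    @property
    def complete(self) -> bool:
        """True when every risk is covered, every control is used and justified,
        and every link points at defined identifiers."""
        return not (self.uncovered_risks or self.orphan_controls
                    or self.unjustified_controls or self.dangling_links)


def check_traceability(risks, controls, links):
    """Check a list of (control_id, risk_id) links against the risk and control lists."""
    risk_ids = {r.risk_id for r in risks}
    control_ids = {c.control_id for c in controls}
    report = TraceabilityReport()
    covered, used = set(), set()
    for control_id, risk_id in links:
        if control_id not in control_ids or risk_id not in risk_ids:
            report.dangling_links.append((control_id, risk_id))
            continue
        covered.add(risk_id)
        used.add(control_id)
    report.uncovered_risks = sorted(risk_ids - covered)
    report.orphan_controls = sorted(control_ids - used)
    report.unjustified_controls = sorted(
        c.control_id for c in controls if not c.justification.strip())
    return report


def render_matrix(risks, controls, links):
    """Render the matrix as a plain-text grid: one row per control, one column per risk."""
    linked = set(links)
    width = 8
    lines = ["control".ljust(10) + "".join(r.risk_id.center(width) for r in risks)]
    for c in controls:
        cells = "".join(
            ("X" if (c.control_id, r.risk_id) in linked else ".").center(width) for r in risks)
        lines.append(c.control_id.ljust(10) + cells)
    return "\n".join(lines)


# Constructed sample data for an imaginary network-connected infusion pump.
SAMPLE_RISKS = [
    Risk("R-01", "Unauthenticated access to the remote service interface"),
    Risk("R-02", "Tampered firmware accepted during a software update"),
    Risk("R-03", "Patient data readable from unencrypted on-device storage"),
    Risk("R-04", "Malware introduced into the device image during manufacturing"),
]
SAMPLE_CONTROLS = [
    Control("C-01", "Mutually authenticated TLS on the service interface",
            "Prevents unauthenticated remote configuration changes"),
    Control("C-02", "Firmware images are signed and verified before installation",
            "Rejects images not produced by the manufacturer's release process"),
    Control("C-03", "Stored patient data encrypted with a device-bound key",
            "Limits PHI disclosure if storage is removed or imaged"),
    Control("C-04", "Security event logging", ""),  # justification left blank on purpose
]
SAMPLE_LINKS = [
    ("C-01", "R-01"),
    ("C-02", "R-02"),
    ("C-03", "R-03"),
    ("C-09", "R-02"),  # refers to a control that is not in the control list
]


if __name__ == "__main__":
    print(render_matrix(SAMPLE_RISKS, SAMPLE_CONTROLS, SAMPLE_LINKS))
    print(check_traceability(SAMPLE_RISKS, SAMPLE_CONTROLS, SAMPLE_LINKS))
```

Run as a script it prints the grid and the report; on the sample data it flags R-04 as uncovered (no control addresses malware introduced in manufacturing, item 4 above), C-04 as both orphaned and unjustified, and the link to the undefined C-09. The check is a necessary condition only: whether a linked control actually mitigates its risk remains a reviewer's judgment.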

FDA Draft Post Market Guidance on Cybersecurity

The FDA is currently working on a post market cybersecurity guidance document:
- The post market guidance may be published for public comment as soon as the end of December 2015.
- The scope will likely include addressing the security of legacy devices and information sharing of cyber threat indicators and cyber attack information.

Medical Device Security Risk Domains

Addressing Risks within Product Design

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. As used in this document, Deloitte means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.