Cybersecurity for Medical Devices



Suzanne O'Shea and Kathleen Rice
January 29, 2015

Why Is This Important?

"Security Risks in the Sensors of Implantable Medical Devices"

"Over the last year, we've seen an uptick that has increased our concern," said William H. Maisel, chief scientist at the FDA's Center for Devices and Radiological Health. "The type and breadth of incidents has increased." He said officials used to hear about problems only once or twice a year, but now "we're hearing about them weekly or monthly."
Washington Post, June 13, 2013

Some Background

2005: FDA, "Cybersecurity for Networked Medical Devices Containing OTS Software"
- General principles applicable to software maintenance to address cybersecurity vulnerabilities
- Focus on safety and effectiveness of the medical device
- Device manufacturer's ongoing responsibility
- End users should contact the manufacturer rather than fixing on their own
- Software patches not ordinarily reportable to FDA under 21 CFR Part 806

2009: FDA, "Cybersecurity for Networked Medical Devices is a Shared Responsibility: FDA Safety Reminder"
- Manufacturers and user facilities should work together to address cybersecurity threats in a timely manner.
- FDA typically does not need to review or approve medical device software changes made for cybersecurity reasons.
- All software changes that address cybersecurity threats should be validated before installation to ensure they do not affect the safety and effectiveness of the medical devices.

2013: White House Executive Order 13636, "Improving Critical Infrastructure Cybersecurity"
- "It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."
- "The term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters..."

2013: White House Presidential Policy Directive 21, "Critical Infrastructure Security and Resilience"
Directs the Executive branch to:
- Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time
- Understand the cascading consequences of infrastructure failures
- Evaluate and mature the public-private partnership
- Update the National Infrastructure Protection Plan
- Develop a comprehensive research and development plan

Information Sharing: August 2014 NH-ISAC Memorandum
National Health Information Sharing & Analysis Center (NH-ISAC) and FDA
- FDA to develop a mechanism to share cybersecurity information with NH-ISAC without compromising confidentiality or trade secrets.
- NH-ISAC to develop a mechanism to share cybersecurity information with FDA without infringing existing agreements with NH-ISAC members.
- Establish an interface for stakeholders to share with the FDA information on medical device or healthcare cybersecurity vulnerabilities.
- Develop a shared understanding of the risks posed to medical devices by cybersecurity vulnerabilities.

Moving Forward: October 2014 FDA Guidance, "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices"
Applies to:
- 510(k)s: Traditional, Special, Abbreviated, De Novo
- PMA, PDP, HDE
Cybersecurity, as defined in the guidance: the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored on, accessed from, or transferred from the device to an external recipient.

Collaboration is Key: October 2014 FDA, HHS, and DHS Public Workshop, "Collaborative Approaches for Medical Device and Healthcare Cybersecurity"
Purpose was to catalyze collaboration among all HPH (Healthcare and Public Health) Sector stakeholders. Discussion focused on:
- identification of barriers to promoting medical device cybersecurity;
- innovative strategies to address challenges that may jeopardize critical infrastructure; and
- proactive development of analytical tools, processes, and best practices by all stakeholders in order to strengthen medical device cybersecurity.

What Can We Learn: General Principles from the Guidance
- Identify assets, threats, and vulnerabilities early on
- Assess the impact of threats on device functionality and on end users/patients
- Assess the likelihood of a threat and vulnerability being exploited
- Determine the risk level and suitable mitigation strategies
- Assess residual risk and risk acceptance criteria

Cybersecurity Functions from the NIST Framework
Identify and Protect
- The level of security controls needed will depend on many factors
- Carefully consider the balance between security and usability
- Justify the security functions chosen (or not chosen?)
Detect, Respond, Recover
- Implement features so security compromises can be recognized and acted upon
- Provide the end user with information on appropriate actions to be taken
- Implement features to protect critical functionality, even when the device is compromised
- Provide methods for retention and recovery of device configuration by an authorized user

Recommended Inclusions in a Premarket Submission
- Hazard analysis, mitigations, and design considerations:
  - a specific list of all cybersecurity risks that were considered
  - a specific list of, and justification for, the established cybersecurity controls
- Traceability matrix linking the controls to the risks that were considered
- Summary of the plan for providing software updates throughout the device lifecycle
- Description of controls to ensure software integrity (e.g., free from malware) from the point of origin to the point at which it leaves the manufacturer's control
- Device instructions related to recommended cybersecurity controls in the use environment (e.g., use of a firewall)

Some Questions to Consider:
- How broadly will FDA apply this guidance, including to legacy devices?
- What are the current reporting requirements, and how does this guidance affect them?
- Will following this guidance automatically mitigate risks and make a device secure?
- How important is collaboration, and what are the risks of sharing information?
- What are the liability risks in following or not following the guidance?

Thank you!
Suzanne O'Shea, Suzanne.oshea@faegrebd.com, 317-569-4649
Kathleen Rice, Kathleen.rice@faegrebd.com, 574-239-1958
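The "software integrity" and "software updates" items in the premarket-submission list above name a control without showing one. As an added, worked illustration (example code, not part of the original presentation and not prescribed by the FDA guidance), one widely used approach is for the manufacturer to sign a small manifest for each update, carrying the image hash and a version number, and for the device to verify the manufacturer's signature, the image hash, and a monotonically increasing version before it installs anything. The key pair, version numbers, image bytes, manifest layout, and the `SignUpdate`/`VerifyUpdate` functions below are all constructed for this example and are assumptions, not a standard.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. The manufacturer signs the manifest
// rather than the raw image, so the device can check the version and the
// expected hash before spending time hashing a large image.
type Manifest struct {
	Version   uint32   // must increase on every release (anti-rollback)
	ImageHash [32]byte // SHA-256 of the image bytes
}

// encode serialises the manifest deterministically; this is the signed message.
func (m Manifest) encode() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// SignedUpdate is the package that leaves the manufacturer's control.
type SignedUpdate struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("image hash does not match signed manifest")
	ErrRollback     = errors.New("update version is not newer than installed version")
)

// NewManufacturerKeyPair generates a signing key pair (constructed for the
// example). In production the private half stays in the manufacturer's HSM
// and only the public half is provisioned into devices at manufacture.
func NewManufacturerKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err) // crypto/rand failure; unrecoverable here
	}
	return pub, priv
}

// SignUpdate is the manufacturer-side step: hash the image, sign the manifest.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) SignedUpdate {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(priv, m.encode()), Image: image}
}

// VerifyUpdate is the device-side check. pub is the manufacturer public key
// embedded in the device; installed is the version currently running.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u SignedUpdate) error {
	// 1. Authenticity: only a manifest signed by the manufacturer is trusted,
	//    so a forged version number or hash fails here.
	if !ed25519.Verify(pub, u.Manifest.encode(), u.Signature) {
		return ErrBadSignature
	}
	// 2. Anti-rollback: refuse downgrades to older, possibly vulnerable builds.
	if u.Manifest.Version <= installed {
		return ErrRollback
	}
	// 3. Integrity: the delivered image must match the hash that was signed.
	h := sha256.Sum256(u.Image)
	if !bytes.Equal(h[:], u.Manifest.ImageHash[:]) {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	pub, priv := NewManufacturerKeyPair()
	update := SignUpdate(priv, 2, []byte("firmware v2 image (constructed sample)"))
	fmt.Println("genuine update, device on v1:", VerifyUpdate(pub, 1, update))

	tampered := update // same manifest and signature, modified image
	tampered.Image = append([]byte{}, update.Image...)
	tampered.Image[0] ^= 0xff
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, tampered))

	fmt.Println("replay onto device already on v2:", VerifyUpdate(pub, 2, update))
}
```

The three checks map onto the chain the guidance describes: the private key never leaves the manufacturer, the public key is fixed in the device before shipment, and anything that changes in transit (the image, the manifest, or a replayed older release) is rejected before installation. A real deployment would add key rotation and a revocation path, which this example omits.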