Session 77X Patient Safety Partnership: Predicting and Preventing Threats
Uploaded by Sharleen George, 6 years ago

Transcription
Slide 1: Title
Prepared for the Foundation of the American College of Healthcare Executives
Session 77X Patient Safety Partnership: Predicting and Preventing Threats
Presented by: Debra Bruemmer, Athar Mirza
Slide 2: Patient Safety Partnership: Predicting and Preventing Threats. Disclosure of Relevant Financial Relationships
- The following faculty of this continuing education activity has no relevant financial relationships with commercial interests to disclose: Debra Bruemmer
- The following faculty of this continuing education activity has financial relationships with commercial interests to disclose: Athar Mirza (Baxter Healthcare, salary, employee)
Slide 3: Presenters
- Athar Mirza, Baxter Healthcare Corporation
- Debra Bruemmer, Mayo Clinic

Slide 4: Learning Objectives
- Illustrate the importance of making patient safety a priority in the new technology-dependent healthcare environment.
- Establish standard security testing processes that engage stakeholders with a focus on high-priority devices, which have the greatest potential to disrupt processes when security is breached.
Slide 5: Agenda
- Set the stage: cyber security and the healthcare industry; securing medical devices
- Highlight the Mayo Clinic journey
- Share lessons learned
- Adjusting the course to drive change

Slide 6: Set the stage.
Slide 7: Healthcare is Targeted
- Cyberattack at Appalachian Regional Healthcare keeping EHR down after six days
- FBI Investigating: Hollywood hospital pays $17,000 in bitcoin to hackers
- FDA Safety Communication: Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System
- "The product with the most vulnerabilities in the May-July period was healthcare software Philips Xper Connect, with 272 reported vulnerabilities."
- Healthcare is being targeted
- Computer Viruses Are "Rampant" on Medical Devices in Hospitals: more than 40 viruses hit devices including X-ray machines and lab equipment made by companies such as General Electric Co., Philips N.V. and Siemens AG.

Slide 8: Today's Hostile Environment
- Threat actors have multiple levels of skills: insiders (current and ex), script kiddies, hacktivists, organized crime, nation states
- An active adversary must be assumed, with unlimited time and resources
- The skill level needed to cause harm is going down
- Tools to compromise and harm systems are readily available and cheap (free)
- Harm or disruption could be deliberate or collateral
- We are way past strictly relying upon a firewall
Slide 9: Healthcare Environment
- Hospital demographics: ~5,800 hospitals in the US; the average US hospital has 160 beds and a $10.7 million profit
- Ripe for the picking: dollars are tight and resources are short
- Medical devices have publicly known vulnerabilities and are impacted by malware
- Warnings from FDA and ICS-CERT on vulnerable devices (wake-up call)
- FBI issued a public service announcement: isolate, patch/update, purchase from security-conscious vendors
- Cybersecurity preparations are low: the healthcare industry spends 4% to 6% of its IT budget on security; the financial industry spends 12% to 15%
- 94% of medical institutions say they have been victims of a cyber attack
- A security expert shared that cybercrime is now more lucrative than the illicit drug trade (CBS News, Sept. 2016)

Slide 10: Medical Devices Essential to Care Delivery
- Care is highly dependent upon technology
- Demand for connectivity continues to grow
- The HITECH Act and increasing use of EHRs are driving device connectivity
- 1 in 4 medical devices are network connected
- Medical technology is used to: improve patient outcomes; offset rising costs and decrease resource needs; decrease medical errors; improve access to care; deliver specialized knowledge at the bedside
- Healthcare is no longer possible without technology
Slide 11: Internet of Medical Devices
- United States healthcare is technology rich and diverse
- $110 billion spent each year on medical devices
- 7,000 device manufacturers
- Between 1995 and 2010 there has been a 62% increase in the number of devices per bed
- Mean number of devices per bed is

Slide 12: Status Quo Continues
- Despite cyber threat data and growing awareness, healthcare remains unprepared
- 72% of healthcare providers have less than 200 beds
- 80% of device vendors have less than 50 employees
- The industry continues to be an easy target for cyber attack
- Medical devices are still sold with Windows XP, unsupported since 2014
- Healthcare providers cannot manage medical devices like other technology
- Risks are managed through guidance and collaboration
Slide 13: Mayo's journey to understand and improve medical device security.

Slide 14: Mayo Clinic Overview
- Made a strategic decision to dramatically increase its security posture
- Over 1 million patients per year
- Paperless patient care
- ~230,000 active IP addresses
- High profile patients, significant intellectual property, and classified research
- Formed the Office of Information Security
- Reviewed the surface area of the environment: ~10,000 Windows servers, ~2,000 Linux servers, ~80,000 workstations, ~20, networked medical devices
- Found a significant number of networked devices not IT managed
- Formed a team focused on medical device security: Clinical Information Security
Slide 15: Clinical Information Security Team
- Director of CIS
- Senior Manager
- Security Engineers (deep technical skills): 2 Principal Engineers, 1 Senior Engineer, 1 Engineer
- Security Analysts (mix of organizational, PM and technical skills): 3 Principal Analysts, 2 Senior Analysts, 2 Analysts
- Focus on medical devices, facility systems, and clinical support systems
- Goals: serve as a trusted partner to the practice; identify vulnerabilities; recommend actions to remediate/mitigate vulnerabilities

Slide 16: Mayo Clinic's Journey
- Initial efforts: performed a lite assessment on 40+ devices (preserved patient safety; no direct vendor engagement; Mayo resources)
- Found vulnerabilities in all devices; none passed
- Added resources to the Clinical Information Security team to expand efforts
- Documented the testing methodology and created templates
- Re-assessed the 5 medical devices with the greatest patient safety impact: performed an in-depth assessment (preserved patient safety; no direct vendor engagement; Mayo resources)
- Discovered additional vulnerabilities
- Documented findings with enough detail to enable recreating the vulnerability
- Communicated findings to the medical device vendors: provided a detailed report; engaged to identify and apply actions to remediate/mitigate vulnerabilities
- Operationalized the assessment process
Slide 17: Mayo Clinic Philosophy
- Incorporate security into the procurement process: RFP questions and standard security contract language
- The practice drives the purchase decision; security enables secure execution
- Test medical devices rather than waiting for vendors to identify and address issues (the new strategy is to move this testing to the vendors)
- Document and share test findings with the vendor; outline actions and a timeline to address findings
- Prefer collaboration vs. public disclosure
- Goal: partner with our vendors to have a safe outcome for our patients; this includes assisting vendors in providing us with a secure product
- Benefit society by using Mayo Clinic's influence: require that changes are made to the standard product; drive changes for long-term vendor process improvements

Slide 18: Sharing lessons learned
Slide 19: Security Testing - Landscape
- Legacy devices and systems
- Upgrades and new versions
- Pre-purchases
- Remediated devices
- Medical devices, facility systems, AND clinical support systems: infant protection system, nurse call, temperature monitoring, etc.
- Key: push your security activities to the beginning of the purchase process

Slide 20: Security Testing - System Thinking
- No device lives in isolation; you need to assess the ecosystem a device lives in
- Many devices have control software that is vulnerable
- External access methods and processes require testing
- Map communication patterns to determine all possible threat vectors; test the whole communication chain
- End user processes can thwart security measures
- Include everything needed to support the device and provide patient care: device, software, hardware
- Callouts: the device family concept is important; communication is an important component
Slide 21: Security Testing - Defined Process
- Focus on high priority devices: greatest potential to cause patient harm; greatest potential to widely disrupt patient care processes; impact to Mayo's over-arching network
- Engage all stakeholders: Mayo (clinical users, HTM, IT, facilities) and the vendor
- Assess the whole device family
- Follow the data flow to include points of testing: workstations, servers, and endpoints
- Document demographic information; establish rules of engagement
- [Figure: The Joint Commission Equipment Management Variables, a grid of score pairs (first value 1 to 5, second value 1 to 10) over the axes Equipment Function and Clinical Application]

Slide 22: Security Testing - Defined Process
- Testing includes: operational security review; vulnerability scanning using commercial and public scanners; fuzz testing; penetration testing, simulating multiple attack scenarios; assessing a subset of application code
- Testing outcome: generate a detailed vulnerability assessment report; review the report with internal proponents; review the report with the vendor; outline and document actions and owners (vendor and Mayo); track actions for closure
- Timeline = 3 x 3 x 3; during the initial week of testing it is good to have a vendor rep on-site
- Remediation and mitigation efforts: network; endpoint and system (generally requires customization); workflow
- Requires partnering with the vendor and internal staff
Slide 23: Security Testing - Vulnerability Assessment Methodology
- Network vulnerability assessment
- Web application assessment
- Native software review
- Host configuration review
- Physical and hardware review
- Technical staff interviews

Slide 24: Security Testing - Output
- Comprehensive test report
- Complete details enable the vendor to reproduce the vulnerability
- Include screen prints, video, scripts, etc.
- Rate vulnerabilities as high / medium / low severity using CVSS
- Testing axiom: visibility, transparency, moral high ground
- Footnote: NVC Common Vulnerability Scoring System Support v2 CVSS v
Slide 25: Security Testing - Common Medical Device Findings
- Operational security gaps
- Application vulnerabilities
- Configuration vulnerabilities
- Unpatched OS, middleware and commercial applications
- Lack of encryption

Slide 26: Security Testing - Statistics
- Performed in-depth vulnerability assessment on > 50 device / system families
- 33 vendors engaged in an in-depth VA and remediation of findings
- Infusion pumps and formulary systems (multiple brands), CT, MRI, infant abduction protection, building automation, etc.
- Performed security design analysis prior to purchase: 124 completed in unique vendors engaged
- Issues found, responsible party: 94% vendor, 6% Mayo
Slide 27: Collaboration Key to Ensure Patient Safety
- Requires collaboration beyond what is traditionally seen: vendors share product information not typically disclosed; providers rely on vendor partners to address security issues once identified
- Mutual transparency beyond rhetoric to achieve a shared focus on patient safety
- Exposes the medical device to rigorous testing beyond typical FDA requirements; typically uncovers previously unknown vulnerabilities
- Apply unique expertise from each organization: healthcare providers have clinical knowledge; vendors have product and technical knowledge
- Seek vendors willing to collaborate on cyber security

Slide 28: Adjusting the course to drive change
Slide 29: New Strategy for 2017 - Medical Device Security
- Supported by executive leadership and the practice
- Key aspects: perform a pre-purchase security assessment on all medical devices (scope is enterprise wide, estimated ~1,600 unique devices); include security requirements in purchase contracts
- Challenges: Mayo resources cannot scale to cover all devices; maintain an appropriate level of rigor and consistency across devices
- Execution requires: new internal processes; expanding procurement efforts; communicating to the Mayo practice, other providers, and device vendors

Slide 30: New Strategy for 2017 - Execution
- Establish new internal processes: document medical device standards (IEC / ISO 80001); create a new prioritization algorithm ("Do we care?" and "How much do we care?"); develop the minimum requirement (6 Nevers); create a scalable workflow
- Expand procurement efforts: engage early in the process with RFP questions; develop a new Information Security Schedule and include it in purchase contracts
- Communicate expectations to vendors: document the Mayo testing methodology and templates (Vendor Packet); require the vendor to perform a vulnerability assessment; require inclusion of the Information Security Schedule
Slide 31: 2017 Strategy - New Internal Processes: Medical Device Standard
- Based on existing standards / capabilities: ISO / IEC capabilities
- The MDS2 form is tied to the ISO capabilities
- Repackaging, not creating new
- 77 requirement criteria across the 19 capabilities

Slide 32: IEC / ISO Capabilities
1. Automatic logoff (ALOF)
2. Audit controls (AUDT)
3. Authorization (AUTH)
4. Configuration of security features (CNFS)
5. Cyber security product upgrades (CSUP)
6. Health data de-identification (DIDT)
7. Data backup and disaster recovery (DTBK)
8. Emergency access (EMRG)
9. Health data integrity and authenticity (IGAU)
10. Malware detection/protection (MLDP)
11. Node authentication (NAUT)
12. Person authentication (PAUT)
13. Physical locks on device (PLOK)
14. Third-party components in product lifecycle roadmaps (RDMP)
15. System and application hardening (SAHD)
16. Security guides (SGUD)
17. Health data storage confidentiality (STCF)
18. Transmission confidentiality (TXCF)
19. Transmission integrity (TXIG)
Slide 33: Standard based on ISO Capabilities

Slide 34: 2017 Strategy - New Internal Processes: Revised Prioritization Algorithm
- Information sources: vendor response to the Medical Device Standard Workbook; Mayo determination of patient care impact
- Emphasize patient safety first and foremost
- Three components to the algorithm: compliance with Mayo policies (6 Nevers); impact to patient care safety and workflows; compliance with the new standards (based on ISO 80001) and network impact
- The algorithm determines the path through the new workflow: "Do we care?" and "How much do we care?"
Slide 35: 2017 Strategy - New Internal Processes: Minimum Requirement (6 Nevers)
- 6 minimum requirements set the "bar of goodness":
  - Runs a supported OS
  - Receives routine OS patches
  - Has AV applied and updated
  - Receives routine 3rd-party software patches
  - Contains no default hardcoded passwords
  - Complies with Mayo work account standards
- Below the bar, work with the vendor and the practice: 1st, mitigate or remediate prior to purchase; 2nd, commitment from the vendor to address with a set timeline; 3rd, exception from the Mayo Clinic Security Committee (centralized risk acceptance)

Slide 36: 2017 Strategy - New Internal Processes: Scalable Workflow
- Mayo reviews for "do we care"
- Vendor completes packet
- Review packet; apply algorithm; audit vendor packet
- Engage committee
- Proceed (mitigate or test)
- Mayo test
Slide 37: 2017 Strategy - Expand Procurement Efforts: RFP Process
- Incorporate security into the process early; don't wait for the contract to be signed
- Provides the vendor advance notice
- Educates the buyer on security needs
- RFP security questions cover the security capabilities defined by the IEC / ISO

Slide 38: 2017 Strategy - Expand Procurement Efforts: Contract Language
- Refined existing security language; it will evolve as the threat environment and security needs evolve
- Identify Mayo minimum requirements with respect to controls, practices and procedures
- Applies to all technology purchases, not just medical devices
- Two components: internal Written Security Program; product security requirements
Slide 39: 2017 Strategy - Expand Procurement Efforts: Written Security Program
- Roles and responsibilities of workforce who have direct or incidental access to Mayo data or the products; enacted, implemented, and adhered to
- Access: who; controls (physical, electronic, passwords); intrusion detection and prevention systems; monitoring and logging; etc.
- Data: use, at rest, and in transition
- Disposal of Mayo data: files, media, or products
- Security breach notification and procedures
- Etc.
- A SOC 2 Type II certification can replace the WSP

Slide 40: 2017 Strategy - Expand Procurement Efforts: Product Security Requirements
- FDA guidelines (i.e. fail-safe features)
- Testing and scanning requirements: include SANS CWE Top 25 and/or OWASP Top 10; perform at Mayo request, by a tester mutually agreed to, or by Mayo staff; meet the Mayo testing methodology
- Installation standards (i.e. document needed ports/services, remove unneeded ports/services)
- Development standards
- Users and passwords (i.e. unique, no hardcoded, no persistent admin privilege)
- Security issues and response (i.e. communicate a Known Vulnerability or Exploit (KVE) within 20 days; identify a timeline and plan to remediate/mitigate; warrant that all open source software is actively maintained)
- Penalty for failure to fix a KVE
- Indemnification for cyber-security incidents caused by the device
Slide 41: 2017 Strategy - Communicate Expectations: Vendor Education Session
- Invited targeted vendors to an education session in October 2016
- Communicated Mayo's new strategy and expectations: require the vendor to perform a vulnerability assessment; require inclusion of the Information Security Schedule
- Communicated the new process: walked through the new process; reviewed the Vendor Packet received during the RFP / pre-purchase process
- Deliverables MUST match the EXACT system version being purchased for Mayo Clinic

Slide 42: 2017 Strategy - Communicate Expectations: High Level Steps in New Process
1. The Mayo Proponent sends the vendor contact the Vendor Packet for Pre-Purchase Assessment.
2. The vendor contact completes the Vendor Packet for Pre-Purchase Assessment and returns the completed packet to the Mayo Proponent.
3. The Mayo Proponent submits the Vendor Packet for Pre-Purchase Assessment to Clinical Information Security (CIS).
4. CIS reviews the Vendor Packet for Pre-Purchase Assessment.
5. An Executive Summary is sent to the Proponent and funding committee for review prior to purchase.
Slide 43: 2017 Strategy - Communicate Expectations: Vendor Packet
- Received during the RFP / pre-purchase process
- Included in the packet: process instructions; medical device standard; Information Security Schedule; testing methodology; approved testing vendors; templates; industry and security references; Mayo contacts

Slide 44: 2017 Strategy - Communicate Expectations: Vendor Packet
Slide 45: 2017 Strategy - Communicate Expectations: Vendor Packet

Slide 46: 2017 Strategy - Communicate Expectations: Process Timeline Dependencies
- Timeliness of the vendor in completing a vulnerability assessment of the system as well as all materials requested in the Vendor Packet for Pre-Purchase Assessment.
- Completeness of the provided Vendor Packet for Pre-Purchase Assessment allows the CIS team member to review the materials accurately and without delays. Any missing items or need for follow-up meetings could extend the timeline of the Pre-Purchase Assessment.
- Responsiveness of the vendor and the Mayo Proponent in following this provided procedure.
- Remember, all pre-purchase requests will be assessed for patient safety, device security, and network harm.
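The pre-purchase gate described across these slides (the deliverables must match the exact version being purchased, the device must clear the six minimum requirements, and findings are rated high / medium / low with CVSS, with three escalation paths when a device falls below the bar) can be turned into a repeatable check. The following is an added example written for this page, not Mayo Clinic's workbook or algorithm: the packet fields, the remediation-plan strings, the decision labels and the fictional device data are all assumptions made here, and the severity bands are the NVD qualitative bands for CVSS v2 base scores.

```python
"""Pre-purchase security gate for a medical device vendor packet (added example).

Assumptions (not from the slides): packet field names, the remediation plan
strings "before_purchase" / "committed:<days>", the decision labels in PATHS,
and the fictional sample device. Severity bands follow NVD's CVSS v2 mapping.
"""
from collections import Counter
from dataclasses import dataclass, field

# The six minimum requirements named on the "6 Nevers" slide.
SIX_NEVERS = {
    "supported_os": "Runs a supported OS",
    "os_patches": "Receives routine OS patches",
    "antivirus": "Has AV applied and updated",
    "third_party_patches": "Receives routine 3rd-party software patches",
    "no_default_passwords": "Contains no default hardcoded passwords",
    "account_standards": "Complies with workforce account standards",
}

# Decision paths in the slide's escalation order; the index is the rank.
PATHS = ("proceed", "mitigate_before_purchase", "vendor_commitment", "committee_exception")


def cvss_v2_severity(base_score: float) -> str:
    """Map a CVSS v2 base score to the NVD qualitative bands low / medium / high."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS v2 base score out of range: {base_score}")
    if base_score >= 7.0:
        return "high"
    if base_score >= 4.0:
        return "medium"
    return "low"


@dataclass
class Finding:
    title: str
    cvss_base: float
    owner: str  # who must act: "vendor" or "provider"


@dataclass
class VendorPacket:
    device: str
    assessed_version: str    # version the vendor's assessment actually covers
    purchased_version: str   # version being bought
    six_nevers: dict         # requirement key -> True if the device meets it
    # failed requirement key -> "before_purchase", "committed:<days>" or None
    remediation: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def failed_requirements(packet: VendorPacket) -> list:
    """Requirements the packet does not affirm; an unanswered item counts as failed."""
    return [key for key in SIX_NEVERS if not packet.six_nevers.get(key, False)]


def remediation_rank(plan) -> int:
    """Rank a remediation plan: fixed before purchase (1), vendor-committed with a
    set timeline (2), or nothing credible, which needs central risk acceptance (3)."""
    if plan == "before_purchase":
        return 1
    if isinstance(plan, str) and plan.startswith("committed:") and plan[10:].isdigit():
        return 2
    return 3


def decision_path(packet: VendorPacket) -> str:
    """A packet for the wrong version is rejected outright; otherwise the worst
    outstanding requirement decides the path through the workflow."""
    if packet.assessed_version != packet.purchased_version:
        return "reject_version_mismatch"
    ranks = (remediation_rank(packet.remediation.get(k)) for k in failed_requirements(packet))
    return PATHS[max(ranks, default=0)]


def finding_summary(findings) -> dict:
    """Count findings by CVSS severity band and by responsible party."""
    return {
        "by_severity": dict(Counter(cvss_v2_severity(f.cvss_base) for f in findings)),
        "by_owner": dict(Counter(f.owner for f in findings)),
    }


def evaluate(packet: VendorPacket) -> dict:
    return {
        "device": packet.device,
        "failed_requirements": failed_requirements(packet),
        "path": decision_path(packet),
        "findings": finding_summary(packet.findings),
    }


# Constructed sample packet for a fictional device; every value is illustrative.
SAMPLE_PACKET = VendorPacket(
    device="ExamplePump (fictional)",
    assessed_version="3.1.0",
    purchased_version="3.1.0",
    six_nevers={"supported_os": True, "os_patches": True, "antivirus": False,
                "third_party_patches": True, "no_default_passwords": False,
                "account_standards": True},
    remediation={"no_default_passwords": "before_purchase", "antivirus": "committed:90"},
    findings=[Finding("Cleartext management protocol enabled", 7.5, "vendor"),
              Finding("Outdated third-party library", 5.0, "vendor"),
              Finding("Shared local administrator account", 4.3, "provider")],
)

# Same fictional device, but the assessment covers a different version than the purchase.
MISMATCHED_PACKET = VendorPacket(device=SAMPLE_PACKET.device, assessed_version="3.0.2",
                                 purchased_version="3.1.0", six_nevers=SAMPLE_PACKET.six_nevers)

if __name__ == "__main__":
    for pkt in (SAMPLE_PACKET, MISMATCHED_PACKET):
        print(evaluate(pkt))
```

The sample device fails two requirements: the hardcoded-password gap is fixed before purchase (rank 1) but the antivirus gap only has a vendor commitment with a 90-day timeline (rank 2), so the worst outstanding item routes it to the vendor-commitment path; a plan string that is missing or unparseable deliberately falls through to the committee-exception path rather than being treated as resolved.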
Slide 47: Final Thoughts
- The technology and knowledge exist to fix the problem, but it's not always a technology problem
- While vendors have a responsibility to fix equipment, we both have a responsibility to protect patients
- This is a journey: immediate attention is needed now, with on-going, steady progress
- Collaboration and transparency are feasible and the quickest and most effective way to protect patients

Slide 48: Presenter Biography & Contact Info
Athar Mirza is the Director of Marketing at Baxter Healthcare. He leads the Infusion Systems business at Baxter, which includes the Sigma Spectrum Infusion system and the Access business. Athar received his Bachelor of Science in Biological Sciences from the University of Illinois at Chicago and an MBA from Loyola University, Chicago.
Contact: Athar_Mirza@Baxter.com
Slide 49: Presenter Biography & Contact Info
Debra Bruemmer is the Senior Manager of the Clinical Information Security team at Mayo Clinic in Rochester, Minnesota. She is part of the Office of Information Security. Debra received her Bachelor of Science in Finance from Winona State University and a Master of Business Administration from Cardinal Stritch University, and is CISSP certified. She is accountable for leading a team to assess and improve the security of medical devices, facility systems and clinical support systems used within the Mayo Clinic environment. Her responsibilities include understanding medical devices in the Mayo Clinic environment, assessing the vulnerability of medical devices, and partnering with vendors and internal staff to improve security. During her eighteen-year career at Mayo Clinic, Debra has worked in Finance, Information Technology, and the Office of Information Security.
Contact: Bruemmer.debra@mayo.edu

Slide 50: Bibliography/References
- NVC Common Vulnerability Scoring System Support v2 (CVSS v2)
- FDA, Postmarket Management of Cybersecurity in Medical Devices
- FDA, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
- ISO/IEC/TR :2012, Application of risk management for IT-networks incorporating medical devices. Part 2-1: Step by Step Risk Management of Medical IT-Networks; Practical Applications and Examples
- Manufacturer Disclosure Statement for Medical Device Security (MDS2)
- CWE/SANS Top 25 Most Dangerous Software Errors
- Open Web Application Security Project (OWASP) Top 10 (2013)
More informationMarch 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices
March 6, 2019 Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices On July 21, 2016, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability
More informationDETAILED POLICY STATEMENT
Applies To: HSC Responsible Office: HSC Information Security Office Revised: New 12/2010 Title: HSC-200 Security and Management of HSC IT Resources Policy POLICY STATEMENT The University of New Mexico
More informationExecutive Insights. Protecting data, securing systems
Executive Insights Protecting data, securing systems February 2018 Protecting data, securing systems Product and information security is a combination of education, policies and procedures, physical security
More informationManufacturer Disclosure Statement for Medical Device Security MDS 2 DEVICE DESCRIPTION
Disclosure Statement for Medical Device Security MDS 2 DEVICE DESCRIPTION HN 1-2013 Page 17 Device Model Software Revision Software Release Date Company Name Contact Information or BioFire Diagnostics,
More informationSecurity and Privacy Governance Program Guidelines
Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by
More informationCyber Risk and Networked Medical Devices
Cyber Risk and Networked Medical Devices Hot Topics Deloitte & Touche LLP February 2016 Copyright Scottsdale Institute 2016. All Rights Reserved. No part of this document may be reproduced or shared with
More informationEnsuring System Protection throughout the Operational Lifecycle
Ensuring System Protection throughout the Operational Lifecycle The global cyber landscape is currently occupied with a diversity of security threats, from novice attackers running pre-packaged distributed-denial-of-service
More informationMEDICAL DEVICE SECURITY. A Focus on Patient Safety February, 2018
MEDICAL DEVICE SECURITY A Focus on Patient Safety February, 2018 WHO I AM Adam Brand I Am The Cavalry Director Privacy and Security, Protiviti Focus on Medical Device Healthcare Security Custom EEG Manufacturing,
More informationISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002
ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION
More information90% of data breaches are caused by software vulnerabilities.
90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with
More informationISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION
ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION Cathy Bates Senior Consultant, Vantage Technology Consulting Group January 30, 2018 Campus Orientation Initiative and Project Orientation Project
More informationMeeting PCI DSS 3.2 Compliance with RiskSense Solutions
Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc. What s Changing with PCI DSS? Summary of PCI Business
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationCYBERSECURITY IN THE POST ACUTE ARENA AGENDA
CYBERSECURITY IN THE POST ACUTE ARENA AGENDA 2 Introductions 3 Assessing Your Organization 4 Prioritizing Your Review 5 206 Benchmarks and Breaches 6 Compliance 0 & Cybersecurity 0 7 Common Threats & Vulnerabilities
More informationDesigning and Building a Cybersecurity Program
Designing and Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF) Larry Wilson lwilson@umassp.edu ISACA Breakfast Meeting January, 2016 Designing & Building a Cybersecurity
More informationRecommendations for Implementing an Information Security Framework for Life Science Organizations
Recommendations for Implementing an Information Security Framework for Life Science Organizations Introduction Doug Shaw CISA, CRISC Director of CSV & IT Compliance Azzur Consulting Agenda Why is information
More informationSurprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS
Surprisingly Successful: What Really Works in Cyber Defense John Pescatore, SANS 1 Largest Breach Ever 2 The Business Impact Equation All CEOs know stuff happens in business and in security The goal is
More informationHIPAA Case Study. Implementing a Security Program at a Mid-size Hospital. Lehigh Valley Hospital and Health Network. Brian Martin
HIPAA Case Study Implementing a Security Program at a Mid-size Hospital Lehigh Valley Hospital and Health Network Brian Martin brian.martin@lvh.com 10/30/2002 1 LVHHN Medium healthcare organization 700+
More informationForging a Stronger Approach for the Cybersecurity Challenge. Session 34, February 12, 2019 Tom Stafford, VP & CIO, Halifax Health
Forging a Stronger Approach for the Cybersecurity Challenge Session 34, February 12, 2019 Tom Stafford, VP & CIO, Halifax Health 1 Speaker Introduction Tom Stafford, Vice President & CIO Education: Bachelors
More informationIncentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO
White Paper Incentives for IoT Security May 2018 Author: Dr. Cédric LEVY-BENCHETON, CEO Table of Content Defining the IoT 5 Insecurity by design... 5 But why are IoT systems so vulnerable?... 5 Integrating
More informationFlorida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government
Florida Government Finance Officers Association Staying Secure when Transforming to a Digital Government Agenda Plante Moran Introductions Technology Pressures and Challenges Facing Government Technology
More informationOne Hospital s Cybersecurity Journey
MAY 11 12, 2017 SAN FRANCISCO, CA One Hospital s Cybersecurity Journey SanFrancisco.HealthPrivacyForum.com #HITprivacy Introduction Senior Director Information Systems Technology, Children s Mercy Hospital
More informationCanada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?
Canada Highlights Cybersecurity: Do you know which protective measures will make your company cyber resilient? 21 st Global Information Security Survey 2018 2019 1 Canada highlights According to the EY
More informationCyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS
Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Continual disclosed and reported
More informationAvanade s Approach to Client Data Protection
White Paper Avanade s Approach to Client Data Protection White Paper The Threat Landscape Businesses today face many risks and emerging threats to their IT systems and data. To achieve sustainable success
More informationTHE POWER OF TECH-SAVVY BOARDS:
THE POWER OF TECH-SAVVY BOARDS: LEADERSHIP S ROLE IN CULTIVATING CYBERSECURITY TALENT SHANNON DONAHUE DIRECTOR, INFORMATION SECURITY PRACTICES 1 IT S A RISK-BASED WORLD: THE 10 MOST CRITICAL UNCERTAINTIES
More informationCertification Commission for Healthcare Information Technology. CCHIT A Catalyst for EHR Adoption
Certification Commission for Healthcare Information Technology CCHIT A Catalyst for EHR Adoption Alisa Ray, Executive Director, CCHIT Sarah Corley, MD, Chief Medical Officer, NextGen Healthcare Systems;
More informationPosition Description. Computer Network Defence (CND) Analyst. GCSB mission and values. Our mission. Our values UNCLASSIFIED
Position Description Computer Network Defence (CND) Analyst Position purpose: Directorate overview: The CND Analyst seeks to discover, analyse and report on sophisticated computer network exploitation
More informationPractical Guide to the FDA s Postmarket Cybersecurity Guidance
Practical Guide to the FDA s Postmarket Cybersecurity Guidance Presenter: Jarman Joerres Date: February 3, 2017 www.medacuitysoftware.com Agenda Introductions The Current Cybersecurity Landscape The FDA
More information10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS
10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS WHITE PAPER INTRODUCTION BANKS ARE A COMMON TARGET FOR CYBER CRIMINALS AND OVER THE LAST YEAR, FIREEYE HAS BEEN HELPING CUSTOMERS RESPOND
More informationInformation Security Controls Policy
Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January
More informationx210 Michel Pawlicz / COO
Manufacturer Disclosure Statement for Medical Device Security MDS2 DEVICE DESCRIPTION Medical Device Class II Karos Health Incorporated 2015.05.024 2/21/2018 Manufacturer or Representative Contact Information
More informationInformation Governance, the Next Evolution of Privacy and Security
Information Governance, the Next Evolution of Privacy and Security Katherine Downing, MA, RHIA, CHPS, PMP Sr. Director AHIMA IG Advisors Follow me @HIPAAQueen 2017 2017 Objectives Part Part I IG Topic
More informationRFP/RFI Questions for Managed Security Services. Sample MSSP RFP Template
RFP/RFI Questions for Managed Security Services Sample MSSP RFP Template Table of Contents Request for Proposal Template Overview 1 Introduction... 1 How to Use this Document... 1 Suggested RFP Outline
More informationInformation Security Controls Policy
Information Security Controls Policy Version 1 Version: 1 Dated: 21 May 2018 Document Owner: Head of IT Security and Compliance Document History and Reviews Version Date Revision Author Summary of Changes
More informationRIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015
www.pwc.com RIMS Perk Session 2015 - Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015 Los Angeles RIMS Agenda Introductions What is Cybersecurity? Crown jewels The bad
More informationNavigating Regulatory Issues for Medical Device Software
Navigating Regulatory Issues for Medical Device Software Michelle Jump, MS, MSRS, CHA Principal Regulatory Affairs Specialist Stryker Corporation IEEE Symposium on Software Reliability Engineering (Ottawa,
More informationIT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I
Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program
More informationSage Data Security Services Directory
Sage Data Security Services Directory PROTECTING INFORMATION ASSETS ENSURING REGULATORY COMPLIANCE FIGHTING CYBERCRIME Discover the Sage Difference Protecting your business from cyber attacks is a full-time
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationMedical Devices and Cyber Issues JANUARY 23, American Hospital Association and BDO USA, LLP. All rights reserved.
Medical Devices and Cyber Issues JANUARY 23, 2018 AHA and Cybersecurity Policy Approaches Role of the FDA FDA Guidance and Roles Pre-market Post-market Assistance during attack Recent AHA Recommendations
More informationCybersecurity in Higher Ed
Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,
More informationForeScout Extended Module for Splunk
Enterprise Strategy Group Getting to the bigger truth. ESG Lab Review ForeScout Extended Module for Splunk Date: May 2017 Author: Tony Palmer, Senior Lab Analyst Abstract This report provides a first look
More informationDevelopment of a Process Assessment Model for Assessing Security of IT Networks Incorporating Medical Devices against ISO/IEC
Development of a Process Assessment Model for Assessing Security of IT Networks Incorporating Medical Devices against ISO/IEC 15026-4 Anita Finnegan, Fergal Mc Caffery and Gerry Coleman Regulated Software
More informationHIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp
HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp Agenda Introductions HIPAA Background and History Overview of HIPAA Requirements
More informationWITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:
SOLUTION OVERVIEW: ALERT LOGIC THREAT MANAGER WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE Protecting your business assets and sensitive data requires regular vulnerability assessment,
More informationA company built on security
Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for
More informationTechnology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited
Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry
More informationCyber Resilience. Think18. Felicity March IBM Corporation
Cyber Resilience Think18 Felicity March 1 2018 IBM Corporation Cyber Resilience Cyber Resilience is the ability of an organisation to maintain its core purpose and integrity during and after a cyber attack
More informationProtect Your End-of-Life Windows Server 2003 Operating System
Protect Your End-of-Life Windows Server 2003 Operating System Your guide to mitigating risks in your Windows Server 2003 Systems after the end of support End of Support is Not the End of Business When
More informationProtect Your Organization from Cyber Attacks
Protect Your Organization from Cyber Attacks Leverage the advanced skills of our consultants to uncover vulnerabilities our competitors overlook. READY FOR MORE THAN A VA SCAN? Cyber Attacks by the Numbers
More informationRiskSense Attack Surface Validation for Web Applications
RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment
More informationISE North America Leadership Summit and Awards
ISE North America Leadership Summit and Awards November 6-7, 2013 Presentation Title: Presenter: Presenter Title: Company Name: Embracing Cyber Security for Top-to-Bottom Results Larry Wilson Chief Information
More informationBiomedical Device Security: New Challenges and Opportunities
Biomedical Device Security: New Challenges and Opportunities Florence D. Hudson Senior Vice President and Chief Innovation Officer Internet2 June 22, 2015 The evolution to today s reality in biomedical
More informationSOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT
RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion
More informationNew York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief
Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced
More information