Integration Roundup- Standards and Safety
1 Integration Roundup - Standards and Safety
Erin Sparnon, MEng, Engineering Manager, ECRI Institute
(610) , ext.
2 Today's Agenda
- Using Standards to achieve Integration (20 min)
- Tales from the Field - stories of integration safety (10 min)
- Medical Device Security (10 min)
- Q and A
2010 ECRI Institute
3 About your Speakers
- Erin Sparnon, ECRI Institute
- Axel Wirth, Symantec
4 What is IHE?
Integrating the Healthcare Enterprise (IHE) is an international standards profiling organization.
- Vision: To enable seamless and secure access to information whenever and wherever it is needed
- Mission: To improve healthcare by providing specifications, tools and services for interoperability
5 IHE Enables Interoperability by:
- Developing consensus-based, open source Technical Frameworks (specifications) and Integration Profiles, and making them available in the public domain
- Coordinating the use of established standards, such as CDA or FHIR (HL7), DICOM (within IHE Radiology and Pathology Profiles), LOINC & CDISC (for Laboratory Orders and Reporting), or IEEE x (for mHealth, Medical and Personal Health Devices) to address clinical needs, in support of optimal, organized, and safe patient care
- Facilitating product conformance testing to elicit feedback and demonstrate adherence of products to IHE specifications
Systems developed in accordance with IHE communicate with one another better, are easier to implement, and enable care providers to use information more effectively.
6 Where does IHE fit in the HIT Standards ecosystem?
- Standards Development Organizations: standards, content, messages, architectures (e.g., HL7 2.x messaging, 3.x transport, FHIR, C-CDA, DICOM)
- Framework/Profiling Organizations: building blocks/architectures assembled into solutions for specific interoperability needs (e.g., IHE PIX, PDQ, XDS, DEC)
- Projects: all of the above combined into functional interoperability solutions, constrained to meet the needs of a country, health system or other related need
7 The impact and goal of IHE since 1997!
- Develop, demonstrate, and disseminate trusted, workflow-driven, standards-based interoperability solutions, freely available in IHE Technical Frameworks and Integration Profiles
- IHE uses a globally trusted open ballot process for review
- IHE specifications are vetted through the international ISO process
- Download all specification documents free
- Removed barriers to creating seamless and secure access to and exchange of health data
- Reduces costs by eliminating or reducing the need for proprietary interfaces between systems
8 IHE International is a 501(c)(3) independent non-profit organization
- IHE International Elected Co-Chairs: David Mendelson, MD; Elliot Sloane, PhD
- The IHE International Board is fairly large, with broad representation:
  - One member from each Global Development Domain
  - One member from each National Deployment Committee
  - Two At-Large members from the above communities
  - Two Emeritus members from prior Board membership
- > 21 societies serving as sponsors
- Over 650 contributing vendors & organizations
9 (Map of national deployment) Finland, Israel, Poland. UNDER WAY: Belgium, India, Switzerland, Malaysia, New Zealand, Saudi Arabia, Colombia, Brazil, South Africa
10 IHE USA Participation in the IHE International Cycle - Putting the "D" in Deployment
- Cycle: Proposal, Development, Validation, Certification, Deployment
- IHE USA roles (diagram): Implement/Extension; Testing and Certification; Implement/Roadmap; Implement/Ask IHE USA; Education
11 IHE Interoperability Domains - 18 Years of Steady Evolution Worldwide!
Automated, secure data capture and exchange; user driven & vendor neutral; based on HL7, ICD, and similar global standards.
- Radiology since 1998
- (Healthcare) IT Infrastructure since 2003
- Cardiology since 2004
- Laboratory since 2004
- Radiation Oncology since 2004
- Patient Care Coordination since 2004
- Patient Care Devices since 2005
- Pathology since 2006
- Eye Care since 2006
- Quality, Research & Public Health since 2006
- Pharmacy since 2009
- Endoscopy since 2010
- Dentistry since 2010
- Surgery since 2012
- Mobile devices: under way for 2015!
Now including home care devices, telehealth, and PHRs.
Look carefully: MOST domains capture device AND workflow data; data transfer is accurate and near-immediate.
12 Profiles of Interest - Consistent Time [CT]
- Enables system clocks and time stamps of computers in a network to be synchronized (median error less than 1 second).
- Example: Data from a patient's ventilator, monitor, and infusion pump all reach the EMR in a synchronized manner to allow a fuller picture of the patient's condition
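One way to verify the CT target against live device traffic, as an added example that is not code from the slides or from IHE: it assumes each device message carries the device's own timestamp and that the receiving integration engine, synced to the hospital NTP source, stamps the receipt time. The per-device median of (device time - receipt time) estimates that device's clock offset, and the same offsets show why an unsynchronized pump scrambles the EMR's picture of the patient. Device names and sample values are constructed.

```python
"""Consistent Time (CT) check for networked bedside devices.

Added example, not part of the ECRI/IHE slides. Assumptions: every device
message carries the device's own timestamp, and the receiving enterprise
system (an integration engine synced to the hospital NTP source, here the
"reference") records when it received the message. The per-device median of
(device time - receipt time) estimates that device's clock offset; the slide's
CT target is a median error under 1 second. Device names and sample values
are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

CT_MAX_MEDIAN_ERROR_S = 1.0  # IHE Consistent Time target quoted on the slide


@dataclass(frozen=True)
class Observation:
    device: str
    device_time: datetime   # timestamp as stamped by the device itself
    receipt_time: datetime  # timestamp stamped by the reference system on receipt


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: three devices on one patient, nine messages. The pump's
# clock is about 95 s fast; the other two are within a few hundred ms.
SAMPLE = [
    Observation("ventilator-01", _t("2015-12-16T10:00:00.100"), _t("2015-12-16T10:00:00.000")),
    Observation("infusion-pump-07", _t("2015-12-16T10:01:37.000"), _t("2015-12-16T10:00:02.000")),
    Observation("monitor-03", _t("2015-12-16T10:00:04.700"), _t("2015-12-16T10:00:05.000")),
    Observation("ventilator-01", _t("2015-12-16T10:00:10.200"), _t("2015-12-16T10:00:10.000")),
    Observation("infusion-pump-07", _t("2015-12-16T10:01:46.800"), _t("2015-12-16T10:00:12.000")),
    Observation("monitor-03", _t("2015-12-16T10:00:14.800"), _t("2015-12-16T10:00:15.000")),
    Observation("ventilator-01", _t("2015-12-16T10:00:20.100"), _t("2015-12-16T10:00:20.000")),
    Observation("infusion-pump-07", _t("2015-12-16T10:01:57.200"), _t("2015-12-16T10:00:22.000")),
    Observation("monitor-03", _t("2015-12-16T10:00:24.600"), _t("2015-12-16T10:00:25.000")),
]


def clock_offsets(observations):
    """Median (device_time - receipt_time) per device, in seconds.

    Positive means the device clock runs ahead of the reference. The median
    keeps a single delayed message (network jitter, a retransmit) from
    masquerading as a clock problem.
    """
    per_device = {}
    for o in observations:
        delta = (o.device_time - o.receipt_time).total_seconds()
        per_device.setdefault(o.device, []).append(delta)
    return {d: median(v) for d, v in per_device.items()}


def ct_violations(observations, max_error_s=CT_MAX_MEDIAN_ERROR_S):
    """Devices whose median offset exceeds the CT target, sorted by name."""
    return sorted(d for d, off in clock_offsets(observations).items()
                  if abs(off) > max_error_s)


def event_sequence(observations, offsets=None):
    """Device names in chronological order.

    With offsets=None the raw device timestamps are used, which is what a
    naive EMR merge would do; with measured offsets each timestamp is
    re-based to reference time first.
    """
    def key(o):
        t = o.device_time
        if offsets is not None:
            t -= timedelta(seconds=offsets[o.device])
        return t
    return [o.device for o in sorted(observations, key=key)]


if __name__ == "__main__":
    offsets = clock_offsets(SAMPLE)
    for device, off in sorted(offsets.items()):
        flag = "FAIL" if abs(off) > CT_MAX_MEDIAN_ERROR_S else "ok"
        print(f"{device:18s} median offset {off:+8.3f} s  {flag}")
    print("raw order:      ", event_sequence(SAMPLE))
    print("corrected order:", event_sequence(SAMPLE, offsets))
```

Run against the constructed sample, the pump is the only CT failure; merged by raw timestamps, all three pump messages land after every ventilator and monitor message, while re-basing with the measured offsets interleaves them in the order they actually occurred.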
13 Profiles of Interest - Device Enterprise Communication [DEC]
- Transmits information from medical devices at the point of care to enterprise applications.
- Examples of information sent to the EMR:
  - A physiologic monitor sends a snippet of an ECG waveform
  - An infusion pump server reports that a pump has gone to KVO because it has reached its volume to be infused
14 Profiles of Interest - Point of Care Infusion Verification [PIV]
- Communicates medication orders to an infusion pump or pump server
- Example: A nurse has come into the room and used the bedside barcode scanning system to scan and associate the patient, pumping channel, and medication bag. The enterprise system then sends the medication order to the pump server using PIV, which routes it to the appropriate pump channel.
15 Profiles of Interest - Alert Communication Management [ACM]
- Communicates alerts (alarms - physiological or technical - or advisories), ensuring the right alert with the right priority gets to the right individuals with the right content.
- Examples of information sent to secondary alarm notification systems or middleware:
  - Physiologic monitor communicates an arrhythmia alarm
  - Infusion pump server communicates an air-in-line alarm
16 How can I tell if a system supports IHE profiles?
- Ask to see an Integration Statement for the profile you're interested in
- If an integration statement is unavailable, request conformance in an RFP
- Look for drop-in RFP language in the PCD User Guide
17 Lessons from the Trenches
What has ECRI heard? And what can we do?
18 1. Access Point failure takes down Tele
- A call went in to Welch Allyn that a care area's guest-services wireless network was down.
- A switch in their Cisco network had failed, and central monitoring wasn't being passed through either.
- Remarkable that the problem was first discovered as an outage in the guest network.
Source: tail.cfm?mdrfoi ID=
19 What can you do?
- Monitor AP function and create a notification and escalation scheme for outages:
  - Technical escalation within IT
  - Clinical escalation within CE and Nursing
20 2. Firewall turned on inappropriately
- Staff were setting up for a procedure and received an error message on their bronchoscopy navigation system, which had recently received antivirus software.
- During installation of the anti-virus software, the IT staff turned on the Windows firewall, disrupting communication.
- Once the firewall was turned off, the system once again operated normally.
Source: FM?MDRFOI ID=
21 What can you do?
- Make sure decisions for firewall and security settings are documented and available to the staff responsible for software updates (IT or Clinical Engineering)
- Trial an update in a controlled environment like a test lab
- After updating any device, validate device function before releasing it for clinical use
22 3. Do you want Windows 10?
- Microsoft is offering Windows 10 upgrades free of charge for devices using Windows 7, 8 and 8.1.
- Computers using these OS may prompt users to upgrade, and some users have admin rights.
- Installing a new OS can cause the failure of medical devices or software running on the computers (awaiting publication in Health Devices Alerts)
23 What can you do?
- Strictly control admin privileges
- Do NOT upgrade the computer OS without written assurance from suppliers that medical devices or software will still work
- If an unapproved upgrade happens, follow Microsoft instructions to restore the system
24 4. Third-Party Vulnerability Scanning
- During an unannounced black box test, telemetry kept rebooting and was down for 2 hours
- Facility had forgotten to provide an exclusion list to the security firm
- No tech support in the middle of the night
- Security firm forgot to exclude medical systems in the next test and the problem recurred
Source: ertdisplay.aspx?aid=
25 What can you do?
- Institute an approval plan for vulnerability scans
- Try out the scan in a test environment
- Work with vendors on:
  - Initial implementation
  - Keeping device security settings current
  - Incident reporting and support
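The exclusion-list failure in the telemetry case above comes down to a missing control between the scan request and the scanner. As an added example (not code from the slides or from ECRI), the gate below takes the security firm's requested ranges and the hospital's clinical-device inventory, removes every clinical asset from the active-scan scope, and records what it removed for the approval file. It assumes an inventory with one IP or CIDR per asset and a per-asset scan policy ("exclude", or "approved-window" for assets Clinical Engineering may sign off on for a given run); asset names, addresses and the scan request are constructed.

```python
"""Scan-scope gate: carve clinical devices out of a vulnerability-scan target list.

Added example, not part of the ECRI slides. It assumes the hospital keeps a
clinical-device inventory with an IP or CIDR per asset and a scan policy:
"exclude" (never actively scan) or "approved-window" (scan only with
Clinical Engineering sign-off for this run). Asset names, addresses and the
scan request below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ClinicalAsset:
    name: str
    network: str   # single IP or CIDR
    policy: str    # "exclude" or "approved-window"


# Constructed inventory (hypothetical names and addresses).
INVENTORY = [
    ClinicalAsset("telemetry-central-01", "10.20.1.0/26", "exclude"),
    ClinicalAsset("infusion-pump-server-02", "10.20.2.17", "exclude"),
    ClinicalAsset("pacs-ws-03", "10.20.3.0/25", "approved-window"),
    ClinicalAsset("lab-analyzer-04", "10.30.5.40", "exclude"),
]

# Constructed scan request from the security firm: two clinical-floor ranges.
REQUESTED = ["10.20.0.0/22", "10.30.5.0/24"]


def gate_scan_scope(requested, inventory, approvals=frozenset()):
    """Return (approved_networks, blocked).

    approved_networks: CIDR strings the scanner may actively probe.
    blocked: (asset name, range removed, policy) tuples for the approval record.
    Assets named in `approvals` whose policy is "approved-window" stay in scope.
    """
    approved = []
    blocked = []
    for req in requested:
        pieces = [ipaddress.ip_network(req, strict=False)]
        for asset in inventory:
            if asset.policy == "approved-window" and asset.name in approvals:
                continue  # Clinical Engineering signed off on this asset for this run
            anet = ipaddress.ip_network(asset.network, strict=False)
            remaining = []
            for piece in pieces:
                if not piece.overlaps(anet):
                    remaining.append(piece)
                elif anet.supernet_of(piece):
                    # The requested range lies entirely inside the asset: drop it.
                    blocked.append((asset.name, str(piece), asset.policy))
                else:
                    # The asset is a strict subnet of the requested range: carve it out.
                    remaining.extend(piece.address_exclude(anet))
                    blocked.append((asset.name, str(anet), asset.policy))
            pieces = remaining
        approved.extend(pieces)
    return [str(n) for n in sorted(approved)], blocked


def in_scope(ip, approved_networks):
    """True if `ip` falls inside any approved network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in approved_networks)


if __name__ == "__main__":
    approved, blocked = gate_scan_scope(REQUESTED, INVENTORY)
    print("Approved scan targets:")
    for net in approved:
        print("  ", net)
    print("Removed from scope (attach to the scan approval):")
    for name, rng, policy in blocked:
        print(f"   {name:26s} {rng:18s} {policy}")
```

The scanner is handed only the approved list, so a range that is requested but lies wholly inside a clinical asset disappears from scope rather than being scanned by default; the blocked tuples are what gets filed with the scan approval and shared with the firm before each run, which is the step the facility in the case above skipped twice.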
26 Thank you!
27 Medical Device Cybersafety - a Pragmatic Approach
"The time is ripe to stop admiring the problem" - Suzanne Schwartz, MD, MBA, EMCM / FDA CDRH
Axel Wirth, CPHIMS, CISSP, HCISPP, National Healthcare Architect, Distinguished Systems Engineer
December 16, 2015
28 What do these two gentlemen have in common?
Both made medical decisions based out of concern that their implanted medical device could be hacked!
Copyright 2015 Symantec Corporation
29 Medical Device Cybersecurity - Introduction to the Problem Space
- Risks: Patient safety (lives); Operational / downtime; Data breaches / fines; Revenue / financial; Patient trust & staff morale; National security
- Threats: Targeted attacks; Collateral damage; Malware remediation; Theft / loss; Compliance violation; Lateral attack / weakest-link exploitation; Hacktivism, terrorism
- Vulnerability: Tightly regulated turn-key systems; Long useful life; Poorly protected & patched; No detection & alerting; Ecosystem complexity; Vulnerability of device, hospital, & health system
30 Medical Device Security - Separating Hype from Reality
- Reality (what we know): Malware outbreaks; Operational impact: care delivery downtime; Devices are attacked; Research & security testing; Vulnerabilities are common, broad, and easy to exploit
- Hype (headline material): Dick Cheney's pacemaker; Predictions of murder & assassination; TV shows (CSI Cyber, Homeland)
- Hypothetical (futures): National security & critical infrastructure: cyber-hacktivism, cyber-terrorism, cyber-warfare; Risk of an actual patient safety incident: patient harm, treatment decisions, reputation, unintended consequences
In this discussion we need to focus on Reality, but be prepared for the Hypothetical. In cybersecurity, any single event can change the paradigm! (Unlike traditional hazard analysis, which is linear and predictable.)
31 Medical Device Security - not just a Healthcare Topic
32 FDA Position - evolving, yet often misunderstood
- FDA applies regulatory controls based on patient safety risk: Class I (low risk), Class II (medium risk), Class III (high risk or no precedent)
  - Not all devices require formal FDA approval - filing or listing with FDA is sufficient for many device types
- Initially treated software just like any other component (1999)
  - Include in engineering hazard analysis, test, document residual risks, etc.
- Recognized software's unique needs (2005/2009)
  - Security requires lifecycle management under the manufacturer's Quality System
  - Security patches and upgrades do not require FDA approval or notification, but need to be documented and undergo verification & validation testing
  - This is why hospitals can't install security software w/o approval
- Evolving security understanding - software as a system (2014)
  - Cybersecurity is a manufacturer responsibility
  - Part of premarket documentation and filing / approval
  - Demonstrate (and document) that you considered cybersecurity risks
- Expected statement about postmarket responsibility (Jan. 2016)
  - Changing view: from "intended use" to "intended use in a hostile (cyber) environment"
  - Cybersecurity in the context of a total product life-cycle approach, from design to obsolescence
33 FDA Guidance (Oct. 2014): Recommended security controls
- Identify & Protect: Limit access to trusted users; Ensure trusted content
- Detect, Recover, Respond: Detect, recognize, log, and act upon security incidents; Actions to be taken; Protect critical functionality; Recover device configuration
- Cybersecurity documentation: Hazard analysis, mitigation, design considerations; Traceability matrix (cybersecurity controls to risks); Update and patch management; Manufacturing integrity
Source: ationandguidance/guidancedocuments/ucm pdf
34 What can Possibly Go Wrong?
- Device hack (research only, so far)
- Device loss/theft (PHI breach)
- Drug abuse
- Patch deployment failure
- Reports on device testing with disastrous results
- ICS-CERT and FDA warnings
- FDA, DHS, FBI regulatory action
35 Medical Devices Now Targeted and Exploited!
- MedJack: Medical Device Hijack - APT exploit of medical devices
- 3 hospitals, 3 different medical devices (reported May 2015): Blood Gas, X-Ray, PACS
- Undetected, difficult to remediate
- "Near perfect target": Limited IT visibility; Unprotected / unpatched; Entry point to the network; Common, widespread vulnerabilities
- Pivot point to enter the network; Invisible to IT security
- Malware detected: Zeus, Conficker, Citadel (Ransomware!)
This is not hypothetical anymore; devices are being exploited!
36 ...and as of September, reported at Derbycon
- Exposed 68,000 medical devices from a large, unnamed US health group. Discoverable via the Shodan search engine.
- Thousands of misconfigurations and direct attack vectors, incl. Win XP. Allows for detailed mapping of the network, including devices.
- MRI and defibrillator honeypots: 55,416 login attempts over 6 months; 299 attempts to install malware; 24 exploits of the Conficker vulnerability
Conclusion: Medical devices are a recognized target! Most likely because they are vulnerable, not because of what they are. We have to assume that there are many owned devices out there.
37 Solutions Approach - Key Elements
Manufacturer:
- Organizational: Define responsibilities; Security training; Establish best practices
- Design into your device (based on risk and use): Cybersecurity (update-less); PHI encryption; Authentication, esp. for remote access; Platform hardening; Critical file and function protection
- Document: Device security properties; Risks assessed
- Maintain: Security posture; Documentation
- Stop stupid, cooperate!
Provider (procedural):
- Organizational: Security responsibility; Security training
- Procurement: Specify security requirements in RFP and contracts; Request MDS2; Establish security obligations and contacts
- Asset Management: Complete inventory, including security & privacy properties
- Risk Management: Include medical devices; Supply chain risks; HIPAA (PHI Risk Analysis), Joint Commission (Med. Equipment Safety); ISO/IEC series
Provider (technical):
- Risk Mitigation: Defense in depth
- Device Security: Manufacturer guidance; Patching; Security software (as appropriate)
- Device Handling: Configuration & change management; New device onboarding; EOL (esp. PHI handling); Loaners/leased devices; USB device usage
- Network Architecture: Understand dependencies (device to network gear); Wireless best practices; Biomed VLAN; Security gateway
Note: References for MDS2, IEC 80001, VLAN architecture, etc. are provided in the Appendix.
38 Embedded Systems Security - the right approach
On-device security: HIDS / HIPS
- Eases lifecycle management and patch pressures
- Provides an EOL OS lifeline
- App & process whitelisting
- Common use scenarios: Process/port control; System administration
Deployment by device type:
- FDA-regulated Medical Device (example: imaging, diagnostics): Manufacturer approval / implementation
- Supporting IT System (workstation, server) and Software-only Medical Device (example: PACS workstation): Protect the platform (install on the workstation)
- Non-Medical Device (example: pharmacy robots, building systems, nurse call, etc.): Install on the device as permitted by contract/warranty. Note: check with the manufacturer on the device's FDA status
Company Confidential!
39 Cybersafety - It's a shared Responsibility
Shared problem: Increasing and sophisticated cyber threats; Growing regulatory pressure & compliance risks; Complex and highly integrated ecosystem of vulnerable devices
Coordinated solutions approach:
- Device Manufacturers: Access & authentication; Encryption & data privacy; Device certificates, code signing; Platform and critical system protection; Security capabilities (detection, logging); Cybersecurity documentation & updates
- Healthcare Providers: Procurement & contract management; Processes & workflows; Asset management; Risk analysis & management; Network security & architecture
40 Good security advice: Don't rely on the kindness of strangers; think as if they are out to get you, because they are!
Thank you!
Axel Wirth, axel_wirth@symantec.com, (617)
Copyright 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
41 FDA References
- Information for Healthcare Organizations about FDA's "Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software" (updated July 2015)
- Cybersecurity for Networked Medical Devices is a Shared Responsibility: FDA Safety Reminder (updated Oct. 2014)
- Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software (Jan. 2005): nts/ucm htm
- Off-The-Shelf Software Use in Medical Devices (Sept. 1999)
42 IEEE: Building Code for Medical Device Software Security
- Nov. workshop; released May 2015
- Addressing device manufacturers' secure SW design needs
- Key elements: Avoid vulnerabilities; Cryptography; SW integrity; Impede attackers; Enable detection; Safe degradation; Restoration; Maintain operations; Support privacy
43 IHE International - PCD MEM
Patient Care Device Domain, Medical Equipment Management
- MEM whitepapers: Cybersecurity (2011: Education & Problem Baseline); Cybersecurity Best Practices (2015); Medical Device Patching (2015), co-authored by MDISS and IHE
44 Asset & Supply Chain Management - Manufacturer Disclosure Statement for Medical Device Security (MDS2)
- Medical device security should be part of the procurement process: RFP language; Request NEMA MDS2
- Developed in cooperation by HIMSS and NEMA
- New version Oct.: more detailed (2 -> 6 pages); now harmonized with IEC technical controls
45 IEC Series - Application of Risk Management for IT-Networks Incorporating Medical Devices
- Part 1: Roles, responsibilities and activities
- Part 2-1: Step by Step Risk Management of Medical IT-Networks; Practical Applications and Examples
- Part 2-2: Guidance for the communication of medical device security needs, risks and controls
- Part 2-3: Guidance for wireless networks
- Part 2-4: General implementation guidance for Healthcare Delivery Organizations
- Part 2-5: Application guidance - Guidance for distributed alarm systems
- Part 2-6: Application guidance - Guidance for responsibility agreements
- Part 2-7: Application guidance for healthcare delivery organizations (HDOs) on how to self-assess their conformance with IEC
- Part 2-8: Application guidance - Guidance on standards for establishing the security capabilities identified in IEC
- Part 2-9: Application guidance - Guidance for use of security assurance cases to demonstrate confidence in IEC/TR security capabilities
46 Segregation (VLAN Network, Access Control)
From: VA Medical Device Protection Program (MDPP), presented at the NIST Health Security Conference, May 11,
47 Symantec Internet Security Threat Report, Vol.
More informationProtecting your data. EY s approach to data privacy and information security
Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share
More informationEnterprise Cybersecurity Best Practices Part Number MAN Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationREAL-WORLD STRATEGIES FOR MEDICAL DEVICE SECURITY
SEPTEMBER 11 13, 2017 BOSTON, MA REAL-WORLD STRATEGIES FOR MEDICAL DEVICE SECURITY HealthcareSecurityForum.com/Boston/2017 #HITsecurity Brian Selfridge Partner, Meditology Services https://www.meditologyservices.com/
More informationAvanade s Approach to Client Data Protection
White Paper Avanade s Approach to Client Data Protection White Paper The Threat Landscape Businesses today face many risks and emerging threats to their IT systems and data. To achieve sustainable success
More informationCybersecurity The Evolving Landscape
Cybersecurity The Evolving Landscape 1 Presenter Zach Shelton, CISA Principal DHG IT Advisory Zach.Shelton@DHG.com Raleigh, NC 14+ years of experience in IT Consulting 11+ years of experience with DHG
More informationCHIME and AEHIS Cybersecurity Survey. October 2016
CHIME and AEHIS Cybersecurity Survey October 2016 Fielding and Reponses Responses: 190 Survey fielded: Approximately a month (8/29-9/30) Demographics In what state or U.S. territory do you currently work?
More informationSecurity and Privacy Governance Program Guidelines
Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by
More informationSecuring Industrial Control Systems
L OCKHEED MARTIN Whitepaper Securing Industrial Control Systems The Basics Abstract Critical infrastructure industries such as electrical power, oil and gas, chemical, and transportation face a daunting
More informationAchieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)
Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs) Florida Hospital Association Welcome! John Wilgis Director, Emergency Management Services Florida Hospital Association
More informationSecuring Biomedical Devices. IT Challenges - A View from the Trenches
Securing Biomedical Devices IT Challenges - A View from the Trenches Background Lead newly formed medical device security (MDS) team Previously clinical/research/teaching activities Extensively collaborated
More informationTechnical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016
For Discussion Purposes Only Technical Reference [Draft] DRAFT CIP-013-1 Cyber Security - Supply Chain Management November 2, 2016 Background On July 21, 2016, the Federal Energy Regulatory Commission
More informationApril 28, Division of Dockets Management (HFA-305) Food and Drug Administration 5630 Fishers Lane, Room 1061 Rockville, MD 20852
701 Pennsylvania Avenue, NW Suite 800 Washington, D.C. 20004 2654 Tel: 202 783 8700 Fax: 202 783 8750 www.advamed.org Division of Dockets Management (HFA-305) Food and Drug Administration 5630 Fishers
More informationCybersmart Buildings: Securing Your Investments in Connectivity and Automation
Cybersmart Buildings: Securing Your Investments in Connectivity and Automation Jason Rosselot, CISSP, Director Product Cyber Security, Johnson Controls AIA Quality Assurance The Building Commissioning
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationSYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security
SYMANTEC: SECURITY ADVISORY SERVICES Symantec Security Advisory Services The World Leader in Information Security Knowledge, as the saying goes, is power. At Symantec we couldn t agree more. And when it
More informationthe SWIFT Customer Security
TECH BRIEF Mapping BeyondTrust Solutions to the SWIFT Customer Security Controls Framework Privileged Access Management and Vulnerability Management Table of ContentsTable of Contents... 2 Purpose of This
More informationThe Evolution of Data Center Security, Risk and Compliance
#SymVisionEmea #SymVisionEmea The Evolution of Data Center Security, Risk and Compliance Taha Karim / Patrice Payen The Adoption Curve Virtualization is being stalled due to concerns around Security and
More informationCarbon Black PCI Compliance Mapping Checklist
Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and
More informationSECURITY PLATFORM FOR HEALTHCARE PROVIDERS
SECURITY PLATFORM FOR HEALTHCARE PROVIDERS Hundreds of hospitals, clinics and healthcare networks across the globe prevent successful cyberattacks with our Next-Generation Security Platform. Palo Alto
More informationData Backup and Contingency Planning Procedure
HIPAA Security Procedure HIPAA made Easy Data Backup and Contingency Planning Procedure Please fill in date implemented and updates for your facility: Goal: This document will serve as our back-up storage
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationConCert FAQ s Last revised December 2017
ConCert FAQ s Last revised December 2017 What is ConCert by HIMSS? ConCert by HIMSS is a comprehensive interoperability testing and certification program governed by HIMSS and built on the work of the
More informationISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002
ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION
More informationMission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS
Mission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS Stephanie Poe, DNP, RN-BC CNIO, The Johns Hopkins Hospital and Health System Discussion Topics The Age of Acceleration Cyber
More informationManaging Medical Device Cybersecurity Vulnerabilities
Managing Medical Device Cybersecurity Vulnerabilities Session 11, March 6, 2018 Seth Carmody, CDRH Cybersecurity Program Manager, FDA Center for Devices and Radiological Health (CDRH) Penny Chase, IT and
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationSECURING DEVICES IN THE INTERNET OF THINGS
SECURING DEVICES IN THE INTERNET OF THINGS WHEN IT MATTERS, IT RUNS ON WIND RIVER EXECUTIVE SUMMARY Security breaches at the device level in the Internet of Things (IoT) can have severe consequences, including
More informationExternal Supplier Control Obligations. Cyber Security
External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place
More informationTesting for Reliable and Dependable Health Information Exchange
Testing for Reliable and Dependable Health Information Exchange Presented by Didi Davis, Testing Programs Director 1 Copyright 2016 The Sequoia Project. All rights reserved. Discussion Topics 1. ehealth
More informationIs your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner
Is your privacy secure? HIPAA Compliance Workshop September 2008 Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner Agenda Have you secured your key operational, competitive and financial
More informationRecommendations for Implementing an Information Security Framework for Life Science Organizations
Recommendations for Implementing an Information Security Framework for Life Science Organizations Introduction Doug Shaw CISA, CRISC Director of CSV & IT Compliance Azzur Consulting Agenda Why is information
More informationISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION
ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION Cathy Bates Senior Consultant, Vantage Technology Consulting Group January 30, 2018 Campus Orientation Initiative and Project Orientation Project
More informationForcare B.V. Cross-Enterprise Document Sharing (XDS) Whitepaper
Cross-Enterprise Document Sharing (XDS) Copyright 2010 Forcare B.V. This publication may be distributed in its unmodified whole with references to the author and company name. Andries Hamster Forcare B.V.
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationIncident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles
Incident Response Lessons From the Front Lines Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles 1 Conflict of Interest Nolan Garrett Has no real or apparent conflicts of
More informationArt of Performing Risk Assessments
Clinical Practice Compliance Conference Art of Performing Risk Assessments October 2016 Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) Member FBI InfraGard AGENDA Cyber Risk = Disruptive Business Risk Breaches:
More informationCertification Commission for Healthcare Information Technology. CCHIT A Catalyst for EHR Adoption
Certification Commission for Healthcare Information Technology CCHIT A Catalyst for EHR Adoption Alisa Ray, Executive Director, CCHIT Sarah Corley, MD, Chief Medical Officer, NextGen Healthcare Systems;
More informationClinical Engineering, ehealth, and ICT Global Overview A242-1
Clinical Engineering, ehealth, and ICT Global Overview A242-1 Elliot B. Sloane, PhD, CCE - Elected Fellow of ACCE, AIMBE, and HIMSS President and Founder Center for Healthcare Information Research and
More informationAn Introduction to the ISO Security Standards
An Introduction to the ISO Security Standards Agenda Security vs Privacy Who or What is the ISO? ISO 27001:2013 ISO 27001/27002 domains Building Blocks of Security AVAILABILITY INTEGRITY CONFIDENTIALITY
More informationFDA CDRH perspective on new technologies in inhaler products
2017 IPAC RS/ISAM Joint Workshop New Frontiers in Inhalation Technology FDA CDRH perspective on new technologies in inhaler products Linda Ricci Associate Director ODE DH Office of Device Evaluation Center
More informationHIPAA Regulatory Compliance
Secure Access Solutions & HIPAA Regulatory Compliance Privacy in the Healthcare Industry Privacy has always been a high priority in the health profession. However, since the implementation of the Health
More informationMike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS
Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS Can You Answer These Questions? 1 What s my company s exposure to the latest industrial cyber threat? Are my plants
More informationHIPAA Privacy & Security Training. Privacy and Security of Protected Health Information
HIPAA Privacy & Security Training Privacy and Security of Protected Health Information Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security
More informationCybersecurity Roadmap: Global Healthcare Security Architecture
SESSION ID: TECH-W02F Cybersecurity Roadmap: Global Healthcare Security Architecture Nick H. Yoo Chief Security Architect Disclosure No affiliation to any vendor products No vendor endorsements Products
More informationCopyright 2018 by Boston Scientific, Inc.. Permission granted to INCOSE to publish and use. #hwgsec
Balancing Safety, Security and Usability in the Design of Secure Medical Devices Ken Hoyme Director, Product Security Boston Scientific Ken.hoyme@bsci.com Copyright 2018 by Boston Scientific, Inc.. Permission
More informationManaging SaaS risks for cloud customers
Managing SaaS risks for cloud customers Information Security Summit 2016 September 13, 2016 Ronald Tse Founder & CEO, Ribose For every IaaS/PaaS, there are 100s of SaaS PROBLEM SaaS spending is almost
More informationSECURING DEVICES IN THE INTERNET OF THINGS
SECURING DEVICES IN THE INTERNET OF THINGS EXECUTIVE SUMMARY Security breaches at the device level in the Internet of Things (IoT) can have severe consequences, including steep financial losses, damage
More informationLESSONS LEARNED IN SMART GRID CYBER SECURITY
LESSONS LEARNED IN SMART GRID CYBER SECURITY Lynda McGhie CISSP, CISM, CGEIT Quanta Technology Executive Advisor Smart Grid Cyber Security and Critical Infrastructure Protection lmcghie@quanta-technology.com
More informationSecurity Standardization and Regulation An Industry Perspective
Security Standardization and Regulation An Industry Perspective Dr. Ralf Rammig Siemens AG Megatrends Challenges that are transforming our world Digitalization In the future, we ll be living in a world
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationClinical Segmentation done right with Avaya SDN Fx for Healthcare
Clinical Segmentation done right with Avaya SDN Fx for Healthcare The stark reality is that patients are at grave risk as malicious attacks on exposed medical equipment increase. Table of Contents Highlights...
More information