Practical Guide to the FDA s Postmarket Cybersecurity Guidance

Transcription

1 Practical Guide to the FDA s Postmarket Cybersecurity Guidance Presenter: Jarman Joerres Date: February 3,

2 Agenda Introductions The Current Cybersecurity Landscape The FDA s Cybersecurity Intention Practical Strategy for Compliance Key Takeaways and Special Considerations Questions and Answers February 3,

3 Introductions MedAcuity Software Founded in 2007 with a different approach to software consulting Over 65 full-time, senior specialists who live, eat, breathe, and sleep MedTech software engineering and test Over 100 projects: Strategic/tactical; from firmware to IoT/cloud/mobile About Me MedAcuity Co-Founder Over 20 years experience architecting and implementing MedTech solutions A passion for cybersecurity architectures and strategies February 3,

4 The Current Cybersecurity Landscape Healthcare Organizations have a Bullseye on their Backs Inadequate IT security controls Unsecured legacy devices are everywhere Rich PHI data attracts sophisticated cybercriminals High-impact exploits draw attention/notoriety Current Trends Hacking medical devices for intellectual property Black market for undiscovered breaches Ransomware, phishing, dumpster-diving Typical Cybercriminal Motivations Money Notoriety Chaos February 3,

5 In The News Breaches Come from Everywhere 3.7 million accounts breached via an exploited food and beverage system Legacy Systems are Gateways Hackers infiltrated a facility with a state-of-the-art security system, using an unpatched legacy device Hackers infiltrated a facility and gained access to patient PHI, using an unpatched PACS The FDA is on the Prowl The FDA alerts users of the Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems to security vulnerabilities with risks of significant patient harm February 3,

6 The Intent of the FDA s Guidance Security Throughout Product Development Lifecycle Bolted-on security doesn t work Understand Your Product s Assets and Vulnerabilities Asset evaluation, understand threats/vulnerabilities, mitigation strategy Proactive and Vigilant Surveillance and Response Proactive risk management using known frameworks (NIST Framework) Understand Your Responsibilities as a Medical Device Manufacturer Timely responses, notifications and reporting Communicate and Share findings Participate in the cybersecurity community Active participant in an ISAO (Information Sharing and Analysis Organization) see February 3,

7 Practical Compliance Strategy Phase 0 - Is Your Organization Ready? Gap analysis and roadmap from current state to future state Phase 1 - Establish Good Enough Discipline Establish initial secure SDLC program Ramp up training and education Perform risk analyses and establish discipline Initial reporting/notification and response processes Phase 2 - Evolve Disciplines Enhance and evolve Phase 1 initiatives Focus on efficient incident response and mitigations Proactive/ongoing security assessment /surveillance Test, test, and test again Community outreach February 3,

8 Strategies for Legacy Products Understand Product Roadmap and Lifecycle What is the product s future (internal and external)? Incorporate Secure SDLC Practices for Legacy Products Program Security Team, cybersecurity design reviews and code analysis, etc. Perform Premarket Cybersecurity Assessment Threat modeling/vulnerability assessment, 3 rd party assessments, etc. Proactive Continuous Cybersecurity Testing Develop a cybersecurity test plan and execute FDA is Providing Freedom Around Cybersecurity Mitigations Take advantage of the controlled risk update guidance Work with Customers to Define Compensatory Controls Compensatory controls can be a less costly option February 3,

9 Do the Guidelines Offer Everything You Need? FDA Guidance is Not Prescriptive It s only guidance - leaves significant freedom/interpretation Success requires translating guidance into an actionable plan Execution is Key Postmarket Process Execution is Vital Define, Defend, Identify, Respond You re exposed at the point the vulnerability is exploited a timely response is required to minimize damage You re Still a Business - Risks Beyond Patient Safety/Harm Intellectual property exposure / corporate espionage Business reputation risk Fees / fines due to privacy / confidentially exposures February 3,

10 Key Takeaways and Recommendations Integrate Cybersecurity within All Aspects of Product Lifecycle Establish a Project Security Team with secure SDLC and evolve Understand Your Notification and Reporting Requirements Controlled vs. uncontrolled risks Don t Limit Cybersecurity to Just Patient Harm/Safety You re still a business Develop Incident Response Team Initiatives for Timely Responses Key for limiting cyber exposure February 3,

11 Key Takeaways and Recommendations Proactively Test and Investigate Exploits Ensure testing includes Cybersecurity testing Educate and Train your Organization Majority of vulnerabilities are introduced accidentally Share your Experiences via an ISAO Patch and Secure your Legacy Products Thoughtfully February 3,

12 Thank You and Contact Information Thank you for attending the Cybersecurity Webinar Feel free to contact me with any questions Jarman Joerres February 3,