Cyber Risk and Networked Medical Devices

Transcription

1 Cyber Risk and Networked Medical Devices Hot Topics Deloitte & Touche LLP February 2016

2 Copyright Scottsdale Institute All Rights Reserved. No part of this document may be reproduced or shared with anyone outside of your organization without prior written consent from the author(s). You may contact us at /

3 Mark Ford Advisory Principal Deloitte &Touche LLP Russell Jones Advisory Partner Deloitte & Touche LLP 3

4 Agenda What are we going to talk about today? Digital health: The cybersecurity landscape Hot topics Cybersecurity considerations for networked medical devices 4

5 Digital Health: The Cybersecurity Landscape

6 Set the Stage: Digital Health Defined Digital health is the convergence of the digital and genetics revolutions with health, healthcare, living, and society Digital health encompasses mhealth/ehealth, wireless health, big data, cloud computing and genomics (not an all-inclusive list) Examples of Digital Health Applications and Devices Implantables Capital Equipment Patient Monitoring Systems Genomic Management System Cloud Computing 6 Mobile Medical Apps (mhealth)

7 Digital Health: The Cybersecurity Landscape 75 percent Government web and mobile applications that failed initial security reviews, according to the State of Software Security report from Veracode 1 $9.48 billion The health care cloud computing market is expected to reach this amount by 2020, according to MarketsandMarkets Between 2006 and 2011, 5,294 recalls and approximately 1.2 million adverse events of medical devices were reported to the FDA s Manufacturer and User Facility Device Experience (MAUDE) database 1. Veracode. "Volume 6: Focus on Industry Verticals." State of Software Security 6 (June 2015). 7

8 Innovation like the Internet of Things (IoT) changes the way businesses look at cyber risk Connected devices need to be secured and some can also provide valuable telemetry to help protect an enterprise in conjunction with threat intelligence feeds and real-time network and system data monitoring How does Internet of Things (IoT) create cyber risk? IoT applications are changing healthcare strategy, business models, and operations sensors, networks, standards, augmented intelligence are helping to improve the patient journey. Proliferation of these end points and devices is also leading to an explosion of data and increasing risk. Potential risks include Lack of integration of IoT devices with legacy IT infrastructures leading to an insecure infrastructure Poor data governance what is collected, what can be (mis)used for advertising, location tracking, etc. Malicious or insecure third-party devices The automobile has evolved into a data center on wheels with many Internetconnected features. Data communication includes personal and sensitive information making security considerations required. Potential risks include Integration of large connected manufacturing and industrial systems such as power grids, transportation systems, and manufacturing plants provides heavier automation and efficiencies. However, some remote Industrial Control Systems (ICS) once isolated within a factory or out in the field, and now interconnected online have less mature cyber risk practices. Potential risks include ICS systems built on decades-old technology expose organization to attacks aimed at disrupting production Complex multi-vendor environments for managing vulnerabilities, attack vectors and points to monitor 8

9 Hot Topics

10 FDA Final Premarket Guidance on Cybersecurity Three specific takeaways from the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff Issued on October 2 nd, Manufacturers should address cybersecurity during the design and development of the medical device The scope of the Guidance covers the following: 510k, de novo submissions, pre-market approvals (PMAs), product development protocols, and humanitarian device exemption The FDA is looking for the following in their review of the above submissions: A specific list of all cybersecurity risks that were considered in the design of the device and a list, and justification for all cybersecurity controls that were established for the device; A traceability matrix that links the actual cybersecurity controls to the cybersecurity risks that were considered; A summary describing the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device to continue to assure its safety and effectiveness; A summary describing controls that are in place to assure that the medical device software will remain free of malware from the point of origin to the point at which that device leaves the control of the manufacturer; and Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment. 10

11 FDA Draft Postmarket Guidance on Cybersecurity Specific takeaways from the Postmarket Management of Cybersecurity in Medical Devices: Drat Guidance for Industry and Food and Drug Administration Staff Issued on January 22 nd, 2016: A key concept is essential clinical performance which they define as performance that is required to achieve freedom from unacceptable clinical risk, as defined by the manufacturer. The guidance outlines a risk scoring framework that includes Exploitability of the Vulnerability (H, M, L scale) on the Y axis and Severity Impact to Health based on ISO scale (Negligible, Minor, Serious, Critical, Catastrophic) on the X axis. The FDA has provided illustrative examples of what they define as a comprehensive cybersecurity program that device manufacturers should have in place to manage cyber risk to the medical device from design to obsolescence. As part of the cybersecurity program, the FDA is recommending that manufacturers establish both a vulnerability disclosure policy as well as vulnerability disclosure practices. The FDA will not enforce the reporting requirements under 21 CFR Part 806 if the manufacturers meet all of the following: There are no known serious adverse events or deaths associated with the vulnerability, Within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users, and The manufacturer is a participating member of an ISAO, such as NH-ISAC; 11

12 FDA Medical Device Cybersecurity Workshop The FDA held a medical device cybersecurity workshop on January 20 21, 2016 Some of the specific discussion topics: How to incentivize medical device manufacturers to share vulnerability information with the healthcare community Coordinated vulnerability disclosure Leveraging cybersecurity device leading practices from other industries Medical device manufacturers collaborating with security researchers 12

13 Cybersecurity Considerations for Networked Medical Devices

14 Cybersecurity leading practices for digital health and medical devices Specific cybersecurity leading practices for consideration: Cyber hygiene Security risk management Medical device security requirements Security risk assessment Technical testing Security event handling Threat intelligence Patch and vulnerability management External Communications Vendor collaboration Information sharing Medical device security policy Medical device inventory 14

15 This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see for a detailed description of DTTL and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. Member of Deloitte Touche Tohmatsu Limited