Suzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA

Similar documents
Medical Device Cybersecurity: FDA Perspective

MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

FDA & Medical Device Cybersecurity

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

The Next Frontier in Medical Device Security

Comprehensive Cyber Security Risk Management: Know, Assess, Fix

Managing Medical Device Cybersecurity Vulnerabilities

Cyber Risk and Networked Medical Devices

MDISS Webinar. Medical Device Vulnerability Intelligence Program for Evaluation and Response (MD-VIPER)

Why you should adopt the NIST Cybersecurity Framework

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

DHS Cybersecurity: Services for State and Local Officials. February 2017

Statement for the Record

Cybersecurity Risk Management:

National Preparedness System. Update for EMForum June 11, 2014

Control Systems Cyber Security Awareness

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

Cyber Security & Homeland Security:

HPH SCC CYBERSECURITY WORKING GROUP

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

2014 Sector-Specific Plan Guidance. Guide for Developing a Sector-Specific Plan under NIPP 2013 August 2014

April 21, Division of Dockets Management (HFA-305) Food and Drug Administration 5630 Fishers Lane, Room 1061 Rockville, Maryland 20852

Practical Guide to the FDA s Postmarket Cybersecurity Guidance

Cyber Resilience. Think18. Felicity March IBM Corporation

Medical Device Vulnerability Management

Emergency Management Response and Recovery. Mark Merritt, President September 2011

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

STRATEGIC PLAN. USF Emergency Management

Implementing Executive Order and Presidential Policy Directive 21

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Updates to the NIST Cybersecurity Framework

PIPELINE SECURITY An Overview of TSA Programs

2 nd Cybersecurity Workshop Test and Evaluation to Meet the Advanced Persistent Threat

I. The Medical Technology Industry s Cybersecurity Efforts and Requirements

U.S. Department of Homeland Security Office of Cybersecurity & Communications

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

June 5, 2018 Independence, Ohio

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

The Office of Infrastructure Protection

National Preparedness System (NPS) Kathleen Fox, Acting Assistant Administrator National Preparedness Directorate, FEMA April 27, 2015

Medical Device Cybersecurity A Marriage of Safety and Security

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

The Office of Infrastructure Protection

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

THE POWER OF TECH-SAVVY BOARDS:

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team

The NIST Cybersecurity Framework

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Executive Order on Coordinating National Resilience to Electromagnetic Pulses

THE WHITE HOUSE. Office of the Press Secretary. EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S February 12, 2013 STATE OF THE UNION ADDRESS

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Medical Devices Cybersecurity? Introduction to the Cybersecurity Landscape in Healthcare

National Policy and Guiding Principles

DOD Medical Device Cybersecurity Considerations

Overview of the Federal Interagency Operational Plans

February 21, pm ET

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

Cybersecurity and Hospitals: A Board Perspective

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

COUNTERING IMPROVISED EXPLOSIVE DEVICES

Department of Homeland Security Updates

Security and resilience in Information Society: the European approach

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Medical Devices and Cyber Issues JANUARY 23, American Hospital Association and BDO USA, LLP. All rights reserved.

Incident Response Services

Navigating Regulatory Issues for Medical Device Software

Government-Industry Collaboration: 7 Steps for Resiliency in Critical Infrastructure Protection

Appendix A: Imperatives, Recommendations, and Action Items

Addressing the elephant in the operating room: a look at medical device security programs

National Cybersecurity Center of Excellence

ISRAEL NATIONAL CYBER SECURITY STRATEGY IN BRIEF

DHS Election Task Force Updates. Geoff Hale, Elections Task Force

Long-Term Power Outage Response and Recovery Tabletop Exercise

Industry role moving forward

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management

The Office of Infrastructure Protection

Water Information Sharing and Analysis Center

Mitigation Framework Leadership Group (MitFLG) Charter DRAFT

Overview of the Cybersecurity Framework

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Discussion on MS contribution to the WP2018

Securing Europe's Information Society

NATIONAL CAPITAL REGION HOMELAND SECURITY STRATEGIC PLAN SEPTEMBER 2010 WASHINGTON, DC

The Office of Infrastructure Protection

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Bradford J. Willke. 19 September 2007

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

POSITION DESCRIPTION

The European Policy on Critical Information Infrastructure Protection (CIIP) Andrea SERVIDA European Commission DG INFSO.A3

MULTI-YEAR TRAINING AND EXERCISE PLAN. Boone County Office of Emergency Management

Transcription:

Preventing the Unthinkable: Issues in MedTech Cyber Security Trends and Policies MassMEDIC Cambridge, Mass Thursday Oct 1, 2015 Suzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA

Imagination will often carry us to worlds that never were. But without it we go nowhere. - Carl Sagan 2

3

Did you know that October is National Cybersecurity Awareness Month? Awareness Preparedness Collaboration Slide 4

Why does FDA care about Cybersecurity? Networked medical devices facilitate care Networked medical devices introduce new risks Centers for Disease Control and Prevention (CDC) estimates of annual patient encounters 35 million hospital discharges 100 million hospital outpatient visits 900 million physician office visits Billions of prescriptions Most of these encounters likely include a networked medical device Slide 5

Also the President said so Presidential Policy Directive 8 (PPD-8): National Preparedness Post-Katrina: federal departments and agencies to work with the whole community to develop a national preparedness goal and a series of frameworks and plans related to reaching specified goals. PPD-21: Critical Infrastructure Security and Resilience Executive Order 13636: Improving Critical Infrastructure Cybersecurity a national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure Executive Order 13691: Promoting Private Sector Cybersecurity Information Sharing (2/13/2015) https://www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-privatesector-cybersecurity-information-shari Slide 6

CDRH/FDA Goals Meet our mission: safe and effective devices Raise cyber-security awareness leverage knowledge from other industry sectors Promote safety and security by design by clear regulatory expectation Promote coordinated vulnerability disclosure & proactive vulnerability management Minimize reactive approaches Foster whole of community approach 7

Today s Key Takeaways FDA seeks to foster a whole of community approach Establish a Cybersecurity Risk Management Program Make cyber hygiene paramount Create a trusted environment for information sharing Software updates for cybersecurity do not require premarket review or recall (there are some exceptions) FDA will not be prescriptive with risk analyses Vulnerability disclosure policy, coordinated disclosure and proactive vulnerability management are critical to improving the security posture of the ecosystem as a whole. Slide 8

How might we transform the culture with respect to medical device vulnerability disclosures and what impediments preclude this from happening that we, as a collective, need to address? Slide 9

Roadmap for Today s Discussion The Year in Reflection CDRH/FDA Medical Device Cybersecurity Current Efforts Our Vision Ahead 10

But First, A Word About Vulnerabilities Vulnerabilities are ubiquitous Vulnerability finders are not adversaries Shared interest in protecting against harm Coordinated disclosure relies on mutual respect and understanding of each party s needs and constraints Leverage informational standards: ISO/IEC 29147 Vulnerability Disclosure ISO/IEC 30111 Vulnerability handling Processes Vulnerability Coordination Maturity Model (VCMM) https://hackerone.com/blog/vulnerabilitycoordination-maturity-model 11

CDRH/FDA Activities Guidance Premarket (Final 2014) Wireless Technology (2013) CS for Networked Devices with OTS Software (2005) Standards Cybersecurity (2013 and 2015) Interoperability (2013) Public Communication Safety Communication to Stakeholders (June 2013, May 2015 and July 2015) CS for networked medical devices shared responsibility (2009) Organization Established CSWG of Subject Matter Experts (2013) Stood up Cyber Incident Response Team under EMCM (2013) 12

CDRH/FDA Collaborations Partnering with Department of Homeland Security Coordinating vulnerability assessment and incident response with ICS-CERT Jointly participating in outreach opportunities (conference panels) Enhanced communication & partnering with HHS Critical Infrastructure Protection, CTAC ONC, OCR Strengthen collaboration with NIST through standards, CSF Working Group, infusion pump use case Engaging proactively with Diverse Stakeholders Outreach to hospital, healthcare, medical device & information security researcher community MOU with NH-ISAC NH-ISAC and MDISS collaboration DTSec Project - developing security standards for diabetes devices 13

CDRH/FDA and MITRE Advance the CDRH Medical Device Security Vision via - Stakeholder Engagement Develop Vulnerability Ecosystem Roadmap Analyze and design a trusted environment for collecting, analyzing, and sharing (possibly sensitive) medical device vulnerability and security information. Slide 14

FDA Public Workshop: Collaborative Approaches for Medical Device and Healthcare Cybersecurity October 21-22 2014 Co-sponsored with HHS and DHS 1300 total participants included onsite and remote Broad range of stakeholders Goals: Catalyze collaboration among all HPH stakeholders Identify barriers that impede efforts towards promoting cybersecurity Advance the discussion on innovative approaches for building securable medical devices Slide 15

FDA Public Workshop continued Focus Areas: Increasing awareness Understanding cybersecurity gaps and challenges Legacy devices Exploring tools and standards Leveraging expertise Establishing a collaborative model for information sharing and a shared risk-assessment framework Slide 16

Systemic Challenges Growing cyber threat Cybersecurity may not be on the radar of the C-suite No safe space for information-sharing Lack of a common lexicon Lack of standards for device integration and maintenance No one-size fits all solution Cybersecurity isn t just a design issue; it s a lifecycle issue Incomplete rules of engagement Slide 17

Stakeholder Challenges Lack of trust Many stakeholders addressing cybersecurity in silos Some may not understand the clinical environment Cyber-researchers bring disruption to the community A lot of smaller organizations without the cybersecurity resources or expertise Slide 18

Stakeholder Challenges continued Stakeholders don t know how to prioritize vulnerabilities Stakeholders may not know all of the standards and tools that exist and which are best What is the value proposition? Slide 19

Handshake Virtual Collaboration Tool Goal: Keep promise made at public workshop to provide a virtual space to continue the conversation MITRE hosts a business networking site to support relationships and collaboration among MITRE, government sponsors, industry, and academia Slide 20

Handshake Site hosted by MITRE Medical Device & Healthcare Cybersecurity Created site Top-level group and sub-groups Initial content Drafted a FAQ with rules of engagement Sent invitation email to the 1300 workshop participants on December 18 Individual requests account MITRE sends invitation Individual responds and creates account Individual joins Handshake 21

A Few Words about our Premarket Guidance. (Final Published on 10/2/2014) Shared responsibility between stakeholders Address during design and development Baked in not bolted on Secure design starts with a good process Cybersecurity vulnerability and management approach established as part of software validation and risk analysis as required by 21 CFR 820.30(g) Alignment with NIST Cybersecurity Framework 5 core functions: identify, protect, detect, respond and recover FDA typically will not need to review or approve medical device software changes made solely to strengthen cybersecurity Slide 22

Cybersecurity Risk Management Program Step 1: Adopt a Cybersecurity Culture Premarket Identification of assets, threats, and vulnerabilities; Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients; Assessment of the likelihood of a threat and of a vulnerability being exploited; Determination of risk levels and suitable mitigation strategies; Assessment of residual risk and risk acceptance criteria. Post Market Engage in post market surveillance and Information Sharing and Analysis Organizations (ISAOs) Assess the impact of vulnerabilities and exploits on essential clinical performance of the device Address the risk; actions taken should be commensurate with the risk Disseminate, Incorporate and Iterate 23

What documentation is FDA looking for? Hazard Analyses Evaluate both intentional and unintentional cybersecurity risk Provide information on the risk analyzed Controls established to mitigate risk Provide information on the controls put in place Provide information on the appropriateness of the controls to mitigate identified risk Matrix that links cybersecurity controls to the risk being mitigated Summary documentation on Plan to provide validated patches / updates Plan to assure device integrity Cybersecurity control instructions pertaining to use environment A systematic plan for providing patches and updates to operating systems or medical device software. 24

Best Practices and Tools Adopt a Cybersecurity Culture (Start with NIST): Robust Cybersecurity cultures exist across multiple economic sectors including the financial, utility, and defense sectors. Risk mitigation during total product life cycle from conception to obsolescence Information Sharing (with all stakeholders) Identify, Protect, Detect, Response, Recover Integrate and Iterate Hire/contract with, appropriate personnel Security first, implement design features as well as compensating controls Cyber hygiene (configuration, access control, etc.) http://www.counciloncybersecurity.org/critical-controls/ http://www.fda.gov/medicaldevices/productsandmedicalprocedures/connectedhealth/ucm373213.htm Slide 25

Campaign for Cyber Hygiene Cyber hygiene is a state of diligent control of a device s operation, exercised in the use environment and considered best practice by the security community. This best practice is comprised of safe and proper configuration of available features, least privilege access to control functions and cybersecurity routine servicing. These practices are undertaken in order to maintain and improve cybersecurity. Additional cyber hygiene controls are identified by FDA in the cybersecurity premarket guidance. http://www.counciloncybersecurity.org/critical-controls/ Slide 26

What s Next? Articulating Postmarket Expectations for Medical Device Cybersecurity Total Product Lifecycle Approach for Safety and Security!! Adapting the NIST Framework for the Medical Device Ecosystem Translating the Common Vulnerability Scoring System for medical devices and the clinical use environment Promoting adoption of vulnerability disclosure policy with coordinated vulnerability disclosure & proactive vulnerability management Slide 27

In Summary - Today s Key Takeaways Establish a Cybersecurity Risk Management Program Make cyber hygiene paramount Create a trusted environment for information sharing FDA seeks to foster a whole of community approach Software updates for cybersecurity do not require premarket review or recall (there are some exceptions) FDA will not be prescriptive with risk analyses Vulnerability disclosure policy, coordinated disclosure and proactive vulnerability management are critical to improving the security posture of the ecosystem as a whole Slide 28

CDRH/FDA Forward Looking Vision Post market surveillance Regulatory clarity Premarket expectations Post market expectations Stake holder collaboration Device industry Healthcare organization Federal partners Researchers & experts Enable a platform for maintaining Cybersecurity Awareness Intentional and unintentional threats 29

Logic will get you from A to B. Imagination will take you everywhere. - Albert Einstein 30

THANK YOU! QUESTIONS? Suzanne.Schwartz@fda.hhs.gov 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback