DOD Medical Device Cybersecurity Considerations

Similar documents
Risk Management Framework for DoD Medical Devices

FDA & Medical Device Cybersecurity

Medical Device Cybersecurity: FDA Perspective

Medical Devices and Cyber Issues JANUARY 23, American Hospital Association and BDO USA, LLP. All rights reserved.

INFORMATION ASSURANCE DIRECTORATE

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne

MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

The Next Frontier in Medical Device Security

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

HPH SCC CYBERSECURITY WORKING GROUP

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Addressing the elephant in the operating room: a look at medical device security programs

01.0 Policy Responsibilities and Oversight

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

CYBERSECURITY OF MEDICAL DEVICES AND UL 2900

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

The Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor,

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

Institute of Internal Auditors 2018 IIA CHICAGO CHAPTER JOIN NTAC:4UC-11

April 21, Division of Dockets Management (HFA-305) Food and Drug Administration 5630 Fishers Lane, Room 1061 Rockville, Maryland 20852

Cybersecurity and Hospitals: A Board Perspective

3/3/2017. Medical device security The transition from patient privacy to patient safety. Scott Erven. Who i am. What we ll be covering today

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

NYDFS Cybersecurity Regulations

U.S. FLEET CYBER COMMAND U.S. TENTH FLEET Managing Cybersecurity Risk

MEDICAL DEVICE SECURITY. A Focus on Patient Safety February, 2018

A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface

Why you should adopt the NIST Cybersecurity Framework

Health Information Technology - Supporting Joint Readiness

Cybersecurity vs. Cyber Survivability: A Paradigm Shift

INFORMATION ASSURANCE DIRECTORATE

Medical device security The transition from patient privacy to patient safety

Putting It All Together:

Updates to the NIST Cybersecurity Framework

Statement for the Record

Cyber Security Program

Cybersecurity in Higher Ed

Information Technology Branch Organization of Cyber Security Technical Standard

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Cyber Risk and Networked Medical Devices

Infosec Europe 2009 Business Strategy Theatre. Giving Executives the Security Management Information that they Really Need

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

Cybersecurity & Privacy Enhancements

Suzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Assessing Medical Device. Cyber Risks in a Healthcare. Environment

JUST WHAT THE DOCTOR ORDERED: A SOLUTION FOR SMARTER THERAPEUTIC DEVICES PLACEHOLDER IMAGE INNOVATORS START HERE.

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

Medical Device Vulnerability Management

Information technology Security techniques Information security controls for the energy utility industry

Addressing Cybersecurity in Infusion Devices

One Hospital s Cybersecurity Journey

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Information Security Continuous Monitoring (ISCM) Program Evaluation

Cybersecurity The Evolving Landscape

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

K12 Cybersecurity Roadmap

Managing Medical Device Cybersecurity Vulnerabilities

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Information Security Controls Policy

Digital Healthcare. Yordan Iliev Director R&D Healthcare. Regional Cybersecurity Forum, November 2016, Grand Hotel Sofia, Bulgaria

LESSONS LEARNED IN SMART GRID CYBER SECURITY

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

Electric Sector Security & Privacy Plans for 2011

eplus Managed Services eplus. Where Technology Means More.

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

2015 HFMA What Healthcare Can Learn from the Banking Industry

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

The NIST Cybersecurity Framework

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

RiskSense Attack Surface Validation for IoT Systems

Cybersecurity for Health Care Providers

Information for entity management. April 2018

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Update from HIMSS National Privacy & Security. Lisa Gallagher, VP Technology Solutions November 14, 2013

Security and Privacy Governance Program Guidelines

Aboriginal Affairs and Northern Development Canada. Internal Audit Report Summary. Audit of Information Technology Security.

HIPAA Privacy, Security and Breach Notification

SYSTEMS ASSET MANAGEMENT POLICY

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Solutions Technology, Inc. (STI) Corporate Capability Brief

Forging a Stronger Approach for the Cybersecurity Challenge. Session 34, February 12, 2019 Tom Stafford, VP & CIO, Halifax Health

Electricity Sub-Sector Coordinating Council Charter FINAL DISCUSSION DRAFT 7/9/2013

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

DETAILED POLICY STATEMENT

Certification Commission for Healthcare Information Technology. CCHIT A Catalyst for EHR Adoption

NY DFS Cybersecurity Regulations August 8, 2017

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

INTELLIGENCE DRIVEN GRC FOR SECURITY

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

Digital Health Cyber Security Centre

ISA99 - Industrial Automation and Controls Systems Security

Data to Decisions Terminate, Tolerate, Transfer, or Treat

Unique Device Identification (UDI) Updates on US Activities

Transcription:

Enedina Guerrero, Acting Chief, Incident Mgmt. Section, Cyber Security Ops Branch 2015 Defense Health Information Technology Symposium DOD Medical Device Cybersecurity Considerations 1

DHA Vision A joint, integrated, premier system of health, supporting those who serve in the defense of our country. 2

Learning Objectives Identify processes a medical device user community must apply to protect confidentiality and integrity of electronic information Recognize how Information Technology, Cyber Security and Clinical Engineering/Medical Logistics collaboration is critical to maintain an organization's protection posture Recognize the various protection postures an organization may implement with regards to medical devices host security and in compliance with a DHA Single Security Architecture 3

Agenda Background Directives for Securing Resources Three Part Problem Implementing a Different Approach Risk Assessment Threats High Level View The Process Conclusion 4

Background DHA Health Information Technology (HIT) Directorate in an effort to reduce variability by means of standardization Established a cross functional Integrated Project Team (IPT) to meet multiple technical needs and process initiatives in support of standardization of cybersecurity classifications, criteria and mitigations for Medical Devices mapped to the DHA network architecture. Developed a technical architecture available as part of the Medical Community of Interest (Med-COI) architecture Special Purpose Node (SSPN) delivering defense in depth protections Supports the alignment of process and implementation, but does not own the Medical Device implementation. 5

Directives for Securing Resources Executive Orders, Directives and Guidance Healthcare and Public Health part of Critical Infrastructure Sector (Presidential Policy Directive/PPD-21) National Infrastructure Protection Plan Healthcare and Public Health Sector Specific Plan Health Information Technology (HITECH) Act of 2009 provisions Health and Human Services (HHS) directives Food and Drug Administration (FDA) and HHS guidance 6

Department of Defense Instructions (DoDI) for Securing Resources DoDI 8510.01 Risk Management Framework (RMF), dated 12 March 2014 Platform Information Technology (PIT) / Industrial Control Systems (ICS) Cybersecurity Authorization Metrics Each system, and PIT must have Authorizing Official for authorizing the system s operation DoDI 8500.01 Cybersecurity, dated 14 March 2014 Comply with DoDI 8500 Cybersecurity & DoDI 8510 RMF All IT that receives, processes, stores, displays or transmits DoD information will.be consistent with applicable DoD cybersecurity policies, standards, and architectures. Examples of platforms that may include PIT are: medical devices and health information technologies 7

Three Part Problem The need: Increased need to share electronic patient data has increased number of networked medical devices and applications Medical devices are key tools used to diagnose and treat DOD beneficiaries The guidance: Public laws and DOD regulations provide general guidance on protection requirements, gaps remain for systems that cannot meet traditional cyber security measures FDA regulated devices for a specific purpose cannot be treated as regular information technology (IT) devices 8

Three Part Problem (con t) The challenge: Safety, effectiveness and data, and system security are key properties for connecting networked medical devices without compromising delivery of care and the organization Connecting a regulated medical device to an unregulated network results in a medical IT network with a new set of risks possibly affecting patient safety and medical efficacy Convergence of various medical devices built by multiple vendors on a single network increase number of security vulnerabilities likelihood of compromising data confidentiality, integrity, and availability 9

Implementing a Different Approach DHA HIT sponsored a DHA Medical Device Information Assurance (IA) Architecture and Standards Integrated Project Team to: Align and standardize cybersecurity architecture and mitigations for Medical Devices across DHA Stakeholders supporting: Clinical Functions DHA Consolidation, Med-COI Transition, and Defense Healthcare Management System Modernization (DHMSM) Delivery Acknowledge resource limitations leading to trade-offs Achieve dual goal: Improve patient outcomes and secure networks Maximize medical device vendor vulnerability management controls Leverage to maximum extent Med-COI Single Security Architecture (SSA) SSPN defense in-depth protections 10

Implementing a Different Approach (con t) DHA delivers a single, centrally managed directory and cyber security services infrastructure providing authentication and authorization to simplify and optimize resource access. 11

Risk Assessment Traditional published IT guidance provides a general framework Med-COI SPPN approach recognizes that Each healthcare activity is unique and must be evaluated as such An overarching or one size fits all type of assessment does not take into consideration the diversity of systems found in one location 12

Threats Reported cases Malware on Healthcare.gov health insurance marketplace (PCWorld, Sep 14) Possible vulnerabilities in two computerized drug infusion pumps manufactured by Hospira (AHA News, May 15) Community Health Systems Inc. data exfiltration affecting about 4.5 million patients (CIO Website, Aug 14) Healthcare and Public Health Sector Cyber Risk Framework 13

High Level View The Process In collaboration with Cyber Security Division (CSD), DHA MEDLOG, and Medical Services Identify medical device DOD RMF system and information type categorization From categorization generate Request for Information/Query (RFI/RFQ) Vendor Cyber security questionnaire Initiate Authorization or Risk Assessment process approved for Medical Devices deployed in a Med- COI SSPN 14

High Level View The Process (con t) Evaluation of aggregate system components increase impact of configuration changes Interconnection points and dependencies require evaluation to avoid outages Requires analysis beyond what is required in traditional networks Cybersecurity support for medical devices is the responsibility of IT and Cybersecurity Staff Support cybersecurity processes, IT patches and network resources Clinical Engineering and BioMed staff Management & scheduling of medical device maintenance Oversight of safe use of all medical devices Medical Device Vendor Warranty and contract support for medical devices 15

Conclusion Healthcare practitioners and business partners will rely on digital communications and shared data Policies, laws, and regulatory guidance provide a framework for security and privacy needs DHA desired end state for medical devices Assured delivery of Medical Device data across devices and infrastructure Standardized infrastructure protections Standardized classification, controls criteria and mitigations Standardized risk review, Authorization and Connection Approval process 16

Contact Information Enedina Dina Guerrero Acting Chief, Incident Management/SOC Liaison Section Cyber Security Operations Branch, Cyber Security Division 17

Questions? 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback