Medical Devices and Cyber Issues JANUARY 23, American Hospital Association and BDO USA, LLP. All rights reserved.

Similar documents
POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

Addressing the elephant in the operating room: a look at medical device security programs

Medical Device Cybersecurity: FDA Perspective

Cyber Risk and Networked Medical Devices

MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

FDA & Medical Device Cybersecurity

The Next Frontier in Medical Device Security

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

DOD Medical Device Cybersecurity Considerations

Continuous protection to reduce risk and maintain production availability

Security and Privacy Governance Program Guidelines

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Webcast title in Verdana Regular

HIPAA Privacy, Security and Breach Notification

Cybersecurity and Hospitals: A Board Perspective

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Avanade s Approach to Client Data Protection

DHS Cybersecurity: Services for State and Local Officials. February 2017

Emerging Technologies The risks they pose to your organisations

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

GDPR: A QUICK OVERVIEW

Cyber Incident Response. Prepare for the inevitable. Respond to evolving threats. Recover rapidly. Cyber Incident Response

Cybersecurity for Health Care Providers

Vulnerability Assessments and Penetration Testing

2017 BDO CYBER GOVERNANCE SURVEY

Protecting your data. EY s approach to data privacy and information security

Credit Card Data Compromise: Incident Response Plan

Cyber Risks in the Boardroom Conference

Cyber Security Program

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

CYBER RESILIENCE & INCIDENT RESPONSE

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

CYBER INSURANCE: MANAGING THE RISK

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Security Hygiene. Be in a defensible position. Be cyber resilient. November 8 th, 2017

Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

Information Security Incident Response Plan

A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface

Internet of Things Toolkit for Small and Medium Businesses

Sage Data Security Services Directory

Manchester Metropolitan University Information Security Strategy

locuz.com SOC Services

Incident Response Services

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Continuous Monitoring and Incident Response

Independent Accountant s Report

Practical Guide to the FDA s Postmarket Cybersecurity Guidance

SOC for cybersecurity

Anticipating the wider business impact of a cyber breach in the health care industry

Medical Devices Cybersecurity? Introduction to the Cybersecurity Landscape in Healthcare

CYBERSECURITY OF MEDICAL DEVICES AND UL 2900

Cybersecurity, the Challenges Healthcare Faces AUGUST 17, 2018 BUILDING LEADERS TRANSFORMING HOSPITALS IMPROVING CARE HTS3 2018

Navigating Regulatory Issues for Medical Device Software

CYNERGISTEK NYSE AMERICAN: CTEK

Advanced Security Centers. Enabling threat and vulnerability services in a borderless world

BHConsulting. Your trusted cybersecurity partner

Information Security Incident Response Plan

Cybersecurity. Securely enabling transformation and change

Addressing Cybersecurity in Infusion Devices

Cyber Security For Business

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Vulnerability Management. June Risk Advisory

Designing Secure Medical Devices

Cybersecurity Threat Modeling ISACA Atlanta Chapter Geek Week Conference

Are we breached? Deloitte's Cyber Threat Hunting

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

One Hospital s Cybersecurity Journey

Real estate predictions 2017 What changes lie ahead?

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

HEALTHCARE IT NETWORK SURVEY REPORT

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

Skybox Security Vulnerability Management Survey 2012

Transport and ICT Global Practice Smart Connections for All Sandra Sargent, Senior Operations Officer, Transport & ICT GP, The World Bank

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action

Cyber Espionage A proactive approach to cyber security

Information Security Controls Policy

CYBER SOLUTIONS & THREAT INTELLIGENCE

Department of Management Services REQUEST FOR INFORMATION

Medical Device Vulnerability Management

DETAILED POLICY STATEMENT

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

INTELLIGENCE DRIVEN GRC FOR SECURITY

with Advanced Protection

CENTER for REGULATORY STRATEGY AMERICAS. Global cybersecurity compliance integrity A daunting but manageable challenge

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

IT Consulting and Implementation Services

Cyber Security Strategy

BUSINESS CONTINUITY MANAGEMENT

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

CYBERSECURITY MATURITY ASSESSMENT

BHConsulting. Your trusted cybersecurity partner

Transcription:

Medical Devices and Cyber Issues JANUARY 23, 2018

AHA and Cybersecurity

Policy Approaches

Role of the FDA FDA Guidance and Roles Pre-market Post-market Assistance during attack Recent AHA Recommendations The FDA must provide greater oversight of medical device manufacturers with respect to the security of their products. Manufacturers must be held accountable to proactively minimize risk and continue updating and patching devices as new intelligence and threats emerge. We recommend that the FDA proactive set clear, measurable expectations for manufacturers before incidents and play a more active role during cybersecurity attacks. This active role could include, for example, issuing guidance to manufacturers outlining the expectations for supporting their customers to secure their products.

Laura Hars Senior Manager, Cyber BDO Advisory Services

Overview Introduction to medical device risk What can go wrong? Compliance Page 6

Overview Medical Devices What Are They? What Types? Page 7

Wireless Implantable Medical Devices Deep Brain Neurostimulators Cochlear Implants Gastric Stimulators Cardiac Defibrillators/ Pacemakers Insulin Pumps Foot Drop Implants Page 8

Medical Devices & Compliance Cybersecurity & Medical Devices Medical device manufacturers must comply with federal regulations. Part of those regulations, called quality system regulations (QSRs), requires that medical device manufacturers address all risks, including cybersecurity risk. The pre- and post-market cybersecurity guidance provide recommendations for meeting QSRs. Page 9

Biggest Challenges of Securing Medical Devices Page 10

Medical Devices & Systems: How do they differ? Differences in Impact of Failure INFORMATION TECHNOLOGY MISSION CRITICAL MEDICAL TECHNOLOGY LIFE CRITICAL. Page 11 Security (i.e., data confidentiality, integrity or availability) compromise can have serious financial impact have serious operational impact have serious reputation & legal impact Security compromise of Medical Devices can result in death or serious injury

Medical Devices & Systems: Who Has Responsibility? Information Technology vs Clinical/Biomedical Engineering IT knows data security INFORMATION TECHNOLOGY BUT IT generally has limited knowledge of type, number and vulnerabilities associated with medical devices CE knows number/location of medical devices & misunderstands criticality, lifecycle, and supportability issues CLINICAL / BIOMEDICAL ENGINEERING BUT CE generally has limited knowledge of data security issues Page 12

Medical Devices & Systems: Shared Responsibility Degree of Integrated Support Currently 40% Networked (and rapidly growing) Systems of Systems Overlapping Responsibility? INFORMATION TECHNOLOGY CLINICAL / BIOMEDICAL ENGINEERING Still significant disconnect resulting in coverage gaps Page 13

Case Study Medical Device Concerns at a Large Healthcare Provider Network During a cybersecurity assessment the following concerns were noted: The IT department estimated the number of devices on the network to be approximately 61,000 based on the current asset inventory A scan of the network revealed slightly over 98,000 devices Through interviews with clinical personnel and examinations of manual inventories, it was determined that approximately 35,000 of the 98,000 devices were medical devices (infusion pumps, pacemakers etc.) The Clinical Engineering department maintained an inventory of device manufacturers and serial numbers of the devices but not their network address Although the IT department had to be contacted to enable the connectivity of the device on the hospital network, they also did not keep any inventory or notation of the devices network address Solution: The issue of tracking medical devices was solved by creating a business process that involved both departments using the IT Service Desk tool to track and record the purchase and registration of the devices on the network Page 14

FDA Guidance on Responsibility Manufacturers vs Providers Cyber Risk The FDA does not conduct premarket testing for medical products. Testing is the responsibility of the medical product manufacturer. The medical device manufacturer is responsible for the validation of all software design changes, including computer software changes to address cybersecurity vulnerabilities. Cybersecurity routine updates and patches, are generally considered to be a type of device enhancement for which the FDA does not require advance notification or reporting under 21 CFR part 806. Page 15

Managing the Risk of Medical Devices Through Process and Planning Change Management Process Must Include Risk Assessment Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity. The FDA recognizes that Health care Delivery Organizations (HDOs) are responsible for implementing devices on their networks and may need to patch or change devices and/or supporting infrastructure to reduce security risks. Recognizing that changes require risk assessment, the FDA recommends working closely with medical device manufacturers to communicate changes that are necessary. Page 16

Controlled Versus Uncontrolled Risk CONTROLLED UNCONTROLLED Threat x Vulnerability x Consequence = Risk Page 17

Steps to Cybersecurity for Internet of Things - Medical Devices 1. Categorize existing devices based on risk 2. Implement a clinical risk management framework 3. Ensure your organization follows basic security hygiene 4. Include security requirements in new device contracts or requests for proposals 5. Apply a zero trust networking architecture Page 18

Questions? Page 19

Webinar Series Page 20

Contact Information Laura Hars Senior Manager Cybersecurity BDO Advisory Services Direct: +1 732 734-3059 Mobile: +1 973 903-0453 Email: Lhars@bdo.com Page 21

About BDO Advisory BDO Consulting, a division of BDO USA, LLP, provides clients with Financial Advisory, Business Advisory and Technology Services in the U.S. and around the world, leveraging BDO s global network of more than 67,000 professionals. Having a depth of industry expertise, we provide rapid, strategic guidance in the most challenging of environments to achieve exceptional client service. BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, advisory and consulting services to a wide range of publicly traded and privately held companies. For more than 100 years, BDO has provided quality service through the active involvement of experienced and committed professionals. The firm serves clients through more than 60 offices and over 500 independent alliance firm locations nationwide. As an independent Member Firm of BDO International Limited, BDO serves multi-national clients through a global network of 1,400 offices across 158 countries. BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms. For more information please visit: www.bdo.com. Material discussed is meant to provide general information and should not be acted on without professional advice tailored to your firm s individual needs. Page 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback