Medical Device Cybersecurity: FDA Perspective

Similar documents
MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

FDA & Medical Device Cybersecurity

Comprehensive Cyber Security Risk Management: Know, Assess, Fix

Suzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne

Managing Medical Device Cybersecurity Vulnerabilities

Cyber Risk and Networked Medical Devices

Medical Device Cybersecurity A Marriage of Safety and Security

April 21, Division of Dockets Management (HFA-305) Food and Drug Administration 5630 Fishers Lane, Room 1061 Rockville, Maryland 20852

DHS Cybersecurity: Services for State and Local Officials. February 2017

Navigating Regulatory Issues for Medical Device Software

MDISS Webinar. Medical Device Vulnerability Intelligence Program for Evaluation and Response (MD-VIPER)

The Next Frontier in Medical Device Security

Medical Device Vulnerability Management

Implementing Executive Order and Presidential Policy Directive 21

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

ISAO SO Product Outline

HPH SCC CYBERSECURITY WORKING GROUP

Addressing the elephant in the operating room: a look at medical device security programs

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Medical Devices and Cyber Issues JANUARY 23, American Hospital Association and BDO USA, LLP. All rights reserved.

April 21, Division of Dockets Management (HFA-305) Food and Drug Administration 5630 Fishers Lane, Room 1061 Rockville, MD 20852

Medical Device Security: The Next Frontier

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

I. The Medical Technology Industry s Cybersecurity Efforts and Requirements

2017 ANNUAL CONFERENCE RECAP

Addressing Cybersecurity in Infusion Devices

Medical Devices Cybersecurity? Introduction to the Cybersecurity Landscape in Healthcare

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

Consideration of Cybersecurity vs Safety Risk Management

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association

DOD Medical Device Cybersecurity Considerations

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Cybersecurity and Hospitals: A Board Perspective

3/3/2017. Medical device security The transition from patient privacy to patient safety. Scott Erven. Who i am. What we ll be covering today

Medical device security The transition from patient privacy to patient safety

2 nd Cybersecurity Workshop Test and Evaluation to Meet the Advanced Persistent Threat

National Preparedness System (NPS) Kathleen Fox, Acting Assistant Administrator National Preparedness Directorate, FEMA April 27, 2015

Cybersecurity for Health Care Providers

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

CHIME and AEHIS Cybersecurity Survey. October 2016

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

The NIS Directive and Cybersecurity in

Cybersecurity Risk Oversight: the NIST Framework and EU approaches

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

National Policy and Guiding Principles

Control Systems Cyber Security Awareness

The NIST Cybersecurity Framework

Practical Guide to the FDA s Postmarket Cybersecurity Guidance

Below we ve highlighted several of the key points from the final guidance document.

Cyber Security Program

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team

Homeland Security Perspectives: Oregon Fire District Directors Association October 25, 2018

Appendix A: Imperatives, Recommendations, and Action Items

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Cyber Security Requirements for Supply Chain. June 17, 2015

Monthly Cyber Threat Briefing

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

The Office of Infrastructure Protection

Webcast title in Verdana Regular

Section One of the Order: The Cybersecurity of Federal Networks.

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Updates to the NIST Cybersecurity Framework

Executive Insights. Protecting data, securing systems

STANDARD INFORMATION SHARING FORMATS. Will Semple Head of Threat and Vulnerability Management New York Stock Exchange

European Union Agency for Network and Information Security

Continuous protection to reduce risk and maintain production availability

Mr. Games, Thank you. Kent Landfield McAfee, LLC. [Attachment Copied Below]

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

Re: McAfee s comments in response to NIST s Solicitation for Comments on Draft 2 of Cybersecurity Framework Version 1.1

Cyber Security & Homeland Security:

FDA CDRH perspective on new technologies in inhaler products

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

Ensuring Privacy and Security of Health Information Exchange in Pennsylvania

Future-Proof Security & Privacy in IoT

THE WHITE HOUSE. Office of the Press Secretary. EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S February 12, 2013 STATE OF THE UNION ADDRESS

Emergency Management Response and Recovery. Mark Merritt, President September 2011

ENISA EU Threat Landscape

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management

Emerging Issues: Cybersecurity. Directors College 2015

Introduction Privacy, Security and Risk Management. What Healthcare Organizations Need to Know

About Issues in Building the National Strategy for Cybersecurity in Vietnam

ENISA & Cybersecurity. Dr. Udo Helmbrecht Executive Director, European Network & Information Security Agency (ENISA) 25 October 2010

The Office of Infrastructure Protection

Language for Control Systems

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

FEMA Update. Tim Greten Technological Hazards Division Deputy Director. NREP April 2017

REAL-WORLD STRATEGIES FOR MEDICAL DEVICE SECURITY

Why you should adopt the NIST Cybersecurity Framework

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Bradford J. Willke. 19 September 2007

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

Information Security Continuous Monitoring (ISCM) Program Evaluation

MEDICAL DEVICE SECURITY. A Focus on Patient Safety February, 2018

Transcription:

Medical Device Cybersecurity: FDA Perspective Suzanne B. Schwartz MD, MBA Associate Director for Science and Strategic Partnerships Office of the Center Director (OCD) Center for Devices and Radiological Health (CDRH) Food and Drug Administration (FDA) Slide 1

Agenda Framing The Issue for Healthcare Public Health Timeline of FDA Activities Key Principles of Cybersecurity Premarket Guidance (FINAL issued Oct 2014) Key Principles of Postmarket Management of Cybersecurity in Medical Devices (DRAFT guidance January 2016) Summary & Next Steps in 2016 Slide 2

FRAMING THE ISSUE: ENVIRONMENT The health care and public health (HPH) sector represents a significant and large attack surface Intrusions and breaches occur through weaknesses in the system architecture Connected medical devices, like all other computer systems, are vulnerable to threats When medical device vulnerabilities are not addressed and remediated, they can serve as access points for entry into hospital/health care facility networks May lead to compromise of data confidentiality, integrity, and availability May serve as a safety issue Slide 3

Executive Orders (EO), Presidential Policy Directives (PPD), and Framework to Strengthen Critical Infrastructure Cybersecurity EO 13636 (Feb 2013) - Improving Critical Infrastructure Cybersecurity PPD 21 (Feb 2013) - Critical Infrastructure Security and Resilience NIST Voluntary Framework (Feb 2014) EO 13691 (Feb 2015) Promoting Private Sector Cybersecurity Information Sharing Slide 4

Medical Device Cybersecurity Background Contain configurable embedded computer systems Increasingly interconnected Wirelessly connected Legacy devices Varied responsibilities for purchase, installation and maintenance of medical devices, often silo-ed Variable control over what is placed on the network Inconsistent training and education on security risks 5

Medical Device Vulnerabilities Network-connected medical devices infected or disabled by malware Malware on hospital computers, smartphones/tablets, and other wireless mobile devices used to access patient data, monitoring systems, and implanted patient devices Uncontrolled distribution of passwords Open unused communication ports Failure to provide timely security software updates and patches Security vulnerabilities in off-the-shelf software designed to prevent 6 unauthorized device or network access

Timeline of Key FDA Activities 2013: Began coordination with Department Homeland Security Industrial Control Systems Cyber Emergency Response Team (DHS-ICS-CERT) in response to security researchers reporting of vulnerabilities Issued Safety Communication on shared ownership and shared responsibility among stakeholders, cyber hygiene Engaged in outreach, education, and building collaboration 2014: Executed Memorandum of Understanding with the National Health Information Sharing & Analysis Center (NH-ISAC) Final Premarket Cybersecurity Guidance Released http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedoc uments/ucm356190.pdf Convened workshop, Collaborative Approaches for Medical Device and Healthcare Cybersecurity 2015: Ongoing coordination with DHS-ICS-CERT, medical device manufacturers and security researchers on reported medical device vulnerabilities Fostered collaboration with multiple stakeholder groups across the ecosystem Issued product-specific safety communications on medical device vulnerabilities 2016: Draft Postmarket Cybersecurity Guidance Released (http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidance Documents/UCM482022.pdf) Slide 7

Key Take Home Messages - for Manufacturers Design & Develop devices that are securable throughout their product lifecycle Be mindful that there is an active adversary and that the device will need to be updated so that it can be secure Software updates for cybersecurity do not require pre-market review or recall (there are some exceptions) Understand & develop threat modeling for your device Understand the implications of your own supply chain Establish a Cybersecurity Risk Management Program Make cyber hygiene paramount Respond to and address security vulnerabilities that are identified for your marketed devices Vulnerability disclosure policy, coordinated disclosure and proactive vulnerability management are critical to improving the security posture of the ecosystem as a whole. Change the culture of engagement with all stakeholders Slide 8

Today s Key Take Home Messages for Healthcare Delivery Organizations (HDO s) Understand what you are purchasing and deploying Where feasible, include securability for the lifetime of your device in your procurement specs contract language Develop plan to work with your manufacturers and end users to meet your identified needs Educate and train your end users on the importance of maintaining system security Make cyber hygiene paramount Monitor your network and respond to security vulnerabilities and exploits Vulnerability disclosure policy, coordinated disclosure and proactive vulnerability management are critical to improving the security posture of the ecosystem as a whole. Change the culture of engagement with all stakeholders Slide 9

Key Take Home Messages for Security Researchers Engaging in good faith research towards promoting security and reducing risk of potential harm is very important to the medical device ecosystem Your technical expertise is of great value and should be leveraged Be proactive about gaining a better understanding and education of the clinical environment and the regulatory, risk-based framework Broad assumptions, perceptions and/or entrenched beliefs that stakeholders in healthcare are ignoring the researcher community and have known about these issues for years are just that Vulnerability disclosure policy, coordinated disclosure and proactive vulnerability management are critical to improving the security posture of the ecosystem as a whole Change the culture of engagement with all stakeholders Slide 10

Session Key Activities II Objectives intended to: Inform key concepts of FDA s current thinking with respect to premarket and post market management of medical device cybersecurity: Essential clinical performance and potential impact on patient safety Integration of threat modeling Information-sharing and timely remediation Discuss stakeholders interpretation and identify implementation challenges Obtain input from healthcare and public health sector stakeholders on information sharing needs Slide 11

Premarket Cybersecurity Guidance Draft June 2013 Final October 2014 Key Principles: #1 Shared responsibility between stakeholders, including health care facilities, patients, providers, and manufacturers of medical devices #2 Address cybersecurity during the design and development of the medical device #3 Establish design inputs for device related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 CFR 820.30(g) Slide 12

Premarket Cybersecurity Submission Expectations Risk Management (threat modeling) Inclusion of hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including: A specific list of all cybersecurity risks that were considered in the design of your device; A specific list and justification for all cybersecurity controls that were established for your device. Traceability Inclusion of a traceability matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered Slide 13

Premarket Cybersecurity Submission Expectations Lifecycle Plans Plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device A summary describing controls that are in place to assure that the medical device software will maintain its integrity (e.g. remain free of malware) from the point of origin to the point at which that device leaves the control of the manufacturer Labeling Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g. antivirus software, use of firewall) Slide 14

Key Principles of Postmarket Management of Cybersecurity in Medical Devices Collaborative approach to information sharing and risk assessment Articulate manufacturer responsibilities by leveraging existing Quality System Regulation and postmarket authorities Align with Presidential EOs and NIST Framework Incentivize the right behavior Risk-based approach to assuring risks to public health are addressed in a timely fashion Slide 15

Use of NIST Framework Both Guidance documents recommend use of NIST Cybersecurity Framework s 5 core functions Identify Protect and Detect Vulnerability assessment and risk analysis Respond and Recover Compensating controls, risk mitigation and remediation Slide 16

Postmarket Cybersecurity Guidance - DRAFT Cybersecurity risk management programs should include: Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk; Understanding, assessing and detecting presence and impact of a vulnerability; Establishing and communicating processes for vulnerability intake and handling; Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk; Adopting a coordinated vulnerability disclosure policy and practice; and Deploying mitigations that address cybersecurity risk early and prior to exploitation Slide 17

Information Sharing and Analysis Organizations (ISAO) The ISAO best practice models are intended to be: Inclusive - groups from any and all sectors, both non-profit and for-profit, expert or novice, should be able to participate in an ISAO; Actionable - groups will receive useful and practical cybersecurity risk, threat indicator, and incident information via automated, real-time mechanisms if they choose to participate in an ISAO; Transparent - groups interested in an ISAO model will have adequate understanding of how that model operates and if it meets their needs; and Trusted - participants in an ISAO can request that their information be treated as Protected Critical Infrastructure Information. Such information is shielded from any release otherwise required by the Freedom of Information Act or State Sunshine Laws and is exempt from regulatory use and civil litigation. See: http://www.dhs.gov/isao Slide 18

Medical Device Cybersecurity Risk Management Slide 19

Summary and Next Steps Medical device cybersecurity requires a total product life cycle approach: from design to obsolescence FDA s proposed regulatory policy incentivizes proactive behavior and good cyber hygiene Strengthening cybersecurity within the healthcare and public health sector is a collective effort amongst all stakeholders Development and validation of meaningful tools for assessment of vulnerabilities in the clinical environment is an area of focus going forward Slide 20

FDA Resources FDA Medical Device Cybersecurity Webpage: http://www.fda.gov/medicaldevices/digitalhealth/ucm37 3213.htm Postmarket management of cybersecurity in medical devices DRAFT Guidance: http://www.fda.gov/downloads/medicaldevices/devicere gulationandguidance/guidancedocuments/ucm482022.p df Slide 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback