Cyber Risk and Networked Medical Devices


Cyber Risk and Networked Medical Devices Hot Topics Deloitte & Touche LLP February 2016

Copyright Scottsdale Institute 2016. All Rights Reserved. No part of this document may be reproduced or shared with anyone outside of your organization without prior written consent from the author(s). You may contact us at scottsdale@scottsdaleinstitute.org / 952.545.5880.

Mark Ford, Advisory Principal, Deloitte & Touche LLP, mford@deloitte.com
Russell Jones, Advisory Partner, Deloitte & Touche LLP, rujones@deloitte.com

Agenda: What are we going to talk about today?
Digital health: The cybersecurity landscape
Hot topics
Cybersecurity considerations for networked medical devices

Digital Health: The Cybersecurity Landscape

Set the Stage: Digital Health Defined
Digital health is the convergence of the digital and genetics revolutions with health, healthcare, living, and society. Digital health encompasses mHealth/eHealth, wireless health, big data, cloud computing and genomics (not an all-inclusive list).
Examples of Digital Health Applications and Devices: Implantables; Capital Equipment; Patient Monitoring Systems; Genomic Management System; Cloud Computing; Mobile Medical Apps (mHealth)

Digital Health: The Cybersecurity Landscape
75 percent: government web and mobile applications that failed initial security reviews, according to the State of Software Security report from Veracode [1].
$9.48 billion: the health care cloud computing market is expected to reach this amount by 2020, according to MarketsandMarkets.
Between 2006 and 2011, 5,294 recalls and approximately 1.2 million adverse events of medical devices were reported to the FDA's Manufacturer and User Facility Device Experience (MAUDE) database.
1. Veracode. "Volume 6: Focus on Industry Verticals." State of Software Security 6 (June 2015). http://www.veracode.com/resources/state-of-software-security.

Innovation like the Internet of Things (IoT) changes the way businesses look at cyber risk
Connected devices need to be secured, and some can also provide valuable telemetry to help protect an enterprise in conjunction with threat intelligence feeds and real-time network and system data monitoring.
How does the Internet of Things (IoT) create cyber risk?
IoT applications are changing healthcare strategy, business models, and operations; sensors, networks, standards, and augmented intelligence are helping to improve the patient journey. Proliferation of these end points and devices is also leading to an explosion of data and increasing risk. Potential risks include:
Lack of integration of IoT devices with legacy IT infrastructures, leading to an insecure infrastructure
Poor data governance: what is collected, what can be (mis)used for advertising, location tracking, etc.
Malicious or insecure third-party devices
The automobile has evolved into a data center on wheels with many Internet-connected features. Data communication includes personal and sensitive information, making security considerations required. Potential risks include
Integration of large connected manufacturing and industrial systems such as power grids, transportation systems, and manufacturing plants provides heavier automation and efficiencies. However, some remote Industrial Control Systems (ICS), once isolated within a factory or out in the field and now interconnected online, have less mature cyber risk practices. Potential risks include:
ICS systems built on decades-old technology expose the organization to attacks aimed at disrupting production
Complex multi-vendor environments for managing vulnerabilities, attack vectors and points to monitor

Hot Topics

FDA Final Premarket Guidance on Cybersecurity
Three specific takeaways from the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff, issued on October 2nd, 2014:
Manufacturers should address cybersecurity during the design and development of the medical device.
The scope of the Guidance covers the following: 510(k), de novo submissions, pre-market approvals (PMAs), product development protocols, and humanitarian device exemptions.
The FDA is looking for the following in their review of the above submissions:
A specific list of all cybersecurity risks that were considered in the design of the device, and a list of, and justification for, all cybersecurity controls that were established for the device;
A traceability matrix that links the actual cybersecurity controls to the cybersecurity risks that were considered;
A summary describing the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device to continue to assure its safety and effectiveness;
A summary describing controls that are in place to assure that the medical device software will remain free of malware from the point of origin to the point at which that device leaves the control of the manufacturer; and
Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment.

FDA Draft Postmarket Guidance on Cybersecurity
Specific takeaways from the Postmarket Management of Cybersecurity in Medical Devices: Draft Guidance for Industry and Food and Drug Administration Staff, issued on January 22nd, 2016:
A key concept is "essential clinical performance," which they define as performance that is required to achieve freedom from unacceptable clinical risk, as defined by the manufacturer.
The guidance outlines a risk scoring framework that includes Exploitability of the Vulnerability (H, M, L scale) on the Y axis and Severity Impact to Health based on the ISO 14971 scale (Negligible, Minor, Serious, Critical, Catastrophic) on the X axis.
The FDA has provided illustrative examples of what they define as a comprehensive cybersecurity program that device manufacturers should have in place to manage cyber risk to the medical device from design to obsolescence.
As part of the cybersecurity program, the FDA is recommending that manufacturers establish both a vulnerability disclosure policy and vulnerability disclosure practices.
The FDA will not enforce the reporting requirements under 21 CFR Part 806 if the manufacturer meets all of the following:
There are no known serious adverse events or deaths associated with the vulnerability;
Within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users; and
The manufacturer is a participating member of an ISAO, such as NH-ISAC.

FDA Medical Device Cybersecurity Workshop
The FDA held a medical device cybersecurity workshop on January 20-21, 2016. Some of the specific discussion topics:
How to incentivize medical device manufacturers to share vulnerability information with the healthcare community
Coordinated vulnerability disclosure
Leveraging cybersecurity device leading practices from other industries
Medical device manufacturers collaborating with security researchers

Cybersecurity Considerations for Networked Medical Devices

Cybersecurity leading practices for digital health and medical devices
Specific cybersecurity leading practices for consideration:
Cyber hygiene
Security risk management
Medical device security requirements
Security risk assessment
Technical testing
Security event handling
Threat intelligence
Patch and vulnerability management
External communications
Vendor collaboration
Information sharing
Medical device security policy
Medical device inventory

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Member of Deloitte Touche Tohmatsu Limited