Addressing the elephant in the operating room: a look at medical device security programs


Ernst & Young LLP

Presenters
Michael Davis, Healthcare Leader, Baltimore, +1 410 783 3740, michael.davis@ey.com
Esther Lee, Healthcare Leader, Atlanta, +1 404 217 0052, esther.lee@ey.com

EY | Assurance | Tax | Transactions | Advisory

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

This presentation is © 2018 Ernst & Young LLP. All rights reserved. No part of this document may be reproduced, transmitted or otherwise distributed in any form or by any means, electronic or mechanical, including by photocopying, facsimile transmission, recording, rekeying, or using any information storage and retrieval system, without written permission from Ernst & Young LLP. Any reproduction, transmission or distribution of this form or any of the material herein is prohibited and is in violation of US and international law. Ernst & Young LLP expressly disclaims any liability in connection with use of this presentation or its contents by any third party.

Views expressed in this presentation are those of the speakers and do not necessarily represent the views of Ernst & Young LLP. These slides are for educational purposes only and are not intended, and should not be relied upon, as accounting advice.

Agenda
1. Medical device security examined
2. Medical device security approach

Medical device security examined

The opportunity

We've all read about the Internet of Things (IoT), but connected medical devices represent a unique subset of challenges for providers that has yet to be addressed holistically. Currently, no standards exist in the industry for medical device security throughout the device life cycle, including manufacturing and maintenance. Devices are often used in life-and-death situations, which requires a less invasive approach to monitoring and patching than servers and other network devices. While connectivity and system complexity increase, medical device turnover and maintenance cycles remain slow.

Provider organizations are finding it challenging to answer the following questions:
- What connected medical devices do we have?
- Who is accountable for the security of them and the data they hold?
- How can devices be monitored and protected without interrupting patient care?

Provider organizations need to understand and remediate the risks created by these devices; if they do not, the impact could be realized across the business and by the patient.
- The threat to patient safety and business continuity is increased by the rapid surge in connected medical devices and interconnectivity.
- Often the fix provided by the manufacturer is not available unless a newer version of the device is purchased.
- Providers need practical methods to secure these devices.

Why is medical device security a challenge?

Because medical devices lack the standardization of traditional workstations and cannot be secured in the same manner, we must consider their complexities and secure medical devices differently.

Increasing connectivity and complexity in device ecosystems
- Network connectivity is routine via Wi-Fi, Bluetooth, Ethernet and proprietary frequencies.
- Ecosystems incorporate mobile applications, tablets, wearables and the Internet of Things.
- Legacy devices run proprietary firmware with limited security capabilities.

Slow turnover and maintenance cycles
- Legacy systems and software continue to exist and must still be supported and protected.
- Device updates and patches must be approved by the vendor.
- Customized security configuration is required during deployment.

Increasing security concerns
- Slow turnover with legacy systems and software
- Devices are portable and implantable
- Rapidly increasing complexity and connectivity
- Flaws in a device could affect patient safety
- Updates and patches are reliant on the vendor

Importance of securing medical devices

Medical devices are constantly exposed to a variety of cybersecurity threats that may impact care delivery, result in loss of sensitive information or adversely impact the organization broadly.

Impacts: patient satisfaction and safety; revenue and reputation; operational continuity.

Top threats
- Hacking: device vulnerability exploitation, web application attacks, denial of service
- Malware: ransomware, data exfiltration, backdoors, etc.
- Misuse: administrative abuse, policy violations, use of non-approved assets, etc.
- Environmental: power failures, electrical interference, pipe leaks, etc.
- Physical: device theft, local device tampering, snooping, sabotage, etc.
- Social: credential compromise, deception, manipulation, forgery, scams, etc.
- Error: device programming errors, omissions, misconfigurations, malfunctions, etc.

Organizational impact
- Patient safety: adverse effects to patient safety due to a compromised or malfunctioning device
- Data breach: loss of sensitive patient information and regulatory fines
- Loss of customer trust: negative publicity in response to malfunctioning devices resulting in loss of trust
- Business and revenue collection disruption: malicious backdoors in systems resulting in widespread damage to business operations and potential impact to revenue collection
- Financial loss: loss of customers and market leadership due to brand and reputational damage

Increasing regulatory scrutiny by the FDA

The FDA has released guidance around security for medical devices, which is anticipated to evolve into regulation that will clarify the accountability structure for device security.

Regulatory guidance (current state, 2016)

Executive orders 13636/13691: presidential policy directives to strengthen critical infrastructure cybersecurity:
1. Improving Critical Infrastructure Cybersecurity
2. Promoting Private Sector Cybersecurity Information Sharing

FDA guidance, pre-market approval: the FDA intends to promote the development and availability of safe and effective interoperable medical devices:
1. FDA requires clinical trial
2. Focus on cybersecurity during the design stage
3. FDA levels of concern

FDA guidance, post-market management: the FDA addresses the need for security throughout the life cycle of medical devices:
1. Connected medical device security
2. Security throughout product life cycle
3. Risk analysis
4. Proactive security
5. No need to recertify
6. Notification for serious vulnerabilities
7. Encourage use of NIST CSF
8. Timely response
9. Vulnerability disclosure

Key takeaways
- The FDA is likely to solidify the guidance around security for medical devices into regulations requiring approval for manufacturers.
- There will be an opportunity to strategically guide the development of leading practices if a fundamental understanding of the major issues is developed early.

Medical device security approach

Approach to mitigating medical device cyber risk

An established understanding of the driving business requirements is necessary for the development of a customized definition and approach for securing medical devices.

How is medical device security realized?
- Understand the fundamental business drivers for the security of medical devices
- Identify medical device security gaps and the risk landscape
- Document control ownership and the deployment approach while documenting integration with existing security infrastructure

Benefits of a structured approach
- Reduced duplication of effort
- Clear identification of timeline overruns
- Decreased risk of misdirection
- Overall improved user experience
- Minimized cost

Methodology overview (phases: analysis, design, implementation)
1. Design a business-focused cyber risk program
2. Assess maturity of the program based on a framework
3. Strategically target core capabilities and integration
4. Establish compensating security capabilities
5. Strategically deploy security protections based on risk

Design a business-focused medical device cyber risk program

How should we approach medical devices? Due to the many stakeholders involved in securely deploying medical devices, well-defined responsibilities are required. Components within the medical device ecosystem can be secured using a tiered, risk-based approach at varying FDA levels of concern.

Anchor to existing industry standards
- Program requirements: NIST CSF (Identify, Protect, Detect, Respond, Recover)
- Device security requirements: ANSI/IEC 80001-2-2
- Threats: VERIS Framework

Key considerations
- Establish program vision, goals and objectives
- Formalize stakeholder communication (vendor, IT, cybersecurity, biomed)

Medical device security ecosystem goals
- Accessibility: provide the right people with access to the right data; provide self-service access for users
- Reliability: secure sensitive data and leverage existing infrastructure; maintain data integrity
- Safety: minimize risk of security events that may impact care; minimize risk and ensure compliance through governance

Note: ANSI/IEC: American National Standards Institute/International Electrotechnical Commission; VERIS: Vocabulary for Event Recording and Incident Sharing.

Target foundational capabilities and integration points across stakeholders

Foundational capabilities make up the core of the medical device security program and provide scaffolding infrastructure and processes to support the secure usage of medical devices.

Foundational capabilities
- Risk management
- Inventory management
- Secure deployment

Purpose
- Defines the core areas to support a large-scale medical device security program
- Provides a supporting framework for capabilities to protect devices and respond to security incidents by understanding devices and fostering communication at the program level
- Supports the centralized assessment of activities performed across all stakeholders and device protection activities

Considerations
- Biomedical device life cycle: plan, design, procure, onboard, use, decommission
- Vulnerability and patch management
- Network segmentation
- Incident detection
- Incident response and mitigation

Activities
- Capability maturity assessment covering foundational (Level 1) security capabilities
- Security capability-centric process elicitation covering activities across all involved stakeholders
- Development of a customized medical device procurement questionnaire to support secure deployment activities

Medical device policy considerations
- Management of devices
- Acceptable use
- Storage of sensitive electronic protected health information (ePHI)
- Access to devices
- Onboarding new devices
- Training and awareness
- Roles and responsibilities
- ePHI loss disclosure
- Secure device disposal