The Current State of Cybersecurity in Medical Devices - Medmarc's - PowerPoint PPT Presentation

SLIDE 1

The Current State of Cybersecurity in Medical Devices

Medmarc’s Webinar Series August 22, 2019

SLIDE 2

LORANCE THOMPSON, A PROFESSIONAL CORPORATION

Vulnerable Devices

  • Pacemakers / implantable defibrillators
  • Insulin pumps
  • Infusion pumps
  • Mobile health technologies (mHealth Technology)
  • Patient monitors
  • Patient portals
  • Telemedicine
  • Ventilators / Life supporting devices
  • Imaging modalities
  • Hearing aids

SLIDE 3

Potential Loss Scenarios

  • Malware attacks
  • Software vulnerabilities
  • Faulty networks
  • Computer technology (IT services)
  • Hacking
  • Steal patient data
  • Commandeer medical devices for denial of service
  • Distributed denial of service
  • Cyber Extortion
  • Medical device vulnerabilities

SLIDE 4

Fundamental challenges

  • New features take priority over security
  • More commoditized hardware/software
  • Remote interface
  • Regulators are always playing catch up

SLIDE 5

Cyber security is

  • Confidentiality
  • Integrity
  • Availability

SLIDE 6

SLIDE 7

Medical device risks

  • Software defect
  • Incorrect network configuration
  • Security and privacy issues
  • Lack of data protection
  • Disposal or loss of the device
  • Malware, criminals

SLIDE 8

Cyber related design considerations

  • System testing
  • Secure IT systems
  • Regulatory compliance
  • Account for upgrades and unknowns
  • Design security into the product
  • Make products as updatable and adaptable as the internet itself.

SLIDE 9

Malicious tampering

What: Add or remove cancers from CT and MRI

Why:
  • Ransom in exchange for correction
  • Create chaos and mistrust
  • Missed diagnosis, failure to treat
  • Insurance fraud

SLIDE 10

SLIDE 11

How is this possible?

  • PACS not encrypted
  • Health care industry focused on privacy rather than security
  • Physical or network access
  • Direct connection to internet or to hospital network

SLIDE 12

Prevention

  • End to end encryption
  • Digital signatures
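
As an added example (not part of the deck), the digital-signature control from this slide applied to the image-tampering scenario above: the acquiring modality signs each study before it reaches the PACS, the viewing workstation verifies before display, and altered pixel data or a signature transplanted onto another study fails verification. The names SignStudy, VerifyStudy, the study UID and the payload bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedStudy is a constructed stand-in for one imaging study in a PACS:
// study identifier, pixel/metadata bytes, and a detached Ed25519 signature.
type SignedStudy struct {
	StudyUID string
	Payload  []byte
	Sig      []byte
}

// NewSigningKey generates the modality's key pair (illustrative; keep the private key in hardware in practice).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// digest binds the study UID to the payload so a valid signature cannot be moved onto another study.
func digest(studyUID string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(studyUID))
	h.Write([]byte{0}) // separator: keeps the UID/payload boundary unambiguous
	h.Write(payload)
	return h.Sum(nil)
}

// SignStudy runs on the acquiring modality before the study is sent to PACS.
func SignStudy(priv ed25519.PrivateKey, studyUID string, payload []byte) SignedStudy {
	return SignedStudy{studyUID, payload, ed25519.Sign(priv, digest(studyUID, payload))}
}

// VerifyStudy runs on the viewing workstation; false means do not trust the images and escalate as an incident.
func VerifyStudy(pub ed25519.PublicKey, s SignedStudy) bool {
	return ed25519.Verify(pub, digest(s.StudyUID, s.Payload), s.Sig)
}
func main() {
	pub, priv := NewSigningKey()
	s := SignStudy(priv, "1.2.840.CONSTRUCTED.1", []byte("constructed CT pixel data"))
	t := SignedStudy{s.StudyUID, append([]byte("X"), s.Payload[1:]...), s.Sig} // altered image bytes
	fmt.Println("original verifies:", VerifyStudy(pub, s), "tampered verifies:", VerifyStudy(pub, t))
}
```

Encryption in transit (the first bullet) hides the images from a network observer; the signature is what lets the viewer detect that what arrived is not what the modality produced.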

SLIDE 13

Medtronic Implantable Cardiac Devices

  • FDA safety communication re wireless telemetry technology
  • Conexus uses wireless RF without encryption

SLIDE 14

Safety features as designed

  • Can only be activated by a health care provider at a clinic
  • Activation times vary
  • Hacker would have to be nearby when active
  • Replacement is not recommended at this time.

SLIDE 15

Review the data lifecycle

  • Where is the data stored?
  • How is the data protected?
  • Who processes the data?
  • Who is responsible?
  • Who can access?

SLIDE 16

California Consumer Privacy Act

Who?

  • Doing business in CA; revenue over $25 million; buy, sell, receive personal information of 50,000 or more devices or consumers; or 50% plus revenue from selling personal information

What?

  • Right to access data, have data deleted, prevent data from being sold

SLIDE 17

California IoT Statute

Reasonable security features appropriate to the nature and function of the device and the information it collects, stores, or transmits.

SLIDE 18

Manufacturer Obligations

Premarket and Postmarket Reporting


SLIDE 19

Manufacturers: Premarket Reporting

  • FDA Guidance – Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices
  • http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm089543.htm
  • FDA Guidance to Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software
  • http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm
  • FDA Guidance for Industry and Food & Drug Administration Staff – Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
  • http://www.fda.gov/BiologicsBloodVaccines/GuidanceComplianceRegulatoryInformation/default.htm

SLIDE 20

Manufacturers – Premarket Reporting

  • Effective cybersecurity management in premarket submissions
  • To reduce risk to patients
  • From compromise of device functionality by inadequate cybersecurity
  • Guidance covers premarket submissions for devices that contain software (including firmware) or programmable logic as well as software that is a medical device

SLIDE 21

Manufacturers – Premarket Obligations

  • Manufacturers should:
  • develop a set of cybersecurity controls to assure medical device cybersecurity and maintain medical device functionality and safety.
  • address cybersecurity during the design and development of the medical device, as this can result in more robust and efficient mitigation of patient risks.
  • establish design inputs for their device related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 CFR 820.30(g).

SLIDE 22

Manufacturers – Premarket Obligations

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

SLIDE 23

Manufacturers – Postmarket Obligations

  • Formal and informal reporting obligations
  • 21 CFR § 806.1: requires manufacturers to report to FDA certain product corrections and removals
  • Risk-based framework for determining when a reportable change to a medical device for cybersecurity vulnerability has occurred
  • Routine updates and patches
    versus
  • Correction of cybersecurity vulnerability that poses risk to health

SLIDE 24

Manufacturers – Postmarket Obligations

  • Reporting requirements (continued)
  • 21 CFR § 803.10
    (1) Reports of individual adverse events – 30 calendar days after becoming aware of a reportable death, serious injury, or malfunction
    (2) Reports of individual adverse events – 5 work days after becoming aware of:
      (i) a reportable event that requires remedial action to prevent an unreasonable risk of substantial harm to the public health, or
      (ii) a reportable event for which FDA made a written request.

SLIDE 25

Manufacturers – Postmarket Obligations

  • FDA encourages:
  • The use and adoption of “Framework for Improving Critical Infrastructure Cybersecurity”
    https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework021214.pdf
  • Information Sharing
    Executive Order 13691 – Promoting Private Sector Cybersecurity Information Sharing
  • Information Sharing Analysis Organizations
  • EO 13691; https://www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-sharing

SLIDE 26

FDA’s Role

  • Works with DHS, manufacturers, health care providers, and end users
  • QSRs
  • Pre- and post-market cybersecurity guidance

SLIDE 27

MEDICAL DEVICE CYBERSECURITY Regional Incident Preparedness and Response Playbook


SLIDE 28

Playbook - Stakeholders

  • FDA
  • Medical Device Manufacturers
  • Health Delivery Organizations (HDOs)
  • Large and small hospitals, hospital systems, providers

SLIDE 29

Purpose of Medical Device Cybersecurity Playbook

  • Provide baseline medical device cybersecurity information that can be incorporated into an HDO’s emergency preparedness and response framework;
  • Outline roles and responsibilities for responders internal and external to the HDO to clarify lines of communication and concept of operations (CONOPs) across HDOs, medical device manufacturers (MDMs), state and local governments, and the federal government;
  • Describe a standardized approach to response efforts that would enable a unified response within HDOs and across regions as appropriate;

SLIDE 30

Purpose of Medical Device Cybersecurity Playbook

  • Serve as a basis for enhanced coordination activities among medical device cybersecurity stakeholders, including mutual aid across HDOs;
  • Inform decision making and the need to escalate response;
  • Identify resources HDOs may leverage as a part of preparedness and response activities; and
  • Serve as a customizable regional preparedness and response tool for medical device cyber resiliency that could be broadly implemented.

SLIDE 31

Focus of Playbook

  • THREATS OR VULNERABILITIES THAT ARE:
  • Large scale
  • Multi-patient impact
  • Raise patient safety concerns
  • CYBER SECURITY IS A “TEAM SPORT”
  • Encourage information sharing
  • Regions: geographic and/or organizational
  • Mitigate emerging cyber risks
  • PROVIDE TOOLS
  • For HDOs to respond to device cybersecurity incidents

SLIDE 32

SLIDE 33

Preparedness

  • Assess and bolster cyber defensive measures
  • Develop incident handling procedures

SLIDE 34

  • Identify that an incident has occurred
  • Validate - Is it real?
  • Prioritize
  • Report (if required)
  • Document

SLIDE 35

  • Halt the incident
  • Fix the damage
  • Restore services
  • Monitor and record suspected criminal activity

SLIDE 36

  • Assess lessons learned
  • Forensic examination
  • Update plan

SLIDE 37

Incident communication among the HDO*, the manufacturer, and FDA (figure)

HDO*: Notification of aberrant device behavior; request for device help/info

Manufacturer: Device advisories, alerts, mitigations
  • Incident notification
  • Device adverse event reporting (when applicable)
  • Voluntary recalls

FDA:
  • Information gathering
  • Benefit-risk analysis of MDM proposed mitigations

*In the absence of incident information, HDOs may contact FDA for support at CyberMed@fda.hhs.gov.

SLIDE 38

Manufacturers

  • Collaborate in cybersecurity exercises
  • Point of contact
  • Monitor and assess
  • Proactively disclose vulnerabilities and mitigation

SLIDE 39

FDA workshop, January 2019: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices

Handouts, presentations, and webcast recordings available:

https://www.fda.gov/medical-devices/workshops-conferences-medical-devices/public-workshop-content-premarket-submissions-management-cybersecurity-medical-devices-january-29-30

SLIDE 40

Questions?

Robert G. Smith, Jr.
Lorance Thompson PC
2900 North Loop West, Suite 500
Houston, Texas 77092
Office: 713.868.5560
Mobile: 713.857.8281
rgs@lorancethompson.com

Sharon Stuart
Christian & Small LLP
505 North 20th Street
Financial Center, Suite 1800
Birmingham, AL 35203
Office: 205.795.6588
sdstuart@csattorneys.com