the current state of cybersecurity in medical devices
play

The Current State of Cybersecurity in Medical Devices Medmarcs - PowerPoint PPT Presentation

Oct 30, 2023 •205 likes •613 views

The Current State of Cybersecurity in Medical Devices Medmarcs Webinar Series August 22, 2019 Vulnerable Devices Pacemakers / implantable defibrillators Insulin pumps Infusion pumps Mobile health technologies (mHealth

  1. The Current State of Cybersecurity in Medical Devices Medmarc’s Webinar Series August 22, 2019

  2. Vulnerable Devices • Pacemakers / implantable defibrillators • Insulin pumps • Infusion pumps • Mobile health technologies (mHealth Technology) • Patient monitors • Patient portals • Telemedicine • Ventilators / Life supporting devices • Imaging modalities • Hearing aids LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  3. Potential Loss Scenarios • Malware attacks • Software vulnerabilities • Faulty networks • Computer technology (IT services) • Hacking • Steal patient data • Commandeer medical devices for denial of service • Distributed denial of service • Cyber Extortion • Medical device vulnerabilities LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  4. Fundamental challenges • New features take priority over security • More commoditized hardware/software • Remote interface • Regulators are always playing catch up LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  5. Cyber security is • Confidentiality • Integrity • Availability LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  6. LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  7. Medical device risks • Software defect • Incorrect network configuration • Security and privacy issues • Lack of data protection • Disposal or loss of the device • Malware, criminals LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  8. Cyber related design considerations • System testing • Secure IT systems • Regulatory compliance • Account for upgrades and unknowns • Design security into the product --Make products as updatable and adaptable as the internet itself. LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  9. Malicious tampering What: Add or remove cancers from CT and MRI Why: Ransom in exchange for correction Create chaos and mistrust Missed diagnosis, failure to treat Insurance fraud LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  10. LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  11. How is this possible? • PACS not encrypted • Health care industry focused on privacy rather than security • Physical or network access • Direct connection to internet or to hospital network LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  12. Prevention • End to end encryption • Digital signatures LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  13. Medtronic Implantable Cardiac Devices • FDA safety communication re wireless telemetry technology • Conexus uses wireless RF without encryption LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  14. Safety features as designed • Can only be activated by a health care provider at a clinic • Activation times vary • Hacker would have to be nearby when active -Replacement is not recommended at this time. LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  15. Review the data lifecycle • Where is the data stored? • How is the data protected? • Who processes the data? • Who is responsible? • Who can access? LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  16. California Consumer Privacy Act Who? • Doing business in CA; revenue over $25 million; buy, sell, receive personal information of 50,000 or more devices or consumers or 50% plus revenue selling personal information What? • Right to access data, have data deleted, prevent data from being sold LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  17. California IoT Statute Reasonable security features appropriate to the nature and function of the device and information it collects, stores, or transmits. LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  18. Man anufac acturer O Obli ligatio ions Premarket and Postmarket Reporting LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  19. Manufacturers: Premarket Reporting • FDA Guidance – Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices • http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocument s/u cm089543.htm • FDA Guidance to Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software • http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocument s/u cm077812.htm • FDA Guidance for Industry and Food & Drug Administration Staff – Content of Premarket Submissions for Management of Cybersecurity in Medical Devices • http://www.fda.gov/BiologicsBloodVaccines/GuidanceComplianceRegulatoryInform ation/default.htm LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  20. Manufacturers – Premarket Reporting • Effective cybersecurity management in premarket submissions • To reduce risk to patients • From compromise of device functionality by inadequate cybersecurity • Guidance covers premarket submissions for devices that contain software (including firmware) or programmable logic as well as software that is a medical device LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  21. Manufacturers – Premarket Obligations • Manufacturers should: • develop a set of cybersecurity controls to assure medical device cybersecurity and maintain medical device functionality and safety. • address cybersecurity during the design and development of the medical device, as this can result in more robust and efficient mitigation of patient risks. • establish design inputs for their device related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 CFR 820.30(g). LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  22. Manufacturers – Premarket Obligations • Identify • Protect • Detect • Respond • Recover LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  23. Manufacturers – Postmarket Obligations • Formal and informal reporting obligations • 21 CFR § 806.1: requires manufacturers to report to FDA certain product corrections and removals • Risk-based framework for determining when a reportable change to a medical device for cybersecurity vulnerability has occurred • Routine updates and patches versus • Correction of cybersecurity vulnerability that poses risk to health LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  24. Manufacturers – Postmarket Obligations • Reporting requirements (continued) • 21 CFR § 803.10 (1) Reports of individual adverse events – 30 calendar days after becoming aware of a reportable death, serious injury, or malfunction (2) Reports of individual adverse events - 5 work days after becoming aware of: (i) Reportable event that requires remedial action to prevent an unreasonable risk of substantial harm to the public health, or (ii) A reportable event for which FDA made a written request. LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  25. Manufacturers – Postmarket Obligations • FDA encourages: • The use and adoption of “Framework for Improving Critical Infrastructure Cybersecurity” https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurit y-framework021214.pdf • Information Sharing Executive Order 13691 – Promoting Private Sector Cybersecurity Information Sharing • Information Sharing Analysis Organizations • EO 13691; https://www.whitehouse.gov/the-press-office/2015/02/13/executive-order- promoting 7 - private-sector-cybersecurity-information-sharing) LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  26. FDA’s Role • Works with DHS, manufacturers, health care providers, and end users • QSRs • Pre- and post-market cybersecurity guidance LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  27. MEDICAL DEVICE CYBERSECURITY Regional Incident Preparedness and Response Playbook LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  28. Playbook - Stakeholders • FDA • Medical Device Manufacturers • Health Delivery Organizations (HDO’s) • Large and small hospitals, hospital systems, providers LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  29. Purpose of Medical Device Cybersecurity Playbook • Provide baseline medical device cybersecurity information that can be incorporated into an HDO’s emergency preparedness and response framework; • Outline roles and responsibilities for responders internal and external to the HDO to clarify lines of communication and concept of operations (CONOPs) across HDOs, medical device manufacturers (MDMs), state and local governments, and the federal government; • Describe a standardized approach to response efforts that would enable a unified response within HDOs and across regions as appropriate; LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

  30. Purpose of Medical Device Cybersecurity Playbook • Serve as a basis for enhanced coordination activities among medical device cybersecurity stakeholders, including mutual aid across HDOs; • Inform decision making and the need to escalate response; • Identify resources HDOs may leverage as a part of preparedness and response activities; and • Serve as a customizable regional preparedness and response tool for medical device cyber resiliency that could be broadly implemented. LORANCE CE THOM OMPSON ON A PROFESSIONAL CORPORATION

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Current Situation of Medical Devices Industry in China September. 2018. Beijing CONTENTS

The Current Situation of Medical Devices Industry in China September. 2018. Beijing CONTENTS

The Current Situation of Medical Devices Industry in China September. 2018. Beijing CONTENTS Chapter1 About US Chapter2 The Current Situation About Us Chapter 1 China Association for Medical Devices Industry (CAMDI) is a national,

466 views • 17 slides
Revision of the EU legislation on medical devices and in vitro diagnostic medical devices IMDRF-4

Revision of the EU legislation on medical devices and in vitro diagnostic medical devices IMDRF-4

Revision of the EU legislation on medical devices and in vitro diagnostic medical devices IMDRF-4 Update on the revision of the MD regulatory framework in the European Union 20 March 2013 Nice Health and Consumers 26/9/2012: Medical devices

647 views • 18 slides
Cybersecurity Today CYBERSECURITY IN TODAYS WORLD Cyberattacks in Wyoming Medical

Cybersecurity Today CYBERSECURITY IN TODAYS WORLD Cyberattacks in Wyoming Medical

Cybersecurity Today CYBERSECURITY IN TODAYS WORLD Cyberattacks in Wyoming Medical Facilities Local Government Schools Law Enforcement Media Outlets The threat and how to think about it Ransomware has rapidly emerged as the most

398 views • 15 slides
circulation of medical devices 1 Starting from January 1 st 2013 In accordance with Art. 38 /

circulation of medical devices 1 Starting from January 1 st 2013 In accordance with Art. 38 /

MINISTRY OF HEALTH ROSZDRAVNADZOR Administration in the sphere of circulation of medical devices 1 Starting from January 1 st 2013 In accordance with Art. 38 / Federal law 323: State registration of medical devices Pre-market approval

280 views • 5 slides
Solid State Batteries for Medical Devices and Sensors Denis Pasero, Product Commercialisation

Solid State Batteries for Medical Devices and Sensors Denis Pasero, Product Commercialisation

Solid State Batteries for Medical Devices and Sensors Denis Pasero, Product Commercialisation Manager Medical Battery Conference 17 Nov 2017 Dsseldorf, Germany Presentation structure 1. Introduction 2. Challenges for Powering Medical

706 views • 31 slides
INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and

INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and

Section 1 Dr. Bruce Burton California Cybersecurity INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and implications Learn from past attacks Understand the NIST Cybersecurity Framework (CSF) &

368 views • 33 slides
Roundtable Discussion on Clinical Evidence Reports Requirements For Medical Devices Dr Amanda

Roundtable Discussion on Clinical Evidence Reports Requirements For Medical Devices Dr Amanda

Roundtable Discussion on Clinical Evidence Reports Requirements For Medical Devices Dr Amanda Cuss Senior Medical Advisor Devices Clinical Section, Medical Devices Branch Medical Devices and Product Quality Division, TGA 2018 ARCS Annual

270 views • 8 slides
Potential reforms for the regulation of system and procedure pack medical devices Stakeholder

Potential reforms for the regulation of system and procedure pack medical devices Stakeholder

Potential reforms for the regulation of system and procedure pack medical devices Stakeholder Workshop Dr. Tania Ahmed Devices Conformity Assessment Section Medical Devices Branch Medical Devices & Product Quality Division 8 February 2019

614 views • 29 slides
Update from the Medical Devices Branch Use of market authorisation evidence from comparable

Update from the Medical Devices Branch Use of market authorisation evidence from comparable

Update from the Medical Devices Branch Use of market authorisation evidence from comparable overseas regulators / assessment bodies for medical devices Irina Tsyganova Director, Devices Applications and Verification Medical Devices Branch

398 views • 25 slides
zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA Medical Devices Single Audit Program MDSAP -

zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA Medical Devices Single Audit Program MDSAP -

zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA Medical Devices Single Audit Program MDSAP - Overview and Update Keith M Smith Senior Adviser and MDSAP Assessor Quality Audits and Assessments Section Medical Devices Branch Medical Devices

576 views • 43 slides
NEW ASPECTS IN MEDICAL DEVICES REGULATION IN RUSSIAN FEDERATION Ph.D., Elena Astapenko The Head

NEW ASPECTS IN MEDICAL DEVICES REGULATION IN RUSSIAN FEDERATION Ph.D., Elena Astapenko The Head

NEW ASPECTS IN MEDICAL DEVICES REGULATION IN RUSSIAN FEDERATION Ph.D., Elena Astapenko The Head of the Department of organization of state control and registration of medical devices of Roszdravnadzor The Law 323-FZ dated 21.11.2011 The Order

426 views • 8 slides
Increasing Post-Market Vigilance Requirements for Medical Devices Pam Carter Director Devices

Increasing Post-Market Vigilance Requirements for Medical Devices Pam Carter Director Devices

Increasing Post-Market Vigilance Requirements for Medical Devices Pam Carter Director Devices Vigilance and Monitoring, Medical Devices Branch Medical Devices and Product Quality Division, TGA 2017 ARCS Annual Conference August 2017

368 views • 33 slides
General Information Medical devices are regulated by the FDAs Center for Devices and

General Information Medical devices are regulated by the FDAs Center for Devices and

11/5/2015 General Information Medical devices are regulated by the FDAs Center for Devices and Radiologic Health FDA resources for reporting on (CDRH). Oversight breaks into two general medical devices categories: premarket review and

388 views • 3 slides
Regulation of In Vitro Diagnostic Medical Devices Update on Transition to the New IVD Regulatory

Regulation of In Vitro Diagnostic Medical Devices Update on Transition to the New IVD Regulatory

Regulation of In Vitro Diagnostic Medical Devices Update on Transition to the New IVD Regulatory Framework Michelle McNiven Devices Authorisation Branch 06 June 2015 Overview Background Current Regulatory Requirements IVD Reforms

449 views • 28 slides
Session B19: Regulatory updates from the TGA Medical Devices Branch Dr Elizabeth McGrath

Session B19: Regulatory updates from the TGA Medical Devices Branch Dr Elizabeth McGrath

Session B19: Regulatory updates from the TGA Medical Devices Branch Dr Elizabeth McGrath Director, Medical Devices Emerging Technologies Unit, Medical Devices Branch Mimi Chu-Gourlay Assistant Director, Medical Devices Reforms Unit, Medical

491 views • 11 slides
Regulation of Medical Devices: a Regional approach IMDRF Meeting Working Group on Medical

Regulation of Medical Devices: a Regional approach IMDRF Meeting Working Group on Medical

Regulation of Medical Devices: a Regional approach IMDRF Meeting Working Group on Medical Devices Established in July, 2012 with 12 countries; currently with 14 OBJECTIVE: To strengthen the regulatory capacity for medical devices in

626 views • 13 slides
500.000 recalled pacemakers 2 billion $ stock value loss - The story behind Tobias Zillner

500.000 recalled pacemakers 2 billion $ stock value loss - The story behind Tobias Zillner

500.000 recalled pacemakers 2 billion $ stock value loss - The story behind Tobias Zillner 2/26/19 2 whoami Tobias Zillner, BSc MMSc Lead IT Security Consultant | Co-Founder Expertise: Industrial Security IoT security /

1.1k views • 58 slides
CS 598 - Computer Security in the Physical World: Project Submission #1 & Pacemakers and

CS 598 - Computer Security in the Physical World: Project Submission #1 & Pacemakers and

CS 598 - Computer Security in the Physical World: Project Submission #1 & Pacemakers and Implantable Cardiac Defibrillators Professor Adam Bates Fall 2016 Security & Privacy Research at Illinois (SPRAI) Oct 4th Deliverable

792 views • 20 slides
Implantable Cardiac Devices Pacemakers Correct for slow heart

Implantable Cardiac Devices Pacemakers Correct for slow heart

CPS: Beyond Usability: Applying Value Sensi8ve Design Based Methods to Inves8gate Domain Characteris8cs for Security for Implantable Cardiac Devices Tamara Denning

2.37k views • 48 slides
Addressing Disparities Advisory Panel Webinar October 21, 2015 2:00 PM 4:30 PM Welcome and

Addressing Disparities Advisory Panel Webinar October 21, 2015 2:00 PM 4:30 PM Welcome and

Addressing Disparities Advisory Panel Webinar October 21, 2015 2:00 PM 4:30 PM Welcome and Setting the Stage Romana Hasnain-Wynia, PhD, MS Grant Jones Program Director, Addressing Disparities Co-Chair, Addressing Disparities Advisory

864 views • 67 slides
This presentation is an outgrowth of work done under contract to the Institute for

This presentation is an outgrowth of work done under contract to the Institute for

This presentation is an outgrowth of work done under contract to the Institute for Telecommunication Sciences and does not represent the views or policies of the United States federal government. Mystery Mystery Signal Signal Challenge!

1.97k views • 178 slides
Cyber-Physical Systems Security IECE 553/453 Fall 2019 Prof. Dola Saha 1 Security Threats

Cyber-Physical Systems Security IECE 553/453 Fall 2019 Prof. Dola Saha 1 Security Threats

Cyber-Physical Systems Security IECE 553/453 Fall 2019 Prof. Dola Saha 1 Security Threats in the IoT Cyber attack on the Ukrainian power grid Power outage caused by hackers Security in the IoT is essential, not just for information

1.21k views • 76 slides
Transcript for Confirmation of Death Training To be read in conjunction with NHS Lothian Clinical

Transcript for Confirmation of Death Training To be read in conjunction with NHS Lothian Clinical

Transcript for Confirmation of Death Training To be read in conjunction with NHS Lothian Clinical Education and Training Department powerpoint presentation (if no sound available on computer) SLIDE 1 Title Slide Nurse Verification of Expected

301 views • 7 slides
Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin August 11,

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin August 11,

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin August 11, 2013 Andrei Costin/Jonas Zaddach www.firmware.re 1/104 About Jonas Zaddach PhD. candidate on "Development of novel binary analysis

1.25k views • 104 slides

More recommend