The Current State of Cybersecurity in Medical Devices (Medmarc's) - PowerPoint PPT Presentation



  1. The Current State of Cybersecurity in Medical Devices Medmarc’s Webinar Series August 22, 2019

  2. Vulnerable Devices
     • Pacemakers / implantable defibrillators
     • Insulin pumps
     • Infusion pumps
     • Mobile health technologies (mHealth technology)
     • Patient monitors
     • Patient portals
     • Telemedicine
     • Ventilators / life-supporting devices
     • Imaging modalities
     • Hearing aids
     Slide footer: Lorance & Thompson, A Professional Corporation

  3. Potential Loss Scenarios
     • Malware attacks
     • Software vulnerabilities
     • Faulty networks
     • Computer technology (IT services)
     • Hacking
     • Stealing patient data
     • Commandeering medical devices for denial of service
     • Distributed denial of service
     • Cyber extortion
     • Medical device vulnerabilities

  4. Fundamental Challenges
     • New features take priority over security
     • More commoditized hardware/software
     • Remote interfaces
     • Regulators are always playing catch-up

  5. Cybersecurity is:
     • Confidentiality
     • Integrity
     • Availability

  6. (image-only slide; no text extracted)

  7. Medical Device Risks
     • Software defects
     • Incorrect network configuration
     • Security and privacy issues
     • Lack of data protection
     • Disposal or loss of the device
     • Malware, criminals

  8. Cyber-related Design Considerations
     • System testing
     • Secure IT systems
     • Regulatory compliance
     • Account for upgrades and unknowns
     • Design security into the product: make products as updatable and adaptable as the internet itself.

  9. Malicious Tampering
     What: add or remove cancers from CT and MRI scans
     Why:
     • Ransom in exchange for correction
     • Create chaos and mistrust
     • Missed diagnosis, failure to treat
     • Insurance fraud

  10. (image-only slide; no text extracted)

  11. How Is This Possible?
     • PACS not encrypted
     • Health care industry focused on privacy rather than security
     • Physical or network access
     • Direct connection to the internet or to the hospital network

  12. Prevention
     • End-to-end encryption
     • Digital signatures
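As an added example that is not part of the presentation, this shows the digital-signature half of the prevention slide: the modality signs each image object with Ed25519 at acquisition, and the viewing workstation verifies it before display, so the pixel alteration described on slide 9 is detected instead of being read as a real finding. The StudyRecord layout and the in-memory key pair are assumptions for illustration; a real deployment would keep the private key in the modality and distribute only the public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// StudyRecord is a constructed stand-in for one image object leaving a modality:
// identifying header fields plus the pixel data a radiologist reads.
type StudyRecord struct {
	StudyUID  string
	Modality  string
	PixelData []byte
}

// digest binds header and pixel data into one hash, so neither the pixels
// can be altered nor a valid signature moved onto a different study's header.
func digest(r StudyRecord) []byte {
	h := sha256.New()
	h.Write([]byte(r.StudyUID))
	h.Write([]byte{0}) // separator keeps field boundaries unambiguous
	h.Write([]byte(r.Modality))
	h.Write([]byte{0})
	h.Write(r.PixelData)
	return h.Sum(nil)
}

// SignStudy runs on the modality, the only holder of the private key.
func SignStudy(priv ed25519.PrivateKey, r StudyRecord) []byte {
	return ed25519.Sign(priv, digest(r))
}

// VerifyStudy runs on the viewing workstation before the image is displayed;
// it needs only the modality's public key, which PACS can distribute openly.
func VerifyStudy(pub ed25519.PublicKey, r StudyRecord, sig []byte) bool {
	return ed25519.Verify(pub, digest(r), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo only; check err in production
	rec := StudyRecord{"1.2.3.4", "CT", []byte("constructed pixel data")}
	sig := SignStudy(priv, rec)
	fmt.Println("original verifies:", VerifyStudy(pub, rec, sig))
	rec.PixelData[5] ^= 0xFF // pixel data altered in transit, as on slide 9
	fmt.Println("tampered verifies:", VerifyStudy(pub, rec, sig))
}
```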

  13. Medtronic Implantable Cardiac Devices
     • FDA safety communication regarding wireless telemetry technology
     • Conexus uses wireless RF without encryption

  14. Safety Features as Designed
     • Can only be activated by a health care provider at a clinic
     • Activation times vary
     • Hacker would have to be nearby when active
     Replacement is not recommended at this time.

  15. Review the Data Lifecycle
     • Where is the data stored?
     • How is the data protected?
     • Who processes the data?
     • Who is responsible?
     • Who can access it?

  16. California Consumer Privacy Act
     Who?
     • Doing business in CA; revenue over $25 million; buy, sell, or receive personal information of 50,000 or more devices or consumers; or 50% or more of revenue from selling personal information
     What?
     • Right to access data, have data deleted, and prevent data from being sold

  17. California IoT Statute
     Reasonable security features appropriate to the nature and function of the device and the information it collects, stores, or transmits.

  18. Manufacturer Obligations: Premarket and Postmarket Reporting

  19. Manufacturers: Premarket Reporting
     • FDA Guidance – Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices
       http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm089543.htm
     • FDA Guidance to Industry – Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software
       http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm
     • FDA Guidance for Industry and Food & Drug Administration Staff – Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
       http://www.fda.gov/BiologicsBloodVaccines/GuidanceComplianceRegulatoryInformation/default.htm

  20. Manufacturers – Premarket Reporting
     • Effective cybersecurity management in premarket submissions
       • To reduce risk to patients
       • From compromise of device functionality by inadequate cybersecurity
     • Guidance covers premarket submissions for devices that contain software (including firmware) or programmable logic, as well as software that is itself a medical device

  21. Manufacturers – Premarket Obligations
     Manufacturers should:
     • develop a set of cybersecurity controls to assure medical device cybersecurity and maintain medical device functionality and safety;
     • address cybersecurity during the design and development of the medical device, as this can result in more robust and efficient mitigation of patient risks;
     • establish design inputs for their device related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 CFR 820.30(g).

  22. Manufacturers – Premarket Obligations
     • Identify
     • Protect
     • Detect
     • Respond
     • Recover

  23. Manufacturers – Postmarket Obligations
     • Formal and informal reporting obligations
     • 21 CFR § 806.1: requires manufacturers to report to FDA certain product corrections and removals
     • Risk-based framework for determining when a reportable change to a medical device for a cybersecurity vulnerability has occurred:
       • routine updates and patches, versus
       • correction of a cybersecurity vulnerability that poses a risk to health

  24. Manufacturers – Postmarket Obligations
     • Reporting requirements (continued)
     • 21 CFR § 803.10
       (1) Reports of individual adverse events: 30 calendar days after becoming aware of a reportable death, serious injury, or malfunction
       (2) Reports of individual adverse events: 5 work days after becoming aware of:
           (i) a reportable event that requires remedial action to prevent an unreasonable risk of substantial harm to the public health, or
           (ii) a reportable event for which FDA made a written request.

  25. Manufacturers – Postmarket Obligations
     FDA encourages:
     • The use and adoption of the “Framework for Improving Critical Infrastructure Cybersecurity”
       https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework021214.pdf
     • Information sharing: Executive Order 13691 – Promoting Private Sector Cybersecurity Information Sharing
     • Information Sharing Analysis Organizations
     • EO 13691: https://www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-sharing

  26. FDA’s Role
     • Works with DHS, manufacturers, health care providers, and end users
     • QSRs
     • Pre- and post-market cybersecurity guidance

  27. Medical Device Cybersecurity: Regional Incident Preparedness and Response Playbook

  28. Playbook – Stakeholders
     • FDA
     • Medical device manufacturers
     • Health delivery organizations (HDOs)
       • Large and small hospitals, hospital systems, providers

  29. Purpose of the Medical Device Cybersecurity Playbook
     • Provide baseline medical device cybersecurity information that can be incorporated into an HDO’s emergency preparedness and response framework;
     • Outline roles and responsibilities for responders internal and external to the HDO to clarify lines of communication and concept of operations (CONOPs) across HDOs, medical device manufacturers (MDMs), state and local governments, and the federal government;
     • Describe a standardized approach to response efforts that would enable a unified response within HDOs and across regions as appropriate;

  30. Purpose of the Medical Device Cybersecurity Playbook (continued)
     • Serve as a basis for enhanced coordination activities among medical device cybersecurity stakeholders, including mutual aid across HDOs;
     • Inform decision making and the need to escalate response;
     • Identify resources HDOs may leverage as a part of preparedness and response activities; and
     • Serve as a customizable regional preparedness and response tool for medical device cyber resiliency that could be broadly implemented.
