SlideShare una empresa de Scribd logo

Cybersecurity and the FDA

Descargar como PPTX, PDF
Promenade Software
Promenade Software

The FDA's Post-Market Cyber-Security Draft Guidance has new recommendations for manufacturers. Here is a high-level overview of what medical device manufacturers should be doing to comply.

Tecnología
1 de 19
Cybersecurity and the FDA Overview for Medical Devices By Frances Cohen President Promenade Software Inc. Board Member MedISAO
My Background The highlights: • B.S. Geophysics – UCLA. Worked in the Dept. on an Apple IIe and 1st PC. (dinosaurs still roamed the earth but punch cards were going extinct) • Hated oil research – loved software. Got a BS Computer Engineering from the Technion – Israel Institute of Technology. • Chief Architect and core team manager at Phoenix BIOS back in the PC heyday of 286/386/486/Pentium, Windows 3.1 – XP. • Implemented and Managed development a GE Medical Hospital Defibrillator at Cardiac Science – first introduction to medical devices. • Directed software development at Source Scientific LLC, a medical device contract developer and manufacture for 9 years. • Current- President of Promenade Software Inc. – a medical device software service co. 3+ years.
Promenade Software Inc. • A service provider of Medical Device Software – ~15 software engineers – Full stack of software for devices and their associated eco-system • Embedded and User-facing software. • Mobile Apps and Cloud – Handle software regulatory submission – Cybersecurity solutions and services
Med ISAO • A medical device information sharing and analysis organization. – Provides ongoing cybersecurity information tailored to the medical device industry. – Alerts members of potential threats – Geared towards smaller manufacturers and startups.
Cybersecurity and Medical Devices Some Definitions • Cybersecurity – the procedure of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed , or transferred from a medical device to an external recipient. • Vulnerability – A weakness in a device’s cybersecurity (implementation or processes) that could be exploited.
Background • From Executive Order 13636 – Cyber threats to national security are among the most serious. • Thousands of medical devices have been shown to be vulnerable to hacking – Rising number of medical devices connected to the internet. – Insufficient security practices: ex: Fixed hardcoded passwords, or defaults not changed. Or no encryption. – From infusion pumps to CT scans, implantable defibrillators – many easily accessible from within the hospital, and some on the web or within Bluetooth reach. • Raising privacy concerns and safety concerns
Ex: GE’s Password Cloud Default passwords with an advisory not to change them in the manual – for service reasons.
Recent Issues • Hospira Symbiq Infusion System – July 2015 – FDA issued advisory to stop using due to cybersecurity risk • J&J Animas Insulin Pump – October 2016 – J&J advised to turn off wireless functions until patched – Attacker could command pump to dispense arbitrary amount of insulin from 25 feet away • St. Jude Pacemaker – August 2016 – Security firm reported ability to wirelessly control implanted pacemaker – St. Jude stock Dropped ~10% – Ongoing investigations on validity of claim
FDA Guidance - History • No initial mention in guidance material • Oct 2014 – FDA released the Guidance for “Premarket Submission for Management of Cybersecurity in Medical Devices” • Jan 2016 – FDA release a draft guidance “Postmarket Management of Cybersecurity in Medical Devices” – Talk of release by the end of the year.
Premarket Guidance Guidance follows standards for securing networked systems (ex: systems having to do with money…) • Identify and Protect – Limit Access to Trusted Users Only • Require authentication of users (ex: ID and password, or biometric). No hardcoded passwords. Use modern hashes • Use multi-factor authentication to privileged device access (service techs., system admins). • Require user authentication for upgrades. • Terminate sessions after a timeout, as appropriate. – Ensure trusted content • Upgraded code should be authenticated (e.g. signed) • Ensure secure data transfer to and from device, using encryption.
Premarket Guidance • Detect, Respond, Recover – Implement features allowing for detection of security compromises. – Implement features that protect critical functionality, even when cybersecurity has been compromised. – Provide method of recovery by an authenticated privileged user.
Premarket Guidance • Documentation – Include a Hazard Analysis with mitigations pertaining to cybersecurity risks. – Show traceability to requirements. – Describe plan for providing updates. – Provide instructions for recommended cybersecurity controls appropriate for the intended use.
Postmarket Guidance To address evolving cybersecurity risks, FDA identifies a number of critical components that should be included from the device manufacturer postmarket. – Monitor information sources for vulnerabilities – Assess presence and impact of a vulnerability – Establish and communicate process for vulnerability intake and handling – Define essential clinical performance • To develop mitigations to protect, respond and recover – Adopt a Coordinated Vulnerability Disclosure policy and practice – Deploy mitigations prior to exploitation.
Coordinated Disclosure • FDA recognizes IEC 29147:2014 – deals with the interface between vendors and those who find and report potential vulnerabilities – Could be external – how does a 3rd party report a vulnerability found? • Why have one? – FDA recommends it – Gives advanced notice of vulnerabilities  Makes patients safer  Better publicity control – More likely for security researchers to work with you instead of against you
Private Sector Information Sharing • Executive Order 13691 – Promotes private sector information sharing, encouraging ISAOs (information sharing analysis organizations) • ISAOs serve as focal points for cybersecurity information sharing and collaboration. • ISAOs protect privacy of individuals and preserve business confidentiality, safeguarding information being shared. • FDA considers participation in an ISAO a critical component of a medical device manufacturers’ comprehensive proactive approach to management of postmarket cybersecurity threats.
Advantage of ISAO Membership • Manufactures must report vulnerabilities to the FDA unless all of the following are met: – There are no known serious adverse events or deaths associated. – Manufacturer implements controls within 30 days – Manufacture is a participating member of an ISAO
Advantage of ISAO Membership From the guidance: “Participants in an ISAO can request that their information be treated as Protected Critical Infrastructure Information. Such information is shielded from any release otherwise required by the Freedom of Information Act or State Sunshine Laws and is exempt from regulatory use and civil litigation if the information satisfies the requirements of the Critical Infrastructure Information Act of 2002”
Summary • The Device Manufacturer has responsibility to implement cybersecurity risk management programs premarket and postmarket. • Information sharing is a critical part of postmarket cybersecurity programs The FDA now views cybersecurity risks just as seriously as defective product risks.
Need more Info? Contact Us For more information please feel free to contact Promenade Software Frances@promenadesoftware.com Daniel@promenadesoftware.com www.promenadesoftware.com

Recomendados

Cybersecurity in medical devices
Cybersecurity in medical devicesCybersecurity in medical devices
Cybersecurity in medical devices
SafisSolutions
 
Breakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical DevicesBreakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical Devices
Healthegy
 
CyberSecurity Medical Devices
CyberSecurity Medical DevicesCyberSecurity Medical Devices
CyberSecurity Medical Devices
Suresh Mandava
 
Breakout Session: Is Off-Label Promotion Lawful After the Howard Root/Vascula...
Breakout Session: Is Off-Label Promotion Lawful After the Howard Root/Vascula...Breakout Session: Is Off-Label Promotion Lawful After the Howard Root/Vascula...
Breakout Session: Is Off-Label Promotion Lawful After the Howard Root/Vascula...
Healthegy
 
Cybersecurity in medical devices
Cybersecurity in medical devicesCybersecurity in medical devices
Cybersecurity in medical devices
SafisSolutions
 
Collaborative Approaches for Medical Device & Healthcare Cybersecurity
Collaborative Approaches for Medical Device & Healthcare CybersecurityCollaborative Approaches for Medical Device & Healthcare Cybersecurity
Collaborative Approaches for Medical Device & Healthcare Cybersecurity
Dr Dev Kambhampati
 
EU cybersecurity requirements under current and future medical devices regula...
EU cybersecurity requirements under current and future medical devices regula...EU cybersecurity requirements under current and future medical devices regula...
EU cybersecurity requirements under current and future medical devices regula...
Erik Vollebregt
 
THE FDA and Medical Device Cybersecurity Guidance
THE FDA and Medical Device Cybersecurity GuidanceTHE FDA and Medical Device Cybersecurity Guidance
THE FDA and Medical Device Cybersecurity Guidance
Pam Gilmore
 

Recomendados

Cybersecurity in medical devices
Cybersecurity in medical devicesCybersecurity in medical devices
Cybersecurity in medical devices
SafisSolutions
 
Breakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical DevicesBreakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical Devices
Healthegy
 
CyberSecurity Medical Devices
CyberSecurity Medical DevicesCyberSecurity Medical Devices
CyberSecurity Medical Devices
Suresh Mandava
 
Breakout Session: Is Off-Label Promotion Lawful After the Howard Root/Vascula...
Breakout Session: Is Off-Label Promotion Lawful After the Howard Root/Vascula...Breakout Session: Is Off-Label Promotion Lawful After the Howard Root/Vascula...
Breakout Session: Is Off-Label Promotion Lawful After the Howard Root/Vascula...
Healthegy
 
Cybersecurity in medical devices
Cybersecurity in medical devicesCybersecurity in medical devices
Cybersecurity in medical devices
SafisSolutions
 
Collaborative Approaches for Medical Device & Healthcare Cybersecurity
Collaborative Approaches for Medical Device & Healthcare CybersecurityCollaborative Approaches for Medical Device & Healthcare Cybersecurity
Collaborative Approaches for Medical Device & Healthcare Cybersecurity
Dr Dev Kambhampati
 
EU cybersecurity requirements under current and future medical devices regula...
EU cybersecurity requirements under current and future medical devices regula...EU cybersecurity requirements under current and future medical devices regula...
EU cybersecurity requirements under current and future medical devices regula...
Erik Vollebregt
 
THE FDA and Medical Device Cybersecurity Guidance
THE FDA and Medical Device Cybersecurity GuidanceTHE FDA and Medical Device Cybersecurity Guidance
THE FDA and Medical Device Cybersecurity Guidance
Pam Gilmore
 
Webinar: Cybersecurity and the New Age of Hackers
Webinar: Cybersecurity and the New Age of HackersWebinar: Cybersecurity and the New Age of Hackers
Webinar: Cybersecurity and the New Age of Hackers
Modern Healthcare
 
Safeguarding Patient Privacy in a Digital Age (Brian Kalis)
Safeguarding Patient Privacy in a Digital Age (Brian Kalis)Safeguarding Patient Privacy in a Digital Age (Brian Kalis)
Safeguarding Patient Privacy in a Digital Age (Brian Kalis)
U.S. News Healthcare of Tomorrow
 
Isa Chapters Cyber is Hard presentation v1.0
Isa Chapters Cyber is Hard presentation v1.0Isa Chapters Cyber is Hard presentation v1.0
Isa Chapters Cyber is Hard presentation v1.0
grp362
 
Healthcare's Losing Battle Against the Hyper-Connected Machines
Healthcare's Losing Battle Against the Hyper-Connected MachinesHealthcare's Losing Battle Against the Hyper-Connected Machines
Healthcare's Losing Battle Against the Hyper-Connected Machines
Kurt Hagerman
 
A to z of Cyber Crime
A to z of Cyber CrimeA to z of Cyber Crime
A to z of Cyber Crime
Jessore University of Science & Technology, Jessore.
 
10 Ways to Mitigate the Risk and Effect of Cyber Attacks on Medical Devices
10 Ways to Mitigate the Risk and Effect of Cyber Attacks on Medical Devices10 Ways to Mitigate the Risk and Effect of Cyber Attacks on Medical Devices
10 Ways to Mitigate the Risk and Effect of Cyber Attacks on Medical Devices
Extreme Networks
 
Medical device security presentation - Frank Siepmann
Medical device security presentation - Frank SiepmannMedical device security presentation - Frank Siepmann
Medical device security presentation - Frank Siepmann
Frank Siepmann
 
Securing Medical Devices From Cyber Threats
Securing Medical Devices From Cyber ThreatsSecuring Medical Devices From Cyber Threats
Securing Medical Devices From Cyber Threats
HCL Technologies
 
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
Andris Soroka
 
Medtec - Cyber-security Challenges on the Horizon
Medtec - Cyber-security Challenges on the HorizonMedtec - Cyber-security Challenges on the Horizon
Medtec - Cyber-security Challenges on the Horizon
team-WIBU
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
Ramiro Cid
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
InfinIT - Innovationsnetværket for it
 
Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...
Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...
Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...
Steve Fantauzzo
 
"Case Studies from the Field: Putting Cyber Security Strategies into Action" ...
"Case Studies from the Field: Putting Cyber Security Strategies into Action" ..."Case Studies from the Field: Putting Cyber Security Strategies into Action" ...
"Case Studies from the Field: Putting Cyber Security Strategies into Action" ...
Health IT Conference – iHT2
 
Empower Business by Filling Gap of Cyber Security Skills
Empower Business by Filling Gap of Cyber Security SkillsEmpower Business by Filling Gap of Cyber Security Skills
Empower Business by Filling Gap of Cyber Security Skills
ClickSSL
 
Cybersecurity Trends and CyberVision : 2015 - 2025
Cybersecurity Trends and CyberVision : 2015 - 2025Cybersecurity Trends and CyberVision : 2015 - 2025
Cybersecurity Trends and CyberVision : 2015 - 2025
Dr David Probert
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
SynarionITSolutions
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
 

Más contenido relacionado

Destacado

Medtec - Cyber-security Challenges on the Horizon
Medtec - Cyber-security Challenges on the HorizonMedtec - Cyber-security Challenges on the Horizon
Medtec - Cyber-security Challenges on the Horizon
team-WIBU
 

Destacado (16)

Webinar: Cybersecurity and the New Age of Hackers
Webinar: Cybersecurity and the New Age of HackersWebinar: Cybersecurity and the New Age of Hackers
Webinar: Cybersecurity and the New Age of Hackers
 
Safeguarding Patient Privacy in a Digital Age (Brian Kalis)
Safeguarding Patient Privacy in a Digital Age (Brian Kalis)Safeguarding Patient Privacy in a Digital Age (Brian Kalis)
Safeguarding Patient Privacy in a Digital Age (Brian Kalis)
 
Isa Chapters Cyber is Hard presentation v1.0
Isa Chapters Cyber is Hard presentation v1.0Isa Chapters Cyber is Hard presentation v1.0
Isa Chapters Cyber is Hard presentation v1.0
 
Healthcare's Losing Battle Against the Hyper-Connected Machines
Healthcare's Losing Battle Against the Hyper-Connected MachinesHealthcare's Losing Battle Against the Hyper-Connected Machines
Healthcare's Losing Battle Against the Hyper-Connected Machines
 
A to z of Cyber Crime
A to z of Cyber CrimeA to z of Cyber Crime
A to z of Cyber Crime
 
10 Ways to Mitigate the Risk and Effect of Cyber Attacks on Medical Devices
10 Ways to Mitigate the Risk and Effect of Cyber Attacks on Medical Devices10 Ways to Mitigate the Risk and Effect of Cyber Attacks on Medical Devices
10 Ways to Mitigate the Risk and Effect of Cyber Attacks on Medical Devices
 
Medical device security presentation - Frank Siepmann
Medical device security presentation - Frank SiepmannMedical device security presentation - Frank Siepmann
Medical device security presentation - Frank Siepmann
 
Securing Medical Devices From Cyber Threats
Securing Medical Devices From Cyber ThreatsSecuring Medical Devices From Cyber Threats
Securing Medical Devices From Cyber Threats
 
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
 
Medtec - Cyber-security Challenges on the Horizon
Medtec - Cyber-security Challenges on the HorizonMedtec - Cyber-security Challenges on the Horizon
Medtec - Cyber-security Challenges on the Horizon
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
 
Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...
Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...
Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...
 
"Case Studies from the Field: Putting Cyber Security Strategies into Action" ...
"Case Studies from the Field: Putting Cyber Security Strategies into Action" ..."Case Studies from the Field: Putting Cyber Security Strategies into Action" ...
"Case Studies from the Field: Putting Cyber Security Strategies into Action" ...
 
Empower Business by Filling Gap of Cyber Security Skills
Empower Business by Filling Gap of Cyber Security SkillsEmpower Business by Filling Gap of Cyber Security Skills
Empower Business by Filling Gap of Cyber Security Skills
 
Cybersecurity Trends and CyberVision : 2015 - 2025
Cybersecurity Trends and CyberVision : 2015 - 2025Cybersecurity Trends and CyberVision : 2015 - 2025
Cybersecurity Trends and CyberVision : 2015 - 2025
 

Último

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Último (20)

Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 

Cybersecurity and the FDA

  • 1. Cybersecurity and the FDA Overview for Medical Devices By Frances Cohen President Promenade Software Inc. Board Member MedISAO
  • 2. My Background The highlights: • B.S. Geophysics – UCLA. Worked in the Dept. on an Apple IIe and 1st PC. (dinosaurs still roamed the earth but punch cards were going extinct) • Hated oil research – loved software. Got a BS Computer Engineering from the Technion – Israel Institute of Technology. • Chief Architect and core team manager at Phoenix BIOS back in the PC heyday of 286/386/486/Pentium, Windows 3.1 – XP. • Implemented and Managed development a GE Medical Hospital Defibrillator at Cardiac Science – first introduction to medical devices. • Directed software development at Source Scientific LLC, a medical device contract developer and manufacture for 9 years. • Current- President of Promenade Software Inc. – a medical device software service co. 3+ years.
  • 3. Promenade Software Inc. • A service provider of Medical Device Software – ~15 software engineers – Full stack of software for devices and their associated eco-system • Embedded and User-facing software. • Mobile Apps and Cloud – Handle software regulatory submission – Cybersecurity solutions and services
  • 4. Med ISAO • A medical device information sharing and analysis organization. – Provides ongoing cybersecurity information tailored to the medical device industry. – Alerts members of potential threats – Geared towards smaller manufacturers and startups.
  • 5. Cybersecurity and Medical Devices Some Definitions • Cybersecurity – the procedure of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed , or transferred from a medical device to an external recipient. • Vulnerability – A weakness in a device’s cybersecurity (implementation or processes) that could be exploited.
  • 6. Background • From Executive Order 13636 – Cyber threats to national security are among the most serious. • Thousands of medical devices have been shown to be vulnerable to hacking – Rising number of medical devices connected to the internet. – Insufficient security practices: ex: Fixed hardcoded passwords, or defaults not changed. Or no encryption. – From infusion pumps to CT scans, implantable defibrillators – many easily accessible from within the hospital, and some on the web or within Bluetooth reach. • Raising privacy concerns and safety concerns
  • 7. Ex: GE’s Password Cloud Default passwords with an advisory not to change them in the manual – for service reasons.
  • 8. Recent Issues • Hospira Symbiq Infusion System – July 2015 – FDA issued advisory to stop using due to cybersecurity risk • J&J Animas Insulin Pump – October 2016 – J&J advised to turn off wireless functions until patched – Attacker could command pump to dispense arbitrary amount of insulin from 25 feet away • St. Jude Pacemaker – August 2016 – Security firm reported ability to wirelessly control implanted pacemaker – St. Jude stock Dropped ~10% – Ongoing investigations on validity of claim
  • 9. FDA Guidance - History • No initial mention in guidance material • Oct 2014 – FDA released the Guidance for “Premarket Submission for Management of Cybersecurity in Medical Devices” • Jan 2016 – FDA release a draft guidance “Postmarket Management of Cybersecurity in Medical Devices” – Talk of release by the end of the year.
  • 10. Premarket Guidance Guidance follows standards for securing networked systems (ex: systems having to do with money…) • Identify and Protect – Limit Access to Trusted Users Only • Require authentication of users (ex: ID and password, or biometric). No hardcoded passwords. Use modern hashes • Use multi-factor authentication to privileged device access (service techs., system admins). • Require user authentication for upgrades. • Terminate sessions after a timeout, as appropriate. – Ensure trusted content • Upgraded code should be authenticated (e.g. signed) • Ensure secure data transfer to and from device, using encryption.
  • 11. Premarket Guidance • Detect, Respond, Recover – Implement features allowing for detection of security compromises. – Implement features that protect critical functionality, even when cybersecurity has been compromised. – Provide method of recovery by an authenticated privileged user.
  • 12. Premarket Guidance • Documentation – Include a Hazard Analysis with mitigations pertaining to cybersecurity risks. – Show traceability to requirements. – Describe plan for providing updates. – Provide instructions for recommended cybersecurity controls appropriate for the intended use.
  • 13. Postmarket Guidance To address evolving cybersecurity risks, FDA identifies a number of critical components that should be included from the device manufacturer postmarket. – Monitor information sources for vulnerabilities – Assess presence and impact of a vulnerability – Establish and communicate process for vulnerability intake and handling – Define essential clinical performance • To develop mitigations to protect, respond and recover – Adopt a Coordinated Vulnerability Disclosure policy and practice – Deploy mitigations prior to exploitation.
  • 14. Coordinated Disclosure • FDA recognizes IEC 29147:2014 – deals with the interface between vendors and those who find and report potential vulnerabilities – Could be external – how does a 3rd party report a vulnerability found? • Why have one? – FDA recommends it – Gives advanced notice of vulnerabilities  Makes patients safer  Better publicity control – More likely for security researchers to work with you instead of against you
  • 15. Private Sector Information Sharing • Executive Order 13691 – Promotes private sector information sharing, encouraging ISAOs (information sharing analysis organizations) • ISAOs serve as focal points for cybersecurity information sharing and collaboration. • ISAOs protect privacy of individuals and preserve business confidentiality, safeguarding information being shared. • FDA considers participation in an ISAO a critical component of a medical device manufacturers’ comprehensive proactive approach to management of postmarket cybersecurity threats.
  • 16. Advantage of ISAO Membership • Manufactures must report vulnerabilities to the FDA unless all of the following are met: – There are no known serious adverse events or deaths associated. – Manufacturer implements controls within 30 days – Manufacture is a participating member of an ISAO
  • 17. Advantage of ISAO Membership From the guidance: “Participants in an ISAO can request that their information be treated as Protected Critical Infrastructure Information. Such information is shielded from any release otherwise required by the Freedom of Information Act or State Sunshine Laws and is exempt from regulatory use and civil litigation if the information satisfies the requirements of the Critical Infrastructure Information Act of 2002”
  • 18. Summary • The Device Manufacturer has responsibility to implement cybersecurity risk management programs premarket and postmarket. • Information sharing is a critical part of postmarket cybersecurity programs The FDA now views cybersecurity risks just as seriously as defective product risks.
  • 19. Need more Info? Contact Us For more information please feel free to contact Promenade Software Frances@promenadesoftware.com Daniel@promenadesoftware.com www.promenadesoftware.com