Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Requirements/Expectations of Biomedical Devices

Similar presentations


Presentation on theme: "Security Requirements/Expectations of Biomedical Devices"— Presentation transcript:

1 Security Requirements/Expectations of Biomedical Devices
Assurance and Advisory Business Services April 1, 2017 Security Requirements/Expectations of Biomedical Devices December 5, 2013 Start Time: 9AM US Pacific, 12PM US Eastern, 5PM London Staff operator to read the following: Welcome to the ISSA Web Conference: Security Requirements/Expectations of Biomedical Devices To explore more of ISSA’s educational offerings and benefits visit our website at ISSA.org. If you are not currently a member, we encourage you to join ISSA. Please feel free to ask questions during the presentation.  To ask a question of the speaker, simply type your question in the provided area in the upper right hand corner of your screen.  You may need to click on the double arrows to open this function. After the live event today, the presentation slides and a recorded version of the webcast will be available on the ISSA Web Conference page. Within 24 hours after this event you will receive an containing a link to the post-event quiz. After the successful completion of the quiz, you will be given the opportunity to print a certificate of attendance for you to submit for CPE credits in accordance with various certifying bodies. Staff operator to introduce conference Moderator.

2 Welcome Conference Moderator
Assurance and Advisory Business Services April 1, 2017 Welcome Conference Moderator Michael Boyd Portland, USA Chapter Chief Information Security Officer & Director of Information Security Management Providence Health & Services Staff to introduce Moderator: At this time I would like to introduce the moderator of this program: Moderator Biography: Mike Boyd’s background includes security engineering and risk management work in the fields of media and entertainment, insurance and financial services, higher education and more than a decade working in healthcare information security and risk management. Mike has been with Providence Health & Services for five years and currently serves as the Chief Information Security Officer and Director of Information Security Management. Providence is a not-for-profit Catholic healthcare system that includes 32 hospitals, 350 physician clinics, senior services, supportive housing and many other health and educational services. The health system employs more than 65,000 people across five states – Alaska, California, Montana, Oregon and Washington. Mike’s responsibilities include oversight of information security risk assessment, security incident management, and integration of security risk management within Providence’s environment including information technology, supply chain, revenue cycle, human resources and healthcare operations. Previously Mike served as the Information Security Officer for Oregon Health & Science University and oversaw the security engineering team at Pacific Life Insurance. Mike is also the past president of the Portland chapter of the Information Systems Security Association (ISSA) and a former Captain in the United States Marine Corps. Mike holds the Certified Information Systems Security Professional (CISSP) certification and a Bachelor of Science in Computer Science from the United States Naval Academy in Annapolis, Maryland. Welcome everyone – Mike, if you would, please begin the presentation.

3 Assurance and Advisory Business Services
April 1, 2017 Agenda Speakers Kevin McDonald Clinical Information Security, Mayo Clinic Office of Information Security Dale Nordenberg Executive Director and Co-Founder, Medical Device Innovation, Safety and Security Consortium (MDISS) Roy Wattanasin Information Security Officer, MITM Closing Remarks Moderator: Biomedical equipment undergoes crucial FDA certification prior to being deemed fit for use. However, after the certification process is complete, there are still many questions among healthcare security professionals as to how to maintain the security of these devices and stay in line with the expectations of the FDA. Find out what healthcare organizations are doing to ensure their biomedical equipment is protected from security threats without interfering with critical functionality. I’d like to introduce them now: Kevin McDonald-Clinical Information Security, Mayo Clinic Office of Information Security Dale Nordenberg-Executive Director and Co-Founder, Medical Device Innovation, Safety and Security Consortium (MDISS) Moderator: Move to next slide and introduce the first Speaker…(Kevin McDonald)

4 Medical Device Security in a Connected World
Assurance and Advisory Business Services April 1, 2017 Medical Device Security in a Connected World Kevin McDonald Clinical Information Security Mayo Clinic Moderator: Kevin McDonald– Clinical Information Security, Mayo Clinic Office of Information Security Kevin McDonald has over 35 years of healthcare experience in various roles. He holds degrees in Nursing, Education and Information Systems. His work experience includes direct patient care, management, electronic medical record implementation, and information technology and security. Kevin's current role at Mayo Clinic is Director of Clinical Information Security in the Office of Information Security, with one of his primary responsibilities being the security of medical devices. Moderator: Turn over presentation to Kevin.

5 Secure CAT Scanner At least with this cat scanner if there is any hacking we only need to worry about hairballs!

6 Topics Mayo Clinic Overview Working in a Hostile Environment
Medical Device Security in the News Medical Device Vendors Regulatory Environment Mayo’s Response Clinical Information Security CIS Activities and Planning Next Steps and Other Opportunities

7 Mayo Clinic Overview Provides Patient Care, Education and Research
65,000 Employees 4,100 Employed physicians & scientist 3,500 Residents & students Large group practices in MN, AZ, FL 70 Health system sites across upper Midwest Over 1 million patients per year Technology dependent Paperless patient care Interconnected systems and devices ~200,000 active IP addresses Committed to a 6 billion dollar investment in Minnesota

8 Working in a Hostile Environment
“Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted.” “We only need to be lucky once. You need to be lucky every time.” “Another way to lose control is to ignore something when you should address it” “We have only two modes - complacency and panic.”

9 Medical Devices in a Hostile Environment
Medical devices are becoming more connected and technology dependent, thus more vulnerable Patient care is dependent on technology No network can be assumed to be secure anymore Skill level to cause harm is going down Tools to compromise and harm systems are readily available and cheap (free) Devices can be in use for > 10 years We are way beyond just firewalls & anti-virus

10 In The News Veterans Affairs Department Deloitte Brief - 2013
“Among the unintended consequences of health care’s digitization and increased networked connectivity are the risks of being hacked, being infected with malware, and being vulnerable to unauthorized access.” Gartner – Top Industry Predicts 2013 “By 2016, patients will be harmed or placed at risk by a medical device security breach.” Veterans Affairs Department Experienced 122 virus / malware infections in medical devices the last 14 months that had potential to harm patients Launched an initiative to isolate 50,000 networked devices

11 In The News (cont.) Department of Homeland Security – Industrial Control Systems Cyber Emergency Team Alert “…reported a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors.” Newspaper Articles Wall Street Journal “Potential Cyber attacks on Medical Devices Draw Attention” Reuters “FDA urges protection of medical devices from cyber threats” Washington Post “FDA, facing cyber security threats, tightens medical-device standards” Healthcare Information Security (Nov. 2013) Michael McNeil, Global Security and Privacy Leader at Medtronic, says “it's vital for all medical device manufacturers learn from independent security experts and ethical hackers, such as Jay Radcliff of consulting firm InGuardians, and the late Barnaby Jack of vendor IOActive and before that, McAfee, who have, for example, demonstrated how they can remotely access web-enabled medical equipment, such as wireless insulin pumps, to deliver potentially dangerous doses of drugs.”

12 Medical Device Vendors
Security as an “afterthought” (or no thought) Poor coding and configuration practices Hard coded password Inability to run basic anti-virus software Default settings Elevated privileges Unencrypted data Dependent upon older OS, software and technologies with no upgrade paths Devices subject to a number of vulnerabilities Denial of service Password guessing Old published exploits Remote exploitation Vendors hide behind FDA re-certification Vendors Generally “Clueless”

13 Regulatory Environment
FDA is becoming concerned “We are aware of hundreds of devices involving dozens of manufacturers that have been affected by cyber security vulnerabilities or incidents” FDA published draft guidance for device security Limit access to trusted users only Ensure trusted content Use fail safe and recover features FDA published recommendations for healthcare facilities Restrict access Keep AV and Firewalls up to date Protect network components – evaluations, patches, disabling ports & services Develop strategies to maintain service Very (very) basic requirements

14 FDA Q&A Who is responsible for ensuring the safety and effectiveness of medical devices that incorporate OTS software? You (the device manufacturer who uses OTS software in your medical device) bear the responsibility for the continued safe and effective performance of the medical device, including the performance of OTS software that is part of the device. Is FDA premarket review required prior to implementation of a software patch to address a cyber security vulnerability? Usually not. In general, FDA review is necessary when a change or modification could significantly affect the safety or effectiveness of the medical device

15

16 Reporting Cyber-security Issues
Lack of reported issues MAUDE – Mandatory device reporting database No issues found for “Computer Security Issue” FDA Reporting Mandatory reporting for manufacturers and healthcare providers in case of a death or injury – Form 3500A Voluntary reporting by consumers and healthcare professionals for adverse events or problems – Form 3500B Device Vulnerabilities ICS-CERT – by or phone Processes and forms not tailored for cyber-security issues

17 Mayo’s Medical Device Environment
Medical Devices 97,000 medical devices, ~15,000 devices attached to the network Varied responsibilities for purchase, installation and maintenance of medical equipment Biomed, departments, IT, vendors Poor control over some types of equipment purchases Difficulty finding business owners for some devices Little control over what is placed on the network Lack of training and education on security risks Security of devices and response to incidents not integrated into overall Mayo’s enterprise processes Need strategy to address legacy devices Cost of just replacing all XP devices $300M (not affordable) Typical of today’s environment

18 ~Needs of the Patient Comes First~
Mayo’s Response ~Needs of the Patient Comes First~ Hired a Chief Information Security Office (CISO) Jim Nelms Formed the Office of Information Security (OIS) Vision Information Security is here not to prevent, but rather to make possible Mission Enabling people, process and technology through secure techniques to deliver the Mayo Clinic strategic and operational objectives Created structure for Clinical Information Security Dedicated to clinical and research device security Director – Kevin McDonald Principle Security Analyst – Debra Bruemmer Principle Security Engineers – tbn Additional Engineers & Analyst in 2014

19 Clinical Information Security (CIS)
Enable Mayo Clinic initiatives by supporting a secure environment for clinical and research devices by Developing a secure technical architecture for medical & research devices Developing mitigation & management strategies for vulnerable devices Providing processes & specialized knowledge to enable the purchase, evaluation and secure maintenance of clinical & research devices Integrating medical & research devices into the overall security strategy, risk management, incident response & monitoring processes

20 Activities and Planning
Validation of security concerns Multi-year plan to improve the security posture of medical devices Partnering with Biomed, Clinical Departments, IT Includes People Processes Technology (may be the easiest) Five security levels Basic fundamentals to world class We know security, not equipment Maslow’s Hierarchy of Needs

21 Validation of Security Concerns
Vulnerability assessment and penetration testing for 45 medical devices over 5 days 12 to 14 experts each day from 4 external vendors Initial concerns (and more) were confirmed: Hardcoded, default, weak or no passwords Backdoor accounts Unencrypted data and communications Weak input validation and fragile applications Use of remote access software and services Unneeded services running – VNC, Telnet, FTP, etc. Susceptibility to fuzzing and denial of service Surprising results Availability of equipment on secondary market to reverse engineer Social engineering of vendor support Access to client support sites with manuals, firmware, etc.

22 Basic Capabilities Inventory completion & validation
Risk stratification Education Solution set development & implementation Incident response process (medical devices) Targeted security monitoring Medical device hardware & software standards Patch and update processes Device vulnerability assessments

23 Intermediate Capabilities
Procurement, accreditation and retirement processes Solution set maintenance and compliance Responsibility and accountability matrix Enterprise device scanning External communication limitations Device security governance Regulatory and vendor involvement

24 Mature Capabilities Account management Endpoint protection
Secure coding standards

25 Advanced Capabilities
Organizational changes to improve support processes Ongoing testing processes: Static / Dynamic / Penetration Security research program

26 Superior Capabilities
Full integration into enterprise operational activities Regulatory body influence Vulnerability management program Vendor management program Operational processes reviews Security metrics

27 Next steps Mitigate vulnerabilities identified
Identify other high risk system that may need short term mitigations Complete detailed planning and resource needs for basic and intermediate capabilities Partner with interested groups to promote medical device security

28 Other Opportunities Support and Departmental Systems Security
Temperature monitoring Infant abduction Pharmacy automation Patient tracking Nurse call systems + many more we don’t know about OWE (other weird equipment) Hyperbaric chamber Traveling gamma camera Pneumatic tube system Home grown stuff

29 Summary The full eco-system is broken
Systems development & architecture Testing Patching & updates Maintenance Regulation Support and incident response We will be living with this problem for at least a decade While the vendors have a responsibility to fix their equipment we have a responsibility to protect our patients The technology and knowledge are available to fix the problem Being “secure” is currently not a business differentiator It’s only a matter of time…

30 FDA & ICS-CERT References
Cybersecurity for Medical Devices and Hospital Networks Draft Guidance - Premarket Submissions for Management of Cybersecurity in Medical Devices MedWatch https://www.accessdata.fda.gov/scripts/medwatch/ MAUDE – Manufacturers and User Facility Device Experience New MDS2 for review of medical devices Industrial Control Systems Cyber Emergency Response Team Draft Guidance for Industry & FDA

31 Assurance and Advisory Business Services
April 1, 2017 Question and Answer Kevin McDonald Clinical Information Security Mayo Clinic Moderator: Thank Kevin for his presentation and ask for the first audience question. NEXT (after the answer to final audience question), move to introduce the next speaker (Dale Nordenberg) 27 31

32 Public Health Through Procurement
Assurance and Advisory Business Services April 1, 2017 Public Health Through Procurement Dale Nordenberg MDISS Executive Director & Co-Founder Medical Device Innovation, Safety and Security Consortium Moderator: Dale Nordenberg– Executive Director & Co-Founder of MDISS (Medical Device Innovation, Safety & Security Consortium) Dr. Nordenberg is president of Novasano Health and Science and also the co-founder and executive director for the Medical Device Innovation, Safety, and Security Consortium (MDISS.) Prior to launching MDISS and Novasano, Dr. Nordenberg was a managing director in the health care practice of PricewaterhouseCoopers. From , Dr. Nordenberg held various positions at CDC including Associate Director and Chief Information Officer (CIO), National Center for Infectious Diseases (NCID) and Senior Advisor for Strategic Planning, Office of the CIO, CDC. Dr. Nordenberg has been a member of the Science and Technology Subcommittee of the Science Advisory Board of the FDA, 2007 and 2009, which was tasked with the evaluation of science and technology at the FDA. He provided Congressional testimony in early 2008 based on the 2007 FDA evaluation. Dr. Nordenberg is a board certified pediatrician. He received a BS in Microbiology from the University of Michigan, his medical degree from Northwestern University, and completed his training in pediatrics at McGill University, Montreal Children’s Hospital. He completed his fellowship in epidemiology and public health in the Epidemic Intelligence Services Program at the Centers for Disease Control. Moderator: Turn over presentation to Dale. 32

33 Content Defining a medical device
Defining and scoping a public health problem Overview of medical device safety Introduction to MDISS.ORG Consortium Market versus regulatory driven change Highlight key regulatory and standards initiatives Highlight key MDISS initiatives

34 Medical Device “A medical device is an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is: recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them, intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of it's primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes." Quoted: FDA -

35 Medical Device Classes
“FDA classifies medical devices based on the risks associated with the device. Devices are classified into one of three categories—Class I, Class II, and Class III. Class I devices are deemed to be low risk and are therefore subject to the least regulatory controls. For example, dental floss is classified as Class I device. Class II devices are higher risk devices than Class I and require greater regulatory controls to provide reasonable assurance of the device’s safety and effectiveness. For example, condoms are classified as Class II devices.  Class III devices are generally the highest risk devices and are therefore subject to the highest level of regulatory control. Class III devices must typically be approved by FDA before they are marketed. For example, replacement heart valves are classified as Class III devices.” Quoted: FDA-

36 Medical Device Data System (MDDS)
“Medical Device Data Systems (MDDS) are hardware or software products that transfer, store, convert formats, and display medical device data. An MDDS does not modify the data or modify the display of the data, and it does not by itself control the functions or parameters of any other medical device. MDDS are not intended to be used for active patient monitoring. Examples of MDDS include: software that stores patient data such as blood pressure readings for review at a later time; software that converts digital data generated by a pulse oximeter into a format that can be printed; and software that displays a previously stored electrocardiogram for a particular patient. The quality and continued reliable performance of MDDS are essential for the safety and effectiveness of health care delivery. Inadequate quality and design, unreliable performance, or incorrect functioning of MDDS can have a critical impact on public health.” Quoted: FDA

37 Medical Device, Accessory, Component

38 Mobile Medical App Mobile platform: “For purposes of this guidance, “mobile platforms” are defined as commercial off-the-shelf (COTS) computing platforms, with or without wireless connectivity, that are handheld in nature. Examples of these mobile platforms include mobile computers such as smart phones, tablet computers, or other portable computers.” Mobile app: “For purposes of this guidance, a mobile application or “mobile app” is defined as a software application that can be executed (run) on a mobile platform (i.e., a handheld commercial off-the-shelf computing platform , with or without wireless connectivity), or a web-based software application that is tailored to a mobile platform but is executed on a server.” Mobile medical app: “For purposes of this guidance, a “mobile medical app” is a mobile app that meets the definition of device in section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act); and either is intended (1) to be used as an accessory to a regulated medical device; or (2) to transform a mobile platform into a regulated medical device.”

39 mHealth Market In Q1 2013, more than 27,000 mhealth apps with a growth rate of about 500 per month Of these mhealth apps, only about 80 had gone through the FDA 510(k) process at the time of the survey. March 2013

40 Mobile Medical Apps: Regulatory Categories

41 Basic Regulatory Requirements
Establishment registration Medical device listing Premarket notification (510k) or premarket approval (PMA) Investigational device exemption (IDE) for clinical studies Quality system (QS) regulation Labeling requirements Medical device reporting (MDR)

42 FDA Recommendations The following FDA slides contain content quoted from: Safety communication, June, 2013 Cybersecurity Guidance, Sept, 2013

43 FDA: Identified Risks Network-connected/configured medical devices infected or disabled by malware; The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices; Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel); Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices)

44 FDA: Recommendations to Manufacturers
Take steps to limit unauthorized device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks. Appropriate security controls may include: user authentication, for example, user ID and password, smartcard or biometric; strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards. Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code. Note: The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity. Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.” Provide methods for retention and recovery after an incident where security has been compromised. Cybersecurity incidents are increasingly likely and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery.

45 FDA: Guidance to Manufacturers (con’t)
Manufacturers should define and document the following components of their cybersecurity risk analysis and management plan as part of the risk analysis required by 21 CFR (g)2: Identification of assets, threats, and vulnerabilities; Impact assessment of the threats and vulnerabilities on device functionality; Assessment of the likelihood of a threat and of a vulnerability being exploited; Determination of risk levels and suitable mitigation strategies; Residual risk assessment and risk acceptance criteria

46 FDA Recommendations to Health Systems
Restricting unauthorized access to the network and networked medical devices. Making certain appropriate antivirus software and firewalls are up-to-date.
  Monitoring network activity for unauthorized use. Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services. Contacting the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution. Developing and evaluating strategies to maintain critical functionality during adverse conditions

47 Public Health Perspective
Three parameters define the importance of a public health problem Breadth of exposure, e.g. incidence/prevalence Depth if impact, e.g. morbidity and mortality Preventability

48 Medical Device Exposure
Centers for Disease Control and Prevention (CDC) estimates annual patient encounters 35 million hospital discharges 100 million hospital outpatient visits 900 million physician office visits Billions of prescriptions Most of these encounters likely include a networked medical device

49 Medical Device Market Overall market estimated to be $100 - $300 billion dollars Digitally enabled devices represent about $25B to $75B or 25% of the market. An estimate in 2009 The U.S. medical devices sector includes surgical and medical instruments, orthopedic, prosthetic, and surgical appliances and supplies; dental equipment and supplies; x-ray apparatus, tubes, related irradiation apparatus; electrotherapy and electromedical apparatus; ophthalmic equipment; and in-vitro diagnostic substances. Annual Survey of Manufacturers, 2006, U.S. Census Bureau, Department of Commerce

50 Medical Device Adverse Events
Many devices can cause serious harm if they malfunction Linear accelerators Infusion pumps Defibrillators Insulin pumps Difficult to identify security related malfunction as a root cause

51 Preventable Risk There are many important security related best practices and security technologies that are available but that are not being deployed to secure medical devices Opportunity exists to integrate improved security functions in medical devices This renders medical device security a preventable risk

52 Innovation Imbalance HIT innovation and adoption is rapid, accelerating, and includes networked medical devices HIT interoperability is accelerating The rate of innovation and application for ICT security is lagging significantly behind HIT innovation The gap contributes to a major public health risk ICT – Information and Communication Technologies

53 The ‘Hand Off’ A Black Hole Where Risk Lives
Handoff strategies in settings with high consequences for failure: lessons for health care operations Objective. To describe strategies employed during handoffs in four settings with high consequences for failure. Design. Analysis of observational data for evidence of use of 21 handoff strategies. Setting. NASA Johnson Space Center in Texas, nuclear power generation plants in Canada, a railroad dispatch center in the United States, and an ambulance dispatch center in Toronto. Main measure. Evidence of 21 handoff strategies from observations and interviews. Results. Nineteen of 21 strategies were used in at least one domain, on at least an ‘as needed’ basis. Conclusions. An understanding of how handoffs are conducted in settings with high consequences for failure can jumpstart endeavors to modify handoffs to improve patient safety. Reference: Quoted from Int J Qual Health Care (2004) 16 (2): doi: /intqhc/mzh026 MDISS Consortium

54 Point of Care Risk in the Health Enterprise Hiding Behind Every Handoff
Medical Technologists Mobile Devices Information Technology Clinical Informatics Therapists Computers Information Security Medical Devices Nurses Biomedical Engineers Physicians Quality of Care Patient Risk Laboratorians Enterprise Risk Data Systems Industrial Control Systems

55 Origins of Risk: Industry Handoff Gaps Crossing the Cultural Chasm
Manufacturers Regulators Technology Build Infrastructure Hospitals Operate Integrate

56 Who’s Responsible Origins, Destinations, Directions
Congress and GAO Manufacturers 800001 NIST Hospitals MDISS Risk Assessment MDS2 FDA MDISS Consortium

57 Medical Device Innovation, Safety and Security Consortium
Medical Device Safety Background Medical Device Innovation, Safety and Security Consortium

58 Cardiac Implantable Devices: Overview
FDA recalled 23 types of implantable products in the first half of 2010 In 2008, approximately 350,000 pacemakers and 140,000 ICDs were implanted in the United States, according to a forecast on the implantable medical device market published earlier this year Sanket S. Dhruva et al., Strength of Study Evidence Examined by the FDA in Premarket Approval of CardiovascularDevices, 302 J. Am. Med. Ass'n 2679 (2009). Nation-wide demand for all IMDs is projected to increase 8.3 percent annually to $48 billion by 2014 while cardiac implants in the U.S. will increase 7.3 percent annually representing approximately $16.7 billion in 2014 Freedonia Group, Cardiac Implants, Rep. Buyer, Sept. 2008, healthcare/medical devices/cardiac implants.html. From 1997 to 2003, approximately 400,000 to 450,000 ICDs were implanted globally, the majority of these implants were done in the USA, and there were at least 212 deaths attributed to failure of these ICDs Robert G. Hauser & Linda Kallinen, Deaths Associated With Implantable Cardioverter Debrillator Failure and Deactiva-tion Reported in the United States Food and Drug Administration Manufacturer and User Facility Device Experience Database, 1 Heart Rhythm 399, t Medical Device Innovation, Safety and Security Consortium

59 Medical Device Software Failures
Between 1983 to 1997, 2,792 quality problems that resulted in recalls of medical devices and of problems, 383 were related to device software Of the recalled devices, 21 percent were cardiac 98 percent of the software failures analyzed were detectable by best practice quality assurance methods Dolores R. Wallace & D. Richard Kuhn, Failure Modes in Medical Device Software: An Analysis of 15 Years of Recall Data, 8 Int'l J. Reliability Quality Safety Eng'g 351 (2001), available at Medical Device Innovation, Safety and Security Consortium

60 Infusion Pumps Software Failure
Between 2005 and 2009, the FDA received approximately 56,000 infusion pump-related adverse event reports Many of these were associated with significant morbidity and mortality Software malfunction was a frequent cause for infusion pump malfunction Hundreds of thousands of infusion pumps were recalled and scores of models were implicated FDA is providing support to manufacturers Review of code submitted by manufacturers Collaborative development of open source safety models and reference standards White Paper: Infusion Pump Improvement Initiative April 2010, Center for Devices and Radiological Health U.S. Food and Drug Administration, Medical Device Innovation, Safety and Security Consortium

61 Linear Accelerators Software Related Deaths
Therac-25 machines Software problems lead to 6 well known cases of death or severe adverse events between resulting in machine recall Catalyzed safety concerns and resulted in initiatives to improve safety profile of linear accelerators An Investigation of the Therac-25 Accidents, Nancy Leveson, IEEE Computer, Vol. 26, No. 7, July 1993, pp Radiation related adverse events are likely underestimated Many adverse events are difficult to detect because many are initially subclinical, e.g. increased exposures leading to malignancy “My suspicion is that maybe half of the accidents we don’t know about,” said Dr. Fred A. Mettler Jr. Radiation Offers New Cures, and Ways to Do Harm, NY Times, January 23, 2010 Medical Device Innovation, Safety and Security Consortium

62 Risk Reality Check - Hacking Machines vs. People
In 2007 and 2008, health related websites were hacked with the intent to cause harm Coping with Epilepsy website Epilepsy Foundation website In both instances, computer animations were posted that triggered migraines and seizures among visitors with epilepsy variants associated with photosensitivity Hacking of ‘medical devices’ to intentionally cause harm will occur Medical Device Innovation, Safety and Security Consortium

63 Medical Device Innovation, Safety and Security Consortium
Silicon-Based Defects Etiology of Carbon-Based Diseases Implanted medical devices have enriched and extended the lives of countless people, but device malfunctions and software glitches have become modern `diseases' that will continue to occur. The failure of manufacturers and the FDA to provide the public with timely, critical information about device performance, malfunctions, and ’fixes' enables potentially defective devices to reach unwary consumers.” Capitol Hill Hearing Testimony of William H. Maisel, Director of Beth Israel Deaconess Medical Center, May 12, 2009 Medical Device Innovation, Safety and Security Consortium

64 Medical Device Vulnerability Patient Safety
“These [medical device] infections have the potential to greatly affect the world-class patient care that is expected by our customers. In addition to compromising data and the system, these incidents are also extremely costly to the VA in terms of time and money spent cleansing infected medical devices.” Roger Baker Assistant Secretary for Information and Technology Department of Veterans Affairs Medical Device Innovation, Safety and Security Consortium

65 Medical Device Safety Act
Controversy regarding medical device safety Medical devices and pharmaceuticals are treated differently Medical Device Safety Act (MDSA) seeks to overturn a 2008 Supreme Court decision based on the 1976 Medical Device Act that essentially states that manufacturers can’t be held at risk for adverse health events due to FDA approved products Editorial: The Medical Device Safety Act of 2009, Gregory D. Curfman, M.D., Stephen Morrissey, Ph.D., and Jeffrey M. Drazen, M.D., N Engl J Med 2009; 360: , April 9, 2009

66 Medical Device Security Challenges
The national biomedical device network remains a largely unrecognized entity Multidisciplinary expertise is required to understand medical device risks and consequently design, implement, and manage medical devices and their associated biomedical device networks to optimize patient safety Stakeholders have not yet built the multidisciplinary expertise required to optimize medical device safety profiles along the medical device life cycle Security breaches in the health care industry escalate each year and represent an increasing patient risk as the prevalence of networked medical devices increases Medical Device Innovation, Safety and Security Consortium

67 Medical Device Security Challenges (cont.)
Medical device security breaches can harm patients and organizations Medical device network dysfunction is a potential national security risk The security of medical devices, given that they operate as part of a networked system, receive inadequate attention Limited information is reported regarding the extent of the potential exposure, risks, and risk mitigation strategies Regulatory focus is often about a ‘point in time’ assessment while networked medical devices are continuously exposed to rapidly evolving technology risks Collaboration is lacking among all stakeholders in developing practical solutions The engineering, informatics, and public health science to leverage real-time data streams from networked devices is immature Medical Device Innovation, Safety and Security Consortium

68 Medical Device Design Issues
Device system design is proprietary and requires professional inputs for operation Patients connected to multiple devices can’t be monitored from a single integrated platform Significant risks are associated with attempts to compel currently designed devices to be interoperable “Neither past nor current development methods are adequate for the high-confidence design and manufacture of highly complex, interoperable medical device software and systems (“intelligent” prosthetics, minimally invasive surgical devices, implants, “operating room of the future”), which in years to come will likely include nano/bio devices, bionics, or even pure (programmable) biological systems.” High-Confidence Medical Devices: Cyber-Physical Systems for 21st Century Health Care (Feb. 2009); by The Networking and Information Technology Research and Development (NITRD) Program

69 Medical Device Design Issues (con’t)
“To enable the necessary holistic cyber-physical systems understanding, barriers must fall among the relevant disciplines: medicine, discrete and continuous mathematics of dynamics and control; real-time computation and communication; medical robotics; learning; computational models and the supporting systems engineering design, analysis, and implementation technologies; and formal and algorithmic methods for stating, checking, and reasoning about system properties.” High-Confidence Medical Devices: Cyber-Physical Systems for 21st Century Health Care (Feb. 2009)

70 Key Activities Around Medical Device Security
FDA FDASIA – a federal advisory committee focused on healthcare technology safety Cybersecurity for medical devices guidance and safety communication issued Standards and best practices IEC 80001 IEC adaptation AAMI technical report under development for manufacturer risk management MDS2 version 2.0 just released CIS, MDISS, and Counsel for Cybersecurity medical device security benchmarking activity

71 Types of Standards Information security management system
Defines at the highest level how an organization will conduct their information security management Ensures an organization puts in place appropriate organizational structure, policies, processes, procedures, risk management program, incident management process Risk management standards Defines methodology for Risk Management Identifying threats, vulnerabilities, consequences Determining probability and risk Determining what to do with the risk once it’s identified (accept, transfer, reduce, etc). Control frameworks Specific checkpoints to monitor people, process or capabilities in order to control and limit risk, e.g. access Control, Backup, Disaster Recovery, Malware Protection, etc.

72 Standards Overview Standard Description Type Target ISO/IEC 27001
Information Security Management Systems Information Security Management System IT Organizations ISO/IEC 27002 The Code of Practice for Information Security Management Control Framework Manufactures Developers Auditors ISO/IEC 27005 Information technology - Security techniques — Information security risk management Risk Management ISO/IEC 14971 Medical devices — Application of risk management to medical device Manufacturer (Saftey Focused) ISO/IEC :1 Application of risk management for IT-networks incorporating medical devices HealthCare Delivery Organizations (HDO) (Medical-IT / Provider) NIST Risk Management Guide for Information Technology Systems NIST Recommended Security Controls for Federal Information Systems and Organizations PCI-DSS Payment Card Data Security Standard Any organization that collects, processes or stores credit card information IEC A Baseline Security Standard for Industrial Automated Control Systems (IACS) Lifecycle Management Focus on Industry: Oil, Gas, Electric MDS2 Manufacture Disclosure Statement for Medical Device Security Device Profile and Disclosure Manufacturers SOX Sarbanes–Oxley Regulatory Requirement Public Companies HIPAA Health Insurance Portability and Accountability Act FDA Title 21 CFR 801, 803, 807, 812[1] Quality Systems Regulation FDA Title 21 Electronic Record Keeping CFR Part 11

73 ISO/IEC 80001:1 Provider based risk management
Focus on the responsible organization Incorporates updated risk management process based on the IEC/ISO safety standard Creates a Medical-IT Risk Manager Role Silo Busting effect: Works with IT, IS, Biomed Engineers, Clinical Technology, Clinicians and manufactures and vendors Maintains a risk management file for all devices Capabilities Model provides a top-level framework for communicating security requirements and capabilities Defines security risk management processes to be embedded into incident and change-release management processes

74 ISO/IEC 80001:1 Source: Quoted from ISO/IEC 80001:1 Standard

75 IEC 62443 Adaption for Healthcare
Originally for industrial control systems and includes best practices for vendors For ICS, there is certification MDISS has led adaptation for healthcare Undergoing pilot to assess adoption feasibility Adopting a minimal viable product approach

76 Manufacturer Disclosure Statement for Medical Device Security
Manufacturer Disclosure Statement for Medical Device Security (MDS2) Developed by Health Information Management System Society (HIMSS) and National Electronics Manufacturers Association (NEMA) Provides a standard form to record manufacturers device security profile The intent of the MDS2 is to supply healthcare providers with important information that can assist them in assessing the vulnerability and risks associated with electronic Protected Health Information (ePHI) transmitted or maintained by medical devices. MDS2 – HIMSS/NEMA Manufacturer Disclosure Statement for Medical Device Security

77 MDISS Medical Device Risk Assessment Platform
Operational focus for health systems Requires multidisciplinary team Software as a service Aggregates information across health centers Flexible configuration of question sets Graphical results to share with executives to communicate risk Informs procurement and legacy security tune ups

78 Medical Device Innovation, Safety and Security Consortium
Our Mission The Medical Device Innovation, Safety and Security Consortium (MDISS) protects public health and well-being by advancing innovation and computing risk management practices to ensure wide availability of innovative and safe medical devices Medical Device Innovation, Safety and Security Consortium

79 Medical Device Innovation, Safety and Security Consortium
Goals A public private partnership effectively catalyzes the development of a safe and secure national bio-device network Security risks associated with medical devices are well understood and appreciated across the industry Medical devices and associated networks are safe and secure Medical Device Innovation, Safety and Security Consortium

80 Medical Device Innovation, Safety and Security Consortium
Our Organization We are a collaborative and inclusive nonprofit professional organization committed to advancing quality healthcare with a focus on the safety and security of medical devices As a public-private partnership, we serve providers, payers, manufacturers, universities, government agencies, technology companies, individuals, patients and patient advocates Medical Device Innovation, Safety and Security Consortium

81 Sample Members VA, Kaiser, Sutter, Duke, Texas Health Resources, HCA, etc Medtronic, Covidien, Intuitive Surgical, GE, etc Intel, TrendMicro, Symantec, McAfee, Cylance, etc Work closely with FDA, DHS, DOD, etc

82 Consortium Initiatives Examples
Medical device expert network Collaborative medical device requirements development Pre-procurement support Determination of scope of the security challenges based on robust epidemiologic methods Collaborative medical device security testing Standards, policy, guidelines, and regulatory briefings, updates, explanation, and implications Education and training Medical Device Innovation, Safety and Security Consortium

83 Medical Device Innovation, Safety and Security Consortium
Thank You For information, please contact: Dale Nordenberg, MD Acknowledgements Significant contributions to the development and operations of MDISS continue to be made by representatives from numerous organizations including Kaiser Permanente, VA/VHA, John Muir Health, DOD, and others Medical Device Innovation, Safety and Security Consortium

84 Assurance and Advisory Business Services
April 1, 2017 Question and Answer Dale Nordenberg MDISS Executive Director & Co-Founder Medical Device Innovation, Safety and Security Consortium Moderator: Thank Dale for his presentation and ask for the first audience question. NEXT (after the answer), Move to closing remarks Copyright Secure Mentem

85 Medical Device Security - The Time is Now
Roy Wattanasin, Information Security Officer, MITM

86 Medical Device Security - The Time is Now
Assurance and Advisory Business Services April 1, 2017 Medical Device Security - The Time is Now Roy Wattanasin MTIM Information Security Officer Moderator: Dale Nordenberg– Executive Director & Co-Founder of MDISS (Medical Device Innovation, Safety & Security Consortium) Dr. Nordenberg is president of Novasano Health and Science and also the co-founder and executive director for the Medical Device Innovation, Safety, and Security Consortium (MDISS.) Prior to launching MDISS and Novasano, Dr. Nordenberg was a managing director in the health care practice of PricewaterhouseCoopers. From , Dr. Nordenberg held various positions at CDC including Associate Director and Chief Information Officer (CIO), National Center for Infectious Diseases (NCID) and Senior Advisor for Strategic Planning, Office of the CIO, CDC. Dr. Nordenberg has been a member of the Science and Technology Subcommittee of the Science Advisory Board of the FDA, 2007 and 2009, which was tasked with the evaluation of science and technology at the FDA. He provided Congressional testimony in early 2008 based on the 2007 FDA evaluation. Dr. Nordenberg is a board certified pediatrician. He received a BS in Microbiology from the University of Michigan, his medical degree from Northwestern University, and completed his training in pediatrics at McGill University, Montreal Children’s Hospital. He completed his fellowship in epidemiology and public health in the Epidemic Intelligence Services Program at the Centers for Disease Control. Moderator: Turn over presentation to Dale. 86

87 Agenda Introduction Recommendations Resources

88 Search for Medical Device Security
Let Me Google That For You Dick Cheney’s Defibrilator

89 Recommendations (1 of 2) Inventorying Raise Awareness
Incorporate Security into Policies Work With Device Manufacturers

90 Recommendations (2 of 2) Map Data Flows
Incorporate Disaster Recovery (DR) Procedures Work Together

91 Resources (1 of 2) Archimedes http://secure-medicine.org/
Center for Internet Security (CIS) https://benchmarks.cisecurity.org/about/MedicalDeviceOverview.cfm Council on Cybersecurity (CCS) FDA Guidance Draft on Medical Devices

92 Resources (2 of 2) HIMSS/NEMA Manufacturer Disclosure Statement (MDS) I Am The Calvary National Health Information Sharing and Analysis Center Medical Device Innovation, Safety and Security Consortium MedSec

93 Question and Answer Roy Wattanasin MITM Information Security Officer
Assurance and Advisory Business Services April 1, 2017 Question and Answer Roy Wattanasin MITM Information Security Officer Moderator: Thank Dale for his presentation and ask for the first audience question. NEXT (after the answer), Move to closing remarks Copyright Secure Mentem

94 Open Panel with Audience Q&A
Assurance and Advisory Business Services April 1, 2017 Open Panel with Audience Q&A Please feel free to use the questions section of the GoToWebinar toolbar to ask a question of the speakers. You may have to click on the double arrow to access this function. Moderator: Move to open discussion: “Now we will move to an open discussion to give our speakers today an opportunity to answer audience questions.”

95 Healthcare Special Interest Group
VISION: Establish and maintain collaborative models for information security within healthcare organizations MISSION: Drive collaborative thought and knowledge-sharing for information security leaders within healthcare organizations. If you are interested in participating: Contact:

96 Assurance and Advisory Business Services
April 1, 2017 Closing Remarks Thank you to Citrix for donating this Webcast service Online Meetings Made Easy Moderator Closing Comments: Unfortunately, that is all the time we have for today. Thank you for participating in our ISSA Web Conference. And, thank you for the excellent questions. Lastly, I would like to thank today’s speakers Kevin and Dale for lending their time and expertise to this ISSA Educational Program. Moderator: Please turn it over to ISSA Staff to provide remaining Closing Remarks and final Thank You. ISSA Staff to provide Following Closing Comments: We would like to thank Citrix for donating the GoToMeeting service to ISSA, allowing us to present this program today.

97 Assurance and Advisory Business Services
April 1, 2017 CPE Credit Within 24 hours of the conclusion of this webcast, you will receive a link via to a post Web Conference quiz. After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits. On Demand Viewers Quiz Link: Within 24 hours of the conclusion of this webcast, you will receive a follow-up which contains a link to the post Web Conference quiz. After the successful completion of the quiz you will be given an opportunity to print a certificate of attendance to use for the submission of CPE credits. Be sure to sign up now for our next web conference on January 28th, “Security Reflections of 2013 and Predictions for 2014.” Thank you for joining us. This concludes today’s broadcast.


Download ppt "Security Requirements/Expectations of Biomedical Devices"

Similar presentations


Ads by Google