Medical Device Cybersecurity Legislative Activities - Overview


Medical Device Cybersecurity Legislative Activities - Overview
Axel Wirth, CPHIMS, CISSP, HCISPP
Distinguished Architect, US Healthcare Industry, Symantec Corp.
01-Nov-2017

Medical Devices Security – Legislative Activities

June 2017: HHS Cybersecurity Task Force Report
July 2017: Medical Device Cybersecurity Act of 2017
Aug. 2017: IoT Cybersecurity Improvement Act of 2017
Oct. 2017: IoMT Resilience Partnership Act
Oct. 2017: Cyber Shield Act of 2017
Mar/Sep 2017: UL 2900-1 / UL 2900-2-1
WIP: MDISS Recommended Practice

High level summary only. For business, legal and regulatory decision making please refer to the most recent version of the actual text.

Medical Devices Security – HHS Efforts

HHS Cybersecurity Task Force Report (June 2017)
Imperative 2 (of 6): Increase the security and resilience of medical devices and health IT.

Recommendations:
- 2.1: Secure legacy systems
- 2.2: Improve manufacturing and development transparency
- 2.3: Increase adoption and rigor of the secure development lifecycle (SDL)
- 2.4: Require strong authentication to improve identity and access management
- 2.5: Employ strategic and architectural approaches to reduce the attack surface for medical devices … and interfaces
- 2.6: Establish a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures.

Text Questions to 929-237-5318

Medical Devices Security – Action in Congress

Medical Device Cybersecurity Act of 2017
Introduced July 2017 (Blumenthal, D-CT)

Definitions:
- Cyber device: a device with network connectivity (incl. near field, Bluetooth, WiFi), that connects to external storage or media, or that has other cyber capability.

Key aspects:
- Cybersecurity Report Card: MDS2, traceability matrix, compensating controls, testing, risk assessment, remote access capabilities.
- Disclosures: clearance (e.g. 510(k)) and permitted access
- Protecting remote access: notification, audit log, multi-factor authentication, encryption, whitelisting
- Cybersecurity fixes and updates (free); end-of-life
- Expansion of ICS-CERT responsibility: investigation, response coordination

Medical Devices Security – Action in Congress

IoT Cybersecurity Improvement Act of 2017
Introduced Aug. 2017 (Warner D-VA, Gardner R-CO, Wyden D-OR, Daines R-MT)

Minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies:
- Verification: contains no known vulnerabilities
- Ensure trusted updates
- Secure connection and access
- Vulnerability notification requirements
- Provide timely updates and repair
- Continuation of service
- Certification against 3rd party security standards
- Coordinated disclosure

Medical Devices Security – Action in Congress

IoMT Resilience Partnership Act
Introduced Oct. 2017 (Brooks R-IN, Trott R-MI)

Under FDA & NIST leadership: establish a public-private partnership to lay out a cybersecurity framework
- Increase the security and resilience of networked medical devices
- Unauthorized access, modification, misuse, or denial of use may result in patient harm
- Identification of standards, guidelines, frameworks, and best practices
- Specification of high-priority gaps and action plans by which such gaps can be addressed.

Medical Devices Security – Action in Congress

Cyber Shield Act of 2017
Introduced Oct. 2017 (Markey D-MA, Lieu D-CA)

Cyber Shield Advisory Committee:
- Cyber Shield label
- Cybersecurity and data security benchmarks

Cyber Shield Program:
- Voluntary program to identify and certify products
- Grading against security benchmarks
- Device use case risk based
- Promote compliant cybersecurity technologies
- Enhance public awareness
- Certification by an accredited third-party laboratory
- Cyber Shield Digital Product Portal

Medical Devices Security – Certification and Assurance

UL 2900-1 (general) and UL 2900-2-1 (medical devices)
Evaluation and testing of network-connectable products for vulnerabilities, software weaknesses and malware.
- Risk management process
- Evaluation and testing methodology
- Security risk controls
- Normative references

Key security aspects:
- Design and security documentation
- Risk controls
- Remote communication
- Sensitive data
- Product management and risk management process
- Vulnerability and malware testing
- Malformed input testing
- Penetration testing
- Software weakness analysis and source code analysis

Medical Devices Security – Best Practice Guidance

MDISS Recommended Practice (Draft)
Based on ISA/IEC 62443 “Cybersecurity for the Industrial Environment”
Role-based: manufacturer, integrator, provider, support

Requirements by role and main category:
- Staffing Assurance
- Architecture
- Wireless
- Safety Systems
- Configuration Management
- Remote Access
- Event Management
- Account Management
- Malware Protection
- Patch Management
- Backup & Restore

Thank You!
axel_wirth@symantec.com
617-999-4035