Presentation is loading. Please wait.

Presentation is loading. Please wait.

Medical Device Cybersecurity Legislative Activities - Overview

Published byVernon Welch Modified over 5 years ago

Similar presentations

Presentation on theme: "Medical Device Cybersecurity Legislative Activities - Overview"— Presentation transcript:

1 Medical Device Cybersecurity Legislative Activities - Overview
Axel Wirth, CPHIMS, CISSP, HCISPP Distinguished Architect US Healthcare Industry Symantec Corp. 01-Nov-2017

2 Medical Devices Security – Legislative Activities
June 2017 HHS Cybersecurity Task Force Report July 2017 Medical Device Cybersecurity Act of 2017 Aug IoT Cybersecurity Improvement Act of 2017 Oct IoMT Resilience Partnership Act Oct Cyber Shield Act of 2017 Mar/Sep 2017 UL / UL WIP MDISS Recommended Practice High level summary only. For business, legal and regulatory decision making please refer to the most recent version of the actual text. 2

3 Medical Devices Security – HHS Efforts
HHS Cybersecurity Task Force Report (June 2017) Imperative 2 (of 6): Increase the security and resilience of medical devices and health IT. Recommendations: 2.1: Secure legacy systems 2.2: Improve manufacturing and development transparency 2.3: Increase adoption and rigor of the secure development lifecycle (SDL) 2.4: Require strong authentication to improve identity and access management 2.5: Employ strategic and architectural approaches to reduce the attack surface for medical devices … and interfaces 2.6: Establish a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures. 3 Text Questions to

4 Medical Devices Security – Action in Congress
Medical Device Cybersecurity Act of 2017 Introduced July 2017 (Blumenthal, D-CT) Definitions: Cyber device: device with network connectivity (incl. near field, Bluetooth, WiFi), connects to external storage or media, or has other cyber capability. Key aspects: Cybersecurity Report Card: MDS2, traceability matrix, compensating controls, testing, risk assessment, remote access capabilities. Disclosures: Clearance (e.g. 510(k)) and permitted access Protecting remote access: notification, audit log, multi-factor authentication, encryption, whitelisting Cybersecurity Fixes and Updates (free); End-of-Life Expansion of ICS-CERT responsibility: investigation, response coordination 4 Text Questions to

5 Medical Devices Security – Action in Congress
IoT Cybersecurity Improvement Act of 2017 Introduced Aug (Warner D-VA, Gardner R-CO, Wyden D-OR, Daines R-MT) Minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies Verification: Contains no known vulnerabilities Ensure trusted updates Secure connection and access Vulnerability notification requirements Provide timely updates and repair Continuation of service Certification against 3rd party security standards Coordinated disclosure 5 Text Questions to

6 Medical Devices Security – Action in Congress
IoMT Resilience Partnership Act Introduced Oct (Brooks R-IN, Trott R-MI) Under FDA & NIST Leadership: establish public-private partnership to lay out a cybersecurity framework Increase the security and resilience of networked medical devices Unauthorized access, modification, misuse, or denial of use may result in patient harm Identification standards, guidelines, frameworks, and best practices Specification of high-priority gaps and action plans by which such gaps can be addressed. 6 Text Questions to

7 Medical Devices Security – Action in Congress
Cyber Shield Act of 2017 Introduced Oct (Markey D-MA, Lieu D-CA) Cyber Shield Advisory Committee: Cyber Shield label Cybersecurity and data security benchmarks Cyber Shield Program: Voluntary program to identify and certify products Grading against security benchmarks Device use case risk based Promote compliant cybersecurity technologies Enhance public awareness Certification by a accredited third-party laboratory Cyber Shield Digital Product Portal 7 Text Questions to

8 Medical Devices Security – Certification and Assurance
UL (general) and UL (medical devices) Evaluation and testing of network-connectable products for vulnerabilities, software weaknesses and malware. Risk management process Evaluation and testing methodology Security risk controls Normative references Key security aspects: Design and security documentation Risk controls Remote communication Sensitive data Product management and risk management process Vulnerability and malware testing Malformed input testing Penetration testing Software weakness analysis and source code analysis 8 Text Questions to

9 Medical Devices Security – Best Practice Guidance
MDISS Recommended Practice (Draft) Based on ISA/IEC “Cybersecurity for the Industrial Environment” Role-based: manufacturer, integrator, provider, support Requirements by role and main category: Staffing Assurance Architecture Wireless Safety Systems Configuration Management Remote Access Event Management Account Management Malware Protection Patch Management Backup & Restore 9 Text Questions to

10 Thank You!

Download ppt "Medical Device Cybersecurity Legislative Activities - Overview"

Similar presentations

NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.

NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.

Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.

Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.
Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.

Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
Financial Advisory & Litigation Consulting Services Risk Management 2006 September 14-15, 2006 The Metropolitan Club, New York, NY Workshop B: Information.

Financial Advisory & Litigation Consulting Services Risk Management 2006 September 14-15, 2006 The Metropolitan Club, New York, NY Workshop B: Information.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.
BITS Proprietary and Confidential © BITS 2003. Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.

BITS Proprietary and Confidential © BITS Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.
Seán Paul McGurk National Cybersecurity and Communications

Seán Paul McGurk National Cybersecurity and Communications
IAEA International Atomic Energy Agency IAEA Nuclear Security Programme Enhancing cybersecurity in nuclear infrastructure TWG-NPPIC – IAEA May 09 – A.

IAEA International Atomic Energy Agency IAEA Nuclear Security Programme Enhancing cybersecurity in nuclear infrastructure TWG-NPPIC – IAEA May 09 – A.
Update on Interoperability Roadmap Comments Sections G, F and E Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.

Update on Interoperability Roadmap Comments Sections G, F and E Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Product Development Chapter 6. Definitions needed: Verification: The process of evaluating compliance to regulations, standards, or specifications.

Product Development Chapter 6. Definitions needed: Verification: The process of evaluating compliance to regulations, standards, or specifications.
HIT Standards Committee Privacy and Security Workgroup: Initial Reactions Dixie Baker, SAIC Steven Findlay, Consumers Union June 23, 2009.

HIT Standards Committee Privacy and Security Workgroup: Initial Reactions Dixie Baker, SAIC Steven Findlay, Consumers Union June 23, 2009.

Similar presentations

Ads by Google