
Page 1: Medical Device Cyber Security for Safer Device and ... · Medical Device Innovation, Safety and Security Consortium dalenordenberg@mdiss.org Acknowledgement All work presented has


Medical Device Cyber Security for Safer Device and Networks

A Collaborative International Cyber Safety Network for Health Technology

NCHICA

March 27, 2018

Dale Nordenberg, MD
Executive Director
Medical Device Innovation, Safety and Security Consortium
dalenordenberg@mdiss.org

Page 2

The Number:

500,000,000,000

Why is it Interesting?

What’s missing?

Page 3

Risks
• Safety
• Privacy
• Business
• Regulatory
• Accreditation
• Reputational
• Professional liability

Patient Exposure to Connected Devices Very High

But No Data is Available About Exposure

500,000,000,000
Estimated number of times a patient will be exposed to a connected medical device over next 10 years*

Care Stats
• 1 billion healthcare visits / year
• Hospitals and clinics
• 6,000 hospitals
• 17,000 nursing homes
• > 5 M home health visits / year
• > 10 K home health agencies
• 1.5 M nursing home residents

*Estimate

Confidential for MDISS Briefing Only - Not for Distribution

Page 4

Taking Action
Cyber Securing Healthcare Delivery

Talk security risk and...

Create healthcare delivery solutions and...

Page 5

MDRAP LIVE DEMO
Medical Device Risk Assessment Program
Collecting and Sharing Risk Information

Drive Safer Device Networks

Page 6

• Assessment analytic results plotted in a magic quadrant
• Magic quadrant supports efficient executive level discussions of risk-benefit with non-technical leadership
• Table lists all numeric data in the plot chart
• Notes are automatically generated from the analytics module

Risk Assessment Platform and Beyond
• Delivers risk assessment methodologies
• Agile and configurable as understanding evolves
• Epidemiologically robust
• Provides services, e.g. standardized device catalogue, that enable diverse data sharing and data commons
• Provides business value to support adoption of public health programs
• Supports collaborative innovation and crowdsourcing of work

Model Sample Risk Assessment Result

Page 7

MDRAP Standards-Based Assessment Control Categories

Table view of the assessment scoring data

Page 8

Medical Device MDS2 Library

• Standard MDS2 form
• Completed by manufacturer or by health system
• PDF format today
• Structured data capability in 2018
• Contributor of the MDS2 form informs the sharing policy
• Working closely with stakeholders for MDS2 forms and for sharing acceptance

Page 9

Assessments Management

• Largely based on the standard MDS2 form

• Additional data elements inform level of effort to remediate, scoring of control deficiency, and impact score

• Completed by manufacturer or by health system

• All MDRAP-based completion

• Contains scoring data

• Sharing status dictated by assessment ‘owner’

Page 10

Jurisdictional Chasms Create Patient Safety Challenges

[Diagram labels: Device; Community; Critical Infrastructure; Hospital; Care Delivery Areas and Networks]

Focus Area: Oversight Organization
• Device Characteristics: FDA
• Hospital & Device Networks: State Health Departments, Joint Commission, HFAP*, DNV*
• Community / Critical Infrastructure: DHS, State/Local Health Departments

Stakeholders, priorities, policy, etc. vary by jurisdiction

Page 11

Outcomes Focus…Drive Adoption and Impact

[Diagram: National Healthcare Technology Cyber Safety Network. Labels: HDO Operations & Research; Data Collection Network; Medical Device Evaluation; Stakeholder Community; Policy Programs; State and Local Public Health; Federal Agencies; Public Private Partnership; Academic and Research; Outcome Domains; Patient and Public Safety; Health Systems; Critical Infrastructure; Device Safety; Education and Training Programs; Consensus Best Practice and Quality Improvement Programs]

Page 12

Crowdsourcing Data Sharing Best Practices

Secure Community-Shared Data

Page 13

International Cyber Sharing Network

For Medical Device Surveillance and Response

Engaged Countries
• USA
• Finland
• Sweden
• Israel
• Canada
• Singapore

Page 14

Stakeholder Driven Data Commons for Patient Safety and Public Health
Business – Patients – Communities

* Sample of data tied to specific devices. Flexible enough to support other structured data or attachments

Page 15

The National Cyber Safety Network for Health Technology is based on the hospital-acquired infections (HAI) analogue at the CDC, the National Health Safety Network

Page 16

Consensus Best Practice Guides Cyber Protection and Safety

Crush Barriers to Adoption
Instructs ‘How to’ Deploy MDRAP

[Diagram labels: Expertise Gap; Workforce Enabled; Cyber Protection and Safety Impact; Full community executes per consensus best practice guides; Expert innovation teams create consensus best practice guides; Iteration]

Page 17

Cyber Security Impact Amplification

[Diagram labels: Build Technology; MDRAP; Public Health Programs; Patient and Population Safety Impact; Impact Enables Investment: Policy, Workforce, Best Practices]

Page 18

Key Benefits
Market Level Voice Catalyzing Safety Transformation

• First and only executable risk assessment methodology for medical devices

• Generates real-time cyber security requirements for medical devices

• Renders medical device security profile transparent and actionable

• Builds workforce: Trains technology and biomedical engineers

• Healthcare industry-wide transformation

• People engaged, supported, educated and trained

• Process defined, matured, distributed and exercised

• Technology developed and matured through large-scale collaborative process

• Public health programs drive patient and population safety impact

• Policy driven by data for decision making

• Cyber security and safety transformational model supports other industries

Page 19

Key Public Health Messages for Cyber Safety

• Medical device cybersecurity is a public health challenge

• Public health best practices provide the key programmatic capabilities to address this public health risk

• National Cyber Safety Network for Health Technology is a public health initiative and patient safety program based on the CDC NHSN as an analogue

• NCSN transforms a focus on technology vulnerabilities and risk into healthcare delivery solutions

• Delivering patient centric security and securing patient care delivery environments

Page 20

[Diagram labels: Technology Approach (Data Assets); Safe Zone; Safety Programs; Surveillance, Evaluation, Intervention, Assessment; Medical Devices; Care Delivery Networks; Patients; Populations; Critical Infrastructure]

Safety Occurs at the Intersection of Data and Safety Programs

Page 21

What is the ‘Human Exposure’?
A Medical Device – Patient ‘Contact’*

>500 billion exposures / 10 years

>50 billion exposures / year

> 4 billion exposures / month

> 133 million exposures / day

> 100,000 exposures / minute

*Estimate based on CDC data for patient visits per year to USA healthcare system
*Contact may be via wired or wireless interaction

Page 22

What Can You Do Today?
Closing the Cyber Risk Mitigation Gap

• Share medical device cyber information at the ‘bedside’

• Ensure that hospitals and their teams have the cyber specifications that they need to best configure medical devices and their associated networks

• Add cyber surveillance capability

• Share cyber surveillance with manufacturers to help them comply with post-market surveillance requirements and design better products

• Help address one of the major risk factors, the lack of specifications, associated with the building of care delivery networks (This is like prescribing drugs with no idea about their mechanism of action or their adverse reactions)

Page 23

What If You Elect to Delay?
The Cyber Risk Mitigation GAP WIDENS

• Preventable exposures exceeding 4 billion per month

• Missed opportunity to detect sentinel signals for a malware 'epidemic'

• Less effective data collection and sharing for preparedness and emergency response

• Malware spreads

• Detection and remediation delayed

• Sub-optimal innovation networks for best practice development and testing

• Slowed exposure of the workforce, a very small percentage of which has been trained to competency in medical device cyber risk, to important education and training activities

• Lack of information for health systems presents a large legal liability for both health systems and manufacturers

Page 24

[Diagram: National Healthcare Technology Cyber Safety Network. Labels: HDO Operations & Research; Data Collection Network; Medical Device Evaluation; Stakeholder Community; Policy Programs; State and Local Public Health; Federal Agencies; Public Private Partnership; Academic and Research; Outcome Domains; Patient and Public Safety; Health Systems; Critical Infrastructure; Device Safety; Education and Training Programs; Consensus Best Practice and Quality Improvement Programs]

Dale Nordenberg, MD
The Public Health Guy

Page 25

Dale Nordenberg, MD
Executive Director
Medical Device Innovation, Safety and Security Consortium
dalenordenberg@mdiss.org

Acknowledgement

All work presented has been a collaborative effort of many health systems, manufacturers, technology companies, industry associations, and research institutions.

Thank You!
