Medical Device Cyber Security for Safer Device and Networks
A Collaborative International Cyber Safety Network for Health Technology
NCHICA
March 27, 2018
Dale Nordenberg, MD
Executive Director
Medical Device Innovation, Safety and Security
[email protected]
The Number: 500,000,000,000
Why is it Interesting?
What’s missing?
Risks
• Safety
• Privacy
• Business
• Regulatory
• Accreditation
• Reputational
• Professional liability
Patient Exposure to Connected Devices Very High
But No Data is Available About Exposure
500,000,000,000: Estimated number of times a patient will be exposed to a connected medical device over the next 10 years*
Care Stats
• 1 billion healthcare visits / year
• Hospitals and clinics
• 6,000 hospitals
• 17,000 nursing homes
• > 5 M home health visits / year
• > 10 K home health agencies
• 1.5 M nursing home residents
*Estimate
Confidential for MDISS Briefing Only - Not for Distribution
Taking Action: Cyber Securing Healthcare Delivery
Talk security risk and…
Create healthcare delivery solutions and…
MDRAP LIVE DEMO
Medical Device Risk Assessment Program: Collecting and Sharing Risk Information
Drive Safer Device Networks
• Assessment analytic results plotted in a magic quadrant
• Magic quadrant supports efficient executive level discussions of risk-benefit with non-technical leadership
• Table lists all numeric data in the plot chart
• Notes are automatically generated from the analytics module
Risk Assessment Platform and Beyond
• Delivers risk assessment methodologies
• Agile and configurable as understanding evolves
• Epidemiologically robust
• Provides services, e.g. standardized device catalogue, that enable diverse data sharing and data commons
• Provides business value to support adoption of public health programs
• Supports collaborative innovation and crowdsourcing of work
Model Sample Risk Assessment Result
MDRAP Standards-Based Assessment Control Categories
Table view of the assessment scoring data
Medical Device MDS2 Library
• Standard MDS2 form
• Completed by manufacturer or by health system
• PDF format today
• Structured data capability in 2018
• Contributor of the MDS2 form informs the sharing policy
• Working closely with stakeholders for MDS2 forms and for sharing acceptance
Assessments Management
• Largely based on the standard MDS2 form
• Additional data elements inform level of effort to remediate, scoring of control deficiency, and impact score
• Completed by manufacturer or by health system
• All MDRAP-based completion
• Contains scoring data
• Sharing status dictated by assessment ‘owner’
Jurisdictional Chasms Create Patient Safety Challenges
[Figure: Device; Hospital Care Delivery Areas and Networks; Community / Critical Infrastructure]
Focus Area / Oversight Organization
• Device Characteristics: FDA
• Hospital & Device Networks: State Health Departments, Joint Commission, HFAP*, DNV*
• Community / Critical Infrastructure: DHS, State/Local Health Departments
Stakeholders, priorities, policy, etc. vary by jurisdiction
Outcomes Focus… Drive Adoption and Impact
[Figure labels: HDO Operations & Research; Data Collection Network; Medical Device Evaluation; Stakeholder Community; Policy Programs; State and Local Public Health; Federal Agencies; Public Private Partnership; Academic and Research; Outcome Domains; Patient and Public Safety; Health Systems; Critical Infrastructure; Device Safety; Education and Training Programs; Consensus Best Practice and Quality Improvement Programs; National Healthcare Technology Cyber Safety Network]
Crowdsourcing Data Sharing Best Practices
Secure Community-Shared Data
International Cyber Sharing Network for Medical Device Surveillance and Response
Engaged Countries
• USA
• Finland
• Sweden
• Israel
• Canada
• Singapore
Stakeholder Driven Data Commons for Patient Safety and Public Health
Business – Patients – Communities
* Sample of data tied to specific devices. Flexible enough to support other structured data or attachments
National Cyber Safety Network for Health Technology is based on the hospital-acquired infections (HAI) analogue at the CDC, the National Health Safety Network
Consensus Best Practice Guides Cyber Protection and Safety
Crush Barriers to Adoption: Instructs ‘How to’ Deploy MDRAP
[Figure labels: Expertise Gap; Workforce Enabled; Cyber Protection and Safety Impact; Expert innovation teams create consensus best practice guides; Full community executes per consensus best practice guides; Iteration]
Cyber Security Impact Amplification
[Figure labels: Build Technology (MDRAP); Public Health Programs; Patient and Population Safety Impact; Impact Enables Investment: *Policy *Workforce *Best Practices]
Key Benefits: Market Level Voice Catalyzing Safety Transformation
• First and only executable risk assessment methodology for medical devices
• Generates real-time cyber security requirements for medical devices
• Renders medical device security profile transparent and actionable
• Builds workforce: Trains technology and biomedical engineers
• Healthcare industry-wide transformation
• People engaged, supported, educated and trained
• Process defined, matured, distributed and exercised
• Technology developed and matured through large-scale collaborative process
• Public health programs drive patient and population safety impact
• Policy driven by data for decision making
• Cyber security and safety transformational model supports other industries
Key Public Health Messages for Cyber Safety
• Medical device cybersecurity is a public health challenge
• Public health best practices provide the key programmatic capabilities to address this public health risk
• National Cyber Safety Network for Health Technology is a public health initiative and patient safety program based on the CDC NHSN as an analogue
• NCSN transforms a focus on technology vulnerabilities and risk into healthcare delivery solutions
• Delivering patient centric security and securing patient care delivery environments
Safety Occurs at the Intersection of Data and Safety Programs
[Figure labels: Technology Approach (Data Assets); SafeZone; Surveillance, Evaluation, Intervention, Assessment; Medical Devices; Care Delivery Networks; Patients; Populations; Critical Infrastructure; Safety Programs]
What is the ‘Human Exposure’? A Medical Device – Patient ‘Contact’*
> 500 billion exposures / 10 years
> 50 billion exposures / year
> 4 billion exposures / month
> 133 million exposures / day
> 100,000 exposures / minute
*Estimate based on CDC data for patient visits per year to USA healthcare system
*Contact may be via wired or wireless interaction
What Can You Do Today? Closing the Cyber Risk Mitigation Gap
• Share medical device cyber information at the 'bedside’
• Ensure that hospitals and their teams have the cyber specifications that they need to best configure medical devices and their associated networks
• Add cyber surveillance capability
• Share cyber surveillance with manufacturers to help them comply with post-market surveillance requirements and design better products
• Help address one of the major risk factors, the lack of specifications, associated with the building of care delivery networks (This is like prescribing drugs with no idea about their mechanism of action or their adverse reactions)
What If You Elect to Delay? The Cyber Risk Mitigation GAP WIDENS
• Preventable exposures exceeding 4 billion per month
• Missed opportunity to detect sentinel signals for a malware 'epidemic'
• Less effective data collection and sharing for preparedness and emergency response
• Malware spreads
• Detection and remediation delayed
• Sub-optimal innovation networks for best practice development and testing
• Slowed exposure of the workforce, a very small percentage of which has been trained to competency in medical device cyber risk, to important education and training activities
• Lack of information for health systems presents a large legal liability for both health systems and manufacturers
Dale Nordenberg, MD
The Public Health Guy
Executive Director
Medical Device Innovation, Safety and Security
[email protected]
Acknowledgement
All work presented has been a collaborative effort of many health systems, manufacturers, technology companies, industry associations, and research institutions.
Thank You!