Security Requirements/Expectationsof Biomedical Devices

Security Requirements/Expectationsof Biomedical Devices

December 5, 2013 Start Time: 9AM US Pacific,

12PM US Eastern, 5PM London

December 5, 2013 Start Time: 9AM US Pacific,

12PM US Eastern, 5PM London

1

Welcome Conference Moderator

Welcome Conference Moderator

Michael BoydPortland, USA Chapter

Chief Information Security Officer & Director of Information Security

ManagementProvidence Health & Services

Michael BoydPortland, USA Chapter

Chief Information Security Officer & Director of Information Security

ManagementProvidence Health & Services

2

AgendaAgendaSpeakers

• Kevin McDonaldClinical Information Security, Mayo Clinic Office of Information Security

• Dale NordenbergExecutive Director and Co-Founder, Medical Device Innovation, Safety and Security Consortium (MDISS)

• Roy WattanasinInformation Security Officer, MITM

Closing Remarks

Speakers

• Kevin McDonaldClinical Information Security, Mayo Clinic Office of Information Security

• Dale NordenbergExecutive Director and Co-Founder, Medical Device Innovation, Safety and Security Consortium (MDISS)

• Roy WattanasinInformation Security Officer, MITM

Closing Remarks

3

Medical Device Security in a Connected World

Medical Device Security in a Connected World

Kevin McDonaldClinical Information Security

Mayo Clinic

Kevin McDonaldClinical Information Security

Mayo Clinic

4

5

Secure CAT ScannerSecure CAT Scanner

At least with this cat scanner if there is any hacking we only need to worry about hairballs!

TopicsTopics

• Mayo Clinic Overview

• Working in a Hostile Environment

• Medical Device Security in the News

• Medical Device Vendors

• Regulatory Environment

• Mayo’s Response

• Clinical Information Security

• CIS Activities and Planning

• Next Steps and Other Opportunities

• Mayo Clinic Overview

• Working in a Hostile Environment

• Medical Device Security in the News

• Medical Device Vendors

• Regulatory Environment

• Mayo’s Response

• Clinical Information Security

• CIS Activities and Planning

• Next Steps and Other Opportunities

Mayo Clinic OverviewMayo Clinic Overview

• Provides Patient Care, Education and Research

• 65,000 Employees– 4,100 Employed physicians & scientist– 3,500 Residents & students

• Large group practices in MN, AZ, FL– 70 Health system sites across upper Midwest

• Over 1 million patients per year

• Technology dependent– Paperless patient care– Interconnected systems and devices– ~200,000 active IP addresses

• Committed to a 6 billion dollar investment in Minnesota

• Provides Patient Care, Education and Research

• 65,000 Employees– 4,100 Employed physicians & scientist– 3,500 Residents & students

• Large group practices in MN, AZ, FL– 70 Health system sites across upper Midwest

• Over 1 million patients per year

• Technology dependent– Paperless patient care– Interconnected systems and devices– ~200,000 active IP addresses

• Committed to a 6 billion dollar investment in Minnesota

7

Working in a Hostile EnvironmentWorking in a Hostile Environment

“Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted.” 

“We only need to be lucky once. You need to be lucky every time.”

“Another way to lose control is to ignore something when you should address it”

“We have only two modes - complacency and panic.” 

“Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted.” 

“We only need to be lucky once. You need to be lucky every time.”

“Another way to lose control is to ignore something when you should address it”

“We have only two modes - complacency and panic.” 

8

Medical Devices in a Hostile EnvironmentMedical Devices in a Hostile Environment

• Medical devices are becoming more connected and technology dependent, thus more vulnerable

• Patient care is dependent on technology

• No network can be assumed to be secure anymore

• Skill level to cause harm is going down

• Tools to compromise and harm systems are readily available and cheap (free)

• Devices can be in use for > 10 years

• We are way beyond just firewalls & anti-virus

• Medical devices are becoming more connected and technology dependent, thus more vulnerable

• Patient care is dependent on technology

• No network can be assumed to be secure anymore

• Skill level to cause harm is going down

• Tools to compromise and harm systems are readily available and cheap (free)

• Devices can be in use for > 10 years

• We are way beyond just firewalls & anti-virus

9

In The NewsIn The News

• Deloitte Brief - 2013– “Among the unintended consequences of health care’s digitization and

increased networked connectivity are the risks of being hacked, being infected with malware, and being vulnerable to unauthorized access.”

• Gartner – Top Industry Predicts 2013– “By 2016, patients will be harmed or placed at risk by a medical device

security breach.”

• Veterans Affairs Department– Experienced 122 virus / malware infections in medical devices the last 14

months that had potential to harm patients– Launched an initiative to isolate 50,000 networked devices

• Deloitte Brief - 2013– “Among the unintended consequences of health care’s digitization and

increased networked connectivity are the risks of being hacked, being infected with malware, and being vulnerable to unauthorized access.”

• Gartner – Top Industry Predicts 2013– “By 2016, patients will be harmed or placed at risk by a medical device

security breach.”

• Veterans Affairs Department– Experienced 122 virus / malware infections in medical devices the last 14

months that had potential to harm patients– Launched an initiative to isolate 50,000 networked devices

In The News (cont.)In The News (cont.)

• Department of Homeland Security – Industrial Control Systems Cyber Emergency Team Alert– “…reported a hard-coded password vulnerability affecting roughly 300 medical

devices across approximately 40 vendors.”

• Newspaper Articles– Wall Street Journal “Potential Cyber attacks on Medical Devices Draw Attention”– Reuters “FDA urges protection of medical devices from cyber threats”– Washington Post “FDA, facing cyber security threats, tightens medical-device

standards”– Healthcare Information Security (Nov. 2013) Michael McNeil, Global Security and

Privacy Leader at Medtronic, says “it's vital for all medical device manufacturers learn from independent security experts and ethical hackers, such as Jay Radcliff of consulting firm InGuardians, and the late Barnaby Jack of vendor IOActive and before that, McAfee, who have, for example, demonstrated how they can remotely access web-enabled medical equipment, such as wireless insulin pumps, to deliver potentially dangerous doses of drugs.”

• Department of Homeland Security – Industrial Control Systems Cyber Emergency Team Alert– “…reported a hard-coded password vulnerability affecting roughly 300 medical

devices across approximately 40 vendors.”

• Newspaper Articles– Wall Street Journal “Potential Cyber attacks on Medical Devices Draw Attention”– Reuters “FDA urges protection of medical devices from cyber threats”– Washington Post “FDA, facing cyber security threats, tightens medical-device

standards”– Healthcare Information Security (Nov. 2013) Michael McNeil, Global Security and

Privacy Leader at Medtronic, says “it's vital for all medical device manufacturers learn from independent security experts and ethical hackers, such as Jay Radcliff of consulting firm InGuardians, and the late Barnaby Jack of vendor IOActive and before that, McAfee, who have, for example, demonstrated how they can remotely access web-enabled medical equipment, such as wireless insulin pumps, to deliver potentially dangerous doses of drugs.”

Medical Device VendorsMedical Device Vendors• Security as an “afterthought” (or no thought)

• Poor coding and configuration practices– Hard coded password– Inability to run basic anti-virus software– Default settings– Elevated privileges– Unencrypted data

• Dependent upon older OS, software and technologies with no upgrade paths

• Devices subject to a number of vulnerabilities– Denial of service– Password guessing– Old published exploits– Remote exploitation

• Vendors hide behind FDA re-certification

• Security as an “afterthought” (or no thought)

• Poor coding and configuration practices– Hard coded password– Inability to run basic anti-virus software– Default settings– Elevated privileges– Unencrypted data

• Dependent upon older OS, software and technologies with no upgrade paths

• Devices subject to a number of vulnerabilities– Denial of service– Password guessing– Old published exploits– Remote exploitation

• Vendors hide behind FDA re-certification

Vendors Generally

“Clueless”

Regulatory EnvironmentRegulatory Environment• FDA is becoming concerned

– “We are aware of hundreds of devices involving dozens of manufacturers that have been affected by cyber security vulnerabilities or incidents”

• FDA published draft guidance for device security– Limit access to trusted users only– Ensure trusted content– Use fail safe and recover features

• FDA published recommendations for healthcare facilities– Restrict access– Keep AV and Firewalls up to date– Protect network components – evaluations, patches, disabling

ports & services– Develop strategies to maintain service

• FDA is becoming concerned– “We are aware of hundreds of devices involving dozens of

manufacturers that have been affected by cyber security vulnerabilities or incidents”

• FDA published draft guidance for device security– Limit access to trusted users only– Ensure trusted content– Use fail safe and recover features

• FDA published recommendations for healthcare facilities– Restrict access– Keep AV and Firewalls up to date– Protect network components – evaluations, patches, disabling

ports & services– Develop strategies to maintain service

Very (very) basic requirements

FDA Q&AFDA Q&A

• Who is responsible for ensuring the safety and effectiveness of medical devices that incorporate OTS software?– You (the device manufacturer who uses OTS software in your

medical device) bear the responsibility for the continued safe and effective performance of the medical device, including the performance of OTS software that is part of the device.

• Is FDA premarket review required prior to implementation of a software patch to address a cyber security vulnerability?– Usually not. In general, FDA review is necessary when a change or

modification could significantly affect the safety or effectiveness of the medical device

• Who is responsible for ensuring the safety and effectiveness of medical devices that incorporate OTS software?– You (the device manufacturer who uses OTS software in your

medical device) bear the responsibility for the continued safe and effective performance of the medical device, including the performance of OTS software that is part of the device.

• Is FDA premarket review required prior to implementation of a software patch to address a cyber security vulnerability?– Usually not. In general, FDA review is necessary when a change or

modification could significantly affect the safety or effectiveness of the medical device

15

Reporting Cyber-security IssuesReporting Cyber-security Issues• Lack of reported issues

– MAUDE – Mandatory device reporting database• No issues found for “Computer Security Issue”

• FDA Reporting – Mandatory reporting for manufacturers and healthcare

providers in case of a death or injury – Form 3500A– Voluntary reporting by consumers and healthcare

professionals for adverse events or problems – Form 3500B

• Device Vulnerabilities– ICS-CERT – by e-mail or phone

• Lack of reported issues– MAUDE – Mandatory device reporting database

• No issues found for “Computer Security Issue”

• FDA Reporting – Mandatory reporting for manufacturers and healthcare

providers in case of a death or injury – Form 3500A– Voluntary reporting by consumers and healthcare

professionals for adverse events or problems – Form 3500B

• Device Vulnerabilities– ICS-CERT – by e-mail or phone

16

Processes and forms not tailored

for cyber-security issues

Mayo’s Medical Device EnvironmentMayo’s Medical Device Environment• Medical Devices

– 97,000 medical devices, ~15,000 devices attached to the network

• Varied responsibilities for purchase, installation and maintenance of medical equipment– Biomed, departments, IT, vendors

• Poor control over some types of equipment purchases

• Difficulty finding business owners for some devices

• Little control over what is placed on the network

• Lack of training and education on security risks

• Security of devices and response to incidents not integrated into overall Mayo’s enterprise processes

• Need strategy to address legacy devices– Cost of just replacing all XP devices $300M (not affordable)

• Medical Devices– 97,000 medical devices, ~15,000 devices attached to the network

• Varied responsibilities for purchase, installation and maintenance of medical equipment– Biomed, departments, IT, vendors

• Poor control over some types of equipment purchases

• Difficulty finding business owners for some devices

• Little control over what is placed on the network

• Lack of training and education on security risks

• Security of devices and response to incidents not integrated into overall Mayo’s enterprise processes

• Need strategy to address legacy devices– Cost of just replacing all XP devices $300M (not affordable)

Typical o

f today’s enviro

nment

Mayo’s ResponseMayo’s Response~Needs of the Patient Comes First~

• Hired a Chief Information Security Office (CISO)– Jim Nelms

• Formed the Office of Information Security (OIS)– Vision

• Information Security is here not to prevent, but rather to make possible– Mission

• Enabling people, process and technology through secure techniques to deliver the Mayo Clinic strategic and operational objectives

• Created structure for Clinical Information Security– Dedicated to clinical and research device security– Director – Kevin McDonald– Principle Security Analyst – Debra Bruemmer– Principle Security Engineers – tbn– Additional Engineers & Analyst in 2014

~Needs of the Patient Comes First~

• Hired a Chief Information Security Office (CISO)– Jim Nelms

• Formed the Office of Information Security (OIS)– Vision

• Information Security is here not to prevent, but rather to make possible– Mission

• Enabling people, process and technology through secure techniques to deliver the Mayo Clinic strategic and operational objectives

• Created structure for Clinical Information Security– Dedicated to clinical and research device security– Director – Kevin McDonald– Principle Security Analyst – Debra Bruemmer– Principle Security Engineers – tbn– Additional Engineers & Analyst in 2014

Clinical Information Security (CIS)Clinical Information Security (CIS)

• Enable Mayo Clinic initiatives by supporting a secure environment for clinical and research devices by– Developing a secure technical architecture for medical & research

devices– Developing mitigation & management strategies for vulnerable

devices– Providing processes & specialized knowledge to enable the

purchase, evaluation and secure maintenance of clinical & research devices

– Integrating medical & research devices into the overall security strategy, risk management, incident response & monitoring processes

• Enable Mayo Clinic initiatives by supporting a secure environment for clinical and research devices by– Developing a secure technical architecture for medical & research

devices– Developing mitigation & management strategies for vulnerable

devices– Providing processes & specialized knowledge to enable the

purchase, evaluation and secure maintenance of clinical & research devices

– Integrating medical & research devices into the overall security strategy, risk management, incident response & monitoring processes

Activities and PlanningActivities and Planning

• Validation of security concerns

• Multi-year plan to improve the security posture of medical devices

• Partnering with Biomed, Clinical Departments, IT

• Includes– People– Processes– Technology (may be the easiest)

• Five security levels– Basic fundamentals to world class

• Validation of security concerns

• Multi-year plan to improve the security posture of medical devices

• Partnering with Biomed, Clinical Departments, IT

• Includes– People– Processes– Technology (may be the easiest)

• Five security levels– Basic fundamentals to world class

20

We know security, not equipment

Mas

low’

s Hi

erar

chy

of N

eeds

Validation of Security ConcernsValidation of Security Concerns

• Vulnerability assessment and penetration testing for 45 medical devices over 5 days

• 12 to 14 experts each day from 4 external vendors

• Initial concerns (and more) were confirmed:– Hardcoded, default, weak or no passwords– Backdoor accounts – Unencrypted data and communications– Weak input validation and fragile applications– Use of remote access software and services– Unneeded services running – VNC, Telnet, FTP, etc.– Susceptibility to fuzzing and denial of service

• Surprising results– Availability of equipment on secondary market to reverse engineer– Social engineering of vendor support– Access to client support sites with manuals, firmware, etc.

• Vulnerability assessment and penetration testing for 45 medical devices over 5 days

• 12 to 14 experts each day from 4 external vendors

• Initial concerns (and more) were confirmed:– Hardcoded, default, weak or no passwords– Backdoor accounts – Unencrypted data and communications– Weak input validation and fragile applications– Use of remote access software and services– Unneeded services running – VNC, Telnet, FTP, etc.– Susceptibility to fuzzing and denial of service

• Surprising results– Availability of equipment on secondary market to reverse engineer– Social engineering of vendor support– Access to client support sites with manuals, firmware, etc.

21

Basic CapabilitiesBasic Capabilities• Inventory completion & validation

• Risk stratification

• Education

• Solution set development & implementation

• Incident response process (medical devices)

• Targeted security monitoring

• Medical device hardware & software standards

• Patch and update processes

• Device vulnerability assessments

• Inventory completion & validation

• Risk stratification

• Education

• Solution set development & implementation

• Incident response process (medical devices)

• Targeted security monitoring

• Medical device hardware & software standards

• Patch and update processes

• Device vulnerability assessments

Intermediate CapabilitiesIntermediate Capabilities

• Procurement, accreditation and retirement processes

• Solution set maintenance and compliance

• Responsibility and accountability matrix

• Enterprise device scanning

• External communication limitations

• Device security governance

• Regulatory and vendor involvement

• Procurement, accreditation and retirement processes

• Solution set maintenance and compliance

• Responsibility and accountability matrix

• Enterprise device scanning

• External communication limitations

• Device security governance

• Regulatory and vendor involvement

Mature CapabilitiesMature Capabilities

• Account management

• Endpoint protection

• Secure coding standards

• Account management

• Endpoint protection

• Secure coding standards

Advanced Capabilities Advanced Capabilities

• Organizational changes to improve support processes

• Ongoing testing processes: Static / Dynamic / Penetration

• Security research program

• Organizational changes to improve support processes

• Ongoing testing processes: Static / Dynamic / Penetration

• Security research program

Superior CapabilitiesSuperior Capabilities

• Full integration into enterprise operational activities

• Regulatory body influence

• Vulnerability management program

• Vendor management program

• Operational processes reviews

• Security metrics

• Full integration into enterprise operational activities

• Regulatory body influence

• Vulnerability management program

• Vendor management program

• Operational processes reviews

• Security metrics

Next steps Next steps

• Mitigate vulnerabilities identified

• Identify other high risk system that may need short term mitigations

• Complete detailed planning and resource needs for basic and intermediate capabilities

• Partner with interested groups to promote medical device security

• Mitigate vulnerabilities identified

• Identify other high risk system that may need short term mitigations

• Complete detailed planning and resource needs for basic and intermediate capabilities

• Partner with interested groups to promote medical device security

Other OpportunitiesOther Opportunities

• Support and Departmental Systems Security– Temperature monitoring – Infant abduction– Pharmacy automation– Patient tracking– Nurse call systems– + many more we don’t know about

• OWE (other weird equipment)– Hyperbaric chamber– Traveling gamma camera– Pneumatic tube system– Home grown stuff– + many more we don’t know about

• Support and Departmental Systems Security– Temperature monitoring – Infant abduction– Pharmacy automation– Patient tracking– Nurse call systems– + many more we don’t know about

• OWE (other weird equipment)– Hyperbaric chamber– Traveling gamma camera– Pneumatic tube system– Home grown stuff– + many more we don’t know about

28

SummarySummary• The full eco-system is broken

– Systems development & architecture– Testing– Patching & updates– Maintenance– Regulation– Support and incident response

• We will be living with this problem for at least a decade

• While the vendors have a responsibility to fix their equipment we have a responsibility to protect our patients

• The technology and knowledge are available to fix the problem

• Being “secure” is currently not a business differentiator

• It’s only a matter of time…

• The full eco-system is broken– Systems development & architecture– Testing– Patching & updates– Maintenance– Regulation– Support and incident response

• We will be living with this problem for at least a decade

• While the vendors have a responsibility to fix their equipment we have a responsibility to protect our patients

• The technology and knowledge are available to fix the problem

• Being “secure” is currently not a business differentiator

• It’s only a matter of time…

29

FDA & ICS-CERT ReferencesFDA & ICS-CERT References• Cybersecurity for Medical Devices and Hospital Networks

– http://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm356423.htm

• Draft Guidance - Premarket Submissions for Management of Cybersecurity in Medical Devices– http

://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm356186.htm

• MedWatch– https://www.accessdata.fda.gov/scripts/medwatch/

• MAUDE – Manufacturers and User Facility Device Experience– http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfmaude/Search.cfm

• New MDS2 for review of medical devices– http

://www.nema.org/standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx

• Industrial Control Systems Cyber Emergency Response Team– http://ics-cert.us-cert.gov/

• Draft Guidance for Industry & FDA– http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceD

ocuments/UCM356190.pdf

• Cybersecurity for Medical Devices and Hospital Networks– http://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm356423.htm

• Draft Guidance - Premarket Submissions for Management of Cybersecurity in Medical Devices– http

://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm356186.htm

• MedWatch– https://www.accessdata.fda.gov/scripts/medwatch/

• MAUDE – Manufacturers and User Facility Device Experience– http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfmaude/Search.cfm

• New MDS2 for review of medical devices– http

://www.nema.org/standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx

• Industrial Control Systems Cyber Emergency Response Team– http://ics-cert.us-cert.gov/

• Draft Guidance for Industry & FDA– http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceD

ocuments/UCM356190.pdf30

Question and Answer

Kevin McDonaldClinical Information Security

Mayo Clinic

Question and Answer

Kevin McDonaldClinical Information Security

Mayo Clinic

27

31

Public Health Through Procurement

Public Health Through Procurement

Dale NordenbergMDISS

Executive Director & Co-FounderMedical Device Innovation,

Safety and Security Consortium

Dale NordenbergMDISS

Executive Director & Co-FounderMedical Device Innovation,

Safety and Security Consortium

32

ContentContent

1. Defining a medical device

2. Defining and scoping a public health problem

3. Overview of medical device safety

4. Introduction to MDISS.ORG Consortium– Market versus regulatory driven change

5. Highlight key regulatory and standards initiatives

6. Highlight key MDISS initiatives

1. Defining a medical device

2. Defining and scoping a public health problem

3. Overview of medical device safety

4. Introduction to MDISS.ORG Consortium– Market versus regulatory driven change

5. Highlight key regulatory and standards initiatives

6. Highlight key MDISS initiatives

33

Medical DeviceMedical Device“A medical device is an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:

• recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,

• intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or

• intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of it's primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes."

Quoted: FDA - http://www.fda.gov/aboutfda/transparency/basics/ucm211822.htm

“A medical device is an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:

• recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,

• intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or

• intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of it's primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes."

Quoted: FDA - http://www.fda.gov/aboutfda/transparency/basics/ucm211822.htm

34

Medical Device ClassesMedical Device Classes

• “FDA classifies medical devices based on the risks associated with the device. Devices are classified into one of three categories—Class I, Class II, and Class III.

• Class I devices are deemed to be low risk and are therefore subject to the least regulatory controls. For example, dental floss is classified as Class I device.

• Class II devices are higher risk devices than Class I and require greater regulatory controls to provide reasonable assurance of the device’s safety and effectiveness. For example, condoms are classified as Class II devices. 

• Class III devices are generally the highest risk devices and are therefore subject to the highest level of regulatory control. Class III devices must typically be approved by FDA before they are marketed. For example, replacement heart valves are classified as Class III devices.”

Quoted: FDA- http://www.fda.gov/AboutFDA/Transparency/Basics/ucm194438.htm

• “FDA classifies medical devices based on the risks associated with the device. Devices are classified into one of three categories—Class I, Class II, and Class III.

• Class I devices are deemed to be low risk and are therefore subject to the least regulatory controls. For example, dental floss is classified as Class I device.

• Class II devices are higher risk devices than Class I and require greater regulatory controls to provide reasonable assurance of the device’s safety and effectiveness. For example, condoms are classified as Class II devices. 

• Class III devices are generally the highest risk devices and are therefore subject to the highest level of regulatory control. Class III devices must typically be approved by FDA before they are marketed. For example, replacement heart valves are classified as Class III devices.”

Quoted: FDA- http://www.fda.gov/AboutFDA/Transparency/Basics/ucm194438.htm

35

Medical Device Data System (MDDS)Medical Device Data System (MDDS)

• “Medical Device Data Systems (MDDS) are hardware or software products that transfer, store, convert formats, and display medical device data. An MDDS does not modify the data or modify the display of the data, and it does not by itself control the functions or parameters of any other medical device. MDDS are not intended to be used for active patient monitoring.

• Examples of MDDS include:– software that stores patient data such as blood pressure readings for

review at a later time;– software that converts digital data generated by a pulse oximeter into a

format that can be printed; and– software that displays a previously stored electrocardiogram for a

particular patient.

• The quality and continued reliable performance of MDDS are essential for the safety and effectiveness of health care delivery. Inadequate quality and design, unreliable performance, or incorrect functioning of MDDS can have a critical impact on public health.”

• “Medical Device Data Systems (MDDS) are hardware or software products that transfer, store, convert formats, and display medical device data. An MDDS does not modify the data or modify the display of the data, and it does not by itself control the functions or parameters of any other medical device. MDDS are not intended to be used for active patient monitoring.

• Examples of MDDS include:– software that stores patient data such as blood pressure readings for

review at a later time;– software that converts digital data generated by a pulse oximeter into a

format that can be printed; and– software that displays a previously stored electrocardiogram for a

particular patient.

• The quality and continued reliable performance of MDDS are essential for the safety and effectiveness of health care delivery. Inadequate quality and design, unreliable performance, or incorrect functioning of MDDS can have a critical impact on public health.”

36Quoted: FDA http://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/GeneralHospitalDevicesandSupplies/MedicalDeviceDataSystems/default.htm

Medical Device, Accessory, ComponentMedical Device, Accessory, Component

37

Mobile Medical AppMobile Medical App• Mobile platform: “For purposes of this guidance, “mobile platforms”

are defined as commercial off-the-shelf (COTS) computing platforms, with or without wireless connectivity, that are handheld in nature. Examples of these mobile platforms include mobile computers such as smart phones, tablet computers, or other portable computers.”

• Mobile app: “For purposes of this guidance, a mobile application or “mobile app” is defined as a software application that can be executed (run) on a mobile platform (i.e., a handheld commercial off-the-shelf computing platform , with or without wireless connectivity), or a web-based software application that is tailored to a mobile platform but is executed on a server.”

• Mobile medical app: “For purposes of this guidance, a “mobile medical app” is a mobile app that meets the definition of device in section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act); and either is intended (1) to be used as an accessory to a regulated medical device; or (2) to transform a mobile platform into a regulated medical device.”

• Mobile platform: “For purposes of this guidance, “mobile platforms” are defined as commercial off-the-shelf (COTS) computing platforms, with or without wireless connectivity, that are handheld in nature. Examples of these mobile platforms include mobile computers such as smart phones, tablet computers, or other portable computers.”

• Mobile app: “For purposes of this guidance, a mobile application or “mobile app” is defined as a software application that can be executed (run) on a mobile platform (i.e., a handheld commercial off-the-shelf computing platform , with or without wireless connectivity), or a web-based software application that is tailored to a mobile platform but is executed on a server.”

• Mobile medical app: “For purposes of this guidance, a “mobile medical app” is a mobile app that meets the definition of device in section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act); and either is intended (1) to be used as an accessory to a regulated medical device; or (2) to transform a mobile platform into a regulated medical device.”

38

mHealth MarketmHealth Market

• In Q1 2013, more than 27,000 mhealth apps with a growth rate of about 500 per month

• Of these mhealth apps, only about 80 had gone through the FDA 510(k) process at the time of the survey.

• www.mhealthnews.com, March 2013

• In Q1 2013, more than 27,000 mhealth apps with a growth rate of about 500 per month

• Of these mhealth apps, only about 80 had gone through the FDA 510(k) process at the time of the survey.

• www.mhealthnews.com, March 2013

39

Mobile Medical Apps: Regulatory CategoriesMobile Medical Apps: Regulatory Categories

40

Basic Regulatory RequirementsBasic Regulatory Requirements

• Establishment registration

• Medical device listing

• Premarket notification (510k) or premarket approval (PMA)

• Investigational device exemption (IDE) for clinical studies

• Quality system (QS) regulation

• Labeling requirements

• Medical device reporting (MDR)

• Establishment registration

• Medical device listing

• Premarket notification (510k) or premarket approval (PMA)

• Investigational device exemption (IDE) for clinical studies

• Quality system (QS) regulation

• Labeling requirements

• Medical device reporting (MDR)

41

FDA RecommendationsFDA Recommendations

• The following FDA slides contain content quoted from:– Safety communication, June, 2013 – Cybersecurity Guidance, Sept, 2013

• The following FDA slides contain content quoted from:– Safety communication, June, 2013 – Cybersecurity Guidance, Sept, 2013

42

FDA: Identified RisksFDA: Identified Risks• Network-connected/configured medical devices infected or

disabled by malware;

• The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices;

• Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel);

• Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices)

• Network-connected/configured medical devices infected or disabled by malware;

• The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices;

• Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel);

• Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices)

43

FDA: Recommendations to ManufacturersFDA: Recommendations to Manufacturers• Take steps to limit unauthorized device access to trusted users only, particularly for

those devices that are life-sustaining or could be directly connected to hospital networks. Appropriate security controls may include: user authentication, for example, user ID and password, smartcard or biometric; strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.

• Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code. Note: The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.

• Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”

• Provide methods for retention and recovery after an incident where security has been compromised. Cybersecurity incidents are increasingly likely and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery.

• Take steps to limit unauthorized device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks. Appropriate security controls may include: user authentication, for example, user ID and password, smartcard or biometric; strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.

• Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code. Note: The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.

• Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”

• Provide methods for retention and recovery after an incident where security has been compromised. Cybersecurity incidents are increasingly likely and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery.

44

FDA: Guidance to Manufacturers (con’t)FDA: Guidance to Manufacturers (con’t)

• Manufacturers should define and document the following components of their cybersecurity risk analysis and management plan as part of the risk analysis required by 21 CFR 820.30(g)2:

• Identification of assets, threats, and vulnerabilities;

• Impact assessment of the threats and vulnerabilities on device functionality;

• Assessment of the likelihood of a threat and of a vulnerability being exploited;

• Determination of risk levels and suitable mitigation strategies;

• Residual risk assessment and risk acceptance criteria

• Manufacturers should define and document the following components of their cybersecurity risk analysis and management plan as part of the risk analysis required by 21 CFR 820.30(g)2:

• Identification of assets, threats, and vulnerabilities;

• Impact assessment of the threats and vulnerabilities on device functionality;

• Assessment of the likelihood of a threat and of a vulnerability being exploited;

• Determination of risk levels and suitable mitigation strategies;

• Residual risk assessment and risk acceptance criteria 45

FDA Recommendations to Health SystemsFDA Recommendations to Health Systems• Restricting unauthorized access to the network and networked medical

devices.

• Making certain appropriate antivirus software and firewalls are up-to-date. 

• Monitoring network activity for unauthorized use.

• Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.

• Contacting the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.

• Developing and evaluating strategies to maintain critical functionality during adverse conditions

• Restricting unauthorized access to the network and networked medical devices.

• Making certain appropriate antivirus software and firewalls are up-to-date. 

• Monitoring network activity for unauthorized use.

• Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.

• Contacting the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.

• Developing and evaluating strategies to maintain critical functionality during adverse conditions

46

Public Health PerspectivePublic Health Perspective

• Three parameters define the importance of a public health problem– Breadth of exposure, e.g. incidence/prevalence– Depth if impact, e.g. morbidity and mortality– Preventability

• Three parameters define the importance of a public health problem– Breadth of exposure, e.g. incidence/prevalence– Depth if impact, e.g. morbidity and mortality– Preventability

47

Medical Device ExposureMedical Device Exposure

• Centers for Disease Control and Prevention (CDC) estimates annual patient encounters– 35 million hospital discharges– 100 million hospital outpatient visits– 900 million physician office visits– Billions of prescriptions

• Most of these encounters likely include a networked medical device

• Centers for Disease Control and Prevention (CDC) estimates annual patient encounters– 35 million hospital discharges– 100 million hospital outpatient visits– 900 million physician office visits– Billions of prescriptions

• Most of these encounters likely include a networked medical device

48

Medical Device MarketMedical Device Market

• Overall market estimated to be $100 - $300 billion dollars

• Digitally enabled devices represent about $25B to $75B or 25% of the market. An estimate in 2009

• Overall market estimated to be $100 - $300 billion dollars

• Digitally enabled devices represent about $25B to $75B or 25% of the market. An estimate in 2009

49

The U.S. medical devices sector includes surgical and medical instruments, orthopedic, prosthetic, and surgical appliances and supplies; dental equipment and supplies; x-ray apparatus, tubes, related irradiation apparatus; electrotherapy and electromedical apparatus; ophthalmic equipment; and in-vitro diagnostic substances. Annual Survey of Manufacturers, 2006, U.S. Census Bureau, Department of Commerce

Medical Device Adverse EventsMedical Device Adverse Events

• Many devices can cause serious harm if they malfunction– Linear accelerators– Infusion pumps– Defibrillators– Insulin pumps

• Difficult to identify security related malfunction as a root cause

• Many devices can cause serious harm if they malfunction– Linear accelerators– Infusion pumps– Defibrillators– Insulin pumps

• Difficult to identify security related malfunction as a root cause

50

Preventable RiskPreventable Risk

• There are many important security related best practices and security technologies that are available but that are not being deployed to secure medical devices

• Opportunity exists to integrate improved security functions in medical devices

• This renders medical device security a preventable risk

• There are many important security related best practices and security technologies that are available but that are not being deployed to secure medical devices

• Opportunity exists to integrate improved security functions in medical devices

• This renders medical device security a preventable risk

51

Innovation ImbalanceInnovation Imbalance

• HIT innovation and adoption is rapid, accelerating, and includes networked medical devices

• HIT interoperability is accelerating

• The rate of innovation and application for ICT security is lagging significantly behind HIT innovation

• The gap contributes to a major public health risk

• HIT innovation and adoption is rapid, accelerating, and includes networked medical devices

• HIT interoperability is accelerating

• The rate of innovation and application for ICT security is lagging significantly behind HIT innovation

• The gap contributes to a major public health risk

52 ICT – Information and Communication Technologies

The ‘Hand Off’A Black Hole Where Risk Lives

The ‘Hand Off’A Black Hole Where Risk Lives

Reference: Quoted from Int J Qual Health Care (2004) 16 (2): 125-132. doi: 10.1093/intqhc/mzh026

Handoff strategies in settings with high consequences for failure: lessons for health care operationsObjective. To describe strategies employed during handoffs in four settings with high consequences for failure.Design. Analysis of observational data for evidence of use of 21 handoff strategies.Setting. NASA Johnson Space Center in Texas, nuclear power generation plants in Canada, a railroad dispatch center in the United States, and an ambulance dispatch center in Toronto.Main measure. Evidence of 21 handoff strategies from observations and interviews.Results. Nineteen of 21 strategies were used in at least one domain, on at least an ‘as needed’ basis.Conclusions. An understanding of how handoffs are conducted in settings with high consequences for failure can jumpstart endeavors to modify handoffs to improve patient safety.

MDISS Consortium 53

Point of Care Risk in the Health EnterpriseHiding Behind Every HandoffPoint of Care Risk in the Health EnterpriseHiding Behind Every Handoff

InformationTechnology

InformationSecurity

Clinical Informatics

PatientRisk

Enterprise Risk Industrial Control Systems

Medical Devices

Data Systems

Physicians

Nurses

Therapists

MedicalTechnologists

Laboratorians

Computers

Mobile Devices

Quality ofCare

54

BiomedicalEngineers

Manufacturers

Origins of Risk: Industry Handoff GapsCrossing the Cultural ChasmOrigins of Risk: Industry Handoff GapsCrossing the Cultural Chasm

Regulators

Infrastructure

TechnologyBuild

Integrate

Operate

55

Hospitals

Who’s ResponsibleOrigins, Destinations, DirectionsWho’s ResponsibleOrigins, Destinations, Directions

Hospitals

FDA

NIST

Congress and GAO

800001Manufacturers

MDISS Consortium 56

MDS2MDISS Risk Assessment

57

Medical Device Safety

Background

Medical Device Safety

Background

Medical Device Innovation, Safety and Security Consortium

Cardiac Implantable Devices: OverviewCardiac Implantable Devices: Overview

FDA recalled 23 types of implantable products in the first half of 2010

In 2008, approximately 350,000 pacemakers and 140,000 ICDs were implanted in the United States, according to a forecast on the implantable medical device market published earlier this year

– Sanket S. Dhruva et al., Strength of Study Evidence Examined by the FDA in Premarket Approval of CardiovascularDevices, 302 J. Am. Med. Ass'n 2679 (2009).

Nation-wide demand for all IMDs is projected to increase 8.3 percent annually to $48 billion by 2014 while cardiac implants in the U.S. will increase 7.3 percent annually representing approximately $16.7 billion in 2014

– Freedonia Group, Cardiac Implants, Rep. Buyer, Sept. 2008, http://www.reportbuyer.com/pharma healthcare/medical devices/cardiac implants.html.

From 1997 to 2003, approximately 400,000 to 450,000 ICDs were implanted globally, the majority of these implants were done in the USA, and there were at least 212 deaths attributed to failure of these ICDs

– Robert G. Hauser & Linda Kallinen, Deaths Associated With Implantable Cardioverter Debrillator Failure and Deactiva-tion Reported in the United States Food and Drug Administration Manufacturer and User Facility Device Experience Database, 1 Heart Rhythm 399, t http://www.heartrhythmjournal.com/article/S1547-5271%2804%2900286-3/.

FDA recalled 23 types of implantable products in the first half of 2010

In 2008, approximately 350,000 pacemakers and 140,000 ICDs were implanted in the United States, according to a forecast on the implantable medical device market published earlier this year

– Sanket S. Dhruva et al., Strength of Study Evidence Examined by the FDA in Premarket Approval of CardiovascularDevices, 302 J. Am. Med. Ass'n 2679 (2009).

Nation-wide demand for all IMDs is projected to increase 8.3 percent annually to $48 billion by 2014 while cardiac implants in the U.S. will increase 7.3 percent annually representing approximately $16.7 billion in 2014

– Freedonia Group, Cardiac Implants, Rep. Buyer, Sept. 2008, http://www.reportbuyer.com/pharma healthcare/medical devices/cardiac implants.html.

From 1997 to 2003, approximately 400,000 to 450,000 ICDs were implanted globally, the majority of these implants were done in the USA, and there were at least 212 deaths attributed to failure of these ICDs

– Robert G. Hauser & Linda Kallinen, Deaths Associated With Implantable Cardioverter Debrillator Failure and Deactiva-tion Reported in the United States Food and Drug Administration Manufacturer and User Facility Device Experience Database, 1 Heart Rhythm 399, t http://www.heartrhythmjournal.com/article/S1547-5271%2804%2900286-3/.

58Medical Device Innovation, Safety and Security Consortium

Medical Device Software FailuresMedical Device Software Failures

• Between 1983 to 1997, 2,792 quality problems that resulted in recalls of medical devices and of problems, 383 were related to device software

• Of the recalled devices, 21 percent were cardiac

• 98 percent of the software failures analyzed were detectable by best practice quality assurance methods– Dolores R. Wallace & D. Richard Kuhn, Failure Modes in Medical Device

Software: An Analysis of 15 Years of Recall Data, 8 Int'l J. Reliability Quality Safety Eng'g 351 (2001), available at http://csrc.nist.gov/groups/SNS/acts/documents/nal-rqse.pdf.

• Between 1983 to 1997, 2,792 quality problems that resulted in recalls of medical devices and of problems, 383 were related to device software

• Of the recalled devices, 21 percent were cardiac

• 98 percent of the software failures analyzed were detectable by best practice quality assurance methods– Dolores R. Wallace & D. Richard Kuhn, Failure Modes in Medical Device

Software: An Analysis of 15 Years of Recall Data, 8 Int'l J. Reliability Quality Safety Eng'g 351 (2001), available at http://csrc.nist.gov/groups/SNS/acts/documents/nal-rqse.pdf.

59Medical Device Innovation, Safety and Security

Consortium

Infusion Pumps Software FailureInfusion Pumps Software Failure

Between 2005 and 2009, the FDA received approximately 56,000 infusion pump-related adverse event reports Many of these were associated with significant morbidity

and mortality

Software malfunction was a frequent cause for infusion pump malfunction

Hundreds of thousands of infusion pumps were recalled and scores of models were implicated

FDA is providing support to manufacturers– Review of code submitted by manufacturers– Collaborative development of open source safety models

and reference standards – White Paper: Infusion Pump Improvement Initiative April 2010, Center for Devices and Radiological Health U.S. Food and Drug Administration,

http://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/GeneralHospitalDevicesandSupplies/InfusionPumps/ucm205424.htm

Between 2005 and 2009, the FDA received approximately 56,000 infusion pump-related adverse event reports Many of these were associated with significant morbidity

and mortality

Software malfunction was a frequent cause for infusion pump malfunction

Hundreds of thousands of infusion pumps were recalled and scores of models were implicated

FDA is providing support to manufacturers– Review of code submitted by manufacturers– Collaborative development of open source safety models

and reference standards – White Paper: Infusion Pump Improvement Initiative April 2010, Center for Devices and Radiological Health U.S. Food and Drug Administration,

http://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/GeneralHospitalDevicesandSupplies/InfusionPumps/ucm205424.htm60

Medical Device Innovation, Safety and Security Consortium

Linear Accelerators Software Related DeathsLinear Accelerators Software Related Deaths

Therac-25 machines– Software problems lead to 6 well known cases of death or severe

adverse events between 1985-1987 resulting in machine recall– Catalyzed safety concerns and resulted in initiatives to improve

safety profile of linear accelerators• An Investigation of the Therac-25 Accidents, Nancy Leveson, IEEE Computer,

Vol. 26, No. 7, July 1993, pp. 18-41.

Radiation related adverse events are likely underestimated– Many adverse events are difficult to detect because many are

initially subclinical, e.g. increased exposures leading to malignancy

– “My suspicion is that maybe half of the accidents we don’t know about,” said Dr. Fred A. Mettler Jr.• Radiation Offers New Cures, and Ways to Do Harm, NY Times, January 23,

2010

Therac-25 machines– Software problems lead to 6 well known cases of death or severe

adverse events between 1985-1987 resulting in machine recall– Catalyzed safety concerns and resulted in initiatives to improve

safety profile of linear accelerators• An Investigation of the Therac-25 Accidents, Nancy Leveson, IEEE Computer,

Vol. 26, No. 7, July 1993, pp. 18-41.

Radiation related adverse events are likely underestimated– Many adverse events are difficult to detect because many are

initially subclinical, e.g. increased exposures leading to malignancy

– “My suspicion is that maybe half of the accidents we don’t know about,” said Dr. Fred A. Mettler Jr.• Radiation Offers New Cures, and Ways to Do Harm, NY Times, January 23,

2010

61Medical Device Innovation, Safety and Security

Consortium

Risk Reality Check - Hacking Machines vs. PeopleRisk Reality Check - Hacking Machines vs. People

In 2007 and 2008, health related websites were hacked with the intent to cause harm– Coping with Epilepsy website– Epilepsy Foundation website

In both instances, computer animations were posted that triggered migraines and seizures among visitors with epilepsy variants associated with photosensitivity

In 2007 and 2008, health related websites were hacked with the intent to cause harm– Coping with Epilepsy website– Epilepsy Foundation website

In both instances, computer animations were posted that triggered migraines and seizures among visitors with epilepsy variants associated with photosensitivity

62

Hacking of ‘medical devices’ to intentionally cause harm will occur

Medical Device Innovation, Safety and Security Consortium

Implanted medical devices have enriched and extended the lives of countless people, but device malfunctions and software glitches have become modern `diseases' that will continue to occur. The failure of manufacturers and the FDA to provide the public with timely, critical information about device performance, malfunctions, and ’fixes' enables potentially defective devices to reach unwary consumers.”

Capitol Hill Hearing Testimony of William H. Maisel, Director of Beth Israel Deaconess Medical Center,May 12, 2009

63

Silicon-Based Defects Etiology of Carbon-Based DiseasesSilicon-Based Defects Etiology of Carbon-Based Diseases

Medical Device Innovation, Safety and Security Consortium

Medical Device VulnerabilityPatient SafetyMedical Device VulnerabilityPatient Safety

“These [medical device] infections have the potential to greatly affect the world-class patient care that is expected by our customers. In addition to compromising data and the system, these incidents are also extremely costly to the VA in terms of time and money spent cleansing infected medical devices.”

Roger BakerAssistant Secretary for Information and Technology

Department of Veterans Affairs

“These [medical device] infections have the potential to greatly affect the world-class patient care that is expected by our customers. In addition to compromising data and the system, these incidents are also extremely costly to the VA in terms of time and money spent cleansing infected medical devices.”

Roger BakerAssistant Secretary for Information and Technology

Department of Veterans Affairs

64Medical Device Innovation, Safety and Security

Consortium

Medical Device Safety ActMedical Device Safety Act

Editorial: The Medical Device Safety Act of 2009, Gregory D. Curfman, M.D., Stephen Morrissey, Ph.D., and Jeffrey M. Drazen, M.D., N Engl J Med 2009; 360:1550-1551, April 9, 2009Editorial: The Medical Device Safety Act of 2009, Gregory D. Curfman, M.D., Stephen Morrissey, Ph.D., and Jeffrey M. Drazen, M.D., N Engl J Med 2009; 360:1550-1551, April 9, 2009

65

• Controversy regarding medical device safety• Medical devices and pharmaceuticals are treated

differently • Medical Device Safety Act (MDSA) seeks to overturn a

2008 Supreme Court decision based on the 1976 Medical Device Act that essentially states that manufacturers can’t be held at risk for adverse health events due to FDA approved products

Medical Device Security ChallengesMedical Device Security Challenges

The national biomedical device network remains a largely unrecognized entity

Multidisciplinary expertise is required to understand medical device risks and consequently design, implement, and manage medical devices and their associated biomedical device networks to optimize patient safety

Stakeholders have not yet built the multidisciplinary expertise required to optimize medical device safety profiles along the medical device life cycle

Security breaches in the health care industry escalate each year and represent an increasing patient risk as the prevalence of networked medical devices increases

The national biomedical device network remains a largely unrecognized entity

Multidisciplinary expertise is required to understand medical device risks and consequently design, implement, and manage medical devices and their associated biomedical device networks to optimize patient safety

Stakeholders have not yet built the multidisciplinary expertise required to optimize medical device safety profiles along the medical device life cycle

Security breaches in the health care industry escalate each year and represent an increasing patient risk as the prevalence of networked medical devices increases

66Medical Device Innovation, Safety and Security

Consortium

Medical Device Security Challenges (cont.)Medical Device Security Challenges (cont.)

Medical device security breaches can harm patients and organizations

Medical device network dysfunction is a potential national security risk

The security of medical devices, given that they operate as part of a networked system, receive inadequate attention

Limited information is reported regarding the extent of the potential exposure, risks, and risk mitigation strategies

Regulatory focus is often about a ‘point in time’ assessment while networked medical devices are continuously exposed to rapidly evolving technology risks

Collaboration is lacking among all stakeholders in developing practical solutions

The engineering, informatics, and public health science to leverage real-time data streams from networked devices is immature

Medical device security breaches can harm patients and organizations

Medical device network dysfunction is a potential national security risk

The security of medical devices, given that they operate as part of a networked system, receive inadequate attention

Limited information is reported regarding the extent of the potential exposure, risks, and risk mitigation strategies

Regulatory focus is often about a ‘point in time’ assessment while networked medical devices are continuously exposed to rapidly evolving technology risks

Collaboration is lacking among all stakeholders in developing practical solutions

The engineering, informatics, and public health science to leverage real-time data streams from networked devices is immature

67Medical Device Innovation, Safety and Security

Consortium

Medical Device Design Issues Medical Device Design Issues

• Device system design is proprietary and requires professional inputs for operation

• Patients connected to multiple devices can’t be monitored from a single integrated platform

• Significant risks are associated with attempts to compel currently designed devices to be interoperable

• “Neither past nor current development methods are adequate for the high-confidence design and manufacture of highly complex, interoperable medical device software and systems (“intelligent” prosthetics, minimally invasive surgical devices, implants, “operating room of the future”), which in years to come will likely include nano/bio devices, bionics, or even pure (programmable) biological systems.”

• Device system design is proprietary and requires professional inputs for operation

• Patients connected to multiple devices can’t be monitored from a single integrated platform

• Significant risks are associated with attempts to compel currently designed devices to be interoperable

• “Neither past nor current development methods are adequate for the high-confidence design and manufacture of highly complex, interoperable medical device software and systems (“intelligent” prosthetics, minimally invasive surgical devices, implants, “operating room of the future”), which in years to come will likely include nano/bio devices, bionics, or even pure (programmable) biological systems.”

68

High-Confidence Medical Devices: Cyber-Physical Systems for 21st Century Health Care (Feb. 2009); byThe Networking and Information Technology Research and Development (NITRD) Programhttp://www.whitehouse.gov/files/documents/cyber/NITRD%20-%20High-Confidence%20Medical%20Devices.pdf

Medical Device Design Issues (con’t)Medical Device Design Issues (con’t)

• “To enable the necessary holistic cyber-physical systems understanding, barriers must fall among the relevant disciplines: medicine, discrete and continuous mathematics of dynamics and control; real-time computation and communication; medical robotics; learning; computational models and the supporting systems engineering design, analysis, and implementation technologies; and formal and algorithmic methods for stating, checking, and reasoning about system properties.”

• “To enable the necessary holistic cyber-physical systems understanding, barriers must fall among the relevant disciplines: medicine, discrete and continuous mathematics of dynamics and control; real-time computation and communication; medical robotics; learning; computational models and the supporting systems engineering design, analysis, and implementation technologies; and formal and algorithmic methods for stating, checking, and reasoning about system properties.”

69High-Confidence Medical Devices: Cyber-Physical Systems for 21st Century Health Care (Feb. 2009)http://www.whitehouse.gov/files/documents/cyber/NITRD%20-%20High-Confidence%20Medical%20Devices.pdf

Key Activities Around Medical Device SecurityKey Activities Around Medical Device Security

• FDA - 2013– FDASIA – a federal advisory committee focused on

healthcare technology safety– Cybersecurity for medical devices guidance and safety

communication issued

• Standards and best practices– IEC 80001– IEC 62443 adaptation– AAMI technical report under development for manufacturer

risk management– MDS2 version 2.0 just released– CIS, MDISS, and Counsel for Cybersecurity medical device

security benchmarking activity

• FDA - 2013– FDASIA – a federal advisory committee focused on

healthcare technology safety– Cybersecurity for medical devices guidance and safety

communication issued

• Standards and best practices– IEC 80001– IEC 62443 adaptation– AAMI technical report under development for manufacturer

risk management– MDS2 version 2.0 just released– CIS, MDISS, and Counsel for Cybersecurity medical device

security benchmarking activity

70

Types of StandardsTypes of Standards Information security management system

Defines at the highest level how an organization will conduct their information security management

Ensures an organization puts in place appropriate organizational structure, policies, processes, procedures, risk management program, incident management process

Risk management standards Defines methodology for Risk Management Identifying threats, vulnerabilities, consequences Determining probability and risk Determining what to do with the risk once it’s identified (accept,

transfer, reduce, etc).

Control frameworks Specific checkpoints to monitor people, process or capabilities in

order to control and limit risk, e.g. access Control, Backup, Disaster Recovery, Malware Protection, etc.

Information security management system Defines at the highest level how an organization will conduct their

information security management Ensures an organization puts in place appropriate organizational

structure, policies, processes, procedures, risk management program, incident management process

Risk management standards Defines methodology for Risk Management Identifying threats, vulnerabilities, consequences Determining probability and risk Determining what to do with the risk once it’s identified (accept,

transfer, reduce, etc).

Control frameworks Specific checkpoints to monitor people, process or capabilities in

order to control and limit risk, e.g. access Control, Backup, Disaster Recovery, Malware Protection, etc.

71

Standards OverviewStandards Overview

72

Standard Description Type TargetISO/IEC 27001 Information Security Management Systems Information Security Management System IT Organizations

ISO/IEC 27002 The Code of Practice for Information Security Management

Control Framework ManufacturesDevelopersIT OrganizationsAuditors

ISO/IEC 27005 Information technology - Security techniques — Information security risk management

Risk Management IT Organizations

ISO/IEC 14971 Medical devices — Application of risk management to medical device

Risk Management Manufacturer(Saftey Focused)

ISO/IEC 80001:1 Application of risk management for IT-networks incorporating medical devices

Risk Management HealthCare Delivery Organizations (HDO)(Medical-IT / Provider)

NIST 800-30 Risk Management Guide for Risk Management IT OrganizationsInformation Technology Systems

NIST 800-53 Recommended Security Controls Control Framework Manufacturesfor Federal Information Systems Developersand Organizations IT Organizations Auditors

PCI-DSS Payment Card Data Security Standard Control Framework Any organization that collects, processes or stores credit card

informationIEC 62443-2-4 A Baseline Security Standard for Industrial

Automated Control Systems (IACS)Control Framework ManufacturesLifecycle Management Focus on Industry: Oil, Gas, Electric

MDS2 Manufacture Disclosure Statement for Medical Device Security

Device Profile and Disclosure HealthCare Delivery Organizations (HDO)

Manufacturers

SOX Sarbanes–Oxley Regulatory Requirement Public CompaniesHIPAA Health Insurance Portability and

Accountability ActRegulatory Requirement HealthCare Delivery Organizations (HDO)

FDA Title 21 CFR 801, 803, 807, 812[1] Quality Systems Regulation Regulatory Requirement Manufacturers

FDA Title 21 Electronic Record Keeping Regulatory Requirement ManufacturersCFR Part 11

ISO/IEC 80001:1 ISO/IEC 80001:1 Provider based risk management Focus on the responsible organization Incorporates updated risk management process based on the IEC/ISO

14971 safety standard Creates a Medical-IT Risk Manager Role

Silo Busting effect: Works with IT, IS, Biomed Engineers, Clinical Technology, Clinicians and manufactures and vendors

Maintains a risk management file for all devices Capabilities Model provides a top-level framework for

communicating security requirements and capabilities Defines security risk management processes to be embedded into

incident and change-release management processes

Provider based risk management Focus on the responsible organization Incorporates updated risk management process based on the IEC/ISO

14971 safety standard Creates a Medical-IT Risk Manager Role

Silo Busting effect: Works with IT, IS, Biomed Engineers, Clinical Technology, Clinicians and manufactures and vendors

Maintains a risk management file for all devices Capabilities Model provides a top-level framework for

communicating security requirements and capabilities Defines security risk management processes to be embedded into

incident and change-release management processes

73

ISO/IEC 80001:1ISO/IEC 80001:1

74Source: Quoted from ISO/IEC 80001:1 Standard

IEC 62443 Adaption for HealthcareIEC 62443 Adaption for Healthcare

• Originally for industrial control systems and includes best practices for vendors

• For ICS, there is certification

• MDISS has led adaptation for healthcare

• Undergoing pilot to assess adoption feasibility

• Adopting a minimal viable product approach

• Originally for industrial control systems and includes best practices for vendors

• For ICS, there is certification

• MDISS has led adaptation for healthcare

• Undergoing pilot to assess adoption feasibility

• Adopting a minimal viable product approach

75

Manufacturer Disclosure Statement for Medical Device Security Manufacturer Disclosure Statement for Medical Device Security

• Manufacturer Disclosure Statement for Medical Device Security (MDS2)

• Developed by Health Information Management System Society (HIMSS) and National Electronics Manufacturers Association (NEMA)

• Provides a standard form to record manufacturers device security profile

• The intent of the MDS2 is to supply healthcare providers with important information that can assist them in assessing the vulnerability and risks associated with electronic Protected Health Information (ePHI) transmitted or maintained by medical devices.

• Manufacturer Disclosure Statement for Medical Device Security (MDS2)

• Developed by Health Information Management System Society (HIMSS) and National Electronics Manufacturers Association (NEMA)

• Provides a standard form to record manufacturers device security profile

• The intent of the MDS2 is to supply healthcare providers with important information that can assist them in assessing the vulnerability and risks associated with electronic Protected Health Information (ePHI) transmitted or maintained by medical devices.

76MDS2 – HIMSS/NEMA Manufacturer Disclosure Statement for Medical Device Securityhttp://www.nema.org/stds/hn1.cfm

MDISS Medical Device Risk Assessment PlatformMDISS Medical Device Risk Assessment Platform

77

• Operational focus for health systems• Requires multidisciplinary team• Software as a service• Aggregates information across health centers• Flexible configuration of question sets• Graphical results to share with executives to

communicate risk• Informs procurement and legacy security tune ups

• Operational focus for health systems• Requires multidisciplinary team• Software as a service• Aggregates information across health centers• Flexible configuration of question sets• Graphical results to share with executives to

communicate risk• Informs procurement and legacy security tune ups

Our MissionOur Mission

The Medical Device Innovation, Safety and Security Consortium (MDISS) protects public health and well-being by advancing innovation and computing risk management practices to ensure wide availability of innovative and safe medical devices

The Medical Device Innovation, Safety and Security Consortium (MDISS) protects public health and well-being by advancing innovation and computing risk management practices to ensure wide availability of innovative and safe medical devices

Medical Device Innovation, Safety and Security Consortium 78

GoalsGoals

• A public private partnership effectively catalyzes the development of a safe and secure national bio-device network

• Security risks associated with medical devices are well understood and appreciated across the industry

• Medical devices and associated networks are safe and secure

• A public private partnership effectively catalyzes the development of a safe and secure national bio-device network

• Security risks associated with medical devices are well understood and appreciated across the industry

• Medical devices and associated networks are safe and secure

Medical Device Innovation, Safety and Security Consortium 79

Our OrganizationOur Organization

We are a collaborative and inclusive nonprofit professional organization committed to advancing quality healthcare with a focus on the safety and security of medical devices

As a public-private partnership, we serve providers, payers, manufacturers, universities, government agencies, technology companies, individuals, patients and patient advocates

We are a collaborative and inclusive nonprofit professional organization committed to advancing quality healthcare with a focus on the safety and security of medical devices

As a public-private partnership, we serve providers, payers, manufacturers, universities, government agencies, technology companies, individuals, patients and patient advocates

Medical Device Innovation, Safety and Security Consortium 80

Sample MembersSample Members

• VA, Kaiser, Sutter, Duke, Texas Health Resources, HCA, etc

• Medtronic, Covidien, Intuitive Surgical, GE, etc

• Intel, TrendMicro, Symantec, McAfee, Cylance, etc

• Work closely with FDA, DHS, DOD, etc

• VA, Kaiser, Sutter, Duke, Texas Health Resources, HCA, etc

• Medtronic, Covidien, Intuitive Surgical, GE, etc

• Intel, TrendMicro, Symantec, McAfee, Cylance, etc

• Work closely with FDA, DHS, DOD, etc

81

Consortium Initiatives ExamplesConsortium Initiatives Examples

82

Medical device expert network Collaborative medical device requirements

development Pre-procurement support Determination of scope of the security

challenges based on robust epidemiologic methods

Collaborative medical device security testing Standards, policy, guidelines, and regulatory

briefings, updates, explanation, and implications Education and training

Medical Device Innovation, Safety and Security Consortium

Thank YouThank You

For information, please contact:

Dale Nordenberg, MD

dnordenberg@mdiss.org

----------------------------------------

Acknowledgements

Significant contributions to the development and operations of MDISS continue to be made by representatives from numerous organizations including Kaiser Permanente, VA/VHA, John Muir Health, DOD, and others

For information, please contact:

Dale Nordenberg, MD

dnordenberg@mdiss.org

----------------------------------------

Acknowledgements

Significant contributions to the development and operations of MDISS continue to be made by representatives from numerous organizations including Kaiser Permanente, VA/VHA, John Muir Health, DOD, and others

83Medical Device Innovation, Safety and Security

Consortium

Question and Answer

Dale NordenbergMDISS

Executive Director & Co-FounderMedical Device Innovation, Safety

and Security Consortium

Question and Answer

Dale NordenbergMDISS

Executive Director & Co-FounderMedical Device Innovation, Safety

and Security Consortium

Copyright Secure Mentem

Medical Device Security - The Time is Now

Medical Device Security - The Time is Now

Roy Wattanasin, Information Security Officer, MITMRoy Wattanasin, Information Security Officer, MITM

Medical Device Security

- The Time is Now

Medical Device Security

- The Time is Now

Roy WattanasinMTIM

Information Security Officer

Roy WattanasinMTIM

Information Security Officer

86

AgendaAgenda

• Introduction

• Recommendations

• Resources

• Introduction

• Recommendations

• Resources

87

Search for Medical Device SecuritySearch for Medical Device Security

• Let Me Google That For You– http://lmgtfy.com/?q=medical+device+security

• Dick Cheney’s Defibrilator – http://www.cnn.com/2013/10/20/us/dick-cheney-gupta-intervi

ew/

• Let Me Google That For You– http://lmgtfy.com/?q=medical+device+security

• Dick Cheney’s Defibrilator – http://www.cnn.com/2013/10/20/us/dick-cheney-gupta-intervi

ew/

88

Recommendations (1 of 2)Recommendations (1 of 2)

• Inventorying

• Raise Awareness

• Incorporate Security into Policies

• Work With Device Manufacturers

• Inventorying

• Raise Awareness

• Incorporate Security into Policies

• Work With Device Manufacturers

89

Recommendations (2 of 2)Recommendations (2 of 2)

• Map Data Flows

• Incorporate Disaster Recovery (DR) Procedures

• Work Together

• Map Data Flows

• Incorporate Disaster Recovery (DR) Procedures

• Work Together

90

Resources (1 of 2)Resources (1 of 2)

• Archimedes http://secure-medicine.org/

• Center for Internet Security (CIS) https://benchmarks.cisecurity.org/about/MedicalDeviceOverview.cfm

• Council on Cybersecurity (CCS) http://www.counciloncybersecurity.org/

• FDA Guidance Draft on Medical Devices http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf

• Archimedes http://secure-medicine.org/

• Center for Internet Security (CIS) https://benchmarks.cisecurity.org/about/MedicalDeviceOverview.cfm

• Council on Cybersecurity (CCS) http://www.counciloncybersecurity.org/

• FDA Guidance Draft on Medical Devices http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf 91

Resources (2 of 2)Resources (2 of 2)• HIMSS/NEMA Manufacturer Disclosure Statement (MDS) http://

www.nema.org/Standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx

• I Am The Calvary http://bit.ly/thecavalry

• National Health Information Sharing and Analysis Center http://www.nhisac.org

• Medical Device Innovation, Safety and Security Consortium http://www.mdiss.org

• MedSec http://www.linkedin.com/groups/MedSec-2206357

• HIMSS/NEMA Manufacturer Disclosure Statement (MDS) http://www.nema.org/Standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx

• I Am The Calvary http://bit.ly/thecavalry

• National Health Information Sharing and Analysis Center http://www.nhisac.org

• Medical Device Innovation, Safety and Security Consortium http://www.mdiss.org

• MedSec http://www.linkedin.com/groups/MedSec-2206357 92

Question and Answer

Roy WattanasinMITM

Information Security Officer

Question and Answer

Roy WattanasinMITM

Information Security Officer

Copyright Secure Mentem

Open Panel with Audience Q&A Open Panel with Audience Q&A

Please feel free to use the questions section of the GoToWebinar toolbar to

ask a question of the speakers. You may have to click on the double arrow to

access this function.

Please feel free to use the questions section of the GoToWebinar toolbar to

ask a question of the speakers. You may have to click on the double arrow to

access this function.

94

Healthcare Special Interest GroupHealthcare Special Interest Group

VISION:

Establish and maintain collaborative models for information security within healthcare organizations

MISSION:

Drive collaborative thought and knowledge-sharing for information security leaders within healthcare organizations.

If you are interested in participating:

Contact: christineg@issa.org

VISION:

Establish and maintain collaborative models for information security within healthcare organizations

MISSION:

Drive collaborative thought and knowledge-sharing for information security leaders within healthcare organizations.

If you are interested in participating:

Contact: christineg@issa.org

96

Closing Remarks

Online Meetings Made Easy

Thank you to Citrix for donating this Webcast service

CPE CreditCPE Credit• Within 24 hours of the conclusion of this webcast, you

will receive a link via email to a post Web Conference quiz.

• After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.

• On Demand Viewers Quiz Link: http://www.surveygizmo.com/s3/1471055/Security-Requirements-Expectations-of-Biomedical-Devices

• Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz.

• After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.

• On Demand Viewers Quiz Link: http://www.surveygizmo.com/s3/1471055/Security-Requirements-Expectations-of-Biomedical-Devices

97