The internet of deadly thingsMedical Device Cybersecurity

Geoff FisherDirector & Leader of PwC Medical Device Cybersecurity PracticeHealth Industries Cybersecurity and Privacy

PwC

What is a medical device?

“An instrument, apparatus, implement, machine, contrivance, implant … which is … intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease”

– Food, Drug and Cosmetic Act

PwC

What’s driving a focus on cybersecurity?

Total business connectedness01Systemic risks02

Everything is under attack03

Risk to physical assets04

The driver The impactA business’ payroll, sales and products might all be connected to the Internet—and vulnerableA new vulnerability could leave a once-secure business open to major problems immediatelyPeople are looking for money, data, laughs, information, back-doors and infamy.Internet-connected products are vulnerable to physical problems, including failure

PwC

Over the years, medical devices have seen dramatic technological advances…

BeforeDevices are connected to

patients physically

Data obtained from devices are stored on

paper or locally

Devices are physical products

Care is hand-administered at a health care location

Physical access is needed to view health data

NowDevices are connected wirelessly to patients and other devices

Data obtained from devices are stored in the cloud

Devices include software and even databases of health information

Care is available to patients in the palm of their hand through apps

Health data can be accessed anywhere on earth

PwC

So have the concerns…If a device gets hacked into, there are some big potential problems

Patients could be harmed

Protected health data could be lost

Patients could die

Lost trust in connected devices

PwC

And the cost of breaches.Cybersecurity breaches are common and costly

18%of breaches cost

more than $1 million to remediate

$

85%of large health organizations experienced a data breach in

2014

PwC

19% 31% 22% 29% 9% 29%

Hacked devices, lost customersMany customers say they would never use, or would be wary of using, medical devices known to have been hacked or the or healthcare facilities where the hack occurred.

“Some medical devices (e.g., in hospitals) are now connected to the Internet to allow for software updates. You heard that a medical device (e.g., a blood pressure monitor, etc.) had been the subject of a hack that left a patient injured physically and/or financially. How comfortable would you feel using another…” – HRI Consumer Health Survey 2015

PwC

Customers value Security over Utility!

…knowing my health data is

secure.

…functionality and ease of

use.

“When using medical devices or healthcare mobile apps, I most value…”

38%

62%

HRI Consumer Survey 2015

PwC

A shift in how the FDA thinks about regulating medical devicesTraditional considerations meet technology

SecurityOnce a medical device is networked with other devices or the internet, is it still safe, or is it vulnerable to potentially serious problems?

QualityAfter approval, a device must be kept safe and effective through adherence to quality manufacturing standards established by FDA

Safety

Is a medical device safe for use in humans? Does it cause adverse events? Are its risks tolerable in relation to its benefits?

EfficacyIs a device effective for its given purpose? What is the magnitude of the effect? Tr

adit

iona

lEv

olvi

ng

PwC

A brief history of FDA and medical device cybersecurity

FDA issues general warning on device cybersecurity based on “known vulnerabilities”

FDA issues draft guidance on medical device cybersecurity

FDA releases final guidance on cybersecurity for networked

medical devices containing off-the-shelf software

January 2005

FDA issues first-ever warning about cybersecurity vulnerability of a device

FDA issues its final guidance document

on including medical device cybersecurity information in

premarket applications

President Obama issues executive order on improving infrastructure cybersecurity

February 2013

June 2013June 2013

October 2014July 2015

FDA issues draft guidance document on post-approved monitoring of medical device cybersecurity

January 2016Late 2016???

FDA issues final guidance document on post-approved monitoring and

remediation of medical device cybersecurity

PwC

FDA Pre-Market Cybersecurity Guidance

Key takeaways from the FDA’s previous guidance:• Manufacturers should address cybersecurity during the “design and development” of the medical device• Leverage NIST’s Cybersecurity Framework (NIST CSF)

• The scope of the Guidance covers the following: 510k, de novo submissions, Premarket Approval Applications (PMAs), product development protocols, and humanitarian device exemption

RecoverDetectIdentify RespondProtect

PwC

Draft FDA Post-Market Cybersecurity Guidance

‘Medical device manufacturers […] should take steps to ensure appropriate safeguards. Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity. They are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.’

• Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;

• Understanding, assessing and detecting presence and impact of a vulnerability; • Establishing and communicating processes for vulnerability intake and handling; • Clearly defining essential clinical performance to develop mitigations that protect, respond and

recover from the cybersecurity risk; • Adopting a coordinated vulnerability disclosure policy and practice; and • Deploying mitigations that address cybersecurity risk early and prior to exploitation.

PwC

Draft FDA Post-Market Cybersecurity Guidance

In the absence of remediation, a device with uncontrolled risk to its essential clinical performance […]. may be considered in violation of the FD&C Act and subject to enforcement or other action.

Manufacturers should report these vulnerabilities to the FDA according to 21 CFR part 806, unless reported under 21 CFR parts 803 or 1004. However, the FDA does not intend to enforce reporting requirements under 21 CFR part 806 if all of the following circumstances are met: • There are no known serious adverse events or deaths associated with the vulnerability, • Within 30 days of learning of the vulnerability, the manufacturer identifies and implements device

changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users, and

• The manufacturer is a participating member of an ISAO, such as NH-ISAC;

PwC

Medical Device Cyber Threat Landscape

Motives/Targets

Obtaining PHI/PII

Physical Attacks

Street ‘Cred’

Financial Gain

Retaliation

Extortion

Political/Social Change

Shift Organizational Objectives

Disrupt Business

Threat Actorsare driven by these motives and targets…

ThreatActors

CriminalGroups

Rogues

IntelligenceServices

Hackers

Activists

NationStates

D/DoS

ThreatVectors

Software Vulnerabilities

Sniffing

Brute Force

Malware / Viruses

…utilizingthese ThreatVectors

The cybersecurity challenge now extends beyond just protecting our information. Today, threat actors may be targeting the very devices that are used to provide care and treatment …

Insiders

PwC

FDA is not the only US Regulator interested in cybersecurityFour US agencies monitor medical devices in some way

0102

0304

FDA

NIST

FDA

DHS

HHS

FTC

The Food and Drug Administration

Department of Homeland Security (ICS-CERT)

Department of Health and Human

Services

Federal Trade Commission

PwC

Medical Device manufacturers need to be proactive to secure their devices…

Look to mature software and technology firms for inspiration and models

Determine best practices for connecting, securing and updating devices

Like quality, security must be designed into each product

Create incentives to find and report vulnerabilities

Routine security assessments to review device vulnerabilities

Limited experience/ability reacting to cybersecurity events in devices after product launch

Consumer confidence in the entire sector being hurt due to one company’s failures

Tougher regulation may follow problems affecting a patient’s health

Lawsuits, reputational harm, fired executives, and recalled products

Patients harmed or killed by a compromised device

What to fear What to do

PwC

A security centric, risk based product development process is core to the deployment of a secure effective medical device…

Protect

Information &

Maintain Device

Integrity

Incorporate

Product Safety

Imbe

d Dat

a

Privac

y

Man

agem

ent

Enable

Risk

Iden

tifica

tion

and M

itiga

tion

02Protected Health InformationProduct design must be equipped with handling patient sensitive information to meet both HIPAA and FDA regulations.

04Product SafetyProduct design must incorporate safety features that meet the regulatory requirements such as alarm systems to protect users and patients from unanticipated adverse situations

Medical Device Development

Secure Product ArchitectureProduct design must protect the

information & the device against any threats posed by external

circumstances or by other connected devices.

03Risk Assessment and

ManagementProduct design must enable

identification and management of risk through the product development

lifecycle.

01

PwC

With evolving technology and the changing regulatory climate it is essential that medical device design includes holistic product safety considerations and incorporates leading edge solutions against security threats & vulnerabilities

Medical Device

Privacy and

Security

Product Design

Product Launch Strategy

Patient NeedsMarket InsightsRegulatory Requirements

Innovation StrategyBusiness RequirementsFinancial Targets

PwC

To meet the current regulatory requirements and protect the device from cybersecurity attacks, it is critical to embed security within the lifecycle of the product and in risk management considerations…

Product Design

Requirements

ProductLaunch

Pre-market

Risk Management Lifecycle

Inevitable need to explore unidentifiable risks including

foreseeable tampering

Established mechanism to feed post market monitoring data into next

Gen device design

Continuous compliance with HIPAA and other privacy regulations

IT compliance function with expertise to evaluate compliance

with various regulations

Effective security and data standards with an ability to rapidly

respond to emerging threats

Risk Management Considerations

…and build an Incident Response capability that will allow the organization to respond to emerging threats to their devices in a methodical, repeatable and defensible way.

Incident ResponseLife Cycle

Use the information

gained during the event to build more secure devices and

improve future response

Recover Understand the

threat that has been uncovered

and how it is impacting the

device

React

Determine how to remediate the issue and notify your customers

Respond

Determine how an event will be

handled, by whom and what

tools will be necessary to be

effective

Prepare

PwC

Questions…

PwC