breakout session: cybersecurity in medical devices
TRANSCRIPT
The internet of deadly things
Medical Device Cybersecurity
Geoff Fisher
Director & Leader of PwC Medical Device Cybersecurity Practice
Health Industries Cybersecurity and Privacy
PwC
What is a medical device?
“An instrument, apparatus, implement, machine, contrivance, implant … which is … intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease”
– Food, Drug and Cosmetic Act
What’s driving a focus on cybersecurity?
The driver: The impact
• 01 Total business connectedness: A business’ payroll, sales and products might all be connected to the Internet—and vulnerable
• 02 Systemic risks: A new vulnerability could leave a once-secure business open to major problems immediately
• 03 Everything is under attack: People are looking for money, data, laughs, information, back-doors and infamy.
• 04 Risk to physical assets: Internet-connected products are vulnerable to physical problems, including failure
Over the years, medical devices have seen dramatic technological advances…
Before
• Devices are connected to patients physically
• Data obtained from devices are stored on paper or locally
• Devices are physical products
• Care is hand-administered at a health care location
• Physical access is needed to view health data
Now
• Devices are connected wirelessly to patients and other devices
• Data obtained from devices are stored in the cloud
• Devices include software and even databases of health information
• Care is available to patients in the palm of their hand through apps
• Health data can be accessed anywhere on earth
So have the concerns…
If a device gets hacked into, there are some big potential problems
• Patients could be harmed
• Protected health data could be lost
• Patients could die
• Lost trust in connected devices
And the cost of breaches.
Cybersecurity breaches are common and costly
• 18% of breaches cost more than $1 million to remediate
• 85% of large health organizations experienced a data breach in 2014
Hacked devices, lost customers
Many customers say they would never use, or would be wary of using, medical devices known to have been hacked or the healthcare facilities where the hack occurred.
“Some medical devices (e.g., in hospitals) are now connected to the Internet to allow for software updates. You heard that a medical device (e.g., a blood pressure monitor, etc.) had been the subject of a hack that left a patient injured physically and/or financially. How comfortable would you feel using another…” – HRI Consumer Health Survey 2015
Customers value Security over Utility!
“When using medical devices or healthcare mobile apps, I most value…”
• 62%: …knowing my health data is secure.
• 38%: …functionality and ease of use.
HRI Consumer Survey 2015
A shift in how the FDA thinks about regulating medical devices
Traditional considerations meet technology
• Security: Once a medical device is networked with other devices or the internet, is it still safe, or is it vulnerable to potentially serious problems?
• Quality: After approval, a device must be kept safe and effective through adherence to quality manufacturing standards established by FDA
• Safety: Is a medical device safe for use in humans? Does it cause adverse events? Are its risks tolerable in relation to its benefits?
• Efficacy: Is a device effective for its given purpose? What is the magnitude of the effect?
[Diagram labels: Traditional; Evolving]
A brief history of FDA and medical device cybersecurity
• January 2005: FDA releases final guidance on cybersecurity for networked medical devices containing off-the-shelf software
• February 2013: President Obama issues executive order on improving infrastructure cybersecurity
• June 2013: FDA issues general warning on device cybersecurity based on “known vulnerabilities”
• June 2013: FDA issues draft guidance on medical device cybersecurity
• October 2014: FDA issues its final guidance document on including medical device cybersecurity information in premarket applications
• July 2015: FDA issues first-ever warning about cybersecurity vulnerability of a device
• January 2016: FDA issues draft guidance document on post-approved monitoring of medical device cybersecurity
• Late 2016???: FDA issues final guidance document on post-approved monitoring and remediation of medical device cybersecurity
FDA Pre-Market Cybersecurity Guidance
Key takeaways from the FDA’s previous guidance:
• Manufacturers should address cybersecurity during the “design and development” of the medical device
• Leverage NIST’s Cybersecurity Framework (NIST CSF)
• The scope of the Guidance covers the following: 510(k), de novo submissions, Premarket Approval Applications (PMAs), product development protocols, and humanitarian device exemption
NIST CSF functions: Identify, Protect, Detect, Respond, Recover
Draft FDA Post-Market Cybersecurity Guidance
‘Medical device manufacturers […] should take steps to ensure appropriate safeguards. Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity. They are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.’
• Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
• Understanding, assessing and detecting presence and impact of a vulnerability;
• Establishing and communicating processes for vulnerability intake and handling;
• Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk;
• Adopting a coordinated vulnerability disclosure policy and practice; and
• Deploying mitigations that address cybersecurity risk early and prior to exploitation.
Draft FDA Post-Market Cybersecurity Guidance
In the absence of remediation, a device with uncontrolled risk to its essential clinical performance […] may be considered in violation of the FD&C Act and subject to enforcement or other action.
Manufacturers should report these vulnerabilities to the FDA according to 21 CFR part 806, unless reported under 21 CFR parts 803 or 1004. However, the FDA does not intend to enforce reporting requirements under 21 CFR part 806 if all of the following circumstances are met:
• There are no known serious adverse events or deaths associated with the vulnerability,
• Within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users, and
• The manufacturer is a participating member of an ISAO, such as NH-ISAC;
Medical Device Cyber Threat Landscape
Motives/Targets
• Obtaining PHI/PII
• Physical Attacks
• Street ‘Cred’
• Financial Gain
• Retaliation
• Extortion
• Political/Social Change
• Shift Organizational Objectives
• Disrupt Business
Threat Actors are driven by these motives and targets…
Threat Actors
• Criminal Groups
• Rogues
• Intelligence Services
• Hackers
• Activists
• Nation States
• Insiders
…utilizing these Threat Vectors
Threat Vectors
• D/DoS
• Software Vulnerabilities
• Sniffing
• Brute Force
• Malware / Viruses
The cybersecurity challenge now extends beyond just protecting our information. Today, threat actors may be targeting the very devices that are used to provide care and treatment …
FDA is not the only US Regulator interested in cybersecurity
Four US agencies monitor medical devices in some way
• FDA: The Food and Drug Administration
• DHS: Department of Homeland Security (ICS-CERT)
• HHS: Department of Health and Human Services
• FTC: Federal Trade Commission
Medical Device manufacturers need to be proactive to secure their devices…
What to fear
• Limited experience/ability reacting to cybersecurity events in devices after product launch
• Consumer confidence in the entire sector being hurt due to one company’s failures
• Tougher regulation may follow problems affecting a patient’s health
• Lawsuits, reputational harm, fired executives, and recalled products
• Patients harmed or killed by a compromised device
What to do
• Look to mature software and technology firms for inspiration and models
• Determine best practices for connecting, securing and updating devices
• Like quality, security must be designed into each product
• Create incentives to find and report vulnerabilities
• Routine security assessments to review device vulnerabilities
A security centric, risk based product development process is core to the deployment of a secure effective medical device…
Medical Device Development
• Protect Information & Maintain Device Integrity
• Imbed Data Privacy Management
• Enable Risk Identification and Mitigation
• Incorporate Product Safety
01 Secure Product Architecture: Product design must protect the information & the device against any threats posed by external circumstances or by other connected devices.
02 Protected Health Information: Product design must be equipped to handle patient-sensitive information to meet both HIPAA and FDA regulations.
03 Risk Assessment and Management: Product design must enable identification and management of risk through the product development lifecycle.
04 Product Safety: Product design must incorporate safety features that meet the regulatory requirements, such as alarm systems, to protect users and patients from unanticipated adverse situations.
With evolving technology and the changing regulatory climate it is essential that medical device design includes holistic product safety considerations and incorporates leading edge solutions against security threats & vulnerabilities
Medical Device Privacy and Security
• Product Design
• Product Launch Strategy
• Patient Needs
• Market Insights
• Regulatory Requirements
• Innovation Strategy
• Business Requirements
• Financial Targets
To meet the current regulatory requirements and protect the device from cybersecurity attacks, it is critical to embed security within the lifecycle of the product and in risk management considerations…
Risk Management Lifecycle
Product Design
Requirements
Product Launch
Pre-market
Risk Management Considerations
• Inevitable need to explore unidentifiable risks including foreseeable tampering
• Established mechanism to feed post market monitoring data into next Gen device design
• Continuous compliance with HIPAA and other privacy regulations
• IT compliance function with expertise to evaluate compliance with various regulations
• Effective security and data standards with an ability to rapidly respond to emerging threats
…and build an Incident Response capability that will allow the organization to respond to emerging threats to their devices in a methodical, repeatable and defensible way.
Incident Response Life Cycle
• Prepare: Determine how an event will be handled, by whom and what tools will be necessary to be effective
• React: Understand the threat that has been uncovered and how it is impacting the device
• Respond: Determine how to remediate the issue and notify your customers
• Recover: Use the information gained during the event to build more secure devices and improve future response
Questions…