MEDICAL DEVICE CYBERSECURITY...2017/10/04

Post on 20-May-2020


Transcript

1

MEDICAL DEVICE CYBERSECURITY

SETH D CARMODY PHD

CYBERSECURITY SUMMIT 2017

OCTOBER 23, 2017

www.fda.gov

2

Executive Orders (EO), Presidential Policy Directives, and Framework to Strengthen Critical Infrastructure Cybersecurity

•  EO 13636 (Feb 2013) → NIST Voluntary Framework (Feb 2014), v1.1 in Draft Jan. 10, 2017

•  PPD 21 (Feb 2013)

•  EO 13691 (Feb 2015) – establishment of Information Sharing and Analysis Organizations (ISAO)

•  EO 13800, "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure" May 17, 2017


3

Informational Tech/Operational Tech


Information Technology

Operational Technology

IoT – Internet of Things

By http://hem.dis.anl.gov/eehem/picts/94110818_8.gif [dead link], Public Domain, https://commons.wikimedia.org/w/index.php?curid=5804284

Control System

Internet-Connected Operational Technology

4

Center for Food Safety & Applied Nutrition

Center for Drug Evaluation & Research

Center for Biologics Evaluation & Research

Center for Devices & Radiological Health (CDRH)

Center for Veterinary Medicine

National Center for Toxicological Research

Center for Tobacco Products


FDA’s Regulatory Scope

5

The Active Adversary, A Fine Wine


Move over, Mirai

The attacks are a variation on those mounted by Mirai, a botnet made up of network cameras, digital video recorders, and other so-called Internet-of-things devices. The point of Mirai is to build an army of devices that cripple prominent websites with record-setting distributed DoS attacks. The motivation for the PDoS attacks remains unclear, in part because BrickerBot.2 attacked a much wider variety of storage devices—including those used by servers—rather than storage used only by more limited IoT devices

6

Intended Use + Misuse

http://hackaday.com/2015/09/07/brick-laying-robot-does-it-better/

http://www.technologyvista.in/pin/here-comes-the-brick-laying-robot-to-make-buildings/

7

Negative Requirements are Infinite!

Features: What a Device MUST Do…

Safety: What a Device MUST NOT do

Thou, shall not under or over deliver therapy!

Get drug libraries from the Internet

8

Postmarket Cybersecurity Risk Assessment


9

Device Lifecycle: Ecosystem Challenges


10

Empathy and Collaboration

From EO 13636

“We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.”

11

FDA’s Approach to Cybersecurity

•  Executive Orders
•  FDA Safety Communication
•  Draft Premarket Guidance
•  Begin Coordination with DHS
•  Recognize Standards
•  Establish Incident Response Team

•  Final Premarket Guidance
•  MOU with NH-ISAC
•  Public Workshop

•  Product-Specific Safety Comm
•  Build Ecosystem/Collaboration

2013

2014

2015

2016

•  Draft and Final Postmarket Guidance
•  Public Workshop
•  MOU with NH-ISAC/MDISS

2017

•  2005: Issued guidance
•  2008: Halpern, et. al.
•  2009: Issued safety communication
•  2011: “Hacking” of implantable insulin pump (Radcliffe)
•  2012: First recall of vulnerable software (Roche-PCAnywhere)
•  2013: Recall of TNS-listener (Roche)

Product-Specific Safety Comm

1st Cybersecurity WL

12

Questions?

Contacts:

•  CDRH mailbox, AskMedCyberWorkshop@fda.hhs.gov
•  Suzanne Schwartz, Suzanne.Schwartz@fda.hhs.gov
•  Aftin Ross, aftin.ross@fda.hhs.gov
•  Seth Carmody, seth.carmody@fda.hhs.gov
