Medical Device Cyber Security for Safer Devices and Networks
A Collaborative International Cyber Safety Network for Health Technology
NCHICA, March 27, 2018
Dale Nordenberg, MD, Executive Director, Medical Device Innovation, Safety and Security Consortium
[email protected]
Medical Device Cyber Security for Safer Devices and Networks
Risks
• Safety
• Privacy
• Business
• Regulatory
• Accreditation
• Reputational
• Professional liability
Patient Exposure to Connected Devices: Very High
But No Data Is Available About Exposure
500,000,000,000: estimated number of times a patient will be exposed to a connected medical device over the next 10 years*
Care Stats
• 1 billion healthcare visits / year
• Hospitals and clinics
• 6,000 hospitals
• 17,000 nursing homes
• > 5 M home health visits / year
• > 10 K home health agencies
• 1.5 M nursing home residents
*Estimate
Confidential for MDISS Briefing Only - Not for Distribution
Taking Action: Cyber Securing Healthcare Delivery
Talk security risk and…
Create healthcare delivery solutions and…
MDRAP LIVE DEMO: Medical Device Risk Assessment Program
Collecting and Sharing Risk Information
Drive Safer Device Networks
• Assessment analytic results plotted in a magic quadrant
• Magic quadrant supports efficient executive-level discussions of risk-benefit with non-technical leadership
• Table lists all numeric data in the plot chart
• Notes are automatically generated from the analytics module
Risk Assessment Platform and Beyond
• Delivers risk assessment methodologies
• Agile and configurable as understanding evolves
• Epidemiologically robust
• Provides services, e.g. a standardized device catalogue, that enable diverse data sharing and data commons
• Provides business value to support adoption of public health programs
• Supports collaborative innovation and crowdsourcing of work
Model: Sample Risk Assessment Result
MDRAP Standards-Based Assessment Control Categories
Table view of the assessment scoring data
Medical Device MDS2 (Manufacturer Disclosure Statement for Medical Device Security) Library
• Standard MDS2 form
• Completed by manufacturer or by health system
• PDF format today
• Structured data capability in 2018
• Contributor of the MDS2 form informs the sharing policy
• Working closely with stakeholders for MDS2 forms and for sharing acceptance
Assessments Management
• Largely based on the standard MDS2 form
• Additional data elements inform level of effort to remediate, scoring of control deficiency, and impact score
• Completed by manufacturer or by health system
• All MDRAP-based completion
• Contains scoring data
• Sharing status dictated by
Patient Safety and Public Health: Business – Patients – Communities
* Sample of data tied to specific devices. Flexible enough to support other structured data or attachments.
The National Cyber Safety Network for Health Technology is modelled on the CDC's hospital-acquired infections (HAI) analogue, the National Healthcare Safety Network (NHSN).
Consensus Best Practice Guides: Cyber Protection and Safety
Crush Barriers to Adoption: Instructs ‘How to’ Deploy MDRAP
Figure: Expertise gap → workforce enabled → cyber protection and safety impact. Expert innovation teams create consensus best practice guides; the full community executes per the consensus best practice guides; iteration.
Cyber Security Impact Amplification
Figure: Build technology (MDRAP) → public health programs → patient and population safety impact. Impact enables investment in policy, workforce and best practices.
Key Benefits: Market-Level Voice Catalyzing Safety Transformation
• First and only executable risk assessment methodology for medical devices
• Generates real-time cyber security requirements for medical devices
• Renders medical device security profile transparent and actionable
• Builds workforce: trains technology and biomedical engineers
• Healthcare industry-wide transformation
• People engaged, supported, educated and trained
• Process defined, matured, distributed and exercised
• Technology developed and matured through large-scale collaborative process
• Public health programs drive patient and population safety impact
• Policy driven by data for decision making
• Cyber security and safety transformational model supports other industries
Key Public Health Messages for Cyber Safety
• Medical device cybersecurity is a public health challenge
• Public health best practices provide the key programmatic capabilities to address this public health risk
• National Cyber Safety Network for Health Technology is a public health initiative and patient safety program based on the CDC NHSN as an analogue
• NCSN transforms a focus on technology vulnerabilities and risk into healthcare delivery solutions
• Delivering patient centric security and securing patient care delivery environments
Safety Occurs at the Intersection of Data and Safety Programs
What is the ‘Human Exposure’? A Medical Device – Patient ‘Contact’*
>500 billion exposures / 10 years
>50 billion exposures / year
> 4 billion exposures / month
> 133 million exposures / day
> 100,000 exposures / minute
*Estimate based on CDC data for patient visits per year to the USA healthcare system
*Contact may be via wired or wireless interaction
What Can You Do Today? Closing the Cyber Risk Mitigation Gap
• Share medical device cyber information at the ‘bedside’
• Ensure that hospitals and their teams have the cyber specifications that they need to best configure medical devices and their associated networks
• Add cyber surveillance capability
• Share cyber surveillance with manufacturers to help them comply with post-market surveillance requirements and design better products
• Help address one of the major risk factors, the lack of specifications, associated with the building of care delivery networks (This is like prescribing drugs with no idea about their mechanism of action or their adverse reactions)
What If You Elect to Delay? The Cyber Risk Mitigation Gap Widens
• Preventable exposures exceeding 4 billion per month
• Missed opportunity to detect sentinel signals for a malware ‘epidemic’
• Less effective data collection and sharing for preparedness and emergency response
• Malware spreads
• Detection and remediation delayed
• Sub-optimal innovation networks for best practice development and testing
• Slowed exposure of the workforce, a very small percentage of which has been trained to competency in medical device cyber risk, to important education and training activities
• Lack of information for health systems presents a large legal liability for both health systems and manufacturers
National Healthcare Technology Cyber Safety Network
Figure: Components: HDO Operations & Research; Data Collection Network; Medical Device Evaluation; Stakeholder Community (State and Local Public Health, Federal Agencies, Public Private Partnership, Academic and Research); Policy Programs; Education and Training Programs; Consensus Best Practice and Quality Improvement Programs. Outcome Domains: Patient and Public Safety, Health Systems, Device Safety, Critical Infrastructure.
Acknowledgement
All work presented has been a collaborative effort of many health systems, manufacturers, technology companies, industry associations, and research institutions.