MedCon 2016 Case Study Clinical Data Stored in the Cloud Managing the Risks from a Quality Perspective 05May2016 Track 2: “You Really want to store Clinical.

Presentation transcript:

MedCon 2016 Case Study Clinical Data Stored in the Cloud Managing the Risks from a Quality Perspective 05May2016 Track 2: “You Really want to store Clinical Data in the Cloud?” Presenter: Bob Banta

MedCon 2016 Slide 2
Lilly System of Quality (SoQ) Model
At MedCon 2015, we discussed lessons learned with changes to the Lilly QMS for MMA/SaMDs. In case you missed it, that presentation is available at:
In today’s presentation, we address how the Lilly System of Quality (SoQ) model can inform decisions made with respect to an integrated risk management approach to “Project Connect.”
To begin with, let’s re-examine a few of the foundational elements of the SoQ model. Then we will progress into how the SoQ informs decisions made about these foundational elements as they apply to risk management for “Project Connect”.

MedCon 2016 Slide 3
“Project Connect” Big Picture Challenge
Big Picture Challenge: FDA and other Regulatory Agencies expect device manufacturers to follow design controls for cybersecurity. How does “Project Connect” solve the risk management challenge without a single harmonized international standard for medical device cybersecurity?
Response: Create a customized medical device cybersecurity standard that meets the “Project Connect” risk proposition. Follow the SoQ model to integrate the applicable standards that will be used for this customized medical device cybersecurity standard.

MedCon 2016 Slide 4
System of Quality (SoQ)
SoQ functions as a “Systems Engineering Methodology for all things Quality” – F. Blacha (2015)

MedCon 2016 Slide 5
Linking Risk Elements Together under the SoQ
SoQ: Managing Data in the Cloud using a holistic approach
[Diagram: SoQ, with the elements Compliance, Risk Elements, Cybersecurity Assurance Case, Deliverables, Business Process, Governance, Organization]

Compliance

MedCon 2016 Slide 7
Compliance: What Standards?
What Medical Device Cybersecurity Standard(s) do We Comply With?
With no single harmonized international consensus standard for medical device cybersecurity, what are going to be our requirements?
The System of Quality leads you to conducting an assessment of available standards so that you can identify the appropriate requirements with respect to addressing “Project Connect” cybersecurity risk concerns.

MedCon 2016 Slide 8
Compliance: Standards Harmonization
Compliance Standards groups are moving toward harmonization on Cybersecurity:
• National Institute for Standards and Technology (NIST)
• European Telecommunications Standards Institute (ETSI)
Both groups are promoting a common cybersecurity framework.

MedCon 2016 Slide 9
Compliance: Cybersecurity Standards
Following the SoQ, we would assess existing applicable Standards. The table shows some of the important already existing standards.
Standard No. | Standard Title
IEC 62304 | Medical device software – Software lifecycle processes
ISO/IEC 27001 | Security techniques – Information security management systems – Requirements
ISO/IEC 27005 | Information technology – Security techniques – Information security risk management
ISO/IEC 27032 | Information technology – Security techniques – Guidelines for cybersecurity
ISO/IEC | Information technology – Security techniques – Application security
ISO/IEC 29147: 2014 | Information technology – Security techniques – Vulnerability disclosure
ISO/IEC 30111: 2013 | Information technology – Security techniques – Vulnerability handling processes
AAMI/ANSI/IEC TIR : 2012 | Application of risk management for IT Networks incorporating medical devices – Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls
IEC/TR | Medical device software – Part 1: Guidance on the application of ISO to medical device software

MedCon 2016 Slide 10
Compliance: Cybersecurity Guidances
Following the SoQ methodology, we would assess existing applicable guidances:
• NIST Framework for Improving Critical Infrastructure Cybersecurity v1.0
• FDA Final Guidance Infusion Pumps Total Product Life Cycle (contains Safety Assurance Case guidance for medical device software)
• FDA Final Guidance on MMAs
• FDA Final Guidance for Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
• EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité - Expression of Needs and Identification of Security Objectives)
• European Telecommunications Standards Institute (ETSI) TR v1.1.1 (Nov2015) Cyber: Global Cyber Security Ecosystem

Risk Elements

MedCon 2016 Slide 12
Risk Elements: FDA Minimum Requirements
These cybersecurity risk elements include:
• Identification of assets, threats, and vulnerabilities
• Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients
• Assessment of the likelihood of a threat and of a vulnerability being exploited
• Determination of risk levels and suitable mitigation strategies
• Assessment of residual risk and risk acceptance criteria

MedCon 2016 Slide 13
Risk Elements: Design Control Perspective
Using the SoQ model, cybersecurity risk elements would be documented in accordance with design control principles, for example:
Risk Management Plan requirements:
• Supply Chain Management requirements for Cloud Service Providers
• Physical and Logical Security requirements for Data Centers including data breach incident response management
• Cybersecurity risk management for both patient risk and for data asset protection under a Safety Assurance Case approach
• Expectations for protection of data integrity for data at rest and data in-transit
• Expectations for appropriate subject matter experts (such as independent cybersecurity consultants) to review and approve the risk management plan

Business Processes

MedCon 2016 Slide 15
Business Processes: Adapting to Cybersecurity
How do we modify our risk-related business processes and stay compliant with ISO across the product lifecycle?
Project Connect needed new business processes that would holistically address the associated cybersecurity-related risk elements such as:
• Cross-Functional Collaboration
• Supply Chain Management
• Protecting digital health information
• Merging existing medical device risk management processes into a Safety Assurance Case

MedCon 2016 Slide 16
Business Processes: Cross-Functional Collaboration
Examples of new Cross-Functional Collaborative Business Processes:
Cross-Functional Teams | Subject Area
IT technical teams working with Medical Device development teams | Design Controls under a Medical Device quality management system (QMS) for MMAs
Medical Device Quality and IT Quality | Joint Supply Chain auditing of Cloud Service Providers
Product Complaint Teams working with IT technical teams | Develop a MMA product complaint management process inclusive of training and support
Global Mobility group and Medical Device Development team | Adapted process controls for MMA deployment process to Apple’s App Store
Enterprise Resource Programs (ERPs) business unit and Medical Device Development team | Placement of MMA as business objects in the ERP System
IT Information Security SME working with Independent Cybersecurity Consultants | Review MMA cybersecurity risk management processes, conduct penetration testing, etc.

Deliverables

MedCon 2016 Slide 18
Deliverables: Risk Management Plan is the Driver
Design Controls call for a Risk Management Plan. This diagram shows deliverables addressing both patient safety, data asset cybersecurity risks, and the integration of both.
[Diagram labels] Cloud Cybersecurity Risk Assessment Cloud Cybersecurity Risk Management Plan System Cybersecurity Risk Management Plan System Integration Risk Management Plan Common Preliminary Hazards Analysis (PHA) Project Connect Risk Management Plan AFMEA Risk Analysis Formative & Summative HF Evaluations System Risk Human Factors (HF) Plan Cybersecurity Residual Risks System Information Asset (Data Integrity) Cybersecurity Assurance Case Cloud Software Risk Management Plan System Patient Safety Residual Risks System Patient Safety Assurance Case (SAC) MMA App Software Risk Management Plan

Cybersecurity Assurance Case

MedCon 2016 Slide
Cybersecurity Assurance Case: Addressing Risk Elements
“Project Connect” Risk Elements to Clinical Data Stored in the Cloud
Challenge: How does the “SoQ” help manage these Risk Elements?

MedCon 2016 Slide 21
Cybersecurity Assurance Case: Managing Cybersecurity Risks under ISO
How do We Manage Cybersecurity Risks under ISO 14971?

MedCon 2016 Slide
Cybersecurity Assurance Case: Adapting ISO for Cybersecurity
Relationship of Cybersecurity Risk Elements under an ISO Model

MedCon 2016 Slide 23
Cybersecurity Assurance Case: Merging Risk Analyses
CHALLENGE: For Project Connect, how do we integrate the top-down common PHA with the bottom-up DFMEA and also integrate the data asset cybersecurity risk assessments and controls?
RESPONSE: For Project Connect, adopt a business process for Cybersecurity Assurance Case methodology to integrate top down analysis with bottom up analysis.
Threats and Vulnerabilities are tied to data asset location:
• Data in-transit
• Data at rest on device
• Data at rest in Cloud
• Natural Disasters
• Misuse
[Diagram labels: Controls, Claim, Argument, Evidence, Top Down Analysis, Bottom Up Analysis, Vulnerabilities, Harms, Threats, Causes, Occurrence, Severity, Evidence]

Organization

MedCon 2016 Slide 25
Organization: Finding the Right People for the Right Roles
Challenge: “Project Connect” design reviews are required to have an independent technical reviewer.
Response: For medical device cybersecurity risk controls, the team engaged an independent cybersecurity risk consulting firm. This firm independently reviewed cybersecurity-related design documentation, performed penetration testing, performed code reviews, and produced a technical report with an assessment of the “Project Connect” cybersecurity risk management program with recommendations to meet industry best practices.

Governance

MedCon 2016 Slide 27
Governance: Cybersecurity Management Oversight
Challenge: “Project Connect” needs cross-functional governance oversight.
Response: Cross-functional governance oversight would serve as an approval body for “Project Connect” design control documents and risk management (such as cybersecurity or SAC) deliverables. The SoQ drove the chartering and governance proceduralization for this cross-functional governance body. Functional areas represented in this governance body included among others quality, patient safety, medical, legal, regulatory, privacy, labeling, information security subject matter expert (cybersecurity specialist), etc.

MedCon 2016 Slide
Governance: Cybersecurity Process Owners
Using the “SoQ” model, organization needs associated with Project Connect such as roles, spans of control, and clear accountability including items:
• Clear organizational accountability for patient privacy decisions
• Identification of control over any promotional and labeling content
• Human Factors subject matter experts leading cross-functional teams in formative and summative HF Studies
• Collaborative groups of IT Security SMEs and Independent Cybersecurity Consultants advising and reviewing Project Connect cybersecurity risk management practices
• Usage of steering teams to select integrated software toolsets (code management, etc.)
• Collaborations of Device and IT Security performing cybersecurity assessments of Cloud Service Provider
• Postmarket Surveillance inclusive of monitoring key cybersecurity metrics such as Distributed Denial of Service (DDoS) attacks, application crash metrics, Man-in-the-Middle (MITM) threats, account management, etc.

MedCon 2016 Slide 29
Governance: Establishing Cross-functional Lead Teams
Using the “SoQ” model, governance / management oversight needs associated with Project Connect to ensure management involvement, appropriate problem escalation, timely decision making processes were developed. Items such as:
• Creation of a cross-functional lead team responsible for Project Connect-related: DHF document approvals, change management approvals, medical affairs decisions, residual risk acceptability decisions, legal decisions, patient data privacy decisions, etc.
• Collaborative team auditing of Cloud Service Providers and Data Centers.
• Agreements as to Project Connect launch approvals from appropriate groups such as labeling, promotional materials, IT teams responsible for app submission to Apple’s App Store.

MedCon 2016 Slide 30
SoQ Addresses the Risks Holistically
• Created cross-functional lead team to oversee MMA development, risk management, MMA deployment and post-launch change control approvals.
• Partnered with IT Group to manage Cloud Service Provider changes and develop hybrid Quality Agreements.
• Modified clinical data risk management business processes to include cybersecurity risk management.
• Engaged independent cybersecurity SMEs for holistic risk management assessments.
• Adopted collaborative auditing of Cloud Service Providers.
• Worked with IT Information Security SME to liaise between MMA teams and IT Security teams
• Hired new MMA team support with years of MMA Industry experience.
• Quality Standard addresses supply chain management of Cloud Service Providers, data centers, cybersecurity risk management under a SAC.
“Project Connect” relies on System of Quality Model to become comfortable with the risks of putting clinical data in the Cloud.
[Diagram labels: Integrated Standards, Business Processes, Organization, Governance/Management Oversight]

MedCon 2016 Slide 31
Questions?