PCD MEM Medical Device IT Management Project Status – April 2013 Axel Wirth PCD MEM Working Group

PCD MEM: Medical Device IT Management

Initial Goal Setting Work launched in Dec 2011 (scope & outline) Project coordination: PCD MEM priority PCD ITI (IT Infrastructure) is responsible for infrastructure and will support / consult These needs are not unique to PCD and may require cooperation with other IHE groups (e.g. RAD) or outside IHE (e.g. NEMA) Whitepaper purpose: Define status quo Established best practices Existing standards and regulations, including existing profiles Recommendation for to be developed profiles or standards (where appropriate)

Status Current active members: John Rhoads, Philips Dan Trainor, Philips Andrew Sargent, Philips Jeff McGeath, Accents on Integration Richard Hurst, iSirona Ryan Roobian, Symantec Axel Wirth, Symantec

Status No way around it – progress has been slow The “day job” problem …. Identified 3 Focus areas (based on provider feedback) Cyber Security Patching Configuration Management Researched best practices and existing standards: Reviewed published thought leadership Other industries may establish relevant precedent Data collection winding down, moving towards outline / specific proposal

Status Example: IEC 62443 (SCADA / IACS = Industrial Automation and Control Solution)

Status In parallel, working on leveraging synergies between us and MDISS (Medical Device Innovation, Safety and Security Consortium, www.mdiss.org) Proposed MOU between IHE and MDISS to join on Cyber Security. Reviewed by IHE International Board, assigned to Operations Subcommittee for recommendation. MDISS has agreed to draft MOU, ready to move forward. Benefits of cooperation: Combined resources IHE - Vendor experience, MDISS - Provider experience MDISS – broad approach: e.g. “epidemiological” analysis IHE - established frameworks: e.g. Profiles, Connectathon Lastly: avoid conflicting messages and confusion

What else? Need to re-align with CMMS project (Steve Merritt) Presentation at AAMI 2013 John Rhoads, Axel Wirth Presentation due by May 6! IT and Cybersecurity Challenges in a Medical Device World “Medical devices are increasingly becoming interconnected via standard IT networks, resulting in new challenges for healthcare technology management professionals. Because these devices need to be protected against cyber-attacks and privacy breaches, the device lifecycle must include safeguards such as software patch management, IT risk management, authentication, encryption, and more. In this session, you will learn about the challenges of maintaining the highly sensitive and strictly regulated environments required for IT-connected medical devices. You’ll recognize your own role in the process, as well as the role of your IT peers; and find out about existing standards, guidelines, and best practices”

Current Whitepaper Scope Outline: Definition and Architecture Asset Management Asset Tracking Discovery Automatic Configuration Monitoring and Logging Patch Management Lifecycle Management Risk Management Guidance Event Communication—non-alarm, system-to-system Cyber Security Status Information Privacy (encryption and similar) Key Management User-to–Device and Device-To-Network Authentication Note: the topics outlined will be purely IT focused and not deal with clinical functionality or patient management aspects.

Thank YOU