Cybersecurity for Medical Devices
Presented at the MedSun Audioconference by Catherine Sprague, Senior Business Analyst, UHC
April 12, 2005
© 2005 University HealthSystem Consortium

Who is the University HealthSystem Consortium?

The University HealthSystem Consortium (UHC), formed in 1984, is an alliance of academic health centers situated mainly in the United States. As a membership organization, UHC provides its 90 full members and 123 associate members with a variety of helpful resources aimed at improving performance levels in clinical, operational, and financial areas. The mission of the University HealthSystem Consortium is to advance knowledge, foster collaboration, and promote change to help members succeed in their respective markets.

Background

• Early in 2004, the UHC CIO Steering Committee asked UHC to investigate the issue of medical device security and suggest ideas to mitigate the problem.
• The UHC Medical Device Security Team: Pete Giordano, MCSA/MCSE - Security, CISSP, Senior Security Analyst; Catherine Sprague, Senior Business Analyst; and Doug Surch, PMP, CISSP, Director, Project Management Office

Background

• Interviews with:
   - Medical device vendors/manufacturers
   - Government Agencies
   - Industry Groups
   - Members, members, and more members!

Lots of research, culminating in a… White Paper published in January 2005, available at:

The Problem

• Medical device security is a significant issue for healthcare organizations.
• The problems are related to the complex and sensitive nature of the devices.
• Security solutions are often invasive, requiring patches or updates to the device software and/or OS.

Not the FDA!
Must usually be applied by the manufacturer!

There is often a disconnect between the manufacturers and providers as to what “secure” actually means, as well as the length of time that is acceptable for a medical device to be exposed to risk before a patch can be applied!

The Solution must:

• Accommodate the providers’ need, timing, and sense of urgency;
• Accommodate the vendors’ time and resource constraints;
• Fix an identified vulnerability or provide an extra measure of protection for the device and/or network, without compromising the performance and/or integrity of the device.

Short Term Solutions: FDA/MedSun Reporting

• The FDA encourages health care organizations to report any and all problems.
• There is a notable lack of formal reporting on the part of the providers.
• Without formal evidence, the FDA is limited in its ability to act.
• This is something that providers can and should start doing immediately!

Short Term Solutions: Incident Response

An effective incident management plan can:
   1. Minimize the damage from a security event.
   2. Provide important lessons for improving security.

Incident response plans must:
   1. Include network medical devices.
   2. Provide feedback to regulatory agencies and device manufacturers.

Short Term Solutions: Risk Management

• Requires a vigilant methodology
• A multi-disciplinary team to:
   1. Monitor organization’s network/exposure.
   2. Monitor security bulletins (e.g. CERT).
• Also applies to the device:
   1. Easier to prioritize where extra controls are needed.
   2. Helps make the case for extra funds to protect the network.

Medium Term Solutions: Standard Assessment

• A common set of questions used to assess security components:
   1. Can be used by provider to understand risk.
   2. Can be a qualifier when choosing between otherwise comparable devices.
• Examples:
   1. MDS downloads since it was posted!
   2. NCHICA

Long Term Solutions: Device Design

• Security components should be an integral part of the device.
   1. Installed and supported by the manufacturer; the responsibility is clearer.
   2. Strongly supported by UHC members.
• Drawbacks:
   1. Defining the “best” security strategy and software.
   2. Security components must not impact the function of the multiple devices.
   3. These even more complex devices must be compatible with multiple organizational enterprise layered defense strategies.
   4. The length of time to develop a medical device is 5 to 7 years.

Long Term Solutions: Industry Groups

HIMSS has formed a Medical Device Security Workgroup:
   1. Identify both the security issues associated with medical devices and systems and the best practices available to address those issues.
   2. Evaluate the issues of security threats and vulnerabilities that affect medical devices, the provider’s and the equipment manufacturer's responses and responsibilities, and the legal and regulatory framework in which these issues must be addressed.
   3. Coordinate with similar groups and committees to capitalize on existing efforts and realize the economies of collaboration.
   4. Prepare and endorse white papers, guidance documents, comments, and recommendations on medical device security issues and practices for addressing those issues.
   5. Educate HIMSS membership and the industry on the implications of medical device security through publications, tools, resources, and educational programs.

Long Term Solutions: Industry Groups

• North Carolina Healthcare Information and Communications Alliance, Inc. (NCHICA):
   1. A nonprofit consortium of more than 250 organizations dedicated to improving health care by accelerating the adoption of information technology.
   2. Developed the NCHICA Vendor RFP Template.

There is strength in numbers! Industry groups, such as HIMSS and NCHICA, can wield great influence.

Conclusion

• There are a variety of approaches to medical device security.
• No single solution stands out over the others and all have merit.
• As long as there are computers, there is a potential for compromise and a combination of approaches is necessary.
• Providers NEED to protect their environments, however …

Vendors and Providers need to work together to define a common approach and resolution to the issue of medical device security!

For more information, contact:

Peter Giordano, (630)
Cathy Sprague, (630)
Doug Surch, (630)

Questions?

Thank You!