How to Stay Two Steps Ahead of The New Cybersecurity IoMT Requirements
Shlomit Cymbalista, Head of Regulations @Sternum , surveys the regulatory landscape for medical devices and its impact on the future of the industry. Presented at the Annual Medical Device and Diagnostic Cybersecurity Conference (2022).
Pacemakers “The FBI specifically cited vulnerabilities ….noting that malicious hackers could take over the devices and change readings, administer drug overdoses, or otherwise endanger patient health.”
in the quality of care 20% 50% saw an increase in mortality rates The FBI site a report from a week prior which found that 89% of healthcare professionals surveyed experienced at least one cyberattack in the last 12 months
information on the tools, such as static analysis tools, that you used to detect run-time errors. …needed to assess whether good coding practices have been implemented to prevent common coding errors which may adversely affect the safety of the device …tools used, identify what error types the tool detects, method and process of applying the tool(s), and a summary report and/or conclusion about the results
cybersecurity of the device is needed to evaluate the cybersecurity risks and the associated controls. The FDA has been asking for the cybersecurity even from devices that have no connectivity.” Mitigations for intentional and unintentional cybersecurity risks Cybersecurity risks considered in the design List and justification for all cybersecurity controls Evidence that controls perform as intended. Information confidentiality, integrity, and availability
development processes that account for and address cybersecurity risks as part of design control …Premarket submissions should include information that describes how the security objectives are addressed by and integrated into the device design…”
throughout the Total Product Lifecycle Security TPLC Implementation of SPDF to mitigate cybersecurity risks SPDF Security Process to manage safe devices as part of QMS system Vulnerability Management Identify, evaluate, treat, and report on security vulnerabilities including 3rd party libraries SBOM Traceability and transparency of all software components and their vulnerabilities V&V Security requirements, threat mitigation, vulnerability testing, penetration testing throughout testing IN-DEV PMS Continuous monitoring, risk assessment performed for postmarket vulnerability POST MARKET
Cybersecurity • MDCG (EU) 2019-16 • Medical Device and Health IT Joint Security Plan (JSP) • NIST A Global Movement • Secure by design • SBOM • 3rd party vulnerabilities • Post market surveillance • Vulnerability management • Secure development process
5-year old code • 2MB of free space • No visibility into usage, quality, performance, geolocation • 3 vulnerabilities found • Heap overflow, time-of-use time–of-check OTA vulnerability, information leak
cyber breaches, performance once in field Technical security controls Secure from design New requirements to meet Technologies available Vulnerability management and coverage of 3rd parties; automated SBOM Real-time observability and alerting Integrity, cryptography, authentication, event detection, etc. Autonomous security solution built into the device code/software- agentless
and legacy devices Why Improve your ROI with minimized need for patching How All with: • Low memory requirements • No impact on performance • Little to no impact on resources – no Internet connection needed Total Product Lifecycle V&V Security requirements, threat mitigation, vulnerability testing, penetration testing throughout testing IN-DEV SPDF Security process to manage safe devices as part of QMS system Security TPLC Implementation of SPDF to mitigate cybersecurity risks Vulnerability Management Identify, evaluate, treat, and report on security vulnerabilities including 3rd party libraries PMS Continuous monitoring, risk assessment performed for postmarket vulnerability POST MARKET * Embedded protection throughout TPLC * Seamless integration * Part of cybersecurity V&V * Protection from zero day attacks Run-time protection
and legacy devices Why Improve your ROI with minimized need for patching How All with: • Low memory requirements • No impact on performance • Little to no impact on resources – no Internet connection needed Total Product Lifecycle Security TPLC Implementation of SPDF to mitigate cybersecurity risks SPDF Security process to manage safe devices as part of QMS system Vulnerability Management Identify, evaluate, treat, and report on security vulnerabilities including 3rd party libraries PMS Continuous monitoring, risk assessment performed for postmarket vulnerability POST MARKET SBOM Traceability and transparency of all software components and their vulnerabilities Monitoring, Insights and Reports * Real time alerts of cybersecurity attacks * Monitoring and observability for Post Market Surveillance * Tool for CAPA and CC assessment * SBOM
and control of your device fleets * Device trends and user interaction Sternum Synergy of Security + Observability Anomaly Detection What For both new and legacy devices Why Improve your ROI with minimized need for patching How All with: • Low memory requirements • No impact on performance • Little to no impact on resources – no Internet connection needed Total Product Lifecycle Total Product Lifecycle Security TPLC Implementation of SPDF to mitigate cybersecurity risks SPDF Security process to manage safe devices as part of QMS system Vulnerability Management Identify, evaluate, treat, and report on security vulnerabilities including 3rd party libraries PMS Continuous monitoring, risk assessment performed for postmarket vulnerability POST MARKET
of cybersecurity V&V * Protection from zero day attacks Run-Time Protection Monitoring, Insights& Reports * Real time alerts of cybersecurity attacks * Monitoring and observability for Post Market Surveillance * Tool for CAPA and CC assessment * SBOM Anomaly Detection * Early detection & investigation of emerging issues * Visibility and control of your device fleets * Device trends and user interaction Sternum Synergy of Security + Observability What For both new and legacy devices Why Improve your ROI with minimized need for patching How All with: • Low memory requirements • No impact on performance • Little to no impact on resources – no Internet connection needed
by design is the new cost of entry • Security doesn’t stop after the release • Continuous monitoring a baseline for all • New documentation requirements overwhelming and complex
sternumiot
denniskardys
smashingmag
kevinliebholz
62gerente
addyosmani
ddemaree
swwweet
sachag
iamctodd
hannesfritz
philhawksworth
![[email protected] Head of Regulation and Compliance, Sternum FEELING VULNERABLE?](https://files.speakerdeck.com/presentations/251434a404854770abf0b0db03cc85d9/slide_23.jpg){kind=link}