
How to Stay Two Steps Ahead of The New Cybersecurity IoMT Requirements

SternumIoT
October 24, 2022


Shlomit Cymbalista, Head of Regulations @Sternum, surveys the regulatory landscape for medical devices and its impact on the future of the industry. Presented at the Annual Medical Device and Diagnostic Cybersecurity Conference (2022).


Transcript

  1. How to stay two steps ahead of The New Cybersecurity Requirements
    Shlomit Cymbalista
    Head of Regulation and Compliance, Sternum

  2. For Discussion
    1 Era of hypothetical is over
    2 Cyber is no longer an add-on
    3 Key changes in FDA requirements
    4 Sounds complicated. Now what?

  3. 1 Era of hypothetical is over

  4. Insulin Pumps, Intracardiac Defibrillators, Mobile Cardiac Telemetry, Intrathecal Pain Pumps, Pacemakers
    “The FBI specifically cited vulnerabilities … noting that malicious hackers could take over the devices and change readings, administer drug overdoses, or otherwise endanger patient health.”

  5. Caused longer patient stays, delays in procedures and overall decreases in the quality of care
    20% / 50%
    Saw an increase in mortality rates
    The FBI cites a report from a week prior which found that 89% of healthcare professionals surveyed experienced at least one cyberattack in the last 12 months.

  6. HIPAA, GDPR, ISO 27001, ISO 27799
    Cybersecurity and Healthcare: Evolving from Data Protection to Product Security

  7. The New Reality: Product Security Is Patient Safety.

  8. 2 Cyber is no longer an add-on

  9. Submissions are meeting pushback by the FDA:
    Cybersecurity = Safety
    Run-Time Protection
    Evidence and performance of controls

  10. Coding Errors Affecting Safety
    Feedback Example #1
    …did not include information on the tools, such as static analysis tools, that you used to detect run-time errors. …needed to assess whether good coding practices have been implemented to prevent common coding errors which may adversely affect the safety of the device.
    …tools used, identify what error types the tool detects, method and process of applying the tool(s), and a summary report and/or conclusion about the results.

  11. Cyber by design
    Feedback Example #2
    “The information security and cybersecurity of the device is needed to evaluate the cybersecurity risks and the associated controls. The FDA has been asking for the cybersecurity even from devices that have no connectivity.”
    • Mitigations for intentional and unintentional cybersecurity risks
    • Cybersecurity risks considered in the design
    • List and justification for all cybersecurity controls
    • Evidence that controls perform as intended
    • Information confidentiality, integrity, and availability

  12. 3 Key Changes in FDA Requirements
    • Security within design of the device
    • Secure practices and evidence
    • Onus is on the manufacturer

  13. FDA Cybersecurity guidance, April 2022:
    “FDA requires manufacturers to implement development processes that account for and address cybersecurity risks as part of design control … Premarket submissions should include information that describes how the security objectives are addressed by and integrated into the device design…”

  14. Total Product Lifecycle
    Secure By Design From Day 1 and throughout the Total Product Lifecycle
    Security TPLC: Implementation of SPDF to mitigate cybersecurity risks
    SPDF: Security process to manage safe devices as part of QMS system
    Vulnerability Management: Identify, evaluate, treat, and report on security vulnerabilities including 3rd party libraries
    SBOM: Traceability and transparency of all software components and their vulnerabilities
    V&V (IN-DEV): Security requirements, threat mitigation, vulnerability testing, penetration testing throughout testing
    PMS (POST MARKET): Continuous monitoring, risk assessment performed for postmarket vulnerability

  15. A Global Movement
    • Patch Act
    • IMDRF Principles and Practices of MD Cybersecurity
    • MDCG (EU) 2019-16
    • Medical Device and Health IT Joint Security Plan (JSP)
    • NIST
    • Secure by design
    • SBOM
    • 3rd party vulnerabilities
    • Post market surveillance
    • Vulnerability management
    • Secure development process

  16. 4 Sounds complicated. Now what?

  17. A Standard Medical Device
    ● 1M units in the field
    ● 5-year old code
    ● 2MB of free space
    ● No visibility into usage, quality, performance, geolocation
    ● 3 vulnerabilities found: heap overflow, time-of-check/time-of-use (TOCTOU) OTA vulnerability, information leak

  18. New requirements to meet -> Technologies available
    Mitigation of supply chain/3rd party attacks -> Vulnerability management and coverage of 3rd parties; automated SBOM
    Full visibility into usage, cyber breaches, performance once in field -> Real-time observability and alerting
    Technical security controls -> Integrity, cryptography, authentication, event detection, etc.
    Secure from design -> Autonomous security solution built into the device code/software (agentless)

  19. Sternum: Synergy of Security + Observability
    What: For both new and legacy devices
    Why: Improve your ROI with minimized need for patching
    How: All with:
    ● Low memory requirements
    ● No impact on performance
    ● Little to no impact on resources – no Internet connection needed
    Total Product Lifecycle (Security TPLC, SPDF, Vulnerability Management, V&V in-dev, PMS post market, as on slide 14)
    Run-time protection
    * Embedded protection throughout TPLC
    * Seamless integration
    * Part of cybersecurity V&V
    * Protection from zero day attacks

  20. Sternum: Synergy of Security + Observability (same What / Why / How and Total Product Lifecycle as slide 19, adding SBOM: traceability and transparency of all software components and their vulnerabilities)
    Monitoring, Insights and Reports
    * Real time alerts of cybersecurity attacks
    * Monitoring and observability for Post Market Surveillance
    * Tool for CAPA and CC assessment
    * SBOM

  21. Sternum: Synergy of Security + Observability (same What / Why / How and Total Product Lifecycle as slide 19)
    Anomaly Detection
    * Early detection & investigation of emerging issues
    * Visibility and control of your device fleets
    * Device trends and user interaction

  22. Sternum: Synergy of Security + Observability
    Run-Time Protection
    * Embedded protection throughout TPLC
    * Seamless integration
    * Part of cybersecurity V&V
    * Protection from zero day attacks
    Monitoring, Insights & Reports
    * Real time alerts of cybersecurity attacks
    * Monitoring and observability for Post Market Surveillance
    * Tool for CAPA and CC assessment
    * SBOM
    Anomaly Detection
    * Early detection & investigation of emerging issues
    * Visibility and control of your device fleets
    * Device trends and user interaction
    What: For both new and legacy devices
    Why: Improve your ROI with minimized need for patching
    How: All with:
    ● Low memory requirements
    ● No impact on performance
    ● Little to no impact on resources – no Internet connection needed

  23. IMPLICATIONS
    • Cybersecurity is no longer an afterthought
    • Secure by design is the new cost of entry
    • Security doesn’t stop after the release
    • Continuous monitoring is a baseline for all
    • New documentation requirements are overwhelming and complex

  24. FEELING VULNERABLE?
    [email protected]
    Head of Regulation and Compliance, Sternum