Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How to Stay Two Steps Ahead of The New Cybersec...

SternumIoT
October 24, 2022
0
80

How to Stay Two Steps Ahead of The New Cybersecurity IoMT Requirements

Shlomit Cymbalista, Head of Regulations @Sternum , surveys the regulatory landscape for medical devices and its impact on the future of the industry. Presented at the Annual Medical Device and Diagnostic Cybersecurity Conference (2022).

SternumIoT

October 24, 2022
Tweet

More Decks by SternumIoT

See All by SternumIoT
NXP Partner Webinar: Bringing Security and Device-level Insights to IoT Products
sternumiot
1
55
Outsmarting IoT Defenses: The Hacker Perspective - IoT Tech Expo 2022
sternumiot
0
170

Featured

See All Featured
4 Signs Your Business is Dying
shpigford
182
21k
Speed Design
sergeychernyshev
25
720
Optimising Largest Contentful Paint
csswizardry
33
3k
Java REST API Framework Comparison - PWX 2021
mraible
28
8.3k
Why Our Code Smells
bkeepers
PRO
335
57k
The World Runs on Bad Software
bkeepers
PRO
66
11k
How to Ace a Technical Interview
jacobian
276
23k
Building Applications with DynamoDB
mza
92
6.1k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
28
4.4k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
127
18k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
3
230
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
330
21k

Transcript

  1. How to stay two steps ahead of Shlomit Cymbalista Head

    of Regulation and Compliance, Sternum The New Cybersecurity Requirements

  2. 1 3 2 4 Era of hypothetical is over Cyber

    is no longer an add-on Key changes in FDA requirements Sounds complicated. Now what? For Discussion

  3. 1 Era of hypothetical is over

  4. Insulin Pumps Intracardiac Defibrillators Mobile Cardiac Telemetry Intrathecal Pain Pumps

    Pacemakers “The FBI specifically cited vulnerabilities ….noting that malicious hackers could take over the devices and change readings, administer drug overdoses, or otherwise endanger patient health.”

  5. caused longer patient stays, delays in procedures and overall decreases

    in the quality of care 20% 50% saw an increase in mortality rates The FBI site a report from a week prior which found that 89% of healthcare professionals surveyed experienced at least one cyberattack in the last 12 months

  6. HIPAA GDPR ISO 27001 ISO 27799 Cybersecurity and Healthcare Evolving

    from Data Protection to Product Security

  7. The New Reality Product Security Is Patient Safety.

  8. 2 Cyber is no longer an add-on

  9. Submissions are meeting pushback by the FDA: Cybersecurity = Safety

    Run-Time Protection Evidence and performance of controls

  10. Coding Errors Affecting Safety Feedback Example #1 …did not include

    information on the tools, such as static analysis tools, that you used to detect run-time errors. …needed to assess whether good coding practices have been implemented to prevent common coding errors which may adversely affect the safety of the device …tools used, identify what error types the tool detects, method and process of applying the tool(s), and a summary report and/or conclusion about the results

  11. Cyber by design Feedback Example #2 “The information security and

    cybersecurity of the device is needed to evaluate the cybersecurity risks and the associated controls. The FDA has been asking for the cybersecurity even from devices that have no connectivity.” Mitigations for intentional and unintentional cybersecurity risks Cybersecurity risks considered in the design List and justification for all cybersecurity controls Evidence that controls perform as intended. Information confidentiality, integrity, and availability

  12. Security within design of the device 3 Key Changes in

    FDA Requirements Secure practices and evidence Onus is on the manufacturer

  13. FDA Cybersecurity guidance, April 2022: “FDA requires manufacturers to implement

    development processes that account for and address cybersecurity risks as part of design control …Premarket submissions should include information that describes how the security objectives are addressed by and integrated into the device design…”

  14. Total Product Lifecycle Secure By Design From Day 1 and

    throughout the Total Product Lifecycle Security TPLC Implementation of SPDF to mitigate cybersecurity risks SPDF Security Process to manage safe devices as part of QMS system Vulnerability Management Identify, evaluate, treat, and report on security vulnerabilities including 3rd party libraries SBOM Traceability and transparency of all software components and their vulnerabilities V&V Security requirements, threat mitigation, vulnerability testing, penetration testing throughout testing IN-DEV PMS Continuous monitoring, risk assessment performed for postmarket vulnerability POST MARKET

  15. • Patch Act • IMDRF Principles and Practices of MD

    Cybersecurity • MDCG (EU) 2019-16 • Medical Device and Health IT Joint Security Plan (JSP) • NIST A Global Movement • Secure by design • SBOM • 3rd party vulnerabilities • Post market surveillance • Vulnerability management • Secure development process

  16. 4 Sounds complicated. Now what?

  17. A Standard Medical Device • 1M units in the field

    5-year old code • 2MB of free space • No visibility into usage, quality, performance, geolocation • 3 vulnerabilities found • Heap overflow, time-of-use time–of-check OTA vulnerability, information leak

  18. Mitigation of supply chain/3rd party attacks Full visibility into usage,

    cyber breaches, performance once in field Technical security controls Secure from design New requirements to meet Technologies available Vulnerability management and coverage of 3rd parties; automated SBOM Real-time observability and alerting Integrity, cryptography, authentication, event detection, etc. Autonomous security solution built into the device code/software- agentless

  19. Sternum Synergy of Security + Observability What For both new

    and legacy devices Why Improve your ROI with minimized need for patching How All with: • Low memory requirements • No impact on performance • Little to no impact on resources – no Internet connection needed Total Product Lifecycle V&V Security requirements, threat mitigation, vulnerability testing, penetration testing throughout testing IN-DEV SPDF Security process to manage safe devices as part of QMS system Security TPLC Implementation of SPDF to mitigate cybersecurity risks Vulnerability Management Identify, evaluate, treat, and report on security vulnerabilities including 3rd party libraries PMS Continuous monitoring, risk assessment performed for postmarket vulnerability POST MARKET * Embedded protection throughout TPLC * Seamless integration * Part of cybersecurity V&V * Protection from zero day attacks Run-time protection

  20. Sternum Synergy of Security + Observability What For both new

    and legacy devices Why Improve your ROI with minimized need for patching How All with: • Low memory requirements • No impact on performance • Little to no impact on resources – no Internet connection needed Total Product Lifecycle Security TPLC Implementation of SPDF to mitigate cybersecurity risks SPDF Security process to manage safe devices as part of QMS system Vulnerability Management Identify, evaluate, treat, and report on security vulnerabilities including 3rd party libraries PMS Continuous monitoring, risk assessment performed for postmarket vulnerability POST MARKET SBOM Traceability and transparency of all software components and their vulnerabilities Monitoring, Insights and Reports * Real time alerts of cybersecurity attacks * Monitoring and observability for Post Market Surveillance * Tool for CAPA and CC assessment * SBOM

  21. * Early detection & investigation of emerging issues * Visibility

    and control of your device fleets * Device trends and user interaction Sternum Synergy of Security + Observability Anomaly Detection What For both new and legacy devices Why Improve your ROI with minimized need for patching How All with: • Low memory requirements • No impact on performance • Little to no impact on resources – no Internet connection needed Total Product Lifecycle Total Product Lifecycle Security TPLC Implementation of SPDF to mitigate cybersecurity risks SPDF Security process to manage safe devices as part of QMS system Vulnerability Management Identify, evaluate, treat, and report on security vulnerabilities including 3rd party libraries PMS Continuous monitoring, risk assessment performed for postmarket vulnerability POST MARKET

  22. * Embedded protection throughout TPLC * Seamless integration * Part

    of cybersecurity V&V * Protection from zero day attacks Run-Time Protection Monitoring, Insights& Reports * Real time alerts of cybersecurity attacks * Monitoring and observability for Post Market Surveillance * Tool for CAPA and CC assessment * SBOM Anomaly Detection * Early detection & investigation of emerging issues * Visibility and control of your device fleets * Device trends and user interaction Sternum Synergy of Security + Observability What For both new and legacy devices Why Improve your ROI with minimized need for patching How All with: • Low memory requirements • No impact on performance • Little to no impact on resources – no Internet connection needed

  23. IMPLICATIONS • Cybersecurity is no longer an afterthought • Secure

    by design is the new cost of entry • Security doesn’t stop after the release • Continuous monitoring a baseline for all • New documentation requirements overwhelming and complex

  24. [email protected] Head of Regulation and Compliance, Sternum FEELING VULNERABLE?