Post on 20-May-2020
MEDICAL DEVICE CYBERSECURITY
SETH D. CARMODY, PHD
CYBERSECURITY SUMMIT 2017
OCTOBER 23, 2017
www.fda.gov
Executive Orders (EO), Presidential Policy Directives, and Framework to Strengthen Critical Infrastructure Cybersecurity
• EO 13636 (Feb 2013) → NIST Voluntary Framework (Feb 2014), v1.1 in Draft Jan. 10, 2017
• PPD 21 (Feb 2013)
• EO 13691 (Feb 2015) – establishment of Information Sharing and Analysis Organizations (ISAO)
• EO 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” May 17, 2017
Informational Tech / Operational Tech
Information Technology
Operational Technology
IoT – Internet of Things
Image credit: By http://hem.dis.anl.gov/eehem/picts/94110818_8.gif [dead link], Public Domain, https://commons.wikimedia.org/w/index.php?curid=5804284
Control System
Internet-Connected Operational Technology
Center for Food Safety & Applied Nutrition
Center for Drug Evaluation & Research
Center for Biologics Evaluation & Research
Center for Devices & Radiological Health (CDRH)
Center for Veterinary Medicine
National Center for Toxicological Research
Center for Tobacco Products
FDA’s Regulatory Scope
The Active Adversary, A Fine Wine
Move over, Mirai
The attacks are a variation on those mounted by Mirai, a botnet made up of network cameras, digital video recorders, and other so-called Internet-of-things devices. The point of Mirai is to build an army of devices that cripple prominent websites with record-setting distributed DoS attacks. The motivation for the PDoS attacks remains unclear, in part because BrickerBot.2 attacked a much wider variety of storage devices—including those used by servers—rather than storage used only by more limited IoT devices
Intended Use + Misuse
http://hackaday.com/2015/09/07/brick-laying-robot-does-it-better/
http://www.technologyvista.in/pin/here-comes-the-brick-laying-robot-to-make-buildings/
Negative Requirements are Infinite!
Features: What a Device MUST Do…
Safety: What a Device MUST NOT Do
Thou shall not under or over deliver therapy!
Get drug libraries from the Internet
Postmarket Cybersecurity Risk Assessment
Device Lifecycle: Ecosystem Challenges
Empathy and Collaboration
From EO 13636: “We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.”
FDA’s Approach to Cybersecurity
Executive Orders; FDA Safety Communication; Draft Premarket Guidance; Begin Coordination with DHS; Recognize Standards; Establish Incident Response Team
Final Premarket Guidance; MOU with NH-ISAC; Public Workshop
Product-Specific Safety Comm; Build Ecosystem/Collaboration
2013
2014
2015
2016
Draft and Final Postmarket Guidance; Public Workshop; MOU with NH-ISAC/MDISS
2017
2005: Issued guidance
2008: Halpern, et al.
2009: Issued safety communication
2011: “Hacking” of implantable insulin pump (Radcliffe)
2012: First recall of vulnerable software (Roche - PCAnywhere)
2013: Recall of TNS-listener (Roche)
Product-Specific Safety Comm
1st Cybersecurity WL
Questions?
Contacts:
CDRH mailbox, AskMedCyberWorkshop@fda.hhs.gov
Suzanne Schwartz, Suzanne.Schwartz@fda.hhs.gov
Aftin Ross, aftin.ross@fda.hhs.gov
Seth Carmody, seth.carmody@fda.hhs.gov