© 2016 Epstein Becker & Green, P.C. | All Rights Reserved. ebglaw.com
FDA Cybersecurity Recommendations to Comply with NIST: A Best Practice for All Wearables?
June 21, 2016
This presentation has been provided for informational purposes only and is not intended and should not be construed to constitute legal advice. Please consult your attorneys in connection with any fact-specific situation under federal, state, and/or local laws that may impose additional obligations on you and your company.
Cisco WebEx can be used to record webinars/briefings. By participating in this webinar/briefing, you agree that your communications may be monitored or recorded at any time during the webinar/briefing.
Attorney Advertising
Presented by
Kim Tyrrell-Knott
Member of the Firm
858-764-2494
Medical Device Cybersecurity
Medical Device Comprehensive Cybersecurity Risk Management
[Diagram: Pre-Market and Post-Market; Medical Device InfoSec and External InfoSec; together forming Comprehensive Cybersecurity Risk Management]
NIST Framework for Improving Critical Infrastructure Cybersecurity
FDA Pre-Market
• Identify: Identification of assets, threats and vulnerabilities
• Likelihood: Assess likelihood of a threat and of a vulnerability being exploited
• Impact: Assess impact of threats and vulnerabilities on device functionality and end users/patients
• Mitigation: Determine risk levels and suitable mitigation strategies
• Residual Risk: Assess residual risk and risk acceptance criteria
Design Inputs Software Validation and Risk Analysis
Pre-Market: What is the Difference?
• Limit access to trusted users
• Ensure trusted content
• Detect, recognize, act upon during use
• Enable critical features of the device to continue to function during compromise
• Retention and recovery of device configuration
FDA Post-Market: What’s the Difference? (DRAFT)
• Essential Clinical Performance
• Cybersecurity Signals
• Vulnerability and Exploitability Assessment (CVSS)
• Risk Analysis
• Threat Modeling / Threat sources and detection
• Compensating controls
• Risk Mitigations of Essential Clinical Performance
Participation in cybersecurity info sharing organizations
Common Vulnerability Scoring System
OTHER
• Exploit Code Maturity (high, functional, proof-of-concept, unproven)
• Remediation Level (unavailable, work-around, temporary fix, official fix, not defined)
• Report Confidence (confirmed, reasonable, unknown, not defined)
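The three metrics listed above are the CVSS v3.0 temporal metrics, which scale a vulnerability's base score to reflect how mature the exploit code is, whether a fix exists, and how confident the reporter is. The following Python is an added example, not part of this presentation: it applies the multipliers and RoundUp rule from the FIRST CVSS v3.0 specification to constructed base scores and vector strings. The function names (`temporal_score`, `parse_temporal_vector`, `severity`) and the sample scores are assumptions made for the illustration.

```python
# Added example (not from the presentation): how the three CVSS v3.0
# temporal metrics modify a vulnerability's base score.
# Multiplier values and the RoundUp rule follow the FIRST CVSS v3.0
# specification; the base scores and vectors used below are constructed samples.
import math

# Exploit Code Maturity (E)
EXPLOIT_CODE_MATURITY = {
    "X": 1.00,  # Not Defined
    "H": 1.00,  # High
    "F": 0.97,  # Functional
    "P": 0.94,  # Proof-of-Concept
    "U": 0.91,  # Unproven
}
# Remediation Level (RL)
REMEDIATION_LEVEL = {
    "X": 1.00,  # Not Defined
    "U": 1.00,  # Unavailable
    "W": 0.97,  # Workaround
    "T": 0.96,  # Temporary Fix
    "O": 0.95,  # Official Fix
}
# Report Confidence (RC)
REPORT_CONFIDENCE = {
    "X": 1.00,  # Not Defined
    "C": 1.00,  # Confirmed
    "R": 0.96,  # Reasonable
    "U": 0.92,  # Unknown
}


def round_up(value: float) -> float:
    """CVSS RoundUp: the smallest one-decimal number >= value.

    Integer arithmetic avoids floating-point noise (e.g. 8.7000000001
    wrongly rounding up to 8.8), the approach CVSS v3.1 later recommended.
    """
    scaled = int(round(value * 100000))
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def parse_temporal_vector(vector: str) -> dict:
    """Pull E, RL and RC out of a CVSS v3.0 vector string.

    Missing temporal metrics default to Not Defined ("X"), as the spec allows;
    base metric components (AV, AC, ...) and the CVSS:3.0 prefix are ignored.
    """
    metrics = {"E": "X", "RL": "X", "RC": "X"}
    for component in vector.split("/"):
        name, sep, value = component.partition(":")
        if sep and name in metrics:
            metrics[name] = value
    return metrics


def temporal_score(base_score: float, vector: str) -> float:
    """Temporal = RoundUp(Base x E x RL x RC)."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError("base score must be between 0.0 and 10.0")
    m = parse_temporal_vector(vector)
    try:
        e = EXPLOIT_CODE_MATURITY[m["E"]]
        rl = REMEDIATION_LEVEL[m["RL"]]
        rc = REPORT_CONFIDENCE[m["RC"]]
    except KeyError as exc:
        raise ValueError(f"unknown temporal metric value: {exc}") from exc
    return round_up(base_score * e * rl * rc)


def severity(score: float) -> str:
    """Qualitative rating scale from the CVSS v3.0 specification."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


if __name__ == "__main__":
    # Constructed samples: a proof-of-concept exploit with an official fix
    # lowers a 9.8 base to 8.8; an unproven, temporarily patched, unconfirmed
    # report lowers a 7.5 base to 6.3.
    samples = [
        (9.8, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"),
        (7.5, "E:U/RL:T/RC:R"),
        (9.8, "E:X/RL:X/RC:X"),  # nothing known yet: temporal equals base
    ]
    for base, vec in samples:
        t = temporal_score(base, vec)
        print(f"base {base} + {vec!r} -> temporal {t} ({severity(t)})")
```

Note that the temporal metrics can only lower a score, never raise it; a manufacturer's remediation (moving RL from Unavailable to Official Fix) is one of the few levers that changes the number, which is why the post-market guidance ties the assessment to whether a fix and compensating controls exist.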
FDA vs. HIPAA

FDA
• Protect patient safety
• Device focus (traditionally)
• Risk to essential clinical performance
• Report to: FDA
• Reportable: uncontrolled vulnerabilities to risk to essential clinical performance, unless:
  • No known serious adverse events or deaths associated;
  • Within 30 days, device changes and/or compensating controls are implemented to bring the residual risk to an acceptable level and users are notified; and
  • Manufacturer is an ISAO member

HIPAA
• Protect health data (PHI)
• IT environment
• Security breach
• Report to: Covered Entity; Individual; HHS Secretary (≥ 500 individuals); Media (sometimes)
• Reportable: breach of unsecured PHI, unless there is a low probability PHI has been compromised based on a risk assessment of at least the following factors:
  • Nature and extent of PHI (e.g. identifiers, likelihood of re-identification);
  • Who the unauthorized person is;
  • PHI actually acquired or viewed; and
  • Mitigations
FDA and HIPAA: What are the “hooks”?
• Are data breaches being evaluated for impact on essential clinical performance?
• Are customer complaints being evaluated for data breach implications?
• Are security-based changes being evaluated for pre-market notification requirements?
• Are you clearly distinguishing between product changes needed for data security and those needed for patient safety?
• Are your vulnerability disclosure and reporting policies and practices coordinated?
Key Takeaways
1. Cybersecurity is no longer just an IT function
2. A comprehensive and structured cybersecurity program requires structured, proactive, ongoing assessment of data outside of traditional medical device sources
3. FDA and HIPAA are 2 distinct but overlapping frameworks
   • Don’t confuse the two – make sure you have the right expertise and “hooks”
Questions?
Kim Tyrrell-Knott
Member of the Firm
858-764-2494
Upcoming Webinars: Wearables Crash Course Series
Privacy and Wearables – June 28, 2016 at 2:00 – 2:15 p.m. ET – Patricia M. Wagner
To register, please visit: http://www.ebglaw.com/events/
Thank you.