4th Annual Medical Device Cybersecurity Risk Mitigation Conference

July 23-24, 2019 | Arlington, VA

Le Meridien Arlington


DAY ONE | TUESDAY, JULY 23

7:45 REGISTRATION & WELCOME COFFEE

8:20 CHAIRPERSON’S OPENING REMARKS
Tom Klein, Vice President of IoT Solutions, KEYFACTOR

8:30 OPENING ICE BREAKER: STRATEGIES TO MITIGATE & MANAGE CYBERSECURITY RISKS
As the number of network-connected devices grows, companies are discovering more cybersecurity concerns, which requires industry stakeholders to apply a variety of approaches and innovative tools to manage risk. This interactive ice breaker opens the event by giving all participants the opportunity to meet fellow cybersecurity professionals in a quick discussion aimed at sharing insights into risk analysis and mitigation best practices. In this warm-up session participants will also be able to build contacts with industry peers, kicking off the event's networking.

Tom Klein, Vice President of IoT Solutions, KEYFACTOR


8:45 ANALYZING CONSIDERATIONS FOR INDUSTRY IMPLEMENTATION OF THE JOINT SECURITY PLAN
Released in January of 2019 by the Healthcare and Public Health Sector Coordinating Council (HSCC), the Joint Security Plan (JSP) is a guide outlining leading practices for ensuring uninterrupted product security through standardized procedures. Developed by a range of stakeholders including device manufacturers, healthcare delivery organizations (HDOs), and regulatory professionals, the JSP takes a holistic approach to design considerations, risk assessments, and proactive mitigation and response strategies. Professionals need an understanding of the JSP in order to measure improvements in device security and to continuously enhance their cybersecurity programs.

Anura Fernando, Chief Innovation Architect, UL


9:30 INITIATIVES TO FURTHER MEDICAL DEVICE CYBERSECURITY
MITRE is developing a rubric for the Common Vulnerability Scoring System (CVSS) to help medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs) more consistently assess the severity and potential impacts of cybersecurity vulnerabilities. MITRE worked with a broad range of stakeholders to develop the CVSS rubric, which will be submitted to FDA to be qualified as a Medical Device Development Tool. MITRE has also developed a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook that gives HDOs a framework for improving communications (e.g. MDM-HDO interactions), for deciding what actions they might consider taking, and for identifying what resources are available to aid their response when faced with a medical device cybersecurity incident.

  • Industry utilization of CVE to identify threats
  • Adopting the CVSS to prioritize patch activity
  • MITRE Preparedness & Response Playbook

Penny Chase, Senior Principal Scientist, Cybersecurity, MITRE

Margie Zuk, Senior Principal Cybersecurity Engineer, MITRE


10:00 BREAKOUT GROUPS: ENSURING RISK MANAGEMENT COMPLIANCE WITH INDUSTRY STANDARDS AND FRAMEWORKS
With a wide range of risk assessment standards across the industry, manufacturers are challenged to align with a variety of frameworks in order to demonstrate robust vulnerability-analysis processes. This peer-to-peer learning session allows participants to discuss the particular nuances of each standard and best practices for implementing framework requirements, ensuring a detailed approach to risk management. To enable the exchange, the audience will break into smaller groups, each focusing on a specific guidance document, with the possibility of adding further risk assessment frameworks as the audience sees fit.

GROUP ONE: NIST 800-30 Guidance Document
Mitch Mallough, Technical Lead, Software R&D, JOHNSON & JOHNSON VISION

GROUP TWO: UL 2900 Cybersecurity Standard
Christopher Beeman, Business Development Manager – Digital Health, UL

GROUP THREE: AAMI TIR57:2016 Principles
Sabyasachi Roy, PhD, Director, Regulatory Affairs, Quality Assurance & Compliance
BRAINSCOPE COMPANY, INC.


10:30 COFFEE AND NETWORKING BREAK


MULTI-PART MODULE: DEEP DIVE INTO DEVICE REQUIREMENTS FOR THE CYBERSECURITY PRE-MARKET GUIDANCE

11:00 PART ONE: FDA UPDATE ON PRE-MARKET GUIDANCE COMPONENTS & INDUSTRY IMPLICATIONS
With the highly anticipated release of the FDA draft guidance on Premarket Submissions for Management of Cybersecurity in Medical Devices, industry stakeholders await further clarification on areas such as the Cybersecurity Bill of Materials (CBOM), differences in scoring risk assessments, and methods for alerting users to product vulnerabilities. With the comment period having closed in March of 2019, device manufacturers are seeking additional information on the final components of the guidance and on the FDA process for approving premarket cybersecurity strategies. A review of the potential implementation timeline and compliance deadlines will equip cybersecurity professionals with the means to prepare internally and develop premarket strategies for new products.

  • CBOM requirements for software & hardware units
  • Specifications on risk assessment & threat modelling
  • Outline of implementation process & projected timeline

Seth Carmody, PhD, Cybersecurity Program Manager, FDA


11:45 PART TWO: PROACTIVE IMPLEMENTATION STRATEGIES TO MEET PRE-MARKET CYBERSECURITY GUIDELINES
In preparation for the final premarket guidance from the FDA, cybersecurity experts are focusing on procedures that proactively address the new guidance and prepare for regulatory compliance. Many manufacturers are addressing specific elements of the guidance through internally established practices, such as circulating a list of software and hardware components that resembles the outlined CBOM requirements, or employing robust risk assessment practices to alert end users to identified vulnerabilities. Demonstrating a proactive approach to executing guidance elements, these brief deep-dive case studies will highlight established systems that address the following components of the FDA draft document:

CASE STUDY ONE: INTERNAL APPLICATION & FORMAT OF BILL OF MATERIALS
Ken Zalevsky, Head of Medical Device Cybersecurity, BAYER


12:15 CASE STUDY TWO: METHODS TO COMMUNICATE VULNERABILITIES TO USERS
Hans-Martin von Stockhausen, PhD, Senior Product Manager for Cybersecurity
SIEMENS HEALTHINEERS


12:45 LUNCHEON FOR ALL ATTENDEES


2:00 SOFTWARE BILL OF MATERIALS: TRANSPARENCY IN THE SOFTWARE ECOSYSTEM

  • The history of the idea: from obvious to heresy, & back again
  • Ecosystem of transparency across sectors & supply chain
  • Road to current status: an overview of the NTIA process
  • Future expectations for the broader software industry

Allan Friedman, PhD, Director of Cybersecurity Initiatives
NATIONAL TELECOMMUNICATIONS & INFORMATION ADMINISTRATION


2:30 CO-PRESENTATION: NAVIGATING PROPOSED GUIDANCES OUTLINED IN THE SOFTWARE BILL OF MATERIALS
Following the National Telecommunications and Information Administration (NTIA) meeting in July of 2018, medical device manufacturers and HDO leaders have taken the initiative to collaborate on the Software Bill of Materials (SBOM), executing a proposal and pilot program. As a means of sharing critical information about the software components of connected devices, the SBOM gives the industry an opportunity to set clear expectations of responsibility for both HDOs and manufacturers throughout the product's lifecycle. Although the proposed concept is broadly understood, stakeholders have numerous questions about the long-term usefulness of the SBOM and about how to use the document within a robust vulnerability management system.

  • Probable application of SBOM in an industry setting
  • Significant constituents evaluated for inclusion in the SBOM
    • Software vulnerabilities
    • Expiration for components
    • Lifecycle management practices
  • Potential implications for manufacturers & HDOs
  • Insight into the proposed scope & content of SBOM

Jim Jacobson, Chief Product and Solution Security Officer, SIEMENS HEALTHINEERS

Michael Dittamo, Information Security Risk Manager, NEW YORK PRESBYTERIAN HOSPITAL


3:15 COFFEE AND NETWORKING BREAK


3:45 CASE STUDY: DECREASING TIME TO MARKET WHILE NAVIGATING COMPETING SECURITY PRIORITIES

  • Evaluating security criteria for medical device platforms
  • Prioritization of security features for product inclusion
  • Determination to internally build or purchase components
  • Examining the effects on product development lifecycle

James Zug, Manager, Software Applications, REFLEXION MEDICAL

Mike Kijewski, CEO, MEDCRYPT


4:30 LEGAL PERSPECTIVE: EUROPEAN UNION CYBERSECURITY ACT’S IMPLICATIONS FOR MEDICAL DEVICE MANUFACTURERS

  • Proposed aspects within the outlined framework
  • Context within the broader European cybersecurity and data protection landscape
  • Aligning cybersecurity programs with European expectations
  • Implementation deadlines and next steps

Paul Otto, Partner, HOGAN LOVELLS


5:00 END OF DAY ONE CONFERENCE
