4th Annual Medical Device Cybersecurity Risk Mitigation Conference

July 23-24, 2019 | Arlington, VA

Le Meridien Arlington


DAY TWO | WEDNESDAY, JULY 24

8:00 REGISTRATION & WELCOME COFFEE

8:20 CHAIRPERSON’S OPENING REMARKS
Bob Zemke, Director of Healthcare Solutions, EXTREME NETWORKS

8:30 CONNECTING THE PUBLIC & PRIVATE SECTORS TO INCREASE CYBERSECURITY RISK MITIGATION
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) announced a new initiative titled the National Risk Management Center (NRMC), focused on collaboration between the private and public sectors to recognize mutually identified points of critical risk. This innovative concept creates an opportunity for stakeholders, including Health Information and Technology companies, Direct Patient Healthcare organizations, and a Medical Materials Coordinating group, to detect serious risks and share methods to manage vulnerabilities. Through private and public sector collaboration, the medical device industry can further efforts to mitigate overall cyber risks and build a more secure patient health system.

Bob Kolasky, Director, National Risk Management Center, DEPARTMENT OF HOMELAND SECURITY

 

9:00 ADOPTING FDA CYBERSECURITY GUIDANCE INTO PRODUCT DEVELOPMENT AND MANUFACTURING
Building on FDA guidance with the intent of creating an implementable software BOM, this session articulates specific requirements to achieve compliance along with software and integration capabilities that enable medical device manufacturers to be first – and best – to market. This presentation will be in tandem with a white paper on How to Build Trusted & Secure IoMT Devices. The result will be an approach that allows for security not only at the time of manufacture but over the lifetime of the product and at massive scale.

  • Manufacture and distribute globally
  • Maintain cryptography into the age of Quantum
  • Facilitate MDM/HDO shared trust model
  • Simplify engineering and support

Tom Klein, Vice President of IoT Solutions, KEYFACTOR

 

9:45 COFFEE AND NETWORKING BREAK

 

10:15 CHIEF INFORMATION SECURITY OFFICER FIRESIDE CHAT: COLLABORATION THROUGHOUT THE PRODUCT LIFECYCLE
Medical device manufacturers are coordinating with health delivery organizations to ensure clear communication of device vulnerabilities and product risk profiles during the procurement process to accurately address security questionnaires and HDO primary considerations. Current FDA guidances outline the expectation of equally shared responsibility for cybersecurity risk mitigation between manufacturers and HDOs, which necessitates that robust information sharing practices be implemented following the procurement of a device. In instances when the manufacturer is unable to provide support, HDOs collaborate with third-party solutions providers to patch vulnerabilities and administer additional assistance.

  • HDO benchmarks for qualifying devices during procurement
  • Information sharing efforts for equal responsibility
  • Consideration parameters for third party partnerships

INTERVIEWER: Mike Kijewski, MEDCRYPT

INTERVIEWEE: Chris Joerg, CEDARS-SINAI

 

11:00 CASE STUDY: SECURING MEDICAL DEVICES & REDUCING LIFECYCLE MANAGEMENT PRESSURE
The security posture of our medical device ecosystems is a growing concern to healthcare providers, device manufacturers, regulators, clinicians, and patients. Devices built on commercial software components in particular are facing an onslaught of increasingly sophisticated and purposeful cyber threats, whether these target the device specifically or are purely opportunistic because the device’s vulnerability may fit an exploit’s profile. In this session we will discuss available security technologies and their respective use cases and benefits.

Axel Wirth, Distinguished Technical Architect, SYMANTEC

 

11:45 MULTI PART MODULE: INFORMATION SHARING METHODOLOGIES TO COMMUNICATE MEDICAL DEVICE CYBER RISKS
With an abundance of available tools, device manufacturers and HDOs utilize a diversified portfolio of strategies to disclose cybersecurity vulnerabilities as well as share valuable information for product management and risk mitigation. While some material can be presented in a detailed report, such as a white paper geared towards IT professionals in terms of product management, other information requires real-time communication for quick risk resolution to accommodate the fast-paced environment of cyber events. Delegates will review industry information sharing techniques and how to leverage existing communication channels, so they are better equipped to choose which approach is best suited for internal business needs.

CASE STUDY: HEALTH INFORMATION SHARING AND ANALYSIS CENTER (H-ISAC)

  • Encouraging global collaboration & information sharing
  • Real time use of H-ISAC to detect & share cyber risks
  • Securing industry participation & utilization of H-ISAC

Denise Anderson, President, HEALTH INFORMATION SHARING AND ANALYSIS CENTER

 

12:00 CASE STUDY: MANUFACTURER DISCLOSURE STATEMENT FOR MEDICAL DEVICE SECURITY (MDS2)

  • Navigating the recent updates to MDS2 form
  • Industry implementation & leading benefits
  • Procurement decision parameters from MDS2

Andrew Bomett, Senior Manager, Product Cybersecurity, BOSTON SCIENTIFIC

 

12:15 LUNCHEON FOR ALL ATTENDEES

 

1:15 PANEL: LEVERAGING EXISTING COMMUNICATIONS CHANNELS FOR CYBERSECURITY INFORMATION SHARING

  • Commonly utilized avenues for data sharing
  • Practices for real time information sharing
  • Aligning communication channel with stakeholders
  • Innovative tools for communicating cyber risk
  • Coordinating sharing between HDOs & MDMs

MODERATOR:
Denise Anderson, HEALTH INFORMATION SHARING AND ANALYSIS CENTER

PANELISTS:
Jim Jacobson, SIEMENS HEALTHINEERS

Uma Chandrashekhar, ALCON

Joann Mavus, GEISINGER

 

2:00 DEPLOYMENT OF PATCHING STRATEGIES IN COMPLIANCE WITH REGULATORY EXPECTATIONS

  • Interpreting post-market guidance requirements for routine patches
  • Patching devices that lack the infrastructure to support updates
  • Assessing the need for patches in new designs & legacy products
  • Time & cost effective practices to remediate vulnerabilities

Dave Hammond, Senior Software Engineer for DS Cybersecurity, BD

 

2:45 PANEL: MITIGATION STRATEGIES FOR CYBERSECURITY VULNERABILITIES IN LEGACY PRODUCTS
HDOs utilize medical equipment developed 10 to 20 years ago, when cybersecurity was not considered a fundamental factor of product development, and the industry is continuously working to evaluate the cyber risk of each device model in order to patch vulnerabilities. As HDOs operate on limited resources, it is of the utmost importance that healthcare providers’ budgets and manpower capabilities are equipped to perform outlined manufacturer recommendations for correcting potential threats. Reviewing cybersecurity programs that properly address legacy products will enable device manufacturers and HDOs to reduce risk with early threat detection and utilize clearly outlined standard response strategies.

  • Immediate communication of identified liabilities
  • Evaluating the cyber component of legacy products
  • Training HDO technical teams to patch vulnerabilities
  • Employing third party vendors to patch legacy products

MODERATOR:
Rob Bathurst, BLACKBERRY CYLANCE

PANELISTS:
Dave Hammond, BD

Axel Wirth, SYMANTEC

 

3:30 END OF CONFERENCE
