In recognition of National Cybersecurity Awareness Month, the Food and Drug Administration (FDA) in collaboration with the Department of Health and Human Services (HHS) and the Department of Homeland Security (DHS) is announcing a public workshop “Collaborative Approaches for Medical Device and Healthcare Cybersecurity.”
This workshop will bring together all stakeholders in the healthcare and public health (HPH) Sector including but not limited to medical device manufacturers, healthcare facilities and personnel (e.g. healthcare providers, biomedical engineers, IT system administrators), professional and trade organizations (including medical device cybersecurity consortia), insurance providers, cybersecurity researchers, local, State and Federal Governments, and information security firms in order to identify HPH cybersecurity challenges and ways the Sector can work together to address these challenges.
The purpose of this public workshop is to catalyze collaboration among all HPH Sector stakeholders. Participants will identify barriers to promoting medical device cybersecurity; discuss innovative strategies to address challenges that may jeopardize critical infrastructure; and enable proactive development of analytical tools, processes, and best practices by the stakeholder community in order to strengthen medical device cybersecurity.
Specifically, the workshop will focus on the following general themes:
- Envisioning a collaborative environment for information sharing and developing a shared risk-assessment framework using a common lexicon; overcoming barriers (perceived and real) to create a community of “shared ownership and shared responsibility” within the HPH Sector to increase medical device cybersecurity;
- Gaining situational awareness of the current cyber threats to the HPH Sector including those that impact medical devices;
- Identifying cybersecurity gaps and challenges, especially end-of-life support for legacy devices and interconnectivity of medical devices;
- Adapting and implementing the “Framework for Improving Critical Infrastructure Cybersecurity” to support management of cybersecurity risks involving medical devices;
- Developing tools and standards to build a comprehensive cybersecurity program to meet the unique needs of the sector’s critical infrastructure including medical devices;
- How to leverage the technical subject matter expertise of the cybersecurity researcher community working with HPH stakeholders to identify, assess, and mitigate vulnerabilities; and
- Building potential solutions: Exploring collaborative models to gather diverse experts and establish medical device security benchmarks which are continuously validated.
This meeting was held October 21-22, 2014, beginning at 9:00 a.m. at the following location:
National Intellectual Property Rights Coordination Center
1st Floor Auditorium
2451 Crystal Drive Suite 200
Arlington, VA 22202
The workshop was webcast.
The workshop was held in a public meeting format, with interactive panel-style discussions. Panels discussed topics with interactive audience engagement (comments and questions).
|Preliminary Agenda Day 1: October 21, 2014|
|9:00am-9:15am||Welcome & Introductory Remarks||Suzanne Schwartz, MD, MBA - Director, Emergency Preparedness/Operations and Medical Countermeasures Program (EMCM), Center for Devices and Radiological Health (CDRH) / U.S. Food and Drug Administration (FDA)|
|9:15am-9:30am||Keynote Speaker||Marty Edwards, Assistant Deputy Director, National Cybersecurity and Communications Integration Center (NCCIC) and Director, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), Department of Homeland Security (DHS)|
|9:30am-11:00am||Envisioning Collaboration for Medical Device and Healthcare Cybersecurity||William H. Maisel, MD, MPH, Chief Scientist and Deputy Center Director for Science|
|11:15am-11:25am||Special Speaker||Edward J. Gabriel, MPA, EMT-P, CEM, CBCP, Principal Deputy, Assistant Secretary of Preparedness and Response (ASPR)|
|11:25am-12:30pm||Cyberthreat Landscape - ‘Framing the Problem’||Panel Moderator: Stephen Curren, MS, Division of Resilience and Infrastructure Coordination (OEM) / ASPR / HHS|
|1:40pm-2:30pm||Cybersecurity Gaps and Challenges: Part I. Need to Share vs. Need to Secure||Julian Goldman, MD|
|2:30pm-3:15pm||Cybersecurity Gaps and Challenges: Part II. Legacy Devices||Kevin Fu, PhD, Director of the Archimedes Center for Medical Device Security; Associate Professor, Sloan Research Fellow, Computer Science and Engineering, Electrical Engineering and Computer Science, University of Michigan|
|3:30pm-4:15pm||Cybersecurity Gaps and Challenges: Part III. Forward Looking Design||Thaddeus Flood, JD, Industry Director for X-Ray and Medical Imaging Informatics, Medical Imaging and Technology Alliance (MITA)|
|4:15pm-4:55pm||Overview of the NIST "Framework for Improving Critical Infrastructure Cybersecurity"||CDR Nikhil Thakur, Regulatory Policy Advisor, EMCM / CDRH / FDA; Speaker: Kevin Stine - Manager of the Security Outreach & Integration Group, NIST|
|4:55pm-5:05pm||Day 1 Recap, Set Stage for Day 2, Adjourn||CDR Nikhil Thakur, EMCM / CDRH / FDA|
|Preliminary Agenda Day 2: October 22, 2014|
|9:00am-9:05am||Welcome Remarks||Suzanne Schwartz, MD, MBA - EMCM / CDRH / FDA|
|9:30am-10:15am||Keynote Speaker||Michael Daniel, MS, MPP, Special Assistant to the President and Cybersecurity Coordinator, White House|
|9:30am-10:15am||Adapting and Implementing the NIST "Framework for Improving Critical Infrastructure Cybersecurity"||Debora Kobza, CGEIT, JIEM, Executive Director, NH-ISAC|
|10:15am-11:30am||Adapting the Vision for Information Sharing and Shared Risk Assessment: Implementation within the HPH Sector||Margie Zuk, MS, Senior Principal Cyber Security Engineer, MITRE|
|1:00pm-1:10pm||Keynote Speaker||Mary Logan, JD, CAE, President and CEO, Association for the Advancement of Medical Instrumentation (AAMI)|
|1:10pm-2:40pm||Development of Cybersecurity Tools, Risk Assessments, and Standards for the Healthcare and Public Health (HPH) Sector||Ken Hoyme, MS, Distinguished Scientist, Adventium Labs; Co-chair, Device Security Workgroup, AAMI|
|2:55pm-4:50pm||Building Potential Cybersecurity Solutions/Paths Forward for HPH||Dale Nordenberg, MD, Executive Director, Medical Device Innovation, Safety and Security Consortium (MDISS); CEO, Novasano Health & Science|
|4:50pm-5:00pm||Workshop Recap and Closing Remarks||Suzanne Schwartz, MD, MBA, EMCM / CDRH / FDA|
Day 1 (10/21/2014)
- Welcome Remarks
- Keynote Speaker – Marty Edwards
- Session I: Envisioning Collaboration for Medical Device and Healthcare Cybersecurity
- Keynote Speaker – Edward Gabriel
- Session II: Cyberthreat Landscape - Framing the Problem
- Session III: Cybersecurity Gaps and Challenges: Need to Share vs. Need to Secure
- Session IV: Cybersecurity Gaps and Challenges: Legacy Devices
- Session V: Cybersecurity Gaps and Challenges: Forward Looking Design
- Session VI: Overview of the NIST "Framework for Improving Critical Infrastructure Cybersecurity"
- Day 1 Wrap-Up
Day 2 (10/22/2014)
- Welcome Remarks
- Keynote Speaker – Michael Daniel
- Session VII: Adapting and Implementing the NIST "Framework for Improving Critical Infrastructure Cybersecurity"
- Session VIII: Adapting the Vision for Information Sharing and Shared Risk Assessment: Implementation within the Healthcare and Public Health Sector
- Keynote Speaker – Mary Logan
- Session IX: Development of Cybersecurity Tools, Risk Assessments, and Standards for the Healthcare and Public Health Sector
- Session X: Building Potential Cybersecurity Solutions/Paths Forward for the Healthcare and Public Health Sector
- Closing Remarks
- Slides (PDF - 5MB)
Questions and Comments on the workshop session content and potential next steps may be submitted now through November 24, 2014 to: AskMedCyberWorkshop@fda.hhs.gov
For questions regarding workshop content please contact:
Suzanne Schwartz, MD, MBA
Center for Devices and Radiological Health
Food and Drug Administration, 10903 New Hampshire Avenue, Bldg. 66, Rm 5418
Phone: 301-796-6937, Fax: 301-847-8510, Email: Suzanne.Schwartz@fda.hhs.gov.
We are delighted to announce that the MITRE Corporation (MITRE) has set up a virtual collaboration space on its Handshake website as one way for interested healthcare and public health (HPH) stakeholders to continue the dialogue from the October 21-22, 2014 public workshop around common challenges and possible paths forward in medical device and healthcare cybersecurity. The collaboration space is intended for use by all HPH stakeholders including but not limited to medical device manufacturers, healthcare delivery organizations (e.g. clinicians, biomedical engineers, IT system administrators), professional and trade organizations (including medical device cybersecurity consortia), insurance providers, vulnerability researchers, local, State and Federal Governments, and information security firms. Among its benefits, the collaboration space affords the community the opportunity to share best practices and to join subgroups of specific interests.
FDA invites all interested stakeholders to participate in MITRE’s Handshake collaboration space. To join the collaboration space, click on the link below and provide your full name, email address, organization, and type of HPH stakeholder. Prior to clicking on the link, please make note of the privacy statement below. Once you submit the required information, you will receive an email confirmation from MITRE indicating that you have been added to the “Collaborative Approaches to Medical Device and Healthcare Cybersecurity” group on the Handshake website.
Privacy statement: MITRE respects the privacy of its collaboration site users. When users apply for an account on this collaboration site, we (MITRE) collect identifying information including company affiliation and email address. The user’s name, profile photo, connections (social graph), and activity stream of non-access controlled activities are visible to all participants in this collaborative space. Your personal information may be used only for membership records and to maintain the security of this system.
We note that anything FDA employees communicate on the forum is not Agency guidance, does not necessarily reflect the views of the Agency, and is for discussion purposes only. Additionally, we wish to emphasize that the “Collaborative Approaches to Medical Device and Healthcare Cybersecurity” Handshake group is a group established by MITRE and that FDA is not establishing or utilizing this group for the purpose of obtaining advice or recommendations.
We are very excited about the creation of this forum and hope that you will take advantage of it so that, together, we can transform these important conversations into actionable initiatives. Working together as a community, we can enhance patient safety by improving medical device and healthcare cybersecurity.