Archived Content

The content on this page is provided for reference purposes only. This content has not been altered or updated since it was archived.

Medical Devices

Public Workshop - Collaborative Approaches for Medical Device and Healthcare Cybersecurity, October 21-22, 2014

In recognition of National Cybersecurity Awareness Month, the Food and Drug Administration (FDA) in collaboration with the Department of Health and Human Services (HHS) and the Department of Homeland Security (DHS) is announcing a public workshop “Collaborative Approaches for Medical Device and Healthcare Cybersecurity.” 

This workshop will bring together all stakeholders in the healthcare and public health (HPH) Sector including but not limited to medical device manufacturers, healthcare facilities and personnel (e.g. healthcare providers, biomedical engineers, IT system administrators), professional and trade organizations (including medical device cybersecurity consortia), insurance providers, cybersecurity researchers, local, State and Federal Governments, and information security firms in order to identify HPH cybersecurity challenges and ways the Sector can work together to address these challenges.


Introduction

The purpose of this public workshop is to catalyze collaboration among all HPH Sector stakeholders. Participants identify barriers to promoting medical device cybersecurity; discuss innovative strategies to address challenges that may jeopardize critical infrastructure; and enable proactive development of analytical tools, processes, and best practices by the stakeholder community in order to strengthen medical device cybersecurity.

Specifically, the workshop will focus on the following general themes:

  1. Envisioning a collaborative environment for information sharing and developing a shared risk-assessment framework using a common lexicon; overcoming barriers (perceived and real) to create a community of “shared ownership and shared responsibility” within the HPH Sector to increase medical device cybersecurity;
  2. Gaining situational awareness of the current cyber threats to the HPH Sector including those that impact medical devices;
  3. Identifying cybersecurity gaps and challenges, especially end-of-life support for legacy devices and interconnectivity of medical devices;
  4. Adapting and implementing the “Framework for Improving Critical Infrastructure Cybersecurity” to support management of cybersecurity risks involving medical devices;
  5. Developing tools and standards to build a comprehensive cybersecurity program to meet the unique needs of the sector’s critical infrastructure including medical devices;
  6. Leveraging the technical subject matter expertise of the cybersecurity researcher community working with HPH stakeholders to identify, assess, and mitigate vulnerabilities; and
  7. Building potential solutions: Exploring collaborative models to gather diverse experts and establish medical device security benchmarks which are continuously validated.

Date, Time, Location and Additional Information

This meeting was held October 21-22, 2014, beginning at 9:00 a.m. at the following location:

National Intellectual Property Rights Coordination Center
1st Floor Auditorium
2451 Crystal Drive Suite 200
Arlington, VA 22202

The workshop was webcast.

The workshop was held in a public meeting format, with interactive panel style discussions. Panels discussed topics along with interactive public/audience engagement (comment/questions).

Agenda

Preliminary Agenda Day 1: October 21, 2014
Time | Topic
8:30am-9:00am | Registration
9:00am-9:15am | Welcome & Introductory Remarks | Suzanne Schwartz, MD, MBA - Director Emergency Preparedness/Operations and Medical Countermeasures Program (EMCM), Center for Devices and Radiological Health (CDRH) / U.S. Food and Drug Administration (FDA)
9:15am-9:30am | Keynote Speaker | Marty Edwards, Assistant Deputy Director, National Cybersecurity and Communications Integration Center (NCCIC) and Director Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), Department of Homeland Security (DHS)
9:30am-11:00am | Envisioning Collaboration for Medical Device and Healthcare Cybersecurity

Panel Moderator:

William H. Maisel, MD, MPH - Chief Scientist and Deputy Center Director for Science, CDRH/FDA

Discussants:

  • Stephen Curren, MS - Acting Director of the Division of Resilience and Infrastructure Coordination, Office of Emergency Management (OEM) / Assistant Secretary for Preparedness and Response (ASPR) / HHS
  • Rick Hampton - Wireless Communications Manager, Partners Healthcare System
  • Lee Kim, JD, FHIMSS - Director of Privacy and Security, Healthcare Information and Management Systems Society (HIMSS) North America
  • Carlos Kizzee (Invited), JD, LLM - Deputy Director, Stakeholder Engagement and Cyber Infrastructure Resilience / Office of Cybersecurity and Communications (OCS&C) / DHS
  • Deborah Kobza, CGEIT, JIEM - Executive Director, National Healthcare Information Sharing and Analysis Center (NH-ISAC)
  • Jackie McCarthy, JD - Director of Wireless Internet Development, CTIA-The Wireless Association®
  • Kevin McDonald, BSN, ME-PD, CISSP - Director of Clinical Information Security, Mayo Clinic
  • Suzanne Schwartz, MD, MBA - EMCM / CDRH / FDA
  • Jeffrey Secunda, MS, MBA - Vice President of Technology & Regulatory Affairs, Advanced Medical Technology Association (AdvaMed)
  • Kevin Stine - Manager of the Security Outreach & Integration Group, National Institute of Standards and Technology (NIST)
  • Chantal Worzala, PhD - Director of Policy, American Hospital Association (AHA)
  • Margie Zuk, MS - Senior Principal Cyber Security Engineer, MITRE
11:00am-11:15am | BREAK
11:15am-11:25am | Special Speaker | Edward J. Gabriel, MPA, EMT-P, CEM, CBCP - Principal Deputy, Assistant Secretary of Preparedness and Response (ASPR)
11:25am-12:30pm | Cyberthreat Landscape - ‘Framing the Problem’

Panel Moderator:

Stephen Curren, MS - Acting Director, Division of Resilience and Infrastructure Coordination (OEM) / ASPR / HHS

Presenters:
  • Marty Edwards - Assistant Deputy Director, NCCIC and Director Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) / DHS
  • Jason Lay - Manager, Cyber Threat Information / HHS
  • Ray Strucker - Special Agent, Senior Operations Manager, Office of Criminal Investigation (OCI) / FDA

Discussants:

  • Terry Dunlap, MS - Partner and Managing Member, Tactical Network Solutions
  • Elisabeth George, MS - VP of Global Regulations & Standards, Philips Healthcare
  • Kevin Hemsley, CISSP - Project Manager, Idaho National Lab (INL) supporting ICS-CERT
  • Kevin McDonald, BSN, ME-PD, CISSP - Mayo Clinic
  • Billy Rios, MS, MBA, CISSP - Director of Vulnerability Research and Threat Intelligence, Qualys
  • Wesley Snell, CISSP - Director, Computer Security Incident Response Center (CSIRC) / HHS
  • CDR Nikhil Thakur - Regulatory Policy Advisor, EMCM / CDRH / FDA
  • Axel Wirth, MSc, CPHIMS, CISSP, HCISPP - Distinguished Systems Engineer, Solutions Architect, Symantec
12:30pm-1:40pm | LUNCH
1:40pm-2:30pm | Cybersecurity Gaps and Challenges: Part I. Need to Share vs. Need to Secure

Panel Moderator:

Julian Goldman, MD 
Medical Director of Biomedical Engineering
Partners Healthcare System; 
Director, Medical Device Interoperability Program, Mass Gen Hospital

Discussants:

  • LTC James Beach, MS, MIS, DAU-PMT III, 70D Medical Information Management Officer - Chief, Medical Device Cybersecurity Cell, US Army Medical Materiel Agency (USAMMA)
  • Sherman Eagles - Partner, Software CPR
  • Ramya Krishnan, MS - Senior Project Engineer, Health Devices Group, ECRI Institute
  • Darren Lacey, JD - Chief Information Security Officer, Johns Hopkins University/Johns Hopkins Medicine
  • Jackie McCarthy, JD - CTIA-The Wireless Association®
  • Linda Ricci - Branch Chief Cardiac Diagnostic Devices / Office of Device Evaluation (ODE) / CDRH / FDA
  • Billy Rios, MS, MBA, CISSP - Qualys
  • Jeffrey Secunda, MS, MBA - AdvaMed
2:30pm-3:15pm | Cybersecurity Gaps and Challenges: Part II. Legacy Devices

Panel Moderator:

Kevin Fu, PhD - Director of the Archimedes Center for Medical Device Security; Associate Professor, Sloan Research Fellow, Computer Science and Engineering, Electrical Engineering and Computer Science, University of Michigan

Discussants:

  • Steven Abrahamson, MBA - Director, Product Security Engineering, GE Healthcare
  • Penny Chase, MS, MA - Information Technology and Cyber Security Integrator in the Information Technology Technical Center, MITRE
  • Josh Emperado, MS - Senior Market Development Manager, Toshiba America Medical Systems, & Vice Chair Medical Imaging Informatics Section, Medical Imaging and Technology Alliance (MITA)
  • Brian Fitzgerald - Deputy Director of the Division of Electrical and Software Engineering, Office of Science and Engineering Labs (OSEL) / CDRH / FDA
  • Thaddeus Flood, JD - Industry Director for X-Ray and Medical Imaging Informatics, MITA
  • Elisabeth George, MS - Philips Healthcare
  • Darren Lacey, JD - Johns Hopkins University/Johns Hopkins Medicine
  • Jay Radcliffe, MS, CISSP - Senior Security Consultant and Researcher, Rapid7
3:15pm-3:30pm | BREAK
3:30pm-4:15pm | Cybersecurity Gaps and Challenges: Part III. Forward Looking Design

Panel Moderator:

Thaddeus Flood, JD - Industry Director for X-Ray and Medical Imaging Informatics, Medical Imaging and Technology Alliance (MITA)

Discussants:

  • Bill Aerts, CISSP, CISM - Director of Information & Product Security, Global Privacy and Security Office, Medtronic
  • Debra Bruemmer, MBA, CISSP - Principal Information Security Analyst, Mayo Clinic
  • Abiy Desta - Senior Policy Analyst / ODE / CDRH / FDA
  • Ken Hoyme, MS - Distinguished Scientist, Adventium Labs and Co-chair Device Security Workgroup, Association for the Advancement of Medical Instrumentation (AAMI)
  • Darren Lacey, JD - Johns Hopkins University/Johns Hopkins Medicine
  • Michael McNeil, MBA - Global Product Security and Services Officer, Philips Healthcare
  • Billy Rios, MS, MBA, CISSP - Qualys
  • LTC James Beach, MS, MIS, DAU-PMT III, 70D Medical Information Management Officer - USAMMA
4:15pm-4:55pm | Overview of the NIST "Framework for Improving Critical Infrastructure Cybersecurity"

Panel Moderator:

CDR Nikhil Thakur - Regulatory Policy Advisor, EMCM / CDRH / FDA

Speaker: Kevin Stine - Manager of the Security Outreach & Integration Group, NIST

4:55pm-5:05pm | Day 1 Recap, Set Stage for Day 2, Adjourn | CDR Nikhil Thakur, EMCM / CDRH / FDA

 
Preliminary Agenda Day 2: October 22, 2014
8:30am-9:00am | Registration
9:00am-9:05am | Welcome Remarks | Suzanne Schwartz, MD, MBA - EMCM / CDRH / FDA
9:30am-10:15am | Keynote Speaker | Michael Daniel, MS, MPP - Special Assistant to the President and Cybersecurity Coordinator, White House
9:30am-10:15am | Adapting and Implementing the NIST "Framework for Improving Critical Infrastructure Cybersecurity"

Panel Moderator:

Deborah Kobza, CGEIT, JIEM - Executive Director, NH-ISAC

Presenters:

  • Kevin Stine - NIST
  • Thad Odderstol, MS - Industry Engagement and Resilience, C3 Voluntary Program, OCS & C / DHS
  • Deborah Kobza, CGEIT, JIEM - NH-ISAC

Discussants:

  • Kevin Hemsley, CISSP - ICS-CERT / DHS
  • Jeffery Goldthorp, MS - Associate Bureau Chief for Cybersecurity and Communications Reliability and Acting Chief of the Communications Systems Analysis Division in the Public Safety and Homeland Security Bureau, Federal Communications Commission (FCC)
  • Deborah Kobza, CGEIT, JIEM - NH-ISAC
  • Thad Odderstol, MS - C3 Voluntary Program, OCS & C / DHS
  • Brian Peretti, Esq. - Director of the Office of Critical Infrastructure Protection and Compliance Policy (Acting), Department of the Treasury
  • Kevin Stine - NIST
  • Bakul Patel, MS, MBA - Associate Director for Digital Health (acting) CDRH / FDA
10:15am-11:30am | Adapting the Vision for Information Sharing and Shared Risk Assessment: Implementation within the HPH Sector

Panel Moderator:

Margie Zuk, MS - Senior Principal Cyber Security Engineer, MITRE

Discussants:  

  • Bill Aerts, CISSP, CISM - Medtronic
  • Helen Caton-Peters, MSN, RN - Health IT Privacy and Security Specialist, Office of the National Coordinator for Health Information Technology (ONC) / Department of Health and Human Services (HHS)
  • Penny Chase, MS, MA - MITRE
  • Michael Frederick, MS, CISSP - Vice President of Assurance Services and Product Development, HITRUST
  • Rick Hampton - Partners Healthcare System
  • Deborah Kobza, CGEIT, JIEM - NH-ISAC
  • Bakul Patel, MS, MBA - CDRH / FDA
  • CDR Nikhil Thakur - EMCM / CDRH / FDA
  • Axel Wirth, MSc, CPHIMS, CISSP, HCISPP - Symantec
11:30am-1:00pm | LUNCH
1:00pm-1:10pm | Keynote Speaker | Mary Logan, JD, CAE - President and CEO, Association for the Advancement of Medical Instrumentation (AAMI)
1:10pm-2:40pm | Development of Cybersecurity Tools, Risk Assessments, and Standards for the Healthcare and Public Health (HPH) Sector

Panel Moderator:

Ken Hoyme, MS - Distinguished Scientist, Adventium Labs; Co-chair, Device Security Workgroup, AAMI

Discussants:

  • Steven Abrahamson, MBA - GE Healthcare
  • Mike Ahmadi, CISSP - Global Director of Medical Security, Codenomicon
  • Bryan Cline, PhD, CISSP-ISSEP, CISM, CISA, ASEP, CCSFP, HCISPP - Senior Advisor, HITRUST
  • Steve Christey Coley - Principal Information Security Engineer in the Cyber Security Division, MITRE
  • Brian Fitzgerald - OSEL / CDRH / FDA
  • Deborah Kobza, CGEIT, JIEM - NH-ISAC
  • Ronald Mehring, MBA, CISSP - CISO-Senior Director of Information Security, Texas Health Resources
  • Henri “Rik” Primo, MS - Director of Strategic Relationships for the SYNGO (Imaging Informatics) Division, Siemens Medical Solutions USA
2:40pm-2:55pm | BREAK
2:55pm-4:50pm | Building Potential Cybersecurity Solutions/Paths Forward for HPH

Panel Moderator:

Dale Nordenberg, MD - Executive Director, Medical Device Innovation, Safety and Security Consortium (MDISS); CEO, Novasano Health & Science

Discussants:

  • Debra Bruemmer, MBA, CISSP - Mayo Clinic
  • Steve Christey Coley - MITRE
  • Rick Comeau, MBA - VP, Security Controls & Automation and Strategic Advisor to the CEO & President, Center for Internet Security (CIS)
  • Sherman Eagles - Software CPR
  • Brian Fitzgerald - OSEL / CDRH / FDA
  • Thaddeus Flood, JD - MITA
  • Kevin Fu, PhD - University of Michigan
  • Ken Hoyme, MS - Adventium Labs/AAMI
  • John Lu, MBA, MS, CISSP - Life Sciences Principal, Deloitte & Touche
  • Michael McNeil, MBA - Philips Healthcare
  • Ronald Mehring, MBA, CISSP - Texas Health Resources
  • Gavin O’Brien, MS - National Cybersecurity Center of Excellence (NCCoE) Project Manager, NIST
  • Jeffrey Secunda, MS, MBA - AdvaMed
  • Axel Wirth, MSc, CPHIMS, CISSP, HCISPP - Symantec
  • Timothy Skutt - Director Security Portfolio, Wind River Systems
  • LTC James Beach, MS, MIS, DAU-PMT III, 70D Medical Information Management Officer - USAMMA
4:50pm-5:00pm | Workshop Recap and Closing Remarks | Suzanne Schwartz, MD, MBA, EMCM / CDRH / FDA

Webcast

Day 1 (10/21/2014)

Day 2 (10/22/2014)

Program Book

Workshop Slides

Transcripts

Questions & Answers

Questions and Comments on the workshop session content and potential next steps may be submitted now through November 24, 2014 to: AskMedCyberWorkshop@fda.hhs.gov

Contact Us

For questions regarding workshop content please contact

Suzanne Schwartz, MD, MBA
Center for Devices and Radiological Health
Food and Drug Administration, 10903 New Hampshire Avenue, Bldg. 66, Rm 5418
Phone: 301-796-6937, Fax: 301-847-8510, Email: Suzanne.Schwartz@fda.hhs.gov.

Handshake Virtual Collaboration

We are delighted to announce that the MITRE Corporation (MITRE) has set up a virtual collaboration space on its Handshake website as one way for interested healthcare and public health (HPH) stakeholders to continue the dialogue from the October 21-22, 2014 public workshop around common challenges and possible paths forward in medical device and healthcare cybersecurity. The collaboration space is intended for use by all HPH stakeholders including but not limited to medical device manufacturers, healthcare delivery organizations (e.g. clinicians, biomedical engineers, IT system administrators), professional and trade organizations (including medical device cybersecurity consortia), insurance providers, vulnerability researchers, local, State and Federal Governments, and information security firms. Among its benefits, the collaboration space affords the community the opportunity to share best practices and to join subgroups of specific interests.

FDA invites all interested stakeholders to participate in MITRE’s Handshake collaboration space. To join the collaboration space, click on the link below and provide your full name, email address, organization, and type of HPH stakeholder. Prior to clicking on the link, please make note of the privacy statement below. Once you submit the required information, you will receive an email confirmation from MITRE indicating that you have been added to the “Collaborative Approaches to Medical Device and Healthcare Cybersecurity” group on the Handshake website.

Privacy statement: MITRE respects the privacy of its collaboration site users. When users apply for an account on this collaboration site, we (MITRE) collect identifying information including company affiliation and email address. The user’s name, profile photo, connections (social graph), and activity stream of non-access controlled activities are visible to all participants in this collaborative space. Your personal information may be used only for membership records and to maintain the security of this system.

cybermed@mitre.org

(If you have difficulty opening the link above, please cut and paste the following link into your web browser.)

mailto:cybermed@mitre.org?subject=Request%20to%20join%20Handshake&body=Full%20Name:%0D%0AOrganization:%0D%0AEmail:%0D%0AType%20of%20HPH%20Stakeholder%20(check%20one):%0D%0A%20%20%20%20Medical%20Device%20Manufacturer:%0D%0A%20%20%20%20Healthcare%20Delivery%20Organization:%0D%0A%20%20%20%20Professional%20and%20Trade%20Organization:%0D%0A%20%20%20%20Insurance%20Provider:%0D%0A%20%20%20%20Vulnerability%20Researcher:%0D%0A%20%20%20%20Information%20Security%20Vendor:%0D%0A%20%20%20%20Government:%0D%0A%20%20%20%20Other%20(please%20specify)%0D%0A______%0A%0DMITRE%20respects%20the%20privacy%20of%20its%20collaboration%20site%20users.%20When%20users%20apply%20for%20an%20account%20on%20this%20collaboration%20site,%20we%20collect%20identifying%20information%20including%20company%20affiliation%20and%20email%20address.%20The%20user’s%20name,%20profile%20photo,%20connections%20(social%20graph),%20and%20activity%20stream%20of%20non-access%20controlled%20activities%20are%20visible%20to%20all%20participants%20in%20this%20collaborative%20space.%20Your%20personal%20information%20may%20be%20used%20only%20for%20membership%20records%20and%20to%20maintain%20the%20security%20of%20this%20system

We note that anything FDA employees communicate on the forum is not Agency guidance, does not necessarily reflect the views of the Agency, and is for discussion purposes only. Additionally, we wish to emphasize that the “Collaborative Approaches to Medical Device and Healthcare Cybersecurity” Handshake group is a group established by MITRE and that FDA is not establishing or utilizing this group for the purpose of obtaining advice or recommendations.

We are very excited about the creation of this forum and hope that you will take advantage of it so that, together, we can transform these important conversations into actionable initiatives. Working together as a community, we can enhance patient safety by improving medical device and healthcare cybersecurity.

Page Last Updated: 01/12/2016