The Food and Drug Administration (FDA) is announcing the following public workshop titled “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity.” FDA, in collaboration with the National Health Information Sharing Analysis Center (NH-ISAC), the Department of Health and Human Services and the Department of Homeland Security, seeks to bring together diverse stakeholders to discuss complex challenges in medical device cybersecurity that impact the medical device ecosystem.
The purpose of this workshop was to highlight past collaborative efforts, increase awareness of existing maturity models (i.e. frameworks leveraged for benchmarking an organization’s processes) which are used to evaluate cybersecurity status, standards, and tools in development, and to engage the multi-stakeholder community in focused discussions on unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity.
- Date, Time and Location
- Federal Register Notice
- Program Book
- Cybersecurity Postmarket Guidance
- Cybersecurity Postmarket Guidance Public Comment Period
- Handshake Virtual Collaboration Space
- Contact Us
This meeting was held January 20-21, 2016, from 9:00 am to 5:30 pm, at the following location:
FDA White Oak Campus
10903 New Hampshire Avenue
Bldg. 31, Room 1503 (the Great Room)
Silver Spring, MD, 20993
- Program Book - Moving Forward: Collaborative Approaches to Medical Device Cybersecurity (PDF - 2.81 MB)
The public comment period for the recently released “Postmarket Management of Cybersecurity in Medical Devices” draft guidance is open, and we encourage all stakeholders to provide comment by April 21, 2016 to the docket of the Federal Register Notice at www.regulations.gov (docket number 2016-01172). In addition to general comments on the guidance, the Agency invites comment on the following questions, in particular:
- What factors contribute to a manufacturer's decision whether or not to participate in an Information Sharing and Analysis Organization (ISAO)?
- In the draft guidance, the FDA is proposing its intention to not enforce certain regulatory requirements for manufacturers that are “participating members” of an ISAO. Should FDA define what it means to be a “participating member” of an ISAO and if so, how should such participation be verified?
- What are the characteristics (participation, expertise, policies, and practices) of an ISAO that would make it qualified to participate in the sharing and analysis of medical device cybersecurity vulnerabilities? What are the benefits and disadvantages of FDA “recognizing” specific ISAOs as possessing specialized expertise relevant to sharing and analysis of medical device vulnerabilities and what should such recognition entail?
- When cybersecurity vulnerability information is not reported to FDA, what information should be reported to the ISAO, and when?
- How should the FDA interact with ISAOs, manufacturers, HDOs, security researchers and other stakeholders to maximize the sharing of information concerning cybersecurity threats while maintaining confidentiality and protecting commercial confidential information?
One of the ways for interested healthcare and public health (HPH) stakeholders to continue the dialogue from the January 20-21, 2016 public workshop on medical device and healthcare cybersecurity is to join a virtual collaboration space the MITRE Corporation (MITRE) has set up on its Handshake website. The collaboration space is intended for use by all HPH stakeholders including but not limited to medical device manufacturers, healthcare delivery organizations (e.g. clinicians, biomedical engineers, IT system administrators), professional and trade organizations (including medical device cybersecurity consortia), insurance providers, vulnerability researchers, local, State and Federal Governments, and information security firms. Among its benefits, the collaboration space affords the community the opportunity to share best practices and to join subgroups of specific interests.
FDA invites all interested stakeholders to participate in MITRE’s Handshake collaboration space. To join the collaboration space, click on the link below and provide your full name, email address, organization, and type of HPH stakeholder. Prior to clicking on the link, please make note of the privacy statement below. Once you submit the required information, you will receive an email confirmation from MITRE indicating that you have been added to the “Collaborative Approaches to Medical Device and Healthcare Cybersecurity” group on the Handshake website.
Privacy statement: MITRE respects the privacy of its collaboration site users. When users apply for an account on this collaboration site, we (MITRE) collect identifying information including company affiliation and email address. The user’s name, profile photo, connections (social graph), and activity stream of non-access controlled activities are visible to all participants in this collaborative space. Your personal information may be used only for membership records and to maintain the security of this system.
(If you have difficulty opening the link above, please send an email with the subject line “Request to join Handshake” to email@example.com and include the information below)
Type of HPH stakeholder (check one):
Medical Device Manufacturer:
Healthcare Delivery Organization:
Professional and Trade Organization:
Information Security Vendor:
Other (please specify): ___________
We note that anything FDA employees communicate on the forum is not Agency guidance, does not necessarily reflect the views of the Agency, and is for discussion purposes only. Additionally, we wish to emphasize that the “Collaborative Approaches to Medical Device and Healthcare Cybersecurity” Handshake group is a group established by MITRE and that FDA is not establishing or utilizing this group for the purpose of obtaining advice or recommendations.
Agenda Day 1: January 20, 2016
| Time | Session |
|---|---|
| 8:30am–9:00am | Registration (for pre-registered attendees) |
| 9:05am–9:15am | Medical Device Cybersecurity: A Year in Reflection and Looking Ahead |
| 9:15am–10:00am | Session I Plenary Panel: Cyber Threat Landscape within the Healthcare and Public Health Sector |
| 10:00am–11:30am | Session II Plenary Panel: FDA's Current Thinking: Implementation of the NIST “Framework for Improving Critical Infrastructure Cybersecurity” for Strengthening Security throughout the Total Product Life Cycle |
| 11:40am–12:40pm | Information Sharing and Analysis Organization (ISAO) Breakout Session |
| 1:40pm–2:55pm | Session III Plenary Panel: Key Ingredients for Effective Postmarket Management of Medical Device Vulnerabilities - Vulnerability Handling Processes and Coordinated Vulnerability Disclosure |
| 3:05pm–3:55pm | Coordinated Vulnerability Disclosure Breakout Session |
| 3:55pm–4:05pm | Return from Breakout |
| 4:05pm–5:20pm | Session IV Plenary Panel: Overcoming Challenges Manufacturers face with Increased Cybersecurity Collaboration |
| 5:20pm–5:35pm | ISAO Breakout Report Out, Adjourn |
Agenda Day 2: January 21, 2016
| Time | Session |
|---|---|
| 8:30am–9:00am | Registration (for pre-registered attendees) |
| 9:00am–9:35am | Welcome, Coordinated Vulnerability Disclosure Breakout Report Out, Recap Day 1 |
| 9:35am–9:55am | Keynote Address: Marty Edwards, Director of ICS-CERT |
| 9:55am–10:55am | Session V Plenary Panel: Identifying and Crafting Action Plans to Address Gaps and Challenges in Strengthening the Cybersecurity Stance of the Medical Device Ecosystem |
| 11:05am–12:15pm | Gaps & Action Plan Break Out Session |
| 1:15pm–2:15pm | Session VI Plenary Panel: Gaining Situational Awareness of Current Activities in the Healthcare and Public Health Sector to Enhance Medical Device Cybersecurity |
| 2:15pm–3:15pm | Session VII Plenary Panel: Risk Assessment Tools for the Medical Device Operational Environment |
| 3:25pm–4:25pm | Session VIII Plenary Panel: Adapting and/or Implementing Medical Device Cybersecurity Standards |
| 4:25pm–5:30pm | Gaps & Action Plan Breakout Report Outs, Workshop Recap, and Closing Remarks |
For questions regarding workshop content please contact: Suzanne Schwartz, Center for Devices and Radiological Health, Food and Drug Administration, 10903 New Hampshire Ave, Bldg. 66 rm. 5428, Silver Spring MD 20993, 301-796-6937, email: Suzanne.firstname.lastname@example.org.