Medical Device Cybersecurity
Medical device cybersecurity has become a three alarm fire in the healthcare industry.
Medical devices are vulnerable to security breaches like other computer systems. However, the difference is that a cyber-attack not only impacts the safety and effectiveness of the medical device, it also jeopardizes the health and even lives of patients who depend on medical devices.
Unfortunately, threats and vulnerabilities cannot be eliminated, which makes cybersecurity risks especially challenging.
Medical device cybersecurity has become an especially critical area of concern due to IoT massive connectivity, which makes medical devices vulnerable to cyber-attacks.
The problem is that cybersecurity measures that work for standard PCs aren’t necessarily good solutions for embedded machinery such as medical devices. Installing new software on the system in the field often requires a specialized upgrade process or is simply not supported.
Medical devices are commonly optimized to minimize processing cycles and memory usage, so they lack extra processing resources. PC security solutions won’t solve the security challenges of these devices.
The big cybersecurity takeaway here should be that we are no longer talking about protecting a device from just malformed IP packets or DoS packet floods.
When cybercriminals target embedded equipment such as medical devices, they often have detailed information about the device they are targeting and have sophisticated toolkits and skills that can be used to develop attacks.
Cybersecurity professionals generally agree that manufacturers, hospitals, and facilities must work together to manage cybersecurity risks due to the complexities of the healthcare environment.
Medical Device Cybersecurity Course by Tonex
Medical Device Cybersecurity is a 2-day workshop. This course will provide a unique learning to explore vulnerabilities in medical devices that are commonly exploited. Participants will learn about key concepts, techniques, tools, risk assessment and management and strategies for integrating cybersecurity mitigation and measures into medical devices and products. Learn the best practices to integrate into medical device requirements, architecture & design, implementation, verification & validation, and operations & maintenance processes. Risk Management Framework (RMF) is used during this training. We will apply RMF to medical devices cybersecurity. Participants will learn how to translate from RMF to Cybersecurity engineering requirements and medical devices.
We will show you tools for Deriving Security Functional Requirements Traceable to Controls used in RMF.
As part of its efforts to ensure medical device cybersecurity safety, U.S. Food and Drug Administration, FDA is adding new requirements and cybersecurity framework.
Learn about Cybersecurity Medical Device Development Tool (MDDT), Applying the Cybersecurity Common Vulnerability Scoring System (CVSS) to Medical Devices, Ways to Protect Your Medical Devices and Cybersecurity Guidelines.
The need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network- connected devices, and the frequent electronic exchange of medical device-related health information. We will discuss FDA’s Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices and Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software requirements and guidelines.
Manufacturers should address cybersecurity during the design and development of the
medical device, as this can result in more robust and efficient mitigation of patient risks.
Manufacturers should establish design inputs for their device related to cybersecurity, and
establish a cybersecurity vulnerability and management approach as part of the software
validation and risk analysis that is required by 21 CFR 820.30(g).
The approach should appropriately address the following elements:
- Identification of assets, threats, and vulnerabilities
- Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients
- Assessment of the likelihood of a threat and of a vulnerability being exploited
- Determination of risk levels and suitable mitigation strategies
- Assessment of residual risk and risk acceptance criteria
Who Should Attend
This course is designed for engineers, analysts, application developers, system designers, embedded system programmers, hardware engineers, test and evaluation engineers, modeling and simulation developers, technical project and product managers and cybersecurity professionals using embedded systems and medical devices.
What You Will Learn
- Learn about foundation of medical devices cyber security and emerging threats
- Ensure best-in-class user and device authentication, content integrity, and confidentiality of data, ensuring defensible in-depth security.
- Perform a risk analysis (using RMF)
- Best practices for identifying and documenting the risks from your device’s potential threats and vulnerabilities.
- Guidance for Cybersecurity in Medical Devices, showing a Defense-in-Depth Design Strategy.
- Learn how to generate the necessary regulation submission documentation (including Cybersecurity Design documentation and Risk Management documentation).
- Generate the documentation package per the FDA and EU MDR MDCG 2019 – 16
Course Modules/topics
Cyber Risks in Healthcare
- Medical Device and System Cybersecurity Engineering
- Medical Device Assets, Vulnerabilities and Threats
- Cybersecurity and Threats applied to Medical Devices
- Communicating cybersecurity vulnerabilities
General Medical Device Cybersecurity Principles
- Device Safety and the Quality System Regulations
- Designing for Security
- Transparency
- Manage Cybersecurity Risks
Security Control Categories and Associated Recommendations
- Authentication
- Authorization
- Cryptography
- Code, Data, and Execution Integrity
- Confidentiality
- Event Detection and Logging
- Resiliency and Recovery
- Firmware and Software Updates
- Concept of Trusted Execution Environment (TEE)
- Trusted Platform Modules (TPM) for Medical Devices
Overview of Medical Device Security Risk Management
- Overview of Security Risk Management
- Vulnerability Management Plans
- Threat Modeling
- Threat Vectors
- Threat Actors
- Third-Party Software Components
- Security Assessment of Unresolved Anomalies
- Security Risk Management Documentation
Medical Device Security Architecture
- Implementation of Security Controls
- Security Architecture Views
- Global System View
- Multi-Patient Harm View
- Updatability and Patchability View
- Security Use Case Views
- Cybersecurity Testing
- Cybersecurity Transparency
Overview of Guidelines
- Cybersecurity Lexicon for Medical Devices and Converged Systems
- The changing landscape of healthcare cybersecurity
- The relationship between security and safety risks
- Evaluation of Risk to Essential Clinical Performance
- Postmarket Management of Cybersecurity in Medical Devices Guidance
- Cyber physical assurance framework
- Defense in depth philosophy for medical device secure product lifecycle
- Managing safety and security risk convergence
- Labeling Recommendations for Devices with Cybersecurity Risks
- Submission Documentation for Security Architecture Flows
- Call-Flow Diagrams
- Information Details for an Architecture View
- Submission Documentation for Investigational Device Exemptions
Hacking/Exploitation Techniques (Tools and Entry Points for Medical Devices)
- Medical Device Encryption and Authentication (Defensive technologies)
- Risk Management Framework (RMF) for medical device systems cybersecurity assessments and control
- Integrating security into your systems engineering processes
- Deriving medical devices security functional requirements traceable to controls
Offensive Hacking/Exploitation Techniques, Tools, and Medical Devices Vulnerabilities
- Medical device defensive technologies
- Wireless connectivity vulnerabilities and medical devices
- Medical device application, software, RTOS, firmware and hardware analysis
- Secure medical device software/firmware practices
- Medical device reverse engineering
Case Studies
- Case Study: Overview of Security Vulnerabilities Identified in Implantable Cardiac Devices
- Case Study: Overview of Security Vulnerabilities Identified in Wireless Connectivity: RFID, Bluetooth, WiFi and Cellular (4G/5G)
- Case Study: Security Vulnerabilities and IT Network Attacks
- Case Study: Malware Vulnerabilities in Embedded Systems and Medical Devices
Workshop 1: Managing Medical Device Cybersecurity
- Applicable Standards, Technical Specifications and Reports US Food and Drug Administration
- European Union Regulation
- Adversaries to Healthcare and their Motivations
- Generic Threats (Healthcare sector and specific threats to medical devices)
- Overview of Medical Device Security Incidents
- Security Configuration
- Medical Device Cybersecurity Risk Management
- RMF and Security Control Strategies for Medical Device Risk Mitigating
- RMF to Cybersecurity Engineering Requirements
- Security Requirements Decomposition
- Medical Device Cybersecurity Test and Evaluation (T&E)
- RMF Workshop for a Simple Medical Device
- 510(k) Pre-Market Cybersecurity Controls Assessment
- 510(k) Post-Market Cybersecurity Controls Assessment
- Medical Device Software – SDLC (ISO/IEC 62304) and best-practices
- Medical Devices – Application of Risk Management (ISO/IEC 14971)
- FDA – 510(k) Submissions for Medical Devices
- FDA – Cybersecurity in Medical Devices: Quality System Considerations
- FDA – Pre-Market Submissions for Management of Cybersecurity in Medical Devices
Workshop 2: Medical Devices Cybersecurity Best Practices
- Medical Device Cybersecurity Program Audits
- Medical Device Pre-Market Cybersecurity Requirements
- Medical Device Post-Market Cybersecurity Requirements
- Manufacturing Plant Cyber Risk Assessments
- Medical Device Hardware Threat Models
- Medical Device Software – SDLC (ISO/IEC 62304) and best-practices
- NIST (SP800 Series, CSF, SP1800 Series)