15 Jan 2017

Sunday


4:00 - 6:00 pm
On-site Registration

Disney’s Yacht & Beach Club Convention Center—Asbury Lobby



16 Jan 2017

Monday - Single Track Sessions


8:00 am - 9:00 am
On-site Registration

Disney’s Yacht & Beach Club Convention Center—Asbury Lobby


9:00 - 9:30 am
Breakfast — Salon 5 & 6

9:15 - 9:30 am
Welcome
Kevin Fu, Ph.D

9:30 - 10:30 am
Keynote
Suzanne B. Schwartz, MD, MBA

Medical Device Cybersecurity Through the FDA Lens

Enhanced connectivity of medical technologies holds extraordinary promise for advancing patient care. Yet, with these benefits comes new kinds of threats—increasing cybersecurity risks. FDA encourages medical device manufacturers to carefully consider possible cybersecurity risks while designing medical devices and to have a plan to manage system or software updates. By focusing on cybersecurity during design, manufacturers can reduce vulnerabilities in their medical devices. But premarket considerations are only one aspect of medical device cybersecurity. While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats and emergence of newly identified vulnerabilities means risks may arise throughout a device’s entire lifecycle.

A big part of effective cybersecurity is creating a proactive approach and fostering multi-stakeholder collaboration, which will help stay ahead of cybersecurity threats and protect patients.

This keynote session will provide an overview of the evolving medical device cybersecurity landscape with particular emphasis on what medical device ecosystem partners are presently doing to address current gaps as well as future challenges; a description of multi-stakeholder efforts; and regulatory policy under FDA’s premarket and postmarket authorities.


10:30 - 11:00 am
Coffee Break

11:00 am - 12:00 pm
AAMI TIR57: Principles for Medical Device Security—Risk Management
Geoffrey Pascoe

Participants will learn how to perform security risk management for medical devices using the principles outlined in AAMI’s recently published technical report, AAMI TIR57: Principles for medical device security—Risk management. We will discuss the differences and similarities between security risk management and safety risk management, as well as how to integrate the two following practices outlined in ANSI/AAMI/ISO 14971:2007(R)2010 Medical devices—Application of risk management to medical devices. We will also cover basic concepts in security as they apply to medical device security, such as threats and threat actors, vulnerabilities, assets, security risk, mitigation and risk treatment, single loss expectancy, annualized loss expectancy, confidentiality, integrity, and availability. Participants will work through a simplified example, applying the principles of TIR57. A short Q&A session will follow.

All conference attendees will receive a FREE copy of AAMI TIR57: Principles for Medical Device Security—Risk Management, which provides guidance for addressing information security within the risk management framework defined by ANSI/AAMI/ISO 14971.


12:00 - 1:30 pm
Meet the Experts Lunch
  • Bill Aerts, Former Director of Product Security, Global Privacy and Security Office, Medtronic
  • Julio Auto, Principal Information Security Engineer, Mayo Clinic
  • Andrew (Drew) Bomett, M.S.S.T, CISSP, Product Security Manager, Boston Scientific
  • Debra Bruemmer, CISSP, Manager, Clinical Information Security, Mayo Clinic Office of Information Security
  • Alexander Diekmann, CISA, CISM, Manager Post-Market Cyber Security Services, Roche Diagnostics
  • Stephanie Domas, PE, CEH, Lead Medical Security Engineer, Battelle DeviceSecure Services
  • Kevin Fu, Associate Professor, Computer Science & Engineering, University of Michigan
  • Denis Foo Kune, Ph.D, Co-Founder, Virta Laboratories, Inc.
  • Dale Nordenberg, MD, Executive Director, Medical Device Innovation, Safety, and Security Consortium (MDISS)
  • Gavin O’Brien, Computer Scientist, NIST
  • Fubin Wu, Co-Founder, GessNet™

Join leaders from Mayo Clinic, the FDA, Medtronic, the University of Michigan, and AAMI’s Device Security Working Group for a first-come, first-served seat at the table with conference leaders, speakers, and invited experts. This is your chance to get your most pressing questions answered all while enjoying a delicious lunch.


1:30 - 3:00 pm
Cybersecurity Policy and Standards for Medical Devices Panel
  • Chantal Worzala, Director of Policy, American Hospital Association
  • Iliana Peters, Senior Advisor, HIPAA Compliance and Enforcement, HHS Office for Civil Rights
  • Jarvis Rodgers, IT Audit Director, U.S. Department of Health and Human Services (HHS), Office of Inspector General (OIG)
  • Suzanne B. Schwartz, MD, MBA
  • Matthew Scholl

Panelists provide insights and commentary on federal policies for medical device cybersecurity in this spirited conversation moderated by Dr. Kevin Fu.


3:00 - 3:30 pm
Coffee Break

3:30 - 4:30 pm
Patient Harm? Analyzing Cyber Security Vulnerabilities for Patient Safety Issues
Billy Rios, CISSP

CVE, CCE, CPE, NVD, CVSS, CWE… What is this alphabet soup and can we use this information to help us determine whether a particular vulnerability presents a patient safety issue? This talk provides case studies involving specific medical device vulnerabilities and covers strategies to determine whether those vulnerabilities present patient safety issues. We’ll explore the problem from the perspective of both the manufacturer and healthcare delivery organizations.


6:15 - 8:30 pm
Gala Dinner

Sponsored by Synopsys

Step back in time and join conference speakers and fellow attendees for a relaxing dinner at Epcot’s American Adventure Rotunda, where American history comes alive. We’ll meet at 6:15 at the conference center in the Grand Harbor Lobby and board buses that will take us to Epcot Center for the evening activities.


8:30 - 9:30 pm
Dessert & Illuminations

Sponsored by Siemens

End the night on a sweet note with a buffet of delightful confections and delicious wines from around the world at Epcot’s Italy Isola as you enjoy an unparalleled view of Epcot’s Illuminations: Reflections of Earth fireworks extravaganza. You’ve never seen or tasted anything like it!



17 Jan 2017

Tuesday - Dual Track Sessions


8:00 - 9:00 am
Breakfast

Health Delivery Organizations
Asbury Hall: A & B
Manufacturers
Asbury Hall: C & D

9:00 am - 10:30 am
Introduction to Medical Device Security (both tracks)
Kevin Fu, Ph.D

Today, it would be difficult to find medical device technology that does not critically depend on computer software. Network connectivity and wireless communication have transformed the delivery of patient care. The technology often enables patients to lead more normal and healthy lives. However, medical devices that rely on software (e.g., drug infusion pumps, linear accelerators, pacemakers) also inherit the pesky cybersecurity risks endemic to computing. What’s special about medical devices and cybersecurity? What’s hype and what’s real? What can history teach us? How are international standards bodies and regulatory cybersecurity requirements changing the global manufacture of medical devices? This talk will introduce attendees to the risks, benefits, and regulatory issues for medical device cybersecurity and innovation of trustworthy medical device software.


10:30 am - 11:00 am
Coffee Break

Health Delivery Organizations
Asbury Hall: A & B

11:00 am - 11:45 am
Safer, Sooner, Together: A Hippocratic Oath for Connected Medical Devices
Joshua Corman

The promise of connected medicine is to improve and prolong life.

The perils of connectivity may lead to loss of life and limb and a shattering of public confidence.

Our dependence on connected technologies has grown faster than our ability to secure them.

We believe we can be safer, sooner, if we work together.

Modern healthcare increasingly depends on connected technologies to improve the quality, effectiveness, and availability of the best that medical innovations can offer. The promise of Precision Medicine may unlock new cures and breakthroughs to help us treat and conquer some of our most perplexing diseases. Unfortunately, with this promise comes the perils of hyper-connectivity, exposing us all to a bevy of new accidents and adversaries in cyberspace. Sadly, we are not prepared.

While the FDA and industry have made incredible strides over the last two years in cybersafety, 2016 continues to remind us just how much further we have to go. In 2015, an epidemic of ransomware wreaked havoc through health delivery organizations. In one case, Hollywood Presbyterian was hit so badly it affected patient care and the hospital had to turn ambulances away. Muddy Waters Capital shorted St. Jude Medical over what it considered to be material hacking weaknesses in its line of pacemakers.

All systems fail. How prepared we are for failure will make all the difference. To this end, “I am The Cavalry” published a Hippocratic Oath for Connected Medical Devices exploring how to avoid failure, take help avoiding failure, learn from failure, mitigate failure, and inoculate against future failure. We will explore this framework and these five postures toward failure to accelerate our corrective actions across a diverse and challenging stakeholder ecosystem.

We don’t yet have all the answers, but we know we’ll all be safer, sooner, together.


11:45 am - 12:30 pm
How to Set Up a Medical Device Security Program for Health Delivery Organizations
Kevin McDonald, BSN, ME-PD, CISSP

Health delivery organizations can benefit significantly from a solid medical device security program. With a security program in place, you can identify vulnerable devices, assess risks, and plan remediations. But for your medical device security program to be effective, you must have a strong base in place in the areas of governance, policies, standards, process, and staff skills. In this session, members of health delivery organizations will learn how to set up the foundational structure and processes necessary for creating a strong medical device security program.


Manufacturers
Asbury Hall: C & D

11:00 am - 11:45 am
How to Set Up a Medical Device Security Program for Manufacturers
Bill Aerts, CISSP, CISM

With the future of the Internet of Things, medical devices will become infinitely connected. For those providing and using those devices, security will become a huge challenge. In order to address these challenges, manufacturers and healthcare providers need to create a dedicated program to monitor and maintain medical device security throughout a device’s lifecycle. This session will discuss these challenges and provide insight on how to build a strong medical device security program.


11:45 am - 12:30 pm
Safer, Sooner, Together: A Hippocratic Oath for Connected Medical Devices
Joshua Corman

Repeat of the 11:00 am Health Delivery Organizations session; abstract as above.


12:30 pm - 2:00 pm
Lunch

Health Delivery Organizations
Asbury Hall: A & B

2:00 pm - 3:00 pm
Building security programs in the academic medical center and not destroying it in the process
Jack Kufahl

Academic medical centers are among the most complex organizations anywhere, combining the promise and challenges of the research, patient care, training, and education missions, all within the context of the greater university. We are expected to be equally open and private, at the epicenter of two of the most targeted industries in the nation: healthcare and higher education.

The University of Michigan Health System has been strategically investing in an assurance program that looks to leverage the unique opportunities we have at our disposal while keeping day-to-day operations protected in an increasingly dynamic environment.

Unlike some of our healthcare delivery organization counterparts, we must account for our relative programmatic immaturity while watching for those rare but critical moments when we can leapfrog beyond the expected median and make information assurance an integral part of overall information service delivery.


Manufacturers
Asbury Hall: C & D

2:00 pm - 3:00 pm
The Why and How of Medical Device Security – a Manufacturer’s Perspective
Michael McNeil, MBA

During this discussion, we will review some of the key do’s and don’ts associated with the deployment of a product security program executed by a medical device manufacturer. We will look into the key relationships of the ecosystem and their management to ensure an optimal program is executed. The session will cover the following:

  • Product security risk assessment
  • What steps and measures determine appropriate testing
  • How to implement an effective Coordinated Responsible Disclosure process
  • When to consider deploying a Software Bill of Materials (SBOM) process

3:00 pm - 3:30 pm
Coffee Break

3:30 - 4:00 pm
Closing Remarks