This invitation-only event brings together solution-oriented experts in medical device manufacturing and computer security to meet and discuss effective ways to improve information security and the new FDA guidance on cybersecurity.
SUZANNE B. SCHWARTZ, MD, MBA
Associate Director for Science and Strategic Partnerships
Center for Devices and Radiological Health
U.S. Food and Drug Administration
Suzanne Schwartz, MD, MBA is the Associate Director for Science & Strategic Partnerships at FDA’s Center for Devices & Radiological Health (CDRH). Her portfolio includes medical device cybersecurity and efforts that span incident response, increasing awareness, outreach, partnering, policy, and coalition-building. Suzanne chairs the CDRH Cybersecurity Working Group. She also co-chairs the Government Coordinating Council for Healthcare & Public Health. Suzanne earned an MD from Albert Einstein College of Medicine; trained in General Surgery & Burn Trauma at the New York Presbyterian Hospital-Weill Cornell Medical Center; earned an executive MBA from NYU Stern School of Business; and completed the National Preparedness Leadership Initiative at the Harvard School of Public Health & Kennedy School of Government.
Former Director of Product Security
Global Privacy and Security Office
Bill Aerts is the recently retired Director of Product Security within Medtronic’s Global Privacy and Security Office. In this role, Bill accounted for the company-wide Global Product Security Program, which brings together product R&D functions, security subject matter experts, and business unit and corporate leadership throughout the company to continually improve security and privacy in the devices, systems, and services that Medtronic sells. Throughout his 30+ years working in security roles, Bill has created and championed information and product security programs in the insurance, transportation, retail, and healthcare industries. Bill received his bachelor’s degree from the University of Wisconsin, and holds CISSP and CISM certifications.
Senior Security Engineer, AdRoll
Co-chair, AAMI Medical Device Security Working Group
Geoffrey Pascoe is a software architect and consultant with 25 years of experience in health IT and medical device development. He has served as Product Security Manager for a large medical device manufacturer; was a consultant at Deloitte, helping medical device manufacturers secure their devices and establish medical device security programs; and currently co-chairs AAMI’s Medical Device Security Working Group. Geoffrey holds a bachelor’s degree in Electrical Engineering from The Catholic University of America, a master’s degree in Computer Science from Boston University, and teaches Enterprise Information Security and Computer Networks at Boston University’s Metropolitan College.
Session Speakers & Panelists
I am The Cavalry
Joshua Corman is a Founder of I am The Cavalry (dot org) and Director of the Cyber Statecraft Initiative for the Atlantic Council. Corman previously served as CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research and strategy roles for The 451 Group and IBM Internet Security Systems. He co-founded @RuggedSoftware and @IamTheCavalry to encourage new security approaches in response to the world’s increasing dependence on digital infrastructure. Josh’s unique approach to security in the context of human factors, adversary motivations, and social impact has helped position him as one of the most trusted names in security. He also serves as an adjunct faculty for Carnegie Mellon’s Heinz College and he’s on the 2016 HHS Cybersecurity Task Force.
Kevin Fu, Ph.D
Computer Science & Engineering
University of Michigan
Dr. Kevin Fu is Associate Professor of Computer Science & Engineering at the University of Michigan, where he conducts research on computer security and healthcare as part of the National Science Foundation’s Trustworthy Health and Wellness (THAW.org) Frontiers project. He also directs the Archimedes Center for Medical Device Security, whose mission is to improve medical device security through research and education, and he co-founded Virta Labs, a healthcare cybersecurity company based in Ann Arbor, Michigan. Over the last decade, Kevin has given nearly 100 invited talks on medical device security to industry, government, and academia—including Senate and House hearings, the Institute of Medicine, and National Academy of Engineering events. Beginning with his 2006 security seminar at FDA CDRH, Kevin’s medical device security efforts were recognized with a Fed100 Award, Sloan Research Fellowship, NSF CAREER Award, MIT TR35 Innovator of the Year award, and best paper awards on medical device security by organizations such as IEEE and ACM. Kevin earned a Ph.D., master’s degree, and bachelor’s degree from MIT and he also holds a certificate of achievement in artisanal bread making from the French Culinary Institute.
Chief Information Security Officer
University of Michigan Health System (UMHS)
Jack Kufahl was appointed to the role of UMHS Chief Information Security Officer in February 2016. Prior to this position, he spent 15 years with the University of Michigan Medical School and its information service operations. Jack began his career as a departmental systems administrator in the basic sciences, where he developed a healthy understanding of the academic enterprise. During his time with the medical school, Jack’s role grew to include teams of approximately 100 staff and $13M in budgetary responsibility where he leveraged service-oriented delivery through partnerships with both distributed and centralized service providers. While perhaps an unconventional candidate for the CISO with his educational background in history and professional experience in the research departments, Jack applies the same motives of advancing customer service and process improvement to his new areas of accountability at the University of Michigan Health System.
Kevin McDonald, BSN, ME-PD, CISSP
Director, Clinical Information Security
Office of Information Security
Kevin McDonald has over 35 years of healthcare experience in various roles. He holds degrees in Nursing, Education and Information Systems. His work experience includes direct patient care, management, electronic medical record implementation, and information technology and security. Kevin’s current role at Mayo Clinic is Director of Clinical Information Security in the Office of Information Security, with one of his primary responsibilities being the security of medical devices.
Michael McNeil, MBA
Global Product Security & Services Officer
Michael C. McNeil is the current Global Product Security & Services Officer for Royal Philips. In this capacity, McNeil is responsible for leading the global product security program for the company and ensuring consistent repeatable processes are deployed throughout their products and services in the healthcare market. Prior to this assignment, McNeil was the former Global Chief Privacy & Security Officer at Medtronic responsible for the development and design of their initial product security and incident response management programs; Chief IT Security Officer at Liberty Mutual Group; Global Chief Privacy Officer at Pitney Bowes; and Vice President, Chief Privacy Officer of Data Services for Reynolds & Reynolds.
HIPAA Compliance and Enforcement
HHS Office for Civil Rights
Ms. Peters is the national lead for OCR enforcement of the HIPAA Rules and works closely with OCR’s regional offices to promote compliance with and enforcement of the rules, including through resolution agreements. She also supports many additional OCR policy and outreach initiatives, including cybersecurity and training and guidance on the rules. Prior to joining the team in D.C., Ms. Peters worked as an investigator in the Dallas Regional Office. Ms. Peters received her Law Degree from Duke and her Masters of Law in Health Care Law from the University of Houston’s Health Law and Policy Institute.
Billy Rios, CISSP
Billy Rios is the founder of WhiteScope LLC, a leading, independent provider of expert training and professional security services. At WhiteScope, Billy leads the execution of strategic initiatives and drives the architecture, development, and engineering associated with embedded, Internet of Things (IoT), and smart building security solutions. Before founding WhiteScope, Billy was a Web and Products Security Response Lead at Google, where he led the front-line response for externally reported cybersecurity issues and incidents. Prior to Google, Billy was the Security Program Manager at Internet Explorer (Microsoft) where he led the company’s response for several high-profile incidents, including the response for the cyber attack known as “Operation Aurora.” Billy has also worked as a penetration tester and an intrusion detection analyst, and served as an active duty Marine Corps officer. An accomplished author and speaker, Billy currently holds an MBA, a master’s degree in information systems, and a master’s degree in military operational arts and sciences.
IT Audit Director
U.S. Department of Health and Human Services (HHS)
Office of Inspector General
Jarvis Rodgers is the Information Technology Audit Director at the Department of Health and Human Services (HHS), Office of Inspector General (OIG). One of OIG’s top management challenges is “Ensuring the Safety of Food, Drugs, and Medical Devices.” Jarvis leads a team of talented IT auditors and security analysts who conduct independent IT audits and penetration tests of HHS’s 12 operating divisions and grant recipients. Jarvis holds a bachelor’s degree in Computer Information Systems and a master’s degree in Business Administration. He is also a Certified Information Systems Auditor and a Certified Information Systems Security Professional.
Matthew Scholl is the Chief of the Computer Security Division at the National Institute of Standards and Technology (NIST). His responsibilities include cryptographic standards used by the US Government and internationally, Cybersecurity Research and Development, and Standards and Guidelines for Federal Agency Security Programs. He also leads NIST participation with Cybersecurity National and International Standards Development Organizations (SDOs) and associated conformance testing programs.
Mr. Scholl has a master’s degree and bachelor’s degrees in computer science and information systems from the University of Maryland and the University of Richmond. He is a US Army veteran and has over 20 years of federal service.
Dr. Chantal Worzala, Ph.D, M.P.A
Director of Policy
American Hospital Association
Chantal Worzala, Ph.D., is vice president of health information and policy operations at the American Hospital Association. Her primary area of focus is health information technology (IT) use and policy development. Chantal has more than 20 years of experience in international and domestic health policy and has focused primarily on policy for health IT and related technologies since 2005. She has also been a consultant to providers, patient advocates, and technology companies. Chantal previously served as Senior Analyst for the Medicare Payment Advisory Commission. She holds a Ph.D. from the Johns Hopkins School of Public Health and an MPA from the Woodrow Wilson School at Princeton University.
Principal Information Security Engineer
Julio Auto is an information security engineer at Mayo Clinic, where he oversees and conducts vulnerability assessments on medical devices and clinical support systems. Having been engaged with the information security industry for the past 10 years, Julio gained broad experience on various security-related fields and technologies, leading and presenting research on topics such as reverse engineering and software security.
Andrew (Drew) Bomett, M.S.S.T, CISSP
Product Security Manager, Boston Scientific
Andrew Bomett is the manager of product security at Boston Scientific, focused on the safety and security of the company’s products, applications and supporting infrastructure. Prior to that, he was a principal security analyst in Mayo Clinic’s Clinical Information Security team. He has over 8 years’ experience in risk-driven healthcare security architecture, ranging from embedded systems to IT infrastructure, with a focus on medical device security. Andrew holds a bachelor’s degree in computer science from Southwest Minnesota State University and a master’s degree in security technologies (MSST) from the University of Minnesota. He is certified as both CISSP and GCFE.
Chief Information Officer
University of New Mexico
Matt Braun is the Chief Information Officer for the Health Sciences Center at the University of New Mexico. He previously served as Executive Director for IT at UNM’s Sandoval Regional Medical Center as well as the Director of Network & Infrastructure for UNM Hospitals. He previously worked for MIT Information Systems where he led the Academic Computing Server Operations Team and the Network Security Team. He has bachelor’s degrees in Mechanical Engineering and Theater from MIT and a master’s degree in Biomedical Engineering from UNC Chapel Hill where he was an NIH/NLM Medical Informatics Fellow.
Debra Bruemmer, CISSP
Manager, Clinical Information Security
Mayo Clinic Office of Information Security
Debra Bruemmer is the manager of the Clinical Information Security team at Mayo Clinic’s Office of Information Security in Rochester, Minnesota. In this role, Debra leads efforts to assess and improve the security of medical devices, facility systems, and clinical support systems used within the Mayo Clinic environment. She is responsible for understanding medical devices in the Mayo Clinic environment, assessing the vulnerability of medical devices, and partnering with vendors and internal staff to improve security. During her 17-year career at Mayo Clinic, Debra has worked in finance, information technology, and the Office of Information Security. Debra received her bachelor’s degree in finance from Winona State University, a master’s degree in business administration from Cardinal Stritch University, and is CISSP certified.
Manager Post-Market Cyber Security Services
Alexander joined Roche Diagnostics Germany in 2007. After various internships in IT-related functions and graduating as a B.Eng. IT in 2010, he moved to Switzerland to join Roche Diagnostics International as a Product Cyber Security Expert. In this role, Alexander established Cyber Security Testing in Product Verification & Validation, made key contributions to establish the risk-based Product Cyber Security approach Roche Diagnostics now follows, and supported over 100 product / platform development projects in the cyber security domain. Since 2016, Alexander has driven the establishment of Post-Market Cyber Security Processes in Roche Diagnostics and manages several associated division-wide cyber security services. Furthermore, Alexander has worked as an Internal Auditor in the RDI Quality Audit Team (2011-2016) and frequently provides process design and optimization advice to owners of software-related governance processes.
Stephanie Domas, PE, CEH
Lead Medical Security Engineer
Battelle DeviceSecure Services
Stephanie (Preston) Domas is Lead Security Engineer for Battelle’s DeviceSecure® Services. In this role, she is responsible for the design, architecture, verification, and execution of security best practices in the development of new medical devices as well as the testing and cybersecurity risk mitigation of legacy systems. Battelle has current active cybersecurity design and testing programs with many of the world’s largest medical device manufacturers.
Ms. Domas is an invited active member of the Association for the Advancement of Medical Instrumentation (AAMI)-UL Joint Committee 2800 - Medical / health device communication standards, the UL 2900 working group, and AAMI TIR 57 – Principles for medical device information security risk management. Ms. Domas has expertise in firmware reverse engineering (x86, x86_64, MIPS, 8051), penetration testing, application fuzzing, as well as application development (C/C++). Ms. Domas is a registered Professional Engineer (PE) in the state of Ohio, and a Certified Ethical Hacker (CEH). She has been published and widely quoted on medical cybersecurity topics in Journal of mHealth, MedDeviceOnline, MD+DI, FDANews, MassDevice, Reuters, The Hill, Neurotech Reports, Healthegy, Today’s Medical Developments, and Medical Design and Outsourcing. She has spoken at events for MassMEDIC, AdvaMed, and the Neurotech Leaders Forum and delivered technical webinars focused on cybersecurity best practices for medical device manufacturers for AAMI and FDANews. In addition, Ms. Domas serves as an adjunct faculty member at the Ohio State University College of Computer Engineering.
Denis Foo Kune, Ph.D.
Co-Founder, Virta Laboratories, Inc.
Dr. Denis Foo Kune is the co-founder of the cybersecurity company Virta Laboratories, Inc., where he protects healthcare companies and hospitals from cyber attacks. His academic research concerns side channels for data exfiltration, and analog injection attacks on medical devices. Through his volunteer efforts, Dr. Foo Kune has contributed to improving availability of cardiac implantable devices in developing countries. He has spent over a decade in the industry at the Honeywell Labs focusing on security for automation, avionics, and industrial control systems. He has a Master’s and Ph.D. in Computer Science from the University of Minnesota and did his postdoctoral research at the University of Michigan.
Dale Nordenberg, MD
Medical Device Innovation, Safety, and Security Consortium (MDISS)
Dr. Nordenberg, Executive Director for the Medical Device Innovation, Safety, and Security Consortium (MDISS), is a member of the Health Information Technology Standards Advisory Committee (ONC, HHS) and the FDA’s National Evaluation System for Technology Planning Board. He co-chairs the NHISAC’s Medical Device Security Information Sharing Council, including the medical device ISAO. He was CIO at CDC’s National Center for Infectious Diseases, and a member of the FDA Science Advisory Board’s technology review committee, 2007 and 2009. Dr. Nordenberg, also CEO of Novasano, is board certified in pediatrics and medical informatics. He completed medical epidemiology training at CDC.
Computer Scientist, NIST
Gavin O’Brien is a computer scientist with the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST). He launched the center’s first health IT use case and, since early 2013, has been overseeing a use case for mobile device security.
Prior to joining the NCCoE in 2012, Mr. O’Brien spent 13 years at NIST’s IT Laboratory where he spent much of his time working on healthcare testing tools. While working with groups inside the Nationwide Health Information Network (NwHIN), he also participates as a monitor for the IHE USA North American Connectathon.
Before his career with NIST, Mr. O’Brien worked in the startup community during the dot-com era in the mid-’90s for a few B2B companies. Mr. O’Brien received a bachelor of science in mathematics from Bates College and subsequently earned a master’s degree in computer science from the University of Tennessee
Fubin Wu is the Co-Founder of GessNet™, a software solution and consulting service provider for risk management and cybersecurity. He is also a voting member of the AAMI Medical Device Security Working Group. With over 16 years of experience in medical device quality management systems and hardware/software reliability engineering and risk management, Fubin has worked on a variety of medical device platforms including implantable devices and remote monitoring systems at Medtronic, infusion pumps at Hospira, and blood management standalone software devices at Haemonetics. Fubin has an MS degree in Electrical and Computer Engineering from Oregon Health & Science University (OHSU), and was a software developer at Intel prior to his career in the medical device industry.