9:15 - 9:30 am

Welcome

Kevin Fu, Ph.D

9:30 - 10:30 am

Keynote

Suzanne B. Schwartz, MD, MBA

Medical Device Cybersecurity Through the FDA Lens

Enhanced connectivity of medical technologies holds extraordinary promise for advancing patient care. Yet, with these benefits comes new kinds of threats—increasing cybersecurity risks. FDA encourages medical device manufacturers to carefully consider possible cybersecurity risks while designing medical devices and to have a plan to manage system or software updates. By focusing on cybersecurity during design, manufacturers can reduce vulnerabilities in their medical devices. But premarket considerations are only one aspect of medical device cybersecurity. While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats and emergence of newly identified vulnerabilities means risks may arise throughout a device’s entire lifecycle.

A big part of effective cybersecurity is creating a proactive approach and fostering multi-stakeholder collaboration, which will help stay ahead of cybersecurity threats and protect patients.

This keynote session will provide an overview of the evolving medical device cybersecurity landscape with particular emphasis on what medical device ecosystem partners are presently doing to address current gaps as well as future challenges; a description of multi-stakeholder efforts; and regulatory policy under FDA’s premarket and postmarket authorities.

11:00 am - 12:00 pm

AAMI TIR57: Principles for Medical Device Security—Risk Management

Geoffrey Pascoe

Participants will learn how to perform security risk management for medical devices using the principles outlined in AAMI’s recently published technical report, AAMI TIR57: Principles for medical device security—Risk management. We will discuss the differences and similarities between security risk management and safety risk management, as well as how to integrate the two following practices outlined in ANSI/AAMI/ISO 14971:2007(R)2010 Medical devices—Application of risk management to medical devices. We will also cover basic concepts in security as they apply to medical device security, such as threats and threat actors, vulnerabilities, assets, security risk, mitigation and risk treatment, single loss expectancy, annualized loss expectancy, confidentiality, integrity, and availability. Participants will work through a simplified example, applying the principles of TIR57. A short Q&A session will follow.

All conference attendees will recieve a FREE copy of AAMI TIR57: Principles for Medical Device Security—Risk Management, which provides guidance for addressing information security within the risk management framework defined by ANSI/AAMI/ISO 14971.

12:00 - 1:30 pm

Meet the Experts Lunch

• Bill Alert, Former Director of Product Security, Global Privacy and Security Office, Medtronic
• Julio Auto, Principal Information Security Engineer, Mayo Clinic
• Andrew (Drew) Bomett, M.S.S.T, CISSP, Product Security Manager, Boston Scientific
• Debra Bruemmer, CISSP, Manager, Clinical Information Security, Mayo Clinic Office of Information Security
• Alexander Diekmann, CISA, CISM, Manager Post-Market Cyber Security Services, Roche Diagnostics
• Stephanie Domas, PE, CEH, Lead Medical Security Engineer, Battelle DeviceSecure Services
• Kevin Fu, Associate Professorm, Computer Science & Engineering, University of Michigan
• Denis Foo Kune, Ph.D, Co-Founder, Virta Laboratories, Inc.
• Dale Nordenberg, MD, Executive Director, Medical Device Innovation, Safety, and Security Consortium (MDISS)
• Gavin O’Brien, Computer Scientist, NIST
• Fubin Wu, Co-Founder, GessNet™

Join leaders from Mayo Clinic, the FDA, Medtronic, the University of Michigan, and AAMI’s Device Security Working Group for a first-come, first-served seat at the table with conference leaders, speakers, and invited experts. This is your chance to get your most pressing questions answered all while enjoying a delicious lunch.

1:30 - 3:00 pm

Cybersecurity Policy and Standards for Medical Devices Panel

• Chantal Worzala, Director of Policy, American Hospital Association
• Iliana Peters, Senior Advisor, HIPAA Compliance and Enforcement, HHS Office for Civil Rights
• Jarvis Rodgers, IT Audit Director, U.S. Department of Health and Human Services (HHS), Office of Inspector General (OIG)
• Suzanne B. Schwartz, MD, MBA
• Matthew Scholl

Panelists provide insights and commentary on federal policies for medical device cybersecurity in this spirited conversation moderated by Dr. Kevin Fu.

3:30 - 4:30 pm

Patient Harm? Analyzing Cyber Security Vulnerabilities for Patient Safety Issues

Billy Rios, CISSP

CVE, CCE, CPE, NVD, CVSS, CWE… What is this alphabet soup and can we use this information to help us determine whether a particular vulnerability presents a patient safety issue? This talk provides case studies involving specific medical device vulnerabilities and covers strategies to determine whether those vulnerabilities present patient safety issues. We’ll explore the problem from the perspective of both the manufacturer and healthcare delivery organizations.

6:15 - 8:30 pm

Gala Dinner

Sponsored by Synopsys

Step back in time and join conference speakers and fellow attendees for a relaxing dinner at Epcot’s American Adventure Rotunda, where American history comes alive. We’ll meet at 6:15 at the conference center in the Grand Harbor Lobby and board buses that will take us to Epcot Center for the evening activities.

8:30 - 9:30 pm

Dessert & Illuminations

Sponsored by Siemens

End the night on a sweet note with a buffet of delightful confections and delicious wines from around the world at Epcot’s Italy Isola as you enjoy an unparalleled view of Epcot’s Illuminations: Reflections of Earth fireworks extravaganza. You’ve never seen or tasted anything like it!