Kevin McDonald
Director, Clinical Information Security, Mayo Clinic
Kevin McDonald has over 35 years of healthcare experience in various roles. He holds degrees in Nursing, Education and Information Systems. His work experience includes direct patient care, management, electronic medical record implementation, and information technology and security. Kevin's current role at Mayo Clinic is Director of Clinical Information Security in the Office of Information Security, with one of his primary responsibilities being the security of medical devices.
Keynote Address: Medical Device Security in a Connected World
Dr. Robert Jamieson, Ed.D., CISSP
Chief Information Security & Privacy Officer
Mallinckrodt Pharmaceuticals
Dr. Robert (Bob) Jamieson is currently the Chief Information Security Officer for Mallinckrodt Pharmaceuticals and is responsible for leading a global effort to provide a secure information/digital environment for Mallinckrodt’s clients and internal users. Prior to this he was the Information Security Director for UL, LLC. Before working within the private sector, Bob served 22 years in the US Marine Corps, where his primary focus was on Information/Data Security. His final assignment within the Marines was as the Commanding Officer of the Marine Corps School for Electronics. Bob holds a Bachelor’s in Business Information Systems from National University, a Master of Business Administration from the University of Redlands, and a Doctor of Education in Organizational Leadership from Argosy University.
Historical Perspective - Solving the Mode 1 Cybersecurity Problem
We have already transitioned into an era of device-to-device communications (commonly known as the Internet of Things) and are rapidly increasing the number of things that participate in these new ecosystems. As we do this, we are adding tremendous capabilities to benefit mankind and enhance our lives. Unfortunately, these new technologies also come with significantly increased cybersecurity risks that need to be addressed so that the devices aren’t used to harm people or the systems that they were designed to benefit. To address these risks we must first solve our current cybersecurity problems (our Mode 1 problem) so we can create the cybersecurity solutions that will enable these technologies (Mode 2). This talk provides specific steps to solve the Mode 1 problem.
Shelby Kobes
Health Security Architect / President
Kobes Security, INC
Shelby Kobes has been a medical device health industries consultant for the past 13 years, most recently with Kobes Security INC. Shelby has over 13 years of technical experience in a variety of roles across healthcare and technology organizations. Shelby has deep technical and academic experience in the security testing and organizational architecture of how to secure a variety of medical and diagnostic devices. Shelby has been involved in many initiatives domestically, including a range of IT HIPAA/HITRUST assessments and medical device program development architectures for healthcare organizations. Shelby has worked on medical device projects with Unity Point Healthcare System, OPTUM, UHG, Welmed, South West Medical Associates, and PWC Healthcare IT Risk and Privacy. Shelby has an MS in Information Security from Iowa State University College of Engineering, an MA in Leadership, and a BA in Education.
Managing Risk Across Diverse Devices
Security systems are more complex than ever, but we are still seeing major systems being compromised. IT departments have developed very mature systems and processes that allow them to protect some data and secure networks from a network systems development and engineering perspective. Even with these systems in place, there is a disconnect between clinical engineering and information technology that is causing vulnerabilities.
In this presentation I will discuss my findings and security issues associated with medical devices from my current research and large hospital medical device security projects I have completed. I will discuss common challenges and improvements that can be made by both hospitals and manufacturers that will help improve the security, privacy and health of the patient. I will present a plan that can be used to help prioritize medical devices. Finally, if time permits, I will demonstrate current over-the-market hacking devices and their potential to cause issues within the hospital setting.
Rebecca Herold, CISSP, CISM, CISA, CIPT, CIPM, CIPP/US
CEO, The Privacy Professor
Co-Founder & President, SIMBUS360
Rebecca is an information privacy, security and compliance consultant, author and instructor who has provided assistance, advice, services, tools and products to organizations in a wide range of industries during the past two decades. Rebecca is a widely recognized and respected information security, privacy and compliance expert.
Rebecca has over 25 years of systems engineering, information security, privacy and compliance experience, is CEO of The Privacy Professor® consultancy she established in 2004, and is co-founder of SIMBUS360 Information Security, Privacy & Compliance cloud services. She has authored 17 books and hundreds of articles. Rebecca appears monthly on the KCWI23 Great Day television show to raise public awareness of current information security and privacy topics. She has been leading the NIST SGIP Smart Grid Privacy Subgroup since 2009, and has been in the IEEE Par 1912 Privacy and Security Architecture for Consumer Wireless Devices Working Group since mid-2015. She has also been an Adjunct Professor for the Norwich University MSISA program since 2005. Rebecca holds the following certifications: CISSP, CISA, CISM, CIPT, CIPM, CIPP/US, FLMI.
Panel Moderator: Development of Cybersecurity Guidelines for Medical Devices
What types of cybersecurity protections and privacy controls should engineers build into medical devices? During this insightful roundtable discussion session the HHS OCR will describe the types of controls they expect to see in medical devices collecting, transmitting and storing PHI, along with the obligations of medical device vendors that qualify as business associates under HIPAA. The FDA will discuss their recommendations for medical device cybersecurity. The DHS will describe the importance of medical device security for protecting the critical infrastructure. NIST and IEEE will describe the standards that medical device engineers can use to build in security and privacy controls. Discussion will also cover how all government agencies and standards bodies can support each other in ensuring that medical device security and privacy are appropriately addressed by device manufacturers.
Seth Carmody
Cybersecurity Project Manager,
FDA Center for Devices and Radiological Health,
Office of the Center Director,
Emergency Preparedness/Operations & Medical Countermeasures
Dr. Carmody is currently on detail as the Cybersecurity Project Manager in the Office of the Center Director, Emergency Preparedness/Operations & Medical Countermeasures. Seth also serves as a subject matter and policy expert with CDRH’s Cybersecurity Working Group. Seth joined the FDA’s Center for Devices and Radiological Health in 2011 as a medical device reviewer in the Division of Chemistry and Toxicology Devices where his duties focused on premarket approval of diabetes-centric devices and software recalls.
Nicholas Heesters
JD, CIPP, Health Information Privacy & Security Specialist,
HIPAA Compliance & Enforcement,
U.S. Department of Health and Human Services,
Office for Civil Rights
Nicholas Heesters is a certified information privacy professional with over 25 years of experience supporting technology and information security efforts in many diverse industries including financial services, government, defense, education and healthcare. Mr. Heesters earned his Bachelor of Science in Computer Science from the University of Delaware, his Master of Engineering in Computer and Software Engineering from Widener University, and his Juris Doctor from the Widener University School of Law. Currently, Mr. Heesters works for the U.S. Department of Health and Human Services Office for Civil Rights supporting HIPAA compliance and enforcement activities.
Gavin W. O’Brien
Computer Scientist
NIST
Gavin O’Brien is a computer scientist with the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST). He launched the center’s first health IT use case and, since early 2013, has been overseeing a use case for mobile device security. Prior to joining the NCCoE in 2012, Mr. O’Brien spent 13 years at NIST’s IT Laboratory, where he spent much of his time working on healthcare testing tools. He has worked with groups inside the Nationwide Health Information Network (NwHIN), and he also participates as a monitor for the IHE USA North American Connectathon. Before his career with NIST, Mr. O’Brien worked in the startup community during the dot-com era in the mid-90s for a few B2B companies. Mr. O’Brien received a Bachelor of Science in mathematics from Bates College and subsequently earned a master’s degree in computer science from the University of Tennessee.
Panel Discussion: Development of Cybersecurity Guidelines for Medical Devices
William Ash
Strategic Program Manager for the
IEEE Standards Association
Bill Ash is the Strategic Technology Program Director for IEEE-SA. He received his BSEE from Rutgers University School of Engineering.
His background is in the RF industry, where he worked as an applications engineer on wireless communications systems. Bill has been with the IEEE Standards Association (IEEE-SA) for over 12 years, working with standards development groups covering technologies such as RF emissions, distributed generation and the National Electrical Safety Code®. He is currently leading the eHealth, smart grid, and smart cities programs for the IEEE-SA.
Panel Discussion: Development of Cybersecurity Guidelines for Medical Devices
According to some studies done by leading firms, nearly $30B to $50B of inefficiencies were attributed to the lack of healthcare data interoperability. Standards provide the mechanism by which to allow data and system interoperability to occur. Standards are also important for security, as they play an important role in exchanging information while protecting privacy. Using standards to allow for a secure and interoperable system would allow all touch points within the healthcare information and assessment chain to utilize the information in a meaningful way.
Michael Geraghty
Acting Director of Cybersecurity,
Director of the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC)
Mike Geraghty is the Director of the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), the State's Information Sharing and Analysis Organization (ISAO). He was named to the position in July 2016. Prior to his appointment, Mr. Geraghty served as Chief Information Security Officer (CISO) of the Hudson's Bay Company, Chief Information Officer of the National Center for Missing and Exploited Children, and Vice President of High Technology Investigations at Prudential Financial. Previously, Mr. Geraghty served 12 years with the New Jersey State Police, where he led the formation and development of the High Technology Crimes Investigation Unit.
Mitchell Parker
Chief Information Security Officer
Temple University Health System
Mitchell Parker, CISSP, is the CISO at Temple Health, an academic health system in Philadelphia, Pennsylvania. He is also an adjunct professor in the Information Technology Auditing and Cyber Security program at the Fox School of Business, Temple University, where he teaches the Cyber Security Capstone. Mitch developed and implemented the information security program at Temple Health, and regularly works with multiple non-technology stakeholders to improve it. He also speaks regularly at multiple conferences and workshops, including HIMSS Privacy and Security, SC Congress NY, and HealthImpact Chicago. Mitch has a Bachelor's degree in Computer Science from Bloomsburg University, an MS in Information Technology Leadership from LaSalle University, and an MBA from Temple University.
Engineering Keynote: Setting Expectations with Vendors
The major issue with third parties these days is vendor communication. This is because few expectations have been set for how medical devices need to be operated and maintained in customer environments, or for who is responsible for which aspects of support. Mitch will talk about his experiences in reviewing biomedical products and electronic medical record systems for operational security requirements, and in working with vendors to improve theirs, not only for Temple but for other customers as well.
Dave Saunders
VP Product Management and Development
Galen Surgical Robotics
Serial tech sector entrepreneur, Dave Saunders has taken over 40 Internet-based products from inception to market since 1991. He has led diverse product development programs including desktop Internet software, access concentration, telco switching, virtual machine clustering and computer-vision-guided surgical tools. An ardent supporter of the Internet of Things, he continues pursuing his vision of a connected world that enriches lives as co-founder and vice president of product development for Silicon Valley-based medical systems creator Galen Robotics.
Engineering Case Study/Workshop: Security by Design
The recently published FDA guidance for Post-market Management of Cybersecurity in Medical Devices shows that companies must show a best-effort approach to cybersecurity challenges when designing new medical devices. Developers also need to address and manage vulnerabilities after the product has entered the market. In his talk, Dave Saunders will present details of a surgical robotic system under development and its paths of communication for operation, monitoring, remote service and EMR integration. Following his talk will be a panel discussion exploring potential points of vulnerability, mitigation strategies and how to relate these to other Internet-of-Medical-Things integration capabilities for attendees seeking cybersecurity management strategies for their own devices.
Wade Trappe
Professor, Dept. of Electrical and Computer Engineering
Associate Director, Wireless Information Network Laboratory (WINLAB)
Rutgers, The State University of New Jersey
Wade Trappe is a Full Professor of Electrical and Computer Engineering at Rutgers University, a Fellow of the IEEE for his contributions to information and communication security, and Chair of the IEEE Information Forensics and Security Technical Committee. He is Associate Director of the Wireless Information Network Laboratory (WINLAB), where he directs the lab’s research in wireless security. He has led numerous NSF and DoD projects that have resulted in new approaches for securing wireless and sensor networks, and countermeasures that ensure the operational security of tactical networks. Prof. Trappe’s research has resulted in over 200 articles and five textbooks on information security.
Engineering Case Study/Workshop: Security by Design
The purpose behind this short workshop is to walk the audience through the thought processes associated with identifying and understanding security risks that might exist in medical devices. The talk will first examine a specific real-world scenario involving surgical robots. With this example as motivation, the talk will then storyboard a hypothetical IoMT system, called WellMon, intended to support elder care. The audience will be interactively guided through the process of identifying attacks against this synthetic example, as well as outlining potential countermeasures that can be applied to enhance WellMon’s security.
Bhavesh Chauhan
Principal Client Partner-Global Security Evangelist
Verizon Enterprise Solutions
Emerging Data Breaches
Colin Morgan, CISSP, GPEN
Global Product Security, Sr. Manager
Johnson & Johnson
Colin Morgan, Johnson & Johnson Information Security & Risk Management, is leading the company’s Global Product Security initiative to integrate cybersecurity into the Johnson & Johnson product development lifecycle and post market surveillance processes. This effort is focused on developing fundamental cybersecurity policies, standards and processes; establishing integral partnerships with both internal and external organizations; driving education and awareness plans; and monitoring and assessing industry and regulatory trends. Colin has worked in the cybersecurity field for a number of organizations including the Central Intelligence Agency and the National Oceanic & Atmospheric Administration. He is a featured speaker on cybersecurity and is passionate about the integration of the competency across all industries. Colin has his Bachelor’s degree in Computer Engineering from The College of New Jersey, a Master’s degree in Telecommunications from George Mason University, and is CISSP and GPEN certified.
Roundtable: The Road Ahead - Pharma/Device Perspectives
Roberta Hansen
Director, Digital Product Cybersecurity
Abbott
Roberta is the Director of Medical Device Cybersecurity in the BTS Organization. Focused on connected medical devices and product software, her group ensures that Abbott pipeline and on market products are designed and developed safely and securely.
Roberta began her Abbott career in 1997 as a Project Manager for the Controllership in our Corporate Engineering Division. She led many project and program management roles within Research & Development, Commercial, Supply Chain, Human Resources, and IT Risk Management. Recent FDA Medical Device Regulations paved the way for her governance of medical device design and development and integration with cybersecurity controls.
Roberta holds a Master of Business Administration from Lake Forest Graduate School of Management, where she was also Valedictorian. She holds a Bachelor of Arts in Global Business from The University of Michigan – Ann Arbor. She also holds the Project Management Professional (PMP) designation.
Roundtable: The Road Ahead - Pharma/Device Perspectives