Cyber Security for Healthcare & Med Device

Monday, October 24, 2022 — 9:30 AM – 4:30 PM

The Healthcare and Med Device Seminar brings together healthcare providers and medical device manufacturers to share knowledge that advances device safety and security. With a diverse set of speakers and range of industry perspectives, the full-day event emphasizes actionable lessons from large manufacturers and hospital systems that can also be applied to small and mid-size organizations to strengthen security programs. Participants include healthcare delivery organizations, device-makers, regulatory agencies, risk managers, insurers, security experts and more.

9:30 AM
Health Care & Medical Device Opening Remarks
Mary Diner, Information Security Director, Optum; Judd Larson, Medical Device Security, Medtronic

We built this agenda with the help of global healthcare cybersecurity experts and hope that you’re looking forward to it as much as we are! We focused on the needs of Medical Device and Healthcare Infosec leaders and other professionals. The people who solve unique and challenging problems in healthcare cybersecurity space that other cybersecurity experts have nightmares over. We’re keeping our Eyes Wide Open more than most 😉

This one day special track includes presentations from infosec managers, regulators, medical device companies, and leading edge suppliers that address these unique challenges. Even the most seasoned professional will find a new angle or ….something…. to take back to their organizations and put into practice.

Minnesota – Home to the Medical Alley Association, strong support from the University of Minnesota (Technological Leadship Institute, Archimedes, and Medical School), large medical device companies, world leading healthcare delivery organizations, strong innovation pipeline and history of world-changing healthcare technology.


9:40 AM
Frictionless & Secure Patient Care
Brian Kenyon, Chief Strategy Officer, Island.io

Healthcare and Care organizations spend significant time and capital in provisioning third-party care specialists access to web applications and critical systems. The process of sending physical hardware devices or asking care specialists to access via Virtual Desktop or Desktop as a Service offerings are costly, time-consuming and result in an unsatisfactory user experience. In this session learn how an Enterprise Browser can simplify access and security with your patient health information. In this talk we will discuss:
• Seamless onboard of care professionals
• Full control and visibility of all actions when accessing critical patient information
• Native and modern access and usage models


10:10 AM
Approach to Segmenting Medical Devices
Stefan Boehme, Medical Device Security Specialist, Children’s Healthcare of Atlanta

We’ve all heard the term “segmentation”. We’ve all learned that it is an important piece to our security program, but what does it mean? How do you turn it from a talking point to a list of actionable items? Where do you start? What is the goal? How do you maintain it? Stefan Boehme, Medical Device Security Specialist, will share his story on how he guided the segmentation of wired connected medical devices at Children’s Healthcare of Atlanta.


10:40 AM
A Single Source of Truth in Healthcare Asset Management
Derek Loomis, Subject Matter Expert, Axonius

Modern hospitals now have 10 to 15 connected devices per patient bed. This increase in devices, along with strict regulations around cybersecurity and personal health information security, create more challenges for healthcare security teams. Enter: cybersecurity asset management. Cybersecurity asset management can help healthcare organizations easily get a comprehensive, up-to-date inventory of their complex environment — one single source of truth that all teams can work from.
Join this session led by IT security expert Derek Loomis to learn:
• A typical organization’s various sources of truth — from HR, to network, to overall IT
• The challenges of maintaining a source of truth
• The value of all teams working from a single source of truth


11:10 AM
Medical device software end of life planning
Judd Larson, Medical Device Security, Medtronic

Every medical device company has products running code not written by them. That software ranges from components like a small software bridge that enables Bluetooth connectivity to an entire Windows operating system that runs underneath our clinical applications. As that software ages, there are inevitably vulnerabilities that introduce new risks. If they doesn’t control that software, how can we control these risks? This makes supporting our medical devices…tricky.


11:40 AM— Strategy Break

12:45 PM
Securing and Managing Connected Healthcare From Asset Inventory and Device Utilization to Zero Trust

Ben Stock, Director of Healthcare Product Management, Ordr

In the connected healthcare system, robots perform complex surgery, voice commands to Alexa devices are used as the nurse call button, and HVAC systems monitor air quality in surgery rooms. Telehealth and Telesitters are being used and will continue to be used across health systems to minimize patient movement and enable care.

These transformative hospital of the future initiatives vastly increase the stakes for healthcare cybersecurity. Connected medical devices can range widely, and often run outdated software even though they are a critical part of everyday operations and patient care. Unmanaged and unknown devices on the network create even more vulnerabilities, leaving hospitals open to ransomware and other malicious cyber-attacks.

Every conversation about the future of healthcare must include a strategy for securing medical technology. How can hospital leaders take responsibility now for determining what is connected to their networks and take the steps necessary to secure every IT, IoT and OT device on them?

Attend this session to learn about:


1:15 PM
Security Resilience Program and Medical Devices
Debra Breummer, Senior Manager, Mayo Clinic

Building upon its medical device security program, Mayo Clinic will share its journey to develop and implement a proactive, ongoing asset “certification/validation” process spanning the life-cycle of an asset. The program measures cybersecurity risk empirically at the asset level, which is consolidated to a fleet view. The talk will focus on key deliverables: secure baseline requirements, certification program, asset drift, and risk measurement. This program enables vulnerable assets to be identified and risks to be assessed and quantified.


1:45 PM
Crowdsourced Email Defense
Tonia Dudley, VP, CISO, Cofense

Phishing continues to be the preeminent approach attackers use to exploit an enterprise. Whether it’s ransomware, or credential theft, falling for email and social media attacks continues to cost people and businesses millions of dollars in damages and lost information. Attackers are constantly changing tactics and tradecraft against unwitting humans. Fortunately, there are people equipped to recognize and report these threats to their security teams. Cofense is in the business of preparing humans to be a first-line of defense, and equipping those humans and security professionals with information and tools to recognize and even stay ahead of attackers. Tonia Dudley will be discussing how Cofense leverages crowdsourced email threat intelligence to proactively position detection and mitigation tools to stop attacks, and how your employees play a critical part in your enterprise defense.


2:15 PM— Strategy Break

2:30 PM
Highlights from the new FDA Premarket Cybersecurity Guidance: Impacts that Medical Device Manufacturers Need to Know
Michelle Jump, Chief Regulatory Strategist, MedSec Security Services; Matt Hazelett, Cybersecurity Policy Analyst, FDA

The FDA released a new premarket cybersecurity guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff, on April 8, 2022. This guidance is the follow-up draft from the 2018 draft premarket cybersecurity guidance and significantly expands on several key areas, such as threat modeling, security risk management, SBOM, security architecture documentation, and overall security lifecycle processes. The FDA has paid particular attention to aligning these expectations to existing quality system regulations. As such, some of these expectations are currently being requested as part of submissions. This presentation will review the notable expectations in the guidance and identify those elements that are currently recommended to be included in an FDA submission even though the guidance is still draft.


3:00 PM
Essential Contract Provisions
Eran Kahana, Cybersecurity, AI and IP Attorney, Maslon LLP

Properly drafting data security language in a contract is essential for ensuring the data is protected from public exposure and misuse. All too often, however, parties opt for vague security provisions. Sometimes this is a result of the “drafting-by-momentum,” a tendency that relies on what’s been done before, by the organization, or other drafters. Other times it is just the result of carelessness. This session will highlight proper drafting considerations that can help effectively handle the various challenges organizations face in normal times and a pandemic environment.


3:30 PM
Translating G-speak to C-speak
Andrew Bomett, VP, CISO, Boston Scientific

Getting quality time with executives and decision makers isn’t easy in the fast-paced world we live in. It’s gets even more challenging, when communicating technical details to business-oriented leaders. This session on Translating G-speak to C-speak aims to provide you with some tips and insights to help you in your next engagement with the C-suite. We will review the different audiences in that group, their communication styles, and ideas of how to tailor your message so that you can get your message across and get the desired outcome.


Thank you to our Small Business Seminar Host

Supporters:

Thank you to our Small Business Track Planning Committee

**Sherwin Bothello, Medtronic

Debra Bruemmer, Mayo Clinic

Jon Crosson, H-ISAC

*Mary Diner, Optum

Dave Durham, Axonius

Ken Hoyme, Boston Scientific (Retired)

Michelle Jump, MedSec

Eran Kahana, Maslon

*Judd Larson, Medtronic

Michael Larson, EcoLab

John Linzy, Cofense

Dan Lyon, Boston Scientific

Adi Sitnica, Optum

* Program Chair
** Cyber Summit Executive Coordinator