Information security in healthcare is being taken more seriously by legislators, with more stringent requirements and severe penalties for breaches that can run into many millions of euros or dollars. For medical device manufacturers, the risk of hazards arising from even unintentional corruption of data must be made as low as possible, which in practice means applying information security controls that are state of the art and in line with harmonised standards. This is compounded by the increasing use of data in healthcare settings and the greater complexity of data systems that results from cloud service providers offering cost-effective and scalable data solutions.
New EU data protection legislation, which applies from 2018, mandates, amongst other things, privacy by design. Many medical device manufacturers' systems are not yet compliant and may require significant development effort on both hardware and software components to achieve compliance.
Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. This vulnerability increases as medical devices are increasingly “connected” to the Internet, hospital networks, and to other medical devices.
In a recent study, a variety of medical devices and healthcare-related IT systems currently in use in hospitals were found to have serious security vulnerabilities that could be exploited relatively easily. These included drug infusion pumps (used for purposes including delivering anaesthetics, chemotherapy and life-supporting drugs) that could be remotely manipulated to change the dose delivered to patients; wireless implantable cardioverter-defibrillators that could be maliciously programmed to deliver unnecessary and potentially fatal shocks to a patient's heart, or to withhold a shock when one was needed; blood storage refrigerators whose temperature settings could be reset; and electronic health records that could be altered, potentially causing doctors to misdiagnose conditions and prescribe the wrong treatments.
What you will learn
This advanced training event will highlight the sources and scope of the threats and identify the common vulnerabilities. It will present practical, best practice guidelines that work within the framework of medical device software development standards including:
- Technical Requirements
- Administrative Requirements
- Physical Requirements
EU General Data Protection Regulation (GDPR)
- Health Data Scope
- Security Requirements
- Data Portability
- Right to be forgotten
- Export of Data
- Informed Consent
- Profiling Requirements
- Impact Assessment
- ISO/IEC 27001 — Information technology — Security techniques — Information security management systems — Requirements.
- ISO/IEC 27002 — Code of practice for information security management.
- ISO/IEC 27003 — Information security management system implementation guidance.
- ISO/IEC 27004 — Information security management — Monitoring, measurement, analysis and evaluation.
- ISO/IEC 27005 — Information security risk management.
- Risk Management: What are the threats, how might they arise and what tools and technologies might they use.
- Development planning: How to incorporate effective strategies throughout development to deal with cybersecurity threats, including the resources and expertise required and verification and validation planning.
- Requirements Management: How and what to specify in Software Requirements Specifications.
- Architectural Design: How to create inherently secure software architectures.
- Detailed Design and Coding: How to design for security and eliminate coding errors that lead to vulnerabilities.
- Verification and Validation: How to test for security.
- Post Market Surveillance: What to include in PMS activities.
- Regulatory Submissions: What to include in regulatory submissions in the EU and US about cybersecurity.
Who should attend
- Medical Device Manufacturers: CEOs, COOs, Heads of Regulatory Affairs, Heads of QA, R&D Managers, Software Managers, Architects and Engineers;
- Healthcare Providers: IT Systems Managers, Purchasing Specialists
Our location in the heart of the city means that IET Birmingham: Austin Court is fully accessible by all major transport links across the Midlands and is conveniently located seconds from the National Indoor Arena.
Peter Brady is a healthcare and medical device software and systems specialist with a deep understanding of software development and of international regulation and standards. His key skills are in software development, safety risk management and information security, with experience ranging from low-cost embedded solutions to complex systems running on multi-core parallel processors. He has wide experience in healthcare sectors including oncology, proton therapy, imaging, implantable devices, renal therapy, diabetes management, vascular therapy, minimally invasive surgical devices, pressure area care, point-of-care diagnostics and drug delivery. He has worked as an engineer, manager and director, and is also an approved EU Notified Body assessor for software submissions. He has successfully developed both Quality Management Systems and Information Security Systems for leading medical device manufacturers.
When & Where
Ascensys Medical Limited
Ascensys Medical is a specialist consulting firm focussed on medical device software, connected "smart" devices and software security in healthcare applications.