Secrets of successful medical device connectivity
Bill Saltzstein, Code Blue Communications, Playbook Vancouver 2017

Agenda
* The secrets:
  * All medical devices shall be connected
  * You shall understand the requirements requirements
* Wandering and wondering the wide world of wireless
* Two keys/pleas from me
* Q&A

4/5/17 MEDICAL DEVICE Playbook Vancouver 2017. Copyright (c) Code Blue Communications

All medical devices shall be connected
* Why?
* Where?
* How?

All medical devices shall be connected – Why?
* Replace wired connections
* Mobility/safety
* Data collection
* Telemedicine
* Remote consultation & review (photo)
* Home Health
* Aging in Place
* Health and Fitness
* Cloud connectivity
* Electronic Health Record (EHR)
* Big Data analytics

Emergency! 1972-1977

All medical devices shall be connected – Where?
* Classic answers:
  * Hospital
  * EMS
  * Home
* Real answers:
  * Starbucks
  * 37,000 feet
  * Stuck on I-5
  * In the bathroom
  * In the elevator
* Real environments require creative solutions for connectivity

Example: Chrono Therapeutics Technology + Psychology
[Diagram labels: Wearable: sensors, button, Rx delivery; Usage, data; Settings, software; Patient info, data; Settings, software; AI coaching; Use data; EHR?; Real-time Personal Coaching/Analytics; Billing; Short-range; Long-range; Enterprise]
Photos and information obtained from www.chronothera.com

How: Understand the requirements requirements for connectivity
* Too many times we come up with the answer before the question (42)
  * Connectivity doesn’t make the product
  * Connectivity enables the product
  * Behavior modification: Technology cannot directly address Psychology
* Understanding the use model is essential for connectivity decisions
  * Users – note the ‘s’
  * Environment – home, Starbucks, hospital, EMS, airplane, …
  * International
* Requirements to consider for mobility
  * Power management and charging – batteries, batteries, batteries!
  * Body proximity – antennas, antennas, antennas!
  * BYOD (Bring Your Own Device)

Wandering and wondering in the wide world of wireless
* Two real choices for short range
  1) WiFi
  2) Bluetooth
* Multiple flavors of Cellular for long range (nG, low rate)
* Everything else
  * MICS (Medical Implant Communication System)
  * MBAN (Medical Body Area Network)
  * ZigBee, Thread (802.15.4)
* Heresy: remember that a wire can still be a good thing
  * Remember to consider/compare the wired experience

How to choose?
* Go back to your requirements and environment!
  * If you need long-range, independent connectivity → cellular
  * If you’re in hospital and need EHR connectivity → WiFi
  * For anything else → Bluetooth
  * Full disclosure: I’m a Bluetooth geek…
* Right, now which flavor of Bluetooth?
  * Bluetooth classic if
    * Audio
    * High-rate streaming
    * Long range
* For now… Bluetooth 5 provides for those needs if you can wait

The dual-edge of standards
* The issues:
  * Is there real compatibility?
  * Marketplace – is compatibility an asset or a liability?
  * Regulatory and testing
* Wireless standards bodies
  * Bluetooth SIG – legal requirement
  * WiFi Alliance – marketplace requirement?
* Industry compatibility specifications
  * AAMI – primarily for in-hospital devices
  * Continua Alliance
  * Bluetooth SIG
    * Bluetooth Transcoding Whitepaper
    * Health/medical profiles – use them if you wish
    * With Bluetooth low energy you can make your own
* Medical regulatory requirements
  * FDA
  * European regulations (and what about the UK?)
  * Other country specific requirements

My pleas – Please!
* Design for regulatory
* Understanding testing requirements
* Real-world environment based
* Interoperability/compatibility
* Design-in testability features
* Design for security
* Security as part of hazard analysis & mitigation
* Don’t do this → [graphic labels: Features; ship; implement security]

Summary
* The true secrets are in Understanding and Planning
  * Understand where and how connectivity benefits/enables your system
  * Understand the use models
  * Pick the technology and system components based on the requirements, not the cool-factor
  * Design-in for regulatory and security up front

Q&A
* Bill Saltzstein
  Code Blue Consulting
  bill@consultcodeblue.com
  425-442-5854

Backup slides and reference material

Notes on requirements
* Extract requirements, not solutions
  * Yes: “battery powered”, “disposable”, “body-worn using adhesive”, “interface to smartphones”
  * No: “Bluetooth low energy”
* Identify Interoperability and Compatibility
  * Medical device interoperability – how does it operate/interface to other systems or devices
  * Infrastructure – “shall connect using in-hospital wireless infrastructure”
  * Information systems – “shall support data flow to EHS including Cerner and McKesson”
* Identify Obsolescence and technology lifecycle
  * Consider mismatch between Medical Device lifecycle and Wireless technology lifecycle
  * “shall be maintained for 5 years of sales, 10 years of support”
* Consider Cyber Security
  * “shall comply with HIPAA”
  * “shall support US VA sales” (e.g., FIPS 140-2 specification requirement)
* Identify Country-specific regulatory requirements
  * “shall support sales to the following countries”
  * Good to include these in groups – initial countries, 2nd wave, 3rd wave, …

Recommended FDA guidance
* FDA landing page for Digital Health
  * http://www.fda.gov/medicaldevices/digitalhealth/
* General Wellness: Policy for Low Risk Devices
  * http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM429674.pdf
* Mobile Medical Applications
  * http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM263366.pdf
* Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices
  * http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM401996.pdf
* Radio Frequency Wireless Technology in Medical Devices
  * http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077272.pdf
* Guidance for Industry, FDA Reviewers and Compliance on Off-The-Shelf Software Use in Medical Devices
  * http://www.fda.gov/downloads/MedicalDevices/.../ucm073779.pdf
* SOFTWARE AS A MEDICAL DEVICE (SAMD): CLINICAL EVALUATION (draft)
  * http://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm524904.pdf
* Enforcement discretion
  * http://www.fda.gov/MedicalDevices/DigitalHealth/MobileMedicalApplications/ucm368744.htm

Selected Cybersecurity References
* Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software
  * http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077823.pdf
* Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
  * http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf
* Postmarket Management of Cybersecurity in Medical Devices
  * http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022.pdf
* NIST: Cybersecurity Practice Guide, Special Publication 1800-1: “Securing Electronic Health Records on Mobile Devices”
  * https://nccoe.nist.gov/projects/use_cases/health_it/ehr_on_mobile_devices
* NIST: Guide to Bluetooth Security
  * http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-121r1.pdf
* ISO 14971:2007 Medical devices -- Application of risk management to medical devices
  * http://www.iso.org/iso/catalogue_detail?csnumber=38193
* HHS: Your Mobile Device and Health Information Privacy and Security
  * https://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security
* Archimedes – Ann Arbor Research Center for Medical Device Security
  * https://secure-medicine.org
* BITAG: Internet of Things (IoT) Security and Privacy Recommendations
  * http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

AAMI
* TIR57: Principles for medical device security — Risk management
  * https://standards.aami.org/kws/public/projects/project/details?project_id=876
* TIR59: Risk Assessment of radio-frequency wireless coexistence for medical devices and systems
  * https://standards.aami.org/kws/public/projects/project/details?project_id=1114
* ANSI C63.27

Bluetooth SIG
* Transcoding (and other) Whitepapers: https://www.bluetooth.com/develop-with-bluetooth/white-papers

The 2.4 GHz world…