Day 1

08:15 AM

CHAIRPERSON’S OPENING REMARKS

As the demand for shared health data and interconnected clinical systems rises to meet quality and pay-for-performance needs, the use of personal and commercial IoT is also accelerating. Meanwhile, recent very public cybersecurity breaches have helped galvanize the healthcare and technology industries, government and law enforcement, while bringing cybersecurity to the attention of patients and the general public. We must together identify threats, solutions, and realistic paths forward to ensure not just our privacy and security, but the viability of our Healthcare Industry. This presentation will offer a summary and analysis of recent concerning and damaging cybersecurity breaches in healthcare, from the Hollywood Presbyterian Medical Center ransomware attack to WannaCry, the Anthem breach settlement, the Equifax breach and the sale of Australian Medicare records on the web.
Michael Robkin, MBA, CISSP, Founder & President, Xelnt Healthcare Inc.

08:45 AM

KEYNOTE ADDRESS: THE ECONOMICS AND ECOSYSTEM OF THE DARK WEB

An overview of the supply chain, ecosystem, and value propositions of hacking, virus writing, sabotage, and ransomware will be presented from the “bad guys’” point of view, along with strategies for proactively combating cyber threats at their source.
Ron Williams, Chief Architect, IBM Security Systems

09:30 AM

KEYNOTE ADDRESS: MEDSEC VS. ST. JUDE MEDICAL: IMPLANTABLE DEVICES, VULNERABILITIES, AND THE LAW

In 2016, the security research firm MedSec and hedge fund Muddy Waters disclosed the presence of serious vulnerabilities in St. Jude Medical (SJM) implantable cardiac devices. In August 2017, SJM announced a historic recall of approximately 465,000 implantable devices. Dr. Green was one of the outside researchers invited to validate MedSec's findings. This talk will explain the technical aspects of the vulnerability and explore the long-term implications for medical device security.
Matthew Green, PhD, Assistant Professor, Department of Computer Science, Johns Hopkins University

10:45 AM

KEYNOTE ADDRESS: MEDICAL DEVICE CYBERSECURITY – ENGAGING WITH NON-TECHNICAL STAKEHOLDERS

Concerns about the cybersecurity posture of our medical device ecosystem have been growing, and so has our awareness of the risk to patient safety, care delivery, and the business of healthcare. With 2017 behind us, we have now seen the first actual impact: a hospital shutdown due to the WannaCry ransomware (including infection of medical devices), as well as a first FDA recall and recommended firmware upgrade of a pacemaker due to a cyber vulnerability. Besides the security and regulatory implications of these events, we also realized that cyber incidents now affect, and require decisions by, care providers and patients. And we find that we are not well equipped to make these new types of complex decisions, to communicate about them, or to train the non-technical stakeholders. In this session we will discuss the need for cybersecurity education for the clinical community and define the clinicians’ role in cybersecurity. Besides medical decisions resulting from a cyber situation, clinicians are also called on to support a hospital’s procurement process for new medical equipment and to actively engage in and support decision making that balances clinical needs with cyber risks. Further, patients are now coming to their care providers with medical device cyber concerns and are looking for advice. Yet we are ill equipped and have not developed the tools required to make these decisions and to provide sound advice to the patient community.
Axel Wirth, Distinguished Technical Architect, Symantec

11:30 AM

INCREASING THE ADOPTION OF STANDARDS-BASED CYBERSECURITY TECHNOLOGIES

This presentation will provide an overview of the National Cybersecurity Center of Excellence (NCCoE) and the NCCoE Healthcare Sector Team’s recently completed project, Securing Wireless Infusion Pumps in the Healthcare Delivery Organization. The NCCoE, part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues. Through consortia, the NCCoE applies standards and best practices to develop modular, easily adaptable example cybersecurity solutions using commercially available technology. Today’s wireless infusion pumps connect to a variety of healthcare systems, networks, and other devices improving the healthcare delivery processes. Using a medical device’s connectivity capabilities can create significant cybersecurity risk, which could lead to operational or safety risks.
Jennifer Cawthra, Healthcare Sector Lead, National Cybersecurity Center of Excellence (NCCoE), National Institute of Standards and Technology (NIST)

01:15 PM

US LEGAL AND REGULATORY FRAMEWORK

Numerous legal obligations have emerged for managing cyber risk for connected medical devices. This session will explore various cybersecurity laws, regulations, and standards governing design, development, deployment, and support for such devices. Learn about legal considerations for incident response and vulnerability disclosures.
Paul Otto, Senior Associate, Hogan Lovells

02:00 PM

INNOVATIONS IN SECURE IOT MEDICAL DEVICE APPLICATION SUPPORT

Many medical device companies now have application servers that require support and upgrades of application software. Devices have evolved from standalone units into modern, complex IT systems. The traditional way to provide this support is either on-site service or a VPN (virtual private network). On-site service is costly, and the traditional device service model doesn’t work with modern software deployment architectures. Healthcare institutions are often reluctant to provide VPN access to a vendor without a lengthy legal approval process, and some refuse VPN access altogether. Hospitals face legal, liability, regulatory and quality barriers to enabling vendor access to their systems (both the vendor’s product and the hospital systems that must be accessed to support it); for example, hospitals often deny vendors VPN access for privacy, legal and compliance reasons. Security of the network is the highest priority of the institution, but it can never be perfect: security is a trade-off between convenience, cost, support, etc. New support and service models in the industry that look to address these issues are discussed and compared.
David Hoglund, Founder & CEO, Integra Systems

02:45 PM

COGNITIVE DEVICES, INTERNET OF HOSPITAL THINGS – IOHT, SMART DEVICES; SAFER CARE

In today’s clinical environment, the volume of device information can be staggering and error prone; clinicians are struggling with what it all means. The sensor data available today creates a data deluge, along with false alarms that create overwork. With the advent of cognitive computing, we now have the ability to create digital agents that address many aspects of this device information tsunami and open opportunities to synthesize device data. Cognitive computing at the edge offers the potential to eliminate false alarms, connect data streams for diagnosis, and engage in new models of predictive care. Cognitive agents can now live on the instrument, combine with other systems, and create smart localized systems that provide continuous monitoring. This self-assembling, cognitive collaboration enables smarter sensing and predictive capabilities not available today. In addition, cognitive computing at the edge enables smarter systems that support new security models. By bringing AI technology to the device and the network, these devices can create smart systems that detect unusual activity more quickly, react, and enable ever-changing encryption and security models. This session will cover the enablement of devices, cognitive networking and the security capabilities that can now be enabled in Healthcare and Life Sciences.
Chuck Parker, Global Healthcare Lead, Beyond Limits

03:45 PM

NEW THREAT REPORT ON IOT MEDICAL DEVICES

The rapid adoption of connected IoT medical devices has both enhanced the quality of care and increased the vulnerability of healthcare organizations. Although almost 10 months have passed since WannaCry first disrupted the industry, many organizations continue to struggle to implement a comprehensive security plan against such attacks. Reliable real-world data on connected medical devices, from a cybersecurity perspective, simply did not exist.

In this session, we will share exclusive details and statistics based on analysis of tens of thousands of connected medical devices deployed in real-world environments. Learn how your organization compares with the studies, which outline the types of devices in service, the devices with the most security issues, and the most common causes of security issues in connected medical devices. Most importantly, learn how to plan your security implementations based on concrete research data not previously available.
May Wang, PhD, Chief Technology Officer, ZingBox

04:30 PM

ON THE FLY CONTEXTUAL SECURITY RISK MANAGEMENT

With medical devices getting increasingly connected and cyber threats becoming more targeted and sophisticated, there is growing recognition of the need to secure these critical devices. But with the wide variety of systems and vendors on one hand yet extremely limited resources on the other, providers have a difficult time prioritizing the critical risks they need to focus on. To prioritize, they need to understand their inventory, criticality of every device and the likelihood of having a security incident. Further, since security threats change daily and attacks are moving rapidly, they need to have a real-time view into their environment. This session will focus on the challenges of implementing a mature and continual risk management program and will map out a path forward.
Shankar Somasundaram, CEO, Asimily

Day 2

08:00 AM

CHAIRPERSON’S OPENING REMARKS

Michael Robkin, MBA, CISSP, Founder & President, Xelnt Healthcare Inc.

08:15 AM

KEYNOTE ADDRESS: THREAT MODELING 101 – LEARNINGS FROM REAL DESIGN

Threat modeling is often relegated to a simple approach and performed in a non-systematic way. Threat modeling is actually one of the most important aspects of any security architecture or analysis. Security threat modeling must drive the software architecture and inform validation ‘hooks’ that are integral to the software design. This session will discuss practical approaches that can be considered when generating a threat model. Real-world threat model examples and corresponding system design will be presented.
Michael Taborn, Chief Architect, IOTG Healthcare Sector, Intel Corporation

09:00 AM

SECURE MIDDLEWARE

Cybersecurity has concentrated on “detect and remediate” as the primary method of defending systems against cyberattack. “We can’t keep them out” has been the conventional wisdom for many years and is largely the result of the one-size-fits-all approach to cybersecurity that tries to protect all kinds of systems. This approach has had limited success, as we see the rate of successful cyberattacks rising each year. Our approach is to specialize cybersecurity for a particular use, and to perform that cybersecurity extremely well. Control systems are the new favorite target of cyberattackers. We use the highly constrained nature of control system messages to construct a secure middleware that builds specialized cybersecurity into the messaging communications, achieving high confidence in the security of control system network communications.
David W. Viel, PhD, Founder & CEO, Cognoscenti Systems, LLC

09:30 AM

THIRD PARTY RISK MANAGEMENT FOR MEDICAL DEVICES

How to perform automated, low-lift third party risk management (TPRM) for medical devices: hospitals and health systems manage a myriad of devices across their multiple facilities but are usually unaware of what risks are present in those devices. Shahid Shah, a cybersecurity expert and medical device software architect, will show how to manage third-party risk assessments across multiple medical device vendors so that the scoring and ranking work is almost eliminated on the health system side and pushed to suppliers.
Shahid Shah, CEO, Netspective Communications

10:30 AM

LEVERAGING EXPLOITS TO MANIPULATE CARE WORKFLOWS

Presented by the organizers of the security research concept IoT Village, this session delivers live demos of exploits against biomedical devices, including patient monitors, a piece of security research that was recently featured on a CBS Network On Assignment segment. The presentation addresses the impacts that such exploits could have on the delivery of care, and the corresponding impacts to patient safety. Attendees will leave with actionable insights on how to remedy similar underlying security flaws across all connected devices.
Sam Levin, Community Specialist, Independent Security Evaluators

11:00 AM

A MEDICAL DEVICE RISK ASSESSMENT PLATFORM

Healthcare has become an information industry, and medical devices are a critical source of that information. Healthcare systems have thousands of medical devices, and anywhere from 15% to 35% of them can maintain data. The MDISS Medical Device Risk Assessment Platform (MDRAP) is a unique risk assessment platform that helps stakeholders from manufacturers to end users better understand the risks inherent in their medical devices. This data commons approach enables providers to identify the devices creating the greatest risk and the security attributes where applied controls can reduce the threat surface. This discussion will review the environment and present a strategy for understanding and addressing medical device cyber controls.
Phil Englert, VP Health Systems, Medical Device Innovation, Safety, & Security Consortium, (MDISS)

11:30 AM

APPLICATION OF MEDICAL DEVICE CYBERSECURITY TO THE MILITARY HEALTH SYSTEM (MHS)

This talk will summarize previous, current and future efforts under execution by the Defense Health Agency as it develops the policies, procedures, standards and guidelines necessary to cybersecure the medical devices and equipment that are interconnected with other medical facility OT/IT systems and with the Electronic Health Record system.
Michael Schroeder P.E., GICSP, PMP, LEED AP, Director of Programs, 3 Territory Solutions, LLC

12:00 PM

PANEL AND AUDIENCE DISCUSSION: WHERE DO WE GO FROM HERE?

A moderated discussion to collect ideas, solutions, and advocacy topics necessary to improve the security of the Healthcare Industry.
  • Healthcare has unique security and safety requirements and diverse stakeholders; Medical Device Manufacturers, the FDA, Government Agencies, Hospitals, ONC, Physicians, Suppliers, and Payers each have different security roles. This panel will discuss their boundaries and where there may be gaps or overlap in the responsibilities or capabilities of the major stakeholder groups.
  • Discussion and debate on security and privacy from the patient’s perspective: Do privacy breaches impact the patient/provider relationship? When does security become a safety issue? Who owns the patient’s data? Who should?
Moderator:
Joseph Ternullo, JD, MPH, President, Society for Participatory Medicine
Panelists:
Dena S. Puskin, ScD, Consultant, DJP Consulting
Tina Wellman, Vice President of Sales, North America, Pulse Infoframe
Axel Wirth, Distinguished Technical Architect, Symantec

01:00 PM