Cybersecurity Seminar Series
UCSF-Stanford CERSI-FDA Distinguished Speaker Series on Cybersecurity for Biomedical Engineering
Takes place monthly, on the third Thursday of each month from 9-10 am Pacific time
Overview
This joint FDA and UCSF-Stanford Center of Excellence in Regulatory Science and Innovation (CERSI) speaker series consists of one-hour virtual lectures on cybersecurity topics with application to medical device security and biomedical engineering. The key goal is to introduce key concepts of cybersecurity science and engineering via distinguished academic speakers to the biomedical engineering and manufacturing communities. Topics covered include human factors for cybersecurity, trustworthy medical device software, security engineering for machine learning, cybersecurity of computer vision, threat modeling, software bills of materials, software safety, cybersecurity regulations, and the science of cybersecurity. This speaker series is an educational opportunity, not intended to discuss FDA policy.
Schedule
2024 - 2025 |
||
Date | Talk Title | Speaker(s) |
11/21/24 |
Penetration Testing of Medical Devices In this presentation, Jan Küfner, Team Leader of Penetration Testing at TÜV SÜD, will discuss penetration testing of medical devices. As the healthcare sector becomes increasingly reliant on connected medical devices, ensuring their cybersecurity is essential for patient safety. This presentation will delve into the critical need for medical device penetration testing (pen-testing) in identifying vulnerabilities and protecting both devices and patient data from cyber threats. We will begin by explaining the role of notified bodies in the medical device industry, particularly their involvement in assessing compliance with regulatory requirements. The growing importance of effective pen testing will be discussed in light of rising cyber threats and the increasing connectivity of medical devices. The current state of medical device cybersecurity will be examined, with a forward-looking glance at upcoming challenges and innovations. Key topics include the regulatory requirements for pen-testing, the gap between those requirements and the realities of current practices, and how standards like CVSS scores, attack surface assessments, and economically feasible testing approaches come into play. We will also explore the role of threat modeling, and how cyber audits conducted by authorities are shaping the landscape of medical device security. Attendees will gain a comprehensive understanding of the challenges and solutions surrounding medical device pen-testing, equipping them with the knowledge needed to navigate this rapidly evolving field. |
Jan Küfner Team Leader, Penetration Testing, TÜV SÜD |
10/17/24 |
Protecting the Hospital Landscape against Ransomware Attacks and the Loss of Life The healthcare industry is at a crossroads due to cyberattacks. Specifically, the hospital industry is viewed as being overwhelmed in its attempts to protect itself from cybersecurity attacks. As compared to other industry sectors, the healthcare sector is, in fact, more vulnerable. However, the reason why the hospital sector is not as cyber resilient as other sectors is not due to their lack of awareness or interest. Admittedly the healthcare industry’s awareness has improved, giving credit to these organizations. However, this improvement may also be largely due to ransomware attackers” following the money by turning their attention to better-capitalized industries.” For sustained impactful longevity and success, partnerships between an array of stakeholders are immediately required to strengthen the industry’s resiliency. How this can be accomplished will be explored, as well as the reasons why hospitals remain vulnerable, despite heightened awareness. The focus is on the enactment of a comprehensive solution, as failure in the hospital industry can have infinite and catastrophic consequences in terms of patient safety and access, as well as long-term national security implications. Further, emerging AI and quantum computing use both further complicate this scenario but can set up hospitals for huge successes with key partnerships established and plans executed. Video Recording |
Andrea Greene-Horace, MHA, EMCS Senior Advisor, Cybersecurity/Deputy Program Manager-COOP-Business Continuity |
9/19/24 |
A Fireside Chat on Public-Private Partnerships for Healthcare Cybersecurity Join Terry Rice and Dr. Kevin Fu for a fireside chat on public-private partnerships for healthcare cybersecurity. Terry Rice is the Vice President of IT Risk Management and Security and Chief Information Security Officer (CISO). In this role, he is responsible for the IT organization’s risk management and cybersecurity program, including IT policy, information security engineering, identity and access management engineering, threat intelligence, security incident response, and eDiscovery. He is a member of the IT Leadership Team. Terry also serves on the board of the Health Information Sharing and Analysis Center (H-ISAC) and is a former chairman of the Healthcare Sector Coordinating Council Cyber Working Group. He recently served as a member of the Healthcare Industry Cybersecurity Task Force. |
Terry Rice Vice President, IT Risk Management and Security & Chief Information Security Officer (CISO), Merck
|
2023 - 2024 |
||
Date | Talk Title | Speaker(s) |
5/16/24 |
FDA Cybersecurity Focus Areas in 2024 and Beyond --- What Should We Prepare For? In this presentation, Division Director of Medical Science Cybersecurity Nastassia Tamari of the Food and Drug Administration (FDA) will be discussing FDA Cybersecurity focus areas in 2024 and beyond. Nastassia is the Division Director for Medical Device Cybersecurity within the Division of Medical Device Cybersecurity (DMDC), housed within the Office of Readiness and Response (ORR) in the Office of Strategic Partnerships and Technology Innovation (OST) in FDA CDRH. As part of DMDC, she leads a team that develops policy related to medical device cybersecurity to advance national preparedness and response to cybersecurity incidents involving medical devices. |
Nastassia Tamari Division Director, Medical Device Cybersecurity, U.S. FDA CDRH
|
4/18/24 |
A Fireside Chat on Testing Like a Hacker Join Dr. Kevin Fu and Dr. David Brumley for a fireside chat on testing like a hacker. How do you find and exploit new zero days in software? Hackers answer this question one way, while software development another. No wonder there is a disconnect, and we often ship unsafe software. This talk will focus on offense, and how elite hackers think and work to find new zero days. We’ll show how you can use the same zero-day methodology to put testing like a hacker in your pipeline so that you can ship safer software faster. We’ll also connect this to pen testing, SBOM, and medical device security. |
David Brumley, PhD CEO, ForAllSecure, Inc/Professor of Electrical and Computer Engineering, Carnegie Mellon University |
3/21/24 |
A Fireside Chat on Strengthening the Cybersecurity of the Healthcare and Public Health Sector and Keeping Patients Safe Join Dr. Kevin Fu and Dr. Brian Mazanec for a fireside chat on strengthening the cybersecurity of the healthcare and public health sector and keeping patients safe. Dr. Mazanec is the Deputy Director of the Office of Preparedness within the Administration for Strategic Preparedness and Response (ASPR) at the U.S. Department of Health and Human Services (HHS). He helps lead the office responsible for all aspects of preparation for events such as disease outbreaks, natural disasters, and intentional attacks with chemical, biological, radiological, or nuclear (CBRN) weapons. This work is closely coordinated with other offices within ASPR, as well as other related components within HHS, such as CDC's Office of Readiness and Response, other U.S. government departments and agencies, and international allies and partners. Brian’s responsibilities include oversight and management of the following component offices: Security and Intelligence; Information Management, Data and Analytics; Critical Infrastructure Protection; Health Care Readiness; Medical Reserve Corps; Planning and Exercises; Continuity; and the Secretary’s Operations Center.
|
Brian M. Mazanec, PhD Deputy Director, Office of Preparedness HHS Administration for Strategic Preparedness and Response |
2/15/24 |
Overview of FDA’s Medical Device Cybersecurity Authorities and Program In this presentation, Senior Cybersecurity Policy Advisor and Medical Device Cybersecurity Team Lead Jessica Wilkerson of the US Food and Drug Administration (FDA) will be discussing FDA updates on medical device cybersecurity. Jessica is a Senior Cyber Policy Advisor and the Medical Device Cybersecurity Team Lead within the Division of Medical Device Cybersecurity (DMDC), housed within the Office of Readiness and Response (ORR) in the Office of Strategic Partnerships and Technology Innovation (OST) in FDA CDRH. As part of DMDC, she examines issues and develops policy related to medical device cybersecurity.
|
Jessica Wilkerson, JD Senior Cyber Policy Advisor and Medical Device Cybersecurity Team Lead, Division of Medical Device Cybersecurity (DMDC) |
11/16/23 |
A Fireside Chat on ARPA-H and DIGIHEALS The Advanced Research Projects Agency for Health (ARPA-H) Digital Health Security (DIGIHEALS) initiative supports innovative research that aims to protect the US healthcare system's electronic infrastructure against hostile threats. Focusing on cutting-edge security protocols, vulnerability detection, and automatic patching, DIGIHEALS seeks to reduce the ability for bad actors to attack digital health software and hardware, and to enable the prevention of large-scale cyberattacks.
|
Andrew Carney, MS Program Manager, Advanced Research Projects Agency for Health (ARPA-H) |
10/19/23 | Canceled | N/A |
9/21/23 |
A Fireside Chat on FDA Updates on Medical Device Cybersecurity Dr. Suzanne Schwartz directs the Office of Strategic Partnerships and Technology Innovation at FDA's Center for Devices and Radiological Health. Her team is tasked with providing our industry with leadership and strategic direction on medical device cybersecurity, software, and digital health. Today, she will discuss the landscape of medical device security and significant changes to the federal regulatory processes that take full effect on October 1, 2023.
|
Suzanne Schwartz Director, Office of Strategic Partnerships & Technology Innovation, Center for Devices & Radiological Health, U.S. Food and Drug Administration |
2022 - 2023 |
||
Date | Talk Title | Speaker(s) |
5/18/23 |
Hacking to Healing: How Penetration Testing Improves Cyber Safety Get beyond buzzwords and hacker cliches to understand how to turn hacking techniques against medical devices into healing tools for physicians and patients. Penetration testing is the practice of emulating security circumvention techniques while simulating accidents and adversaries to identify and mitigate reasonably foreseeable cybersecurity threats to patient safety and clinical effectiveness. Using storytelling and real-life examples, this session will provide practical framing, hands-on insights, and actionable recommendations for integrating penetration testing and vulnerability assessment into your product lifecycle. By joining this session, you'll learn the methods, tools, and techniques penetration testers use, and understand why regulatory bodies such as the FDA value these as a complement to other parts of the design and development process to ensure compliance and protect patients.
|
Beau Woods
|
4/20/23 |
A Fireside Chat on Public and Private Collaboration in Healthcare Cybersecurity Preparedness Join Dr. Kevin Fu and Greg Garcia, Executive Director for Cybersecurity at the Healthcare Sector Coordinating Council (HSCC), for a fireside chat on public and private collaboration in healthcare cybersecurity preparedness. With relentless ransomware and other cyber attacks on health providers and companies, how do we protect ourselves, as individual enterprises and as a collective industry sector? Where do volunteer best practices end and government regulations begin? Where is that balance, both politically and operationally? Learn how the nation’s healthcare cybersecurity advisory council mobilizes a collaborative approach to the sector’s cybersecurity preparedness and advises the government about its appropriate partnership role. What have we done so far to move the needle left of boom and what lies ahead?
|
Greg Garcia
|
3/16/23 |
A Fireside Chat on FDA Updates on Medical Device Cybersecurity In this fireside chat with Dr. Kevin Fu, Cybersecurity Policy Analyst Matthew Hazelett of the US Food and Drug Administration (FDA) will be discussing FDA updates on medical device cybersecurity. Matthew started at the FDA as a biomedical engineer within the Implantable Electrophysiology Devices Branch (IEDB) at the Center for Devices and Radiological Health (CDRH). His review areas included pacemakers, defibrillators, leads, and supporting devices (programmers, home monitors, etc.). Since starting at FDA, he developed a review focus in cybersecurity, participates in cybersecurity guidance development, and supports cybersecurity vulnerability assessments and premarket reviews across CDRH. He started his position as the Cybersecurity Policy Analyst in the Office of Product Evaluation and Quality (OPEQ) in February 2020. His role is focused on premarket and postmarket cybersecurity policy development and implementation across the clinical review offices. He also serves as a Digital Health Center of Excellence Program Director for the OPEQ Cybersecurity Focal Point Program.
|
Matthew Hazelett |
2/16/23 |
A Fireside Chat on Lessons Learned After Two Decades of Medical Device Security Engineering In this fireside chat with Dr. Kevin Fu, the recently retired Ken Hoyme will offer engineering perspectives on how to design medical devices to manage cybersecurity risks. Ken brings 40 years of experience in designing regulated, safety-critical secure systems as well as his knowledge of medical device security and regulation. Ken recently retired from Boston Scientific as a Senior Product Security Fellow, where he established the company-wide product security program, incorporating security requirements across their Quality System. Ken has been active in many industry initiatives, including (1) co-chairing H-ISAC's Medical Device Security Information Sharing Council (MDSISC); (2) serving as one of the original co-chairs of AAMI's Device Security Working Group, which produced AAMI TIR57, a report outlining the principles of medical device security and risk management; (3) serving as a member of AAMI's BI&T Editorial Board; participating in several HSCC JCWG working groups including the development of the Joint Security Plan; (4) participating and leading cybersecurity projects with the Medical Device Innovation Consortium (MDIC); (5) participating in every meeting of the Archimedes Center for Health Care and Medical Device Cybersecurity now at Northeastern University; (6) instigating the creation of the Center for Medical Device Cybersecurity (CMDC) at the University of Minnesota; (7) and serving as co-instructor for CMDC's initial short courses.
|
Ken Hoyme |
1/19/23 |
Cyber Risk and Impact to Patient Care: A Medical Device Imperative As healthcare moves rapidly toward fully integrated care, interoperability, telehealth and cloud based services, our reliance on network and internet connected medical technology has grown exponentially. This adoption and integration of advanced technologies has no doubt improved patient outcomes and increased clinical and business efficiencies. However, this operational and clinical dependency has created cyber risk in two ways – it has increased our digital attack surface and created dependency on the availability of the technology to perform our healthcare mission. Based upon real world events, learn what happens when high impact ransomware attacks shut down medical technology. We will discuss how to prepare for clinical continuity without the availability of technology. We will also discuss the latest cyber legislative and policy developments, including the new law aimed at improving the cybersecurity of medical devices.
|
John Riggi |
12/15/22 |
Regulatory Affairs for Medical Device Security Cybersecurity has proven to be a challenge not only with regard to ensuring the security of medical devices, but also preparing documents for regulatory submissions. Health authorities in many regions, including the US, Australia, Canada, and Japan, have released new cybersecurity guidance documents. In addition to premarket concerns, some of these guidance documents also include expectations for post market expectations. Medical device companies struggle to build security programs into quality systems that were likely not designed to address typical security issues such as hardening, vulnerability management, and global incident response. Ms. Jump will provide an overall summary of the current regulatory environment, summarize some of the challenges that the industry faces in keeping up with these expectations while also covering the logistical drivers for these expectations. Healthcare is part of every country's critical infrastructure and the security protections in place are essential to protecting that infrastructure.
|
Michelle Jump |
11/17/22 |
Virtual Panel on Medical Device Security: Physician Perspectives from Cardiology, Neurosurgery, Emergency Medicine, and Anesthesiology
Moderated by: Kevin Fu, PhD, Archimedes Center for Healthcare and Medical Device Security, University of Michigan
|
Christian Dameff, MD Daniel Kramer, MD, MPH Erika A. Petersen, MD, FAANS, FACS Jeffrey Tully, MD |
10/20/22 |
Canceled
|
N/A |
9/15/22 |
Security Engineering for Medical Products: Sensors, Signals, Semiconductors, Software Systems Medical devices, healthcare delivery, and other cyber-physical systems depend on sensors to make safety-critical, automated decisions. My research lab investigates the problem of how to protect cyber-physical systems from adversaries who can maliciously control sensor output by subverting its semiconductor physics. Finding principled, systematic solutions is extremely important to give consumers confidence in innovative medical devices and other emerging technology. Unique to our embedded security research contributions is an emphasis on protecting the longevity of implanted batteries and using software-only approaches to mitigate design flaws in legacy hardware. These contributions were important to creating the field of medical device security; advancing the academic community's ability to measurably defend against signal injection attacks on sensors; and changing how international regulators evaluate security of consumer products. In this talk, I will highlight academic research on protecting sensor semiconductors from maliciously modulated sound waves, radio waves, and lasers that can compromise software systems in cyber-physical systems such as pacemakers and vaccine cold-chain transportation.
|
Kevin Fu, PhD |
2021 - 2022 |
||
Date | Talk Title | Speaker |
5/19/2022 |
Security Engineering of Machine Learning Statistical machine-learning techniques have been used in security applications for over 20 years, starting with spam filtering, fraud engines and intrusion detection. In the process we have become familiar with attacks from poisoning to polymorphism, and issues from redlining to snake oil. The neural network revolution has recently brought many people into ML research who are unfamiliar with this history, so it should surprise nobody that many new products are insecure. In this talk I will describe some recent research projects where we examine whether we should try to make machine-vision systems robust against adversarial samples, or fragile enough to detect them when they appear; whether adversarial samples have constructive uses; how we can do service-denial attacks on neural-network models; on the need to sanity-check outputs; and on the need to sanitise inputs. We need to shift the emphasis from the design of "secure" ML classifiers, to the design of secure systems that use ML classifiers as components.
|
Ross J. Anderson, PhD |
4/21/2022 |
Unringing the Bell: A Physician's Perspective on the Future Of Medical Device Security Healthcare delivery across the globe is critically and increasingly dependent on computerized hardware and software including electronic health records and connected medical devices. Healthcare cyber attacks have resulted in technology failure, compromised data integrity, and breaches of sensitive patient information. Though the proliferation of cyber attacks in healthcare has raised serious concerns about patient privacy violations through healthcare data theft, the impacts of cyber attacks on patient safety and clinical outcomes are poorly understood. This talk will discuss historical barriers to developing a strong, data driven foundational body of knowledge in healthcare cyber security, and the impacts cyber attacks may have on patient outcomes. We will discuss novel patient cyber safety risks inherent in digitized clinical workflows, as well as possible sector wide defensive mitigation strategies resulting in safer and more resilient patient care.
|
Christian Dameff, MD |
3/17/2022 |
Modern Automotive Vulnerabilities: The Science Behind the Fast and the Furious Over the last decade, a range of research has transformed our understanding of automobiles. What we traditionally envisioned as mere mechanical conveyances are now more widely appreciated as complex distributed systems "with wheels." A car purchased today has virtually all aspects of its physical behavior mediated through dozens of microprocessors, themselves networked internally, and connected to a range of external digital channels. As a result, software vulnerabilities in automotive firmware potentially allow an adversary to obtain arbitrary control over the vehicle. Indeed, led by UC San Diego and the University of Washington, multiple research groups have been able to demonstrate such remote control of unmodified automobiles from a variety of manufacturers. In this talk, I'll highlight how our understanding of automotive security vulnerabilities has changed over time, how unique challenges in the automotive sector give rise to these problems and create non-intuitive constraints on their solutions and, finally, the forces that naturally limit the kinds of automotive attacks seen in the wild.
|
Stefan Savage, PhD |
2/17/2022 |
What Biomedical Engineering Can Learn from Research and Academic Programs in Embedded Cybersecurity Biomedical engineering students learn how to ensure the safety and effectiveness of medical products ranging from medical devices to pharmaceutical products. Today, that advanced degree skill set must include embedded cybersecurity because of endemic cyber threats to technology inside medical products. A lot can be learned from advances in Internet of Things (IoT) security education and research. The mission of the Cybersecurity Assurance and Policy (CAP) Center at Morgan State University is to provide the defense and intelligence community with the knowledge, methodology, solutions, and highly skilled cybersecurity professionals to mitigate penetration and manipulation of our nation’s cyber-physical infrastructure. The Internet of Things (IoT) permeates all areas of life and work, with unprecedented economic effects. The IoT is a network of dedicated physical objects (things) whose embedded system technology senses or interacts with its internal state or external environment. Embedded systems perform dedicated functions within larger mechanical or electrical systems. Critical infrastructures in transportation, smart grid, manufacturing, and health care, etc. are highly dependent on embedded systems for distributed control, tracking, and data collection. While it is paramount to protect these systems from hacking, intrusion, and physical tampering, current solutions rely on a patchwork of legacy systems, and this is unsustainable as a long-term solution. Transformative solutions are required to protect these systems. In this talk, we will present our current research that addresses security vulnerabilities in IoT ecosystems to provide secure, resilient, and robust operation.
|
Kevin T. Kornegay, PhD |
1/20/2022 |
Security and Privacy for Humans Traditionally, security and privacy research focused mostly on technical mechanisms and was based on the naive assumptions that Alice and Bob were capable, attentive, and willing to jump through any number of hoops to communicate securely. However, 20+ years ago that started to change when a seminal paper asked "Why Johnny Can't Encrypt" and called for usability evaluations and usable design strategies for security. Today a substantial body of interdisciplinary literature exists on usability evaluations and design strategies for both security and privacy. Nonetheless, it is still difficult for most people to encrypt their email, manage their passwords, and configure their social network privacy settings. In this talk I will highlight some of the research from my lab that evaluates security and privacy for humans and proposes some new solutions. Recommended Reading:
|
Lorrie Faith Cranor, DSc |
12/16/2021 |
Laws for Cybersecurity? Cyber-security today is focused largely on defending against known attacks. We learn about the latest attack and find a patch to defend against it. Our defenses thus improve only after they have been successfully penetrated. This is a recipe to ensure some attackers succeed---not a recipe for achieving system trustworthiness. We must move beyond reacting to yesterday's attacks and instead start building systems whose trustworthiness derives from first principles--laws that relate attacks, defense mechanisms, and security properties. This talk will explore examples of such laws, suggest avenues for future exploration, and discuss risks implicit in using such a deductive framework. Related Reading:
|
Fred B. Schneider, PhD |
11/18/2021 |
Innocence and Experience: Regulatory Tales The history of attempts to regulate technology is long and varied. This talk will review examples from a range of technical areas, some successful, some less so, and will draw a few lessons from them. Topic areas will include building construction, automobiles, airplanes, cybersecurity, and perhaps others. Discussion will be encouraged. Presentation Slides with Notes
|
Carl Landwehr, PhD |
Moderator
Kevin Fu, PhD
Professor of Electrical & Computer Engineering, Northeastern University
Director, Archimedes Center for Healthcare and Device Security
Disclaimer
This seminar series does not represent official FDA policy or guidance. The contents are those of the speaker(s) and do not necessarily represent the official views of, nor an endorsement by, FDA/HHS or the U.S. Government.
Contact
Please email Kevin Fu ([email protected]) and Holly Ly ([email protected]) with any questions.