Exercises

Cybersecurity For Medical Devices Is A “Team Sport”

For a copy of the workshop exercises, go to this page.

References

Health Care Industry Cybersecurity Task Force report
https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf

“Medical Device Security: An Industry Under Attack and Unprepared to Defend”
https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/medical-device-security-ponemon-synopsys.pdf

A Brief Chronology of Medical Device Security
Chronology-MedDeviceCybersecurity.pdf
https://cacm.acm.org/magazines/2016/10/207766-a-brief-chronology-of-medical-device-security/fulltext

“Report On Improving Cybersecurity In The Health Care Industry”
https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf

“Cybersecurity for Medical Device Manufacturers: Ensuring Safety and Functionality”
http://s3.amazonaws.com/rdcms-aami/files/production/public/FileDownloads/BIT/2016_BIT_JF_CybersecurityManufacturers.pdf

Mayo Clinic “Medical Device Risk Assessment Vendor Packet Instructions”
https://www.mayoclinic.org/documents/medical-device-vendor…/doc-20389647

Healthcare Sector Coordinating Council
https://healthsectorcouncil.org/

The Healthcare Sector Coordinating Council: Shared Challenge and Shared Responsibility 
https://aehis.org/wp-content/uploads/2017/11/HSCC-101-GARCIA.pdf

HHS Cyber Security Guidance Material
https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html

Health Information Sharing and Analysis Center
https://h-isac.org/

“IEC 80001-2-1:2012 – Application of risk management for IT-networks incorporating medical devices — Part 2-1: Step by Step Risk Management of Medical IT-Networks; Practical Applications and Examples”
https://www.iso.org/obp/ui/#iso:std:iec:tr:80001:-2-1:ed-1:v1:en

“Principles for Medical Device Security – Risk Management”
http://my.aami.org/store/detail.aspx?id=TIR57-PDF &
http://my.aami.org/aamiresources/previewfiles/TIR57_1607_Preview.pdf

“Baseline Security Recommendations for IoT in the Context of Critical Information Infrastructures”
https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Securing Picture Archiving and Communications Systems
https://www.nccoe.nist.gov/sites/default/files/library/project-descriptions/hit-pacs-project-description-final.pdf

Securing Wireless Infusion Pumps in Healthcare Delivery Organizations
NIST.SP.1800-8_SecuringInfusionPumps.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-8.pdf

Framework for Improving Critical Infrastructure Cybersecurity
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

Zingbox_2nd_Annual_Healthcare_Survey_Report_Medical_Devices.pdf
http://go.zingbox.com/rs/562-ZPO-907/images/Zingbox_2nd_Annual_Healthcare_Survey_Report_Medical_Devices.pdf

Zingbox_Medical_Device_Cyberattack_Trend_Report.pdf
http://go.zingbox.com/rs/562-ZPO-907/images/Zingbox_Medical_Device_Cyberattack_Trend_Report.pdf

HTA Medical Device Cybersecurity for HTM Professionals – An Update on Resources and Practices
http://www.healthtechnologyalliance.org/sites/healthtechnologyalliance.org/files/HTA%20Medical%20Device%20Cybersecurity%20for%20HTM%20Professionals%20-%20An%20Update%20on%20Resources%20and%20Practices%20%28sans%20animation%29_0.pdf

Managing-Medical-Device-Cybersecurity-Vulnerabilities
https://health.mitre.org/wp-content/uploads/2018/03/HIMSS18_Managing-Medical-Device-Cybersecurity-Vulnerabilities.pdf

Medical-Device-Cybersecurity-Playbook.pdf
https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf

Medical Device Cybersecurity: A Guide for HTM Professionals
http://my.aami.org/aamiresources/previewfiles/MDC_preview.pdf

OVERVIEW OF UL 2900
https://cybersecuritysummit.org/wp-content/uploads/2017/10/4.00-Justin-Heyl.pdf

Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
https://www.rsaconference.com/writable/presentations/file_upload/mbs-w05-wireless-infusion-pumps-securing-hospitals_-most-ubiquitous-medical-device.pdf

Cyberattacks_Attacks_Poster_052016.pdf
http://s3.amazonaws.com/rdcms-aami/files/production/public/FileDownloads/HT_Wireless/Cyberattacks_Attacks_Poster_052016.pdf

IHE Patient Care Device (PCD) White Paper
Medical Equipment Management (MEM): Medical Device Cyber Security – Best Practice Guide
https://www.ihe.net/uploadedFiles/Documents/PCD/IHE_PCD_WP_Cyber-Security_Rev1.1_2015-10-14.pdf

IEEE: Building Code for Medical Device Software Security
https://www.computer.org/cms/CYBSI/docs/BCMDSS.pdf

Manufacturer Disclosure Statement for Medical Devices Security (MDS2)
https://www.nema.org/Standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx

OWASP Secure Medical Device Deployment Standard: Purchasing Assessment Criteria
https://www.owasp.org/images/7/73/MedicalDevicePurchasing.pdf

OWASP_Secure_Medical_Devices_Deployment_Standard_7.18.18.pdf
https://www.owasp.org/images/9/95/OWASP_Secure_Medical_Devices_Deployment_Standard_7.18.18.pdf

Medical Device Security Considerations – Case Study
https://www.jointcommission.org/assets/1/6/sbx2-w3-medical-device-security-considerations-case-study.pdf

Designing Cyber Exercises
https://apps.dtic.mil/dtic/tr/fulltext/u2/a613366.pdf

Cyber Exercise Playbook
https://www.mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf

U.S. Food and Drug Administration (FDA)

THE FDA’S ROLE IN MEDICAL DEVICE CYBERSECURITY
Dispelling Myths and Understanding Facts
https://www.fda.gov/downloads/medicaldevices/digitalhealth/ucm544684.pdf

FDA Should Further Integrate Its Review of Cybersecurity Into the Premarket Review Process for Medical Devices
https://oig.hhs.gov/oei/reports/oei-09-16-00220.pdf

FDA: Medical Devices > Digital Health > Cybersecurity
https://www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm

FDA-Medical Device Safety Action Plan
https://www.fda.gov/downloads/AboutFDA/CentersOffices/OfficeofMedicalProductsandTobacco/CDRH/CDRHReports/UCM604690.pdf

Software as a Medical Device (SAMD): Clinical Evaluation
https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM524904.pdf

Content of Premarket Submissions for Management of Cybersecurity in Medical Devices – Draft Guidance for Industry and Food and Drug Administration Staff
https://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm623529.pdf

Postmarket Management of Cybersecurity in Medical Devices: Draft Guidance for Industry and FDA Administration Staff (Dec 2016)
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf

Information for Healthcare Organizations about FDA’s “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software” (updated July 2015)
http://www.fda.gov/RegulatoryInformation/Guidances/ucm070634.htm

Content of Premarket Submission for Management of Cybersecurity in Medical Devices: Guidance for Industry and FDA Administration Staff (Oct. 2014)
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf

Cybersecurity for Networked Medical Devices is a Shared Responsibility: FDA Safety Reminder (updated Oct. 2014)
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm189111.htm

Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication (2013)
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm?source=govdelivery

Guidance for Industry – Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software (Jan. 2005)
http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm

Off-The-Shelf Software Use in Medical Devices (Sept. 1999)
http://www.fda.gov/downloads/MedicalDevices/…/ucm073779.pdf