The Food and Drug Administration (FDA) has recently released new guidance on cybersecurity for medical devices. This presentation will provide an overview of this guidance and review what is required for 510(k) submissions. We will also discuss the upcoming European Union (EU) cybersecurity regulations and how they compare to the FDA guidance. This webinar with ICS and partner RTI, the largest software framework company for autonomous systems, will focus on threat modeling and cybersecurity risk assessments in light of the new guidance, and how these activities impact design requirements for medical devices. You will learn common pitfalls and mistakes to avoid when establishing organizational best practices in cybersecurity. We will also discuss the challenges to securing data in motion for connected medical devices and describe how a data-centric software framework based on open standards, addresses the design requirements for highly reliable, scalable and secure systems. Attendees will gain an understanding of the current regulatory expectations, best practices for cybersecurity risk assessments, and standards-based solutions for secure data connectivity.

1. Secure Your Medical Devices
From the Ground Up
February 9, 2023
ICS
Geoff Pollard
RTI
Darren Porras
PARTNER WEBINAR
© Copyright t 2023

2. About ICS
Established in 1987, Integrated Computer Solutions,
Inc. (ICS) delivers innovative software solutions with a
full suite of services to accelerate development of
successful next-gen products.
ICS is headquartered outside Boston in Waltham,
Mass. with offices in California, Canada and Europe.
Currently 160 people.
Boston UX is ICS’ design studio,
specializing in intuitive touchscreen
and multimodal interfaces for
high-impact embedded and connected
devices.

3. Delivering a
Full Suite of
Medtech Services
● Human Factors Engineering
● IEC 62366-UX/UI Design
● Custom Frontend and Backend Software
Development
● Development with IEC 62304-Compliant Platform
● Low-code Tools that Convert UX Prototype to
Product
● Medical Device Cybersecurity
● AWS and Azure Cloud Services and Analytics
● ISO 14971-Compliant Hazard Analysis
● Software Verification Testing
● Complimentary Software Technology Assessment

4. ©2022 Real-Time Innovations, Inc. Confidential.

5. Cybersecurity in Medical Devices - Why?
Business Risks
HIPAA violations : up to $10,000 each patient
GDPR : $10-$20M or 2-4% of revenue
FDA : [Draft] April 2022 Guidance for Premarket submissions
December 2022 Omnibus Appropriations Bill
EU : Harmonizing ISO 81001-5-1 in 2024

6. SDLC (Secure Product Development Lifecycle) QMS
Cybersecurity Architecture Design
Threat Modeling Design
Hazards / Risk Assessment Design
Static Analysis Development
SCA/BCA -> SBOM* Development
Penetration Testing Release Candidate
Labeling Additions User Manual (IFU)
Vulnerability Management Plan* QMS
Periodic Vulnerability Analysis* Post Release
Annual Cybersecurity Report Post Release
Deliverables in FDA’s Latest Guidance
* Included in December 2022 Omnibus Appropriations Bill

7. What about EU? ISO 81001-5-1;2022
SPDF (Secure Product Development Framework) 5.1.1
Cybersecurity Architecture 5.3.1
Threat Modeling 7.2
Risk Assessment 7.4
Static Analysis A.4 (c) Part of secure coding practices
SCA/BCA -> SBOM 5.7.3 (d)
Penetration Testing 5.7.4
Labeling Additions 5.8.2
Vulnerability Management Plan 6.1
Periodic Vulnerability Analysis 4.1.8
Annual Cybersecurity Report 4.1

8. How everything fits together

9. Architecture and Design

10. Security Architecture

11. Threat Modeling
STRIDE Threat Modeling output

12. Hazards / Mitigations

13. Summary
Complex design exponentially increases the cybersecurity requirements
More potential points of failure = more mitigations = more requirements = more tests
Comprehensive Assessment required
Increasing regulatory requirements
Starting to see specialized cybersecurity legislation (post market / pre-market / IoT)
—-------
Next: How secure connectivity can be used to address these challenges

14. ©2023 Real-Time Innovations, Inc.
Intelligent and Connected Devices
•Applications:
– Surgical Robotics
– Digital OR
– Imaging
– Critical Care
– Radiation Therapy
•Technology ecosystem:
– Sensors, Robotics, Imaging,
Real-Time Intelligence
Source: Advanced Intelligent Systems, Volume: 2, Issue: 8, First published: 11 June 2020, DOI: (10.1002/aisy.201900138)

15. ©2023 Real-Time Innovations, Inc.
Example: Surgical
Robotics
• Surgeon Console
• Vision Tower
• Patient Cart
• Robotic Arm
• Instruments
Liu, HH., Li, LJ., Shi, B. et al. Robotic surgical systems in maxillofacial surgery: a review.Int J Oral Sci 9,
63–73 (2017). https://doi.org/10.1038/ijos.2017.24

16. ©2023 Real-Time Innovations, Inc.
Data Connectivity Challenge
•Complexity
•Performance
•Reliability
•Scalability
•Cybersecurity
Md. Rashid Al Asif, Khondokar Fida Hasan, Md Zahidul Islam, Rahamatullah Khondoker, "STRIDE-based Cyber Security Threat Modeling for IoT-enabled Precision Agriculture Systems", Sustainable Technologies for Industry 4.0 (STI) 2021 3rd International Conference on, pp. 1-6, 2021
Surgical Robotics Communications

17. ©2023 Real-Time Innovations, Inc.
Solution: A Data-Centric Approach
Databus (Shared Data Model)
Robotic
Control
Sensors/
Actuato
rs
Algorith
ms
Device
Apps
Imaging Control
Device
Data
HMI
System
Control
Events
Alarms

18. ©2023 Real-Time Innovations, Inc.
Data Distribution Service (DDS)
•Data Flow:
– Defined by the Data
– Producers and Consumers
– Data is the interface
– Configurable
•Benefits:
– Distributed, modular
– Performance
– Scalable
– Reliable, resilient
– Secure
Monitor
Data
Fusion
HMI
Command
Data
Sensor
Data
State
Data
Databus

19. ©2023 Real-Time Innovations, Inc.
How does Data-Centricity
enable secure data flow?

20. ©2023 Real-Time Innovations, Inc.
Secure Communications By Design
• Limits data access to
authorized applications
• Configurable to
application and use case
• Independent of network
location
• Data segmentation
• Least Privilege
Databus
Monitor
Data
Fusion
HMI
Command
Data
Sensor
Data
State
Data
Service
Patient
Data

21. ©2023 Real-Time Innovations, Inc.
Framework Security Features
•Built-in plugins
•Fine-grained and configurable
– No change to Application
•Enables regulatory guidance:
– Secure by design
– Secure interfaces, least privilege
– Independent of network
location
DDS Secure
Authentication
Access Control
Encryption
Data Tagging
Logging
Application
Any Transport*
(e.g., TCP, UDP, multicast,
shared memory, more…)

22. ©2023 Real-Time Innovations, Inc.
Data-Centric Framework

23. ©2023 Real-Time Innovations, Inc.
Data-Centric Framework
Analytics Databus Network Stack
Socket Programming
Encryption and Authentication
Reliability
Serialization / Marshaling
Quality of Service
Node and Service Discovery
Addressing
Caching and Persistence
Message Filtering
Application Logic
RTI
Connext
DDS
Produce
r
Routing
Service
Connext
App
Connext
App
Connext
App App
Connext
Sensor Databus
©2021 Real-Time Innovations, Inc.
Consume
r
Producer and
Consumer
Monito
r

24. ©2023 Real-Time Innovations, Inc.
Benefits of Data-Centric Connectivity Framework
RTI Connext
• Decentralized, low-latency data connectivity
• Standards-based, cross-industry
• Resilient communication
Reliability and
performance
• Interoperable and flexible architectures
• Data flow management
• Scalable/upgradeable systems
Flexible and efficient
development
• Fine-grained and configurable
• Secure data interfaces- least privilege
• Built-in plugins
Cybersecurity by
design

25. ©2023 Real-Time Innovations, Inc.
Data-Centric Software Connectivity
RTI Connext

26. Questions?