AdvaMed Cybersecurity Summit

December 5, 2023
8:15 AM – 3:45 PM

Join AdvaMed for the 2023 Cybersecurity Summit as experts from across the medical device and health care cybersecurity industry help you navigate the complex threat environment and the evolving FDA requirements.


Medical device cybersecurity has never been more important than it is now, and as device capabilities advance and devices become more connected, the threat landscape continues to grow. Join medical device product security experts to receive in-depth and timely updates on the state of medical device cybersecurity, including issues related to FDA requirements and cybersecurity management practices. After three years of hosting this Summit virtually, we’re excited to finally meet in person in Washington, D.C. Our 2023 Cybersecurity Summit will address the future of medical device cybersecurity as well as recent changes in the industry landscape to ensure you’re well equipped to protect your organization.

Please join us for a Cybersecurity Summit Welcome Reception on Monday, December 4th in the AdvaMed office from 5:00 PM – 6:00 PM. Don’t miss this pre-event opportunity to mingle, connect, and establish valuable relationships with fellow professionals and experts in the cybersecurity field!

Join us for a pre-event Welcome Reception on Monday, December 4, 2023, from 5:00 PM – 6:00 PM at the AdvaMed office (1301 Pennsylvania Ave, NW Suite 400 Washington, DC)
8:15 am – 9:00 am Continental Breakfast and Registration Open
9:00 am – 9:05 am Welcome Remarks

Anita Nosratieh, VP Technology & Regulatory, AdvaMed  
9:05 am – 9:50 am Regulatory Update

Aftin Ross, Deputy Division Director (Acting), Division of All Hazards Response, Science and Strategic Partnerships (DARSS), CDRH, FDA

FDA will provide an update on medical device cybersecurity regulation, including implications of the omnibus, discussion of the recently released FDA Final Guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions and a preview of what’s ahead for FDA’s cybersecurity policy focus in FY24 and beyond.
9:50 am – 10:50 am FDA Implementation of Cybersecurity Requirements

Chris Reed, Vice President, Product Security, Medtronic
Edison Alvarez, Sr. Director, Regulatory Strategic Planning for Cybersecurity, BD
Matt Hazelett, Cybersecurity Policy Analyst, Clinical and Scientific Policy Staff; Digital Health Center of Excellence Program Director, OPEQ, CDRH, FDA
Michelle Jump, CEO, MedSec
Colin Morgan, Managing Director, Apraciti, LLC

In this insightful session on FDA implementation of Cyber requirements, we will discuss the FDA perspective on essential reviewer training, navigation of challenges and opportunities and establishment of best practices. Industry representatives will share firsthand accounts – the good, the bad, the ugly – with FDA submission reviews involving cybersecurity with respect to the RTA/Focal Point program. 
10:50 am – 11:05 am Networking Break
11:05 am – 11:50 am Risk Scoring Methodology for Security Risk

Michelle Jump, CEO, MedSec

Medical device manufacturers are under significant pressure to manage security risk, but with limited guidance for optimizing this process. In this session, we will discuss the difficulties associated with security risk scoring, one of the most challenging areas of security risk management, as well as opportunities in risk scoring methodology. 
11:50 am – 12:35 pm Cybersecurity is Now a Non-Negotiable With Mature Expectations. Here’s How to Play Catch-Up if You’re Feeling Behind the Eight-Ball

Naomi Schwartz, Senior Director of Cybersecurity Quality and Safety, MedCrypt

We will review regulations, standards, and guidelines that are foundational to a cooperative relationship between device manufacturers and device consumers, from procurement to device decommissioning. Medical device cybersecurity is a multi-stakeholder responsibility, and a common understanding of roles can lead to a constructive and successful partnership. After participating in this session, attendees will be able to define and articulate their cybersecurity maintenance needs.  
12:35 pm – 1:30 pm Networking Lunch
1:30 pm – 2:30 pm A Mock FDA Cybersecurity Submission Review

Colin Morgan, Managing Director, Apraciti, LLC
Matt Hazelett, Cybersecurity Policy Analyst, Clinical and Scientific Policy Staff; Digital Health Center of Excellence Program Director, OPEQ, CDRH, FDA  

In this session, attendees will have the opportunity to watch a mock FDA Cybersecurity Submission Review, covering many of the key topics in the latest Guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. We will cover topics such as cybersecurity architecture diagrams, threat models, details of a cybersecurity management plan and cybersecurity quality systems.   
2:30 pm – 3:15 pm What Happens When You Do Get Hacked? Best Practices for Handling Worst Case Scenarios

Randy Horton, Chief Solutions Officer, Orthogonal
Jim Jacobson, Chief Product and Solution Security Officer, Siemens Healthineers

What happens when, despite all technical, compliance and preventative measures in place, a medical device manufacturer gets hacked? We will explore a real-world example and the lessons learned and best practices for responding to a potential worst-case cybersecurity scenario.
3:15 pm – 3:45 pm Public Sector Cybersecurity Requirements Heat Up: Increased Attention on StateRAMP and ATO Compliance

Joe Bartos, Senior Manager, Deloitte
Kate Upton, Senior Consultant, Deloitte  

Cybersecurity requirements from the US Government for contracts with medical device manufacturers have always existed, but their enforcement has historically been inconsistent. In this session, we will discuss emerging trends in compliance requirements commonly seen in contracts with the U.S. Government when purchasing connected medical devices and platforms, such as federal and state Authorizations to Operate (ATOs) and the Federal and State Risk and Authorization Management Programs (FedRAMP and StateRAMP). Our conversation will include a practical, day-in-the-life view of how medical device manufacturers can navigate government contracting for their devices. The session will include an overview of upticks the industry is seeing in this area, discussion on what is driving the change, and what makes these requirements difficult to implement and maintain. After this session, attendees will better understand how to interpret cybersecurity compliance requirements listed in their government contracts and what it takes to obtain and maintain authorizations to successfully sell and field their medical products within the US government.
3:45 pm Closing Remarks

Summit Speakers

Edison Alvarez, Sr. Director, Regulatory Strategic Planning for Cybersecurity

Edison Alvarez is a Senior Director in Regulatory Affairs and is responsible for strategic cybersecurity regulatory leadership at BD, a global medical technology company that is advancing the world of health by improving medical discovery, diagnostics, and the delivery of care. 
Edison brings over 15 years of experience in product management, cybersecurity, risk management and team building. At BD, Edison has established several teams and enterprise capabilities including Portfolio and Product Management, Product Security Engineering, and Information Cybersecurity Governance. 
Since 2016 he has built and matured the BD cybersecurity risk organization into an industry-leading healthcare cyber risk management program, fostering the adoption of product security risk assessments, penetration testing and remediation planning for the company’s R&D and Quality organizations. Edison also participates and collaborates with industry working groups including the Medical Device Innovation Consortium, the Health Sector Coordinating Council and MITRE. 
Edison holds a B.S. in Business Administration from Centenary University and M.B.A. from Fairleigh Dickinson University. He was previously responsible for the strategy, development, and overall product health for select medical devices in the Siemens Healthcare product portfolio. 

Joe Bartos, CISSP, CISA, Senior Manager, Deloitte & Touche LLP

Joe Bartos is a Senior Manager in Deloitte’s Risk & Financial Advisory practice with over 13 years of experience providing Information Security assessment and readiness services to global technology companies, healthcare organizations, and government contractors.
Joe leads Deloitte’s Third-Party Assessment Organization (3PAO) program, which is responsible for maintaining the quality of our assessment and advisory services related to the Federal, State, and Texas Risk and Authorization Management Programs (FedRAMP, StateRAMP, and TX-RAMP), as well as the Department of Defense Cloud Security Requirements Guide (DoD Cloud SRG). He spends the majority of his time helping commercial clients achieve authorizations with the US Government and otherwise assisting with complex technical compliance issues. 

Matt Hazelett, Cybersecurity Policy Analyst, Clinical and Scientific Policy Staff; Digital Health Center of Excellence Program Director, OPEQ, CDRH, FDA

Matthew Hazelett started at the Food and Drug Administration as a biomedical engineer within the Implantable Electrophysiology Devices Branch (IEDB) at the Center for Devices and Radiological Health (CDRH). His review areas included pacemakers, defibrillators, leads, and supporting devices (programmers, home monitors, etc.). Since starting at FDA, he developed a review focus in cybersecurity, participates in cybersecurity guidance development, and supports cybersecurity vulnerability assessments and premarket reviews across CDRH. He started his position as the Cybersecurity Policy Analyst in the Office of Product Evaluation and Quality (OPEQ) in February 2020. His role is focused on premarket and postmarket cybersecurity policy development and implementation across the clinical review offices. He also serves as a Digital Health Center of Excellence Program Director for the OPEQ Cybersecurity Focal Point Program. 
Matthew earned a B.S. in biomedical engineering from the University of Rochester where he focused in electrical signals and systems. After graduation, he worked for a medical device research and development company in New Hampshire as a Test Engineer and then Test Manager overseeing device verification and validation testing.

Randy Horton, Chief Solutions Officer, Orthogonal

Randy Horton is Chief Solutions Officer at Orthogonal, a software developer for Software as a Medical Device (SaMD), digital therapeutics (DTx) and connected medical device systems. Randy’s (and Orthogonal’s) mission is to improve patient outcomes faster by accelerating the development of SaMD by fusing the best of modern product development and software engineering practices with deep MedTech expertise in device compliance, safety and effectiveness.
Horton co-chairs AAMI Software Management Working Group #10 and the associated Technical Information Report #115 committee working on guidance for the Appropriate Use of Public Cloud Computing in Support of Medical Device Functions.
Much of Randy’s career has been centered on working with healthcare and life sciences organizations from a digital transformation angle to tackle the problems summarized in The Quadruple Aim: Improving the individual experience of care, improving the health of populations, reducing the per capita costs of care, and improving the work life of those who deliver care. 
Horton regularly speaks on SaMD and related topics at a variety of industry conferences and webinars including ones hosted by RAPS, AdvaMed, AAMI, KENx, HLTH/VIVE, the Healthcare Products Collaborative (f.k.a. Xavier Health) as well as numerous for-profit conferences. Horton has also guest lectured at Yale, Northwestern, the University of Michigan, University of Chicago and University of California – San Francisco/Berkeley.  An undergraduate of the University of Michigan who was then in the first graduating class from Michigan’s School of Information, Randy credits much of his passion for creative thinking and being a connector of people and ideas to his years as a Montessori preschool student.

Jim Jacobson, Chief Product and Solution Security Officer, Siemens Healthineers

Jim Jacobson is the Principal Cybersecurity Officer for Siemens Healthineers. Since 2012, he has been responsible for the global security program for the medical devices and associated IT systems, solutions and services that Siemens Healthineers develops, sells, maintains and supports. 
Jim also sits on the Siemens Product and Solution Security Council responsible for governance and guidance for the security of the company’s products, solutions and services in all sectors including industrial, power, energy, renewables and mobility, in addition to healthcare. He leads the board’s work team responsible for the curriculum and training program in this area for Siemens employees worldwide. Prior to these roles, Jim has led medical device-related software development teams in ultrasound, laboratory diagnostics and informatics since 1990 at Siemens and other companies. Jim has a degree in physics from Oberlin College.

Michelle Jump, MS, RAC, CEO, MedSec LLC

Michelle Jump is the CEO at MedSec, where she is responsible for providing strategic leadership, training and advisory services to the medical device industry in the area of cybersecurity compliance, global regulations, standards, product security program development, and security risk management. Ms. Jump has a passion for bringing technology-based solutions to healthcare, actively participating in a variety of domestic and international standards, as well as relevant industry and governmental initiatives to support security within the healthcare industry. Ms. Jump holds a Master of Science in Regulatory Science from the University of Southern California and a Master of Science in Biotechnology from California State University. She is also RAC certified and a Certified HIPAA Administrator.

Colin Morgan, CISSP, CISM, GPEN, Managing Director, Apraciti, LLC

Colin Morgan, Managing Director at Apraciti and Founder/CEO of Product Security Hub, has been working in the medical device cybersecurity industry for over 10 years. He has helped medical device manufacturers of all sizes build secure devices, provided cybersecurity education and training to multiple regulatory authorities around the world and built product security programs at some of the largest medical device companies. He is extremely passionate about working to help ensure medical devices are safe and cybersecure for patients.
Colin authored the cybersecurity chapter of the Global Medical Device Regulatory Strategy (second edition) book published by the Regulatory Affairs Professionals Society and co-authored the Medical Device and Health IT Joint Security Plan, a voluntary framework for medical device cybersecurity released in 2019 by the US Healthcare and Public Health Sector Coordinating Council. Colin was also an expert trainer and facilitator for the US FDA-driven Medical Device Innovation Consortium (MDIC) Medical Device & Diagnostic Threat Modeling Bootcamp training program.
Colin is a former Network & Security Engineer at the Central Intelligence Agency and contractor for a National Oceanic and Atmospheric Administration supercomputing program.

Anita Nosratieh, PhD, Vice President, Technology & Regulatory Affairs, AdvaMed

Chris Reed, MA, CISSP, HCISPP, GCIA, Vice President, Product Security, Medtronic

Chris Reed is Vice President of Product Security at Medtronic, reporting to Medtronic’s Chief Quality Officer. Chris joined Medtronic in Jan 2021 as the Director of Regulatory Policy for Product Security, where he led multiple industry initiatives including impactful engagement on the PATCH Act as well as supporting successful resolution of cybersecurity deficiencies across multiple businesses. Chris assumed the role of VP, Product Security in May 2023 and is leading the continued maturity of Medtronic’s product security capabilities. Previously Chris spent over 21 years with Eli Lilly and Company, including building a product security program for Lilly’s Digital Health initiative. Chris is very active in helping lead healthcare industry cybersecurity efforts across Health-ISAC, MDIC, HSCC, AdvaMed and more, including assuming the chair of AdvaMed’s Cybersecurity Working Group in 2023. Chris is passionate about building capabilities and resources that effectively manage cybersecurity risk through stakeholder collaboration and ultimately support connected MedTech innovations in a secure and safe manner that benefits patient health outcomes.

Aftin Ross, PhD, Deputy Division Director (Acting), Division of All Hazards Response, Science and Strategic Partnerships (DARSS), CDRH, FDA

Dr. Aftin Ross is the deputy division director for the Division of All Hazards Response, Science and Strategic Partnerships (DARSS) in the Office of Strategic Partnerships and Technology Innovation (OST) at the FDA’s Center for Devices and Radiological Health (CDRH). In this role, she provides strategic leadership and coordination within the Center in the areas of emergency preparedness and response, patient science and engagement, standards, health equity, and medical device cybersecurity. 
Aftin has been a lead in CDRH’s medical device cybersecurity efforts developing national and international cybersecurity policy, spearheading the execution of three FDA public workshops, supporting numerous cross-stakeholder efforts (e.g., the 2017 healthcare cybersecurity task force), and developing public communications to raise awareness of medical device cybersecurity. 
Aftin earned a B.S. in mechanical engineering from the University of Maryland Baltimore County where she was a Meyerhoff Scholar. She completed her graduate work at the University of Michigan earning a master’s and PhD in biomedical engineering. After her graduate work, she completed a post-doctoral fellowship as a Whitaker International Fellow at the Karlsruhe Institute of Technology in Karlsruhe, Germany. In 2016, she completed the National Preparedness Leadership Initiative, an executive education program in the Harvard School of Public Health and Kennedy School of Government and in 2019 she became a certified Six Sigma Green Belt. Aftin has received numerous awards for her public health service, including recognition from the FDA commissioner for her work in medical device cybersecurity and incident response.

Naomi Schwartz, MS, CQA, Senior Director of Cybersecurity Quality and Safety, MedCrypt

Naomi is the Vice President of Services at Medcrypt, a medical device cybersecurity firm. Naomi was a premarket reviewer and consumer safety officer in CDRH for 6.5 years focused on software, interoperability, cybersecurity and wireless coexistence for connected diabetes devices.
Prior to that, Naomi was a defense contractor (for 15 years) developing radar systems for the US DoD.
While at FDA, Naomi reviewed a first-of-kind automated insulin dosing system; helped develop Class II Pathways for 3 separate connected diabetes devices (iCGM, ACE pump and iAGC) to support innovation in diabetes device development with clear regulatory expectations; helped craft standards including IEEE P2621.1-.3: standards and recommended practice for wireless diabetes device security assurance evaluation, security requirements and use of mobile devices in control contexts; and managed postmarket triage for cybersecurity vulnerability disclosure in diabetes devices and IVDs.

Kate Upton, Senior Consultant, Deloitte & Touche LLP

Kate Upton is a Senior Consultant in Deloitte’s Risk & Financial Advisory practice who specializes in US Federal and State Govt. information security laws and regulations. Kate is a subject matter expert in NIST 800-53, NIST 800-171, StateRAMP, FedRAMP, and federal data designations, such as controlled unclassified information (CUI). She currently supports hyperscale cloud service and data visualization providers in highly regulated markets, including life sciences.

Registration Pricing

  • AdvaMed Member Companies: $925.00
  • AdvaMed Accel Member Companies: $595.00
  • Government/ Non-Profit: $605.00
  • Non-Members: $1295.00

Reception and Summit Location

The pre-event Cybersecurity Welcome Reception on Monday, December 4th, 5:00 PM to 6:00 PM will take place in the AdvaMed office located at 1301 Pennsylvania Ave NW Suite #400, Washington, D.C. 20004.

The 2023 Summit will take place in the Hogan Lovells office located at 555 13th St NW, Washington, DC 20004.
