Join AdvaMed for the 2024 Cybersecurity Summit as experts from across the medical device and health care cybersecurity industry help you navigate the complex threat environment and the evolving FDA requirements.
Medical device cybersecurity has never been more important than it is now, and as device capabilities advance and devices become more connected, the threat landscape continues to grow. Join medical device product security experts to receive in-depth and timely updates on the state of medical device cybersecurity, including issues related to FDA requirements and cybersecurity management practices. Our 2024 Cybersecurity Summit will address the future of medical device cybersecurity as well as recent changes in the industry landscape to ensure you’re well equipped to protect your organization.
Make sure to join us for the pre-event Welcome Reception at the AdvaMed office on Tuesday, November 12 at 5:30 PM. This is an excellent opportunity to network with fellow attendees and speakers, setting the stage for the critical discussions and in-depth updates that will follow at the 2024 Cybersecurity Summit.
View the 2024 Agenda below or download a copy of it here.
Join us the day before the Summit on Tuesday, November 12 at 5:30 pm for the opportunity to meet fellow attendees, get to know our accomplished speakers and build valuable connections at our Welcome Reception in the AdvaMed Office.
Time | Session Details |
---|---|
8:15 – 9:00 am | Continental Breakfast and Registration Open |
9:00 – 9:05 am | Welcome Remarks Anita Nosratieh, VP Technology & Regulatory, AdvaMed |
9:05 – 9:55 am | FDA Regulatory Update – FY25 priorities – Implementation health check – Other timely topics Speakers: Justin Post, Policy Analyst, Cybersecurity, FDA Nastassia Tamari, Division Director, Medical Device Cybersecurity, FDA |
9:55 – 10:45 am | Navigating the FDA Cybersecurity Review Process Submitting a connected device to the FDA has become significantly harder between eSTAR requirements, more deficiencies, and reviewers evaluating how manufacturers are securing devices. This session will cover the timeline for the evolution of the review process over the past several years, what manufacturers have experienced during this timeline, and common areas where manufacturers are continuing to face challenges in the review process that can result in costly review delays or negative decisions. Speakers: Matthew Hazelett, Chief Regulatory Officer, MedSec LLC Kristen Killheffer, Cybersecurity Regulatory Policy, Siemens Healthineers |
10:45 – 11:35 am | Now, Who’s Being Unreasonable Here? Sorting Out Best Practices and Decision Criteria for a Reasonably Justified Regular Schedule We’ve all read it a million times since it came out: “Design, develop, and maintain processes and procedures to provide a reasonable assurance the device and related systems are cybersecure, and make available post-market updates and patches to the device and related systems to address – a) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and b) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks.” So, what criteria should we use to figure out the periodicity of a reasonably justified regular cycle? And what should differentiate acceptable and unacceptable vulnerabilities? The high-level answer is that the criteria should reflect the needs of: – Regulators – Our own businesses – What we would want for medical devices used by our own families In this session, we’ll discuss emerging approaches to answering these questions, as well as similar efforts in other industries. This session format will engage both panelists and audience members in an insight-rich discussion that captures the best thinking of everyone in attendance. Moderator: Randy Horton, Chief Solutions Officer, Orthogonal Speakers: Oleg Yusim, Chief Product Security Officer, Illumina Mike Nelson, VP of Digital Trust, DigiCert Jessica Wilkerson, Senior Cyber Policy Advisor, FDA |
11:35 – 12:25 pm | Leveraging Threat Model & Security Architecture Views for Effective Product Lifecycle Security Risk Controls Threat Modeling is both an art and a science, and when mapped with accurate systemic Security Architecture representative views, the resulting symbiotic relationship can yield effective design input requirements as well as security risk control measures across the entire product lifecycle, including the supply chain and connected ecosystem. The presentation will cover how a well-thought-out continuous Threat Model approach can be a catalyst for any organization to derive effective risk control measures across a Secure Product Development Framework. Speaker: Sivaram Rajagopalan, Senior Cybersecurity Architect, Associate Director, Baxter Product Security |
12:25 – 1:35 pm | Networking Lunch |
1:35 – 2:25 pm | Securing Med Devices and the Impact of Ransomware on IoMT Growing Threat of Ransomware – Impact of ransomware attacks on med devices/networks – How to address challenges of securing connected med devices to prevent ransomware attacks – Practical examples of how Med Device manufacturers can respond to ransomware attacks involving their products Speaker: Chris Reed, Sr. Director of Cybersecurity Policy | Global Regulatory Affairs, Medtronic |
2:25 – 3:15 pm | Product Security Incident Response Team (PSIRT) – Case Study How to effectively implement PSIRT process to support cybersecurity postmarket surveillance and how to leverage other existing quality processes such as Health Hazard Assessment and Field Corrective Action (FCA). Speaker: Manan Hathi, Sr. Manager, Digital Health Regulatory Policy and Intelligence, Stryker |
3:15 – 4:05 pm | Understanding IEC 81001-5-1: The New Global Standard Driving Regulatory Expectations There has been a lack of well-utilized global cybersecurity standards for medical devices for years. This led to a lack of clear alignment amongst regulators regarding what a good cybersecurity lifecycle process looks like. This has changed with the recent global embrace of IEC 81001-5-1 by many regulators across the globe. The US recognized this standard and recommends it as an accepted framework for an SPDF. The European Union has placed it on the harmonized standards list and major notified bodies are considering it mandatory. Perhaps most impactfully, Japan now requires conformance to this standard for all products sold in the country, not just for submitted products. This session will provide a foundational understanding of the standard, including notable challenge points for conformance. We will also provide clarification in certain areas of the standard that prove challenging to many users. Speaker: Michelle Jump, CEO, MedSec LLC |
4:05 – 4:55 pm | Post-Quantum Cryptography: A Strategy for Medical Device Engineering Cryptanalytically relevant quantum computers (quantum computers that can break today’s asymmetric cryptography within the time the secret it guards is of value) are not a matter of if, but when. A transition to quantum-safe algorithms is a paradigm shift in the way the industry maintains the security of its operations and the safety of its patients. This transition will lead to deep engineering changes that will impact every technology stack that is used by medical devices. Compounding the problem is the overall lack of faith in these newly minted cryptographic algorithms. Contrast this with the solidity of RSA/ECC which are mature, well-studied algorithms that have withstood the test of time and countless cryptanalysts, and one begins to understand the technological risks of premature adoption of novel quantum-safe algorithms. A hybrid approach, of using both conventional as well as post-quantum crypto, provides a solid mitigator of this technical risk. Of course, that too comes with its own challenges—of supporting multiple cryptographic algorithms in the protocol suite. However, the bigger risk remains of doing nothing, of waiting till cryptanalytically relevant quantum computers become a real possibility. Speaker: Arnab Ray, Director, Product Cybersecurity, Abbott |
4:55 – 5:00 pm | Closing Remarks Anita Nosratieh, VP Technology & Regulatory, AdvaMed |
Join medical device product security experts to receive in-depth and timely updates on the state of medical device cybersecurity, including issues related to FDA requirements and cybersecurity management practice. Take a look at the 2024 Summit speaker lineup!
Manan Hathi, Senior Manager, Digital Health Regulatory Policy and Intelligence, Stryker
He is responsible for software and digital health regulatory policy across Stryker and has over 20 years of experience in the Medical Device space in various roles including Research, Product Development and Regulatory Affairs, with a heavy focus on software based medical devices. Mr. Hathi also serves as the software regulatory lead on the corporate product security core team, and plays an important role in the establishment, maintenance and governance of product security policies and procedures for all of Stryker Corporation.
In his role with Stryker, Mr. Hathi has been an invited speaker in several conferences and webinars with national and international forums on regulatory aspects of digital health and product security. He holds a Master of Science degree in Biomedical Engineering and is Regulatory Affairs Certified (RAC-US) by the Regulatory Affairs Professional Society (RAPS).
Matt Hazelett, Chief Regulatory Officer, MedSec LLC
Matt Hazelett is Chief Regulatory Officer at MedSec, responsible for guiding medical device manufacturers to meet and exceed regulatory requirements. His role is multifunctional and includes the direction of MedSec’s Training initiatives designed to enhance the knowledge base across the industry and set manufacturers up for success in developing and maintaining more secure medical devices.
Prior to MedSec, Matt worked at the Food and Drug Administration (FDA) for over 8 years. He most recently served as the Senior Cybersecurity Policy Analyst in the Office of Product Evaluation and Quality (OPEQ). His role focused on premarket and postmarket cybersecurity policy development and implementation across the clinical review offices including the recent requirements under Section 524B of the Food, Drug, and Cosmetic Act and the 2023 final premarket guidance. He also served as a Digital Health Center of Excellence Program Director for the OPEQ Cybersecurity Focal Point Program.
Randy Horton, Chief Solutions Officer, Orthogonal
Randy Horton is Chief Solutions Officer at Orthogonal, a software developer for Software as a Medical Device (SaMD), digital therapeutics (DTx) and connected medical device systems. Randy’s (and Orthogonal’s) mission is to improve patient outcomes faster by accelerating the development of SaMD by fusing the best of modern product development and software engineering practices with deep MedTech expertise in device compliance, safety and effectiveness.
Much of Randy’s career has been centered on working with healthcare and life sciences organizations from a digital transformation angle to tackle the problems summarized in The Quadruple Aim: Improving the individual experience of care, improving the health of populations, reducing the per capita costs of care, and improving the work life of those who deliver care.
Michelle Jump, MS, RAC, CEO, MedSec LLC
Michelle Jump is the CEO at MedSec, where she is responsible for providing strategic leadership, training and advisory services to the medical device industry in the area of cybersecurity compliance, global regulations, standards, product security program development, and security risk management. Ms. Jump has a passion for bringing technology-based solutions to healthcare, actively participating in a variety of domestic and international standards, as well as relevant industry and governmental initiatives to support security within the healthcare industry. Ms. Jump holds a Master of Science in Regulatory Science from the University of Southern California and a Master of Science in Biotechnology from California State University. She is also RAC certified and a Certified HIPAA Administrator.
Kristen Killheffer, Cybersecurity Regulatory Policy, Siemens Healthineers
Kristen Killheffer covers Cybersecurity Regulatory Policy in Siemens Healthineers’ Corporate Cybersecurity organization. In that role she tracks and monitors global cybersecurity laws and develops cybersecurity policy positions. She actively participates in numerous trade associations, health care initiatives, and in the legislative and regulatory process on behalf of Siemens Healthineers. As a part of the Governance organization within Cybersecurity, Kristen helps to drive regulatory compliance within the company’s products and has led efforts to improve cybersecurity regulatory submissions.
Before joining Corporate Cybersecurity, Kristen followed cybersecurity topics, in addition to others, as part of Siemens Healthineers’ North American Quality organization. She earned her B.A. in justice and communications studies from American University and her Juris Doctorate from Villanova University School of Law.
Mike Nelson, Global VP, Digital Trust, DigiCert
Anita Nosratieh, PhD, Vice President, Technology & Regulatory Affairs, AdvaMed
Justin Post, Policy Analyst, Cybersecurity, Office of Product Evaluation and Quality (OPEQ), Immediate Office – Digital Health, Center for Devices and Radiological Health (CDRH), FDA
Justin Post is currently a Policy Analyst (Cybersecurity) in the Immediate Office – Digital Health within CDRH’s OPEQ. The Immediate Office – Digital Health contributes to FDA’s digital health policy and to digital health related programs and activities. It also provides leadership and support to OPEQ staff with premarket and postmarket reviews in alignment with FDA guidance documents with digital health content. As part of the Immediate Office – Digital Health, Justin is primarily focused on premarket and postmarket cybersecurity policy development and implementation across OPEQ’s Office of Health Technology (OHT) 1 through 8.
Sivaram Rajagopalan, Senior Cybersecurity Architect, Associate Director, Baxter Product Security
Sivaram Rajagopalan has over 20 years’ experience in the field of Information Security & Risk Management with Big4 and Fortune 500 clients spanning multiple vertical industries including Healthcare, Medical Devices, Finance, Manufacturing, Public, Legal, Insurance, Telecommunications, IT and SMB sector. He brings strategic, tactical and operational domain expertise with wide and deep technical knowledge and experience, coupled with leadership experience. Sivaram holds a B.S. and an M.S. in Electrical Engineering, with several organizational accolades and security certifications.
Arnab Ray, Director, Product Cybersecurity, Abbott
Arnab Ray is the author of “Cybersecurity for Connected Medical Devices”, published by Elsevier, and is a Director of Product Cybersecurity and Manufacturing at Abbott. An author of 30 peer-reviewed journal and conference publications on software assurance and cybersecurity, he holds a PhD in Computer Science from Stony Brook.
Chris Reed, MA, CISSP, HCISPP, GCIA, Vice President, Product Security, Medtronic
Chris Reed is an active leader supporting Medtronic’s product security programs and reports to Medtronic’s Chief Regulatory Officer. He advises product teams on cybersecurity regulatory strategy and works on key regulatory legislation, guidance and standards such as FD&C 524B. He also spent over 21 years with Eli Lilly and Company, including building Lilly’s product security program supporting Digital Health, including connected diabetes management products. He is actively engaged as a leader in many medical device security and digital health industry initiatives, such as the Healthcare Sector Coordinating Council’s Cybersecurity Working Group Executive Committee, as AdvaMed Cybersecurity Working Group chair and MDIC Cybersecurity Working Group chair, and in various standards groups including the AAMI Device Security WG.
Nastassia Tamari, Division Director, Medical Device Cybersecurity, FDA
Nastassia Tamari is the Division Director for Medical Device Cybersecurity within the Division of Medical Device Cybersecurity (DMDC), housed within the Office of Readiness and Response (ORR) in the Office of Strategic Partnerships and Technology Innovation (OST) in FDA CDRH. The Division of Medical Device Cybersecurity provides leadership and strategic direction for medical device cybersecurity policy. As part of DMDC, she leads a team which develops policy related to medical device cybersecurity to advance national preparedness and response to cybersecurity incidents involving medical devices. She spent more than a decade at a private medical device manufacturer supporting the creation of a product security program, leading the security operations team for enterprise, product, and manufacturing, and finally leading a global team in strategic regulatory alignment.
She earned a B.A. in Communication from San Diego State University and completed graduate work at Boston University earning an M.S. in Journalism.
Jessica Wilkerson, Senior Cyber Policy Advisor, FDA
Oleg Yusim, Chief Product Security Officer, Illumina
Check to see if your company is an AdvaMed member here.
- AdvaMed Member Companies: $971
- AdvaMed Accel Member Companies: $625
- Government/ Non-Profit: $635
- Non-Members: $1,360
Location
All 2024 Cybersecurity Summit activities will be held at the AdvaMed offices located at 1301 Pennsylvania Ave NW Suite #400, Washington, D.C. 20004.
Join us for:
- The pre-event Welcome Reception on Tuesday, November 12 from 5:30 PM – 6:00 PM
- The 2024 Cybersecurity Summit on Wednesday, November 13 from 8:15 AM – 6:00 PM
Hotel Information
JW Marriott | 1331 Pennsylvania Avenue NW, Washington, DC 20004
Our room block has officially closed!
Questions? Contact [email protected].