Life Sciences & Health Care, Medical Device Manufacturing and Cybersecurity, A Strategy
As the pandemic moves into its sixth month, we see a shift not only in how we prioritize health issues but in how we practice medicine, and in the cybersecurity implications of a proliferating attack surface that ranges from medical devices to home computing.
- Life Science and Health Care (LSHC) – Market, Players, Opportunities
- Two key documents for learning – BSI Cybersecurity of Medical Devices; MDIC Medical Device Cybersecurity Report
- Cyber Related Standards
- Frameworks, Standards & Tools: How CISOs Address MDM Cybersecurity
- List of resources and Laws
- IoT and CCPA
- Mapping and Tagging – Unification within GRC and Cybersecurity Risk Management
- Integration Progress – Facilitated Compliance Management
- Investment in Licenses and Partners
Robin Basham is the owner of EnterpriseGRC Solutions, President of ISC2 East Bay, Certified Information Systems Security Professional (CISSP), Audit (CISA), Governance (CGEIT) and Risk (CRISC), ICT GRC expert and early adopter in both certifying and offering certification programs for Cloud Security and Virtualization, with industry experience in the management of systems, controls and data for SaaS (IaaS and PaaS), Finance, Healthcare, Banking, Education, Defense, and High Tech. Positions held include Technology Officer at State Street Bank, leading Process Engineering for a major New England CLEC, Sr. Director Enterprise Technology for multiple advisory firms, founding, building product for and running two governance software companies, and most recently Director Enterprise Compliance for a major player in the mortgage industry, Ellie Mae. Having served as Cisco, Unified Compliance, and ISMS Program Manager for a multi-year GRC project, Robin currently leads the EnterpriseGRC Solutions LSHC initiative in support of three MDM clients. Robin may also be recognized for donating substantial time to supporting social platform security to further social democracy. Robin is also a past board member of the ISACA SV chapter.
| Standard, Law or Framework | Web Link to Source |
| --- | --- |
| California Consumer Privacy Act of 2018 | California Consumer Privacy Act (CCPA) |
| Eudralex Volume 4 Annex 11 – Computerized Systems | Eudralex Volume 4 Annex 11 – Computerized Systems |
| GAMP® 5 Guide: A Risk-Based Approach to Compliant GxP Computerized Systems | GAMP® 5 |
| HIPAA – HITECH Title 45 C.F.R. § 164 | HIPAA – HITECH Title 45 C.F.R. § 164 |
| ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements | ISO/IEC 27001:2013 |
| ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002 | ISO 27799:2016 |
| ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls | ISO/IEC 27002:2013 |
| ISO/IEC 27017:2015 (ISO/IEC 27002 controls for cloud services) | ISO/IEC 27017:2015 |
| ISO 13485:2016 – Medical Devices – A Practical Guide | ISO 13485:2016 – Medical Devices – A Practical Guide |
| ISO/IEC 30111:2019 Information technology — Security techniques — Vulnerability handling processes | ISO/IEC 30111:2019 |
| ISO 14971:2019 Medical devices — Application of risk management to medical devices | ISO 14971:2019 |
| HITRUST CSF v9.3 | HITRUST Alliance |
| Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook (MITRE) | Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook |
| Premarket Management of Cybersecurity in Medical Devices | Premarket Management of Cybersecurity in Medical Devices |
| Postmarket Management of Cybersecurity in Medical Devices | Postmarket Management of Cybersecurity in Medical Devices |
| Title 21 CFR Part 11 | CFR – Code of Federal Regulations Title 21, Chapter I – Food and Drug Administration, Part 11 – Electronic Records; Electronic Signatures |
| Title 21 CFR Part 820 QMS Requirements | 21 CFR Part 820 QMS Requirements |
| *An overview of the medical device industry – MedPAC | An overview of the medical device industry – MedPAC |
| *Cybersecurity of medical devices – Addressing patient safety and the security of patient health information | Cybersecurity of medical devices |
- CCPA SB-1121 California Consumer Privacy Act of 2018. (2017-2018) https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121
- SB-327 Information privacy: connected devices. TITLE 1.81.26. Security of Connected Devices https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327
- SANS Top 20 Critical Security Controls V7.1 https://www.sans.org/critical-security-controls/
- NIST Framework for Improving Critical Infrastructure Cybersecurity, V1.1 http://www.nist.gov/cyberframework/ https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- NIST SP 800-53 Rev. 5, Security and Privacy Controls for Federal Information Systems and Organizations. Important new features include the keywords and attributes used for tagging controls. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft
- DISA Security Technical Implementation Guides (STIGs). https://public.cyber.mil/stigs/
IoT and California Consumer Privacy Act, CCPA
TITLE 1.81.26, Security of Connected Devices (SB-327), is a new law designed to protect the security of IoT devices and the information those devices hold.
- The law can be enforced only by the attorney general, a city attorney, a county counsel, or a district attorney, and does not provide for any right of private action.
- The law does not apply to connected devices already subject to federal security standards.
The CCPA became effective on January 1, 2020.
- Officially AB-375, the CCPA is a bill that enhances privacy rights and consumer protection for residents of California. Signed into law on June 28, 2018, it amends Part 4 of Division 3 of the California Civil Code.