August 13th 2020 Member Meeting

Life Sciences & Health Care, Medical Device Manufacturing and Cybersecurity, A Strategy


LSHC Centric Common Control Approach-short version


As the pandemic moves into its sixth month, we see a shift not only in how we prioritize health issues but in how we practice medicine, and in the cybersecurity implications of a proliferating attack surface that ranges from medical devices to home computing.

  • Life Science and Health Care (LSHC) – Market, Players, Opportunities
  • Two key documents for learning – BSI Cybersecurity of Medical Devices; MDIC Medical Device Cybersecurity Report
  • Cyber Related Standards
  • Frameworks, Standards & Tools: how CISOs address MDM cybersecurity
  • List of resources and Laws
  • IoT and CCPA
  • Mapping and Tagging – Unification within GRC and Cybersecurity Risk Management
  • Integration Progress – Facilitated Compliance Management
  • Investment in Licenses and Partners

Robin Basham is the owner of EnterpriseGRC Solutions and President of ISC2 East Bay. She holds certifications in Information Systems Security (CISSP), Audit (CISA), Governance (CGEIT) and Risk (CRISC), is an ICT GRC expert and an early adopter in both earning and offering certification programs for Cloud Security and Virtualization, with industry experience managing systems, controls and data for SaaS (IaaS and PaaS), Finance, Healthcare, Banking, Education, Defense, and High Tech. Positions held include Technology Officer at State Street Bank, lead of Process Engineering for a major New England CLEC, Sr. Director of Enterprise Technology for multiple advisory firms, founder, product engineer and operator of two governance software companies, and most recently Director of Enterprise Compliance for a major player in the mortgage industry, Ellie Mae. Having served as Cisco, Unified Compliance, and ISMS Program Manager for a multi-year GRC project, Robin currently leads EnterpriseGRC Solutions' LSHC initiative in support of three MDM clients. Robin may also be recognized for donating substantial time to supporting social platform security to further social democracy. Robin is also a past board member of the ISACA SV chapter.

| Standard, Law or Framework | Web Link to Source |
|---|---|
| California Consumer Privacy Act of 2018 | California Consumer Privacy Act (CCPA) |
| EudraLex Volume 4 Annex 11 – Computerised Systems | EudraLex Volume 4 Annex 11 – Computerised Systems |
| GAMP® 5 Guide: A Risk-Based Approach to Compliant GxP Computerized Systems | GAMP® 5 |
| HIPAA – HITECH, Title 45 C.F.R. § 164 | HIPAA – HITECH, Title 45 C.F.R. § 164 |
| ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements | ISO/IEC 27001:2013 |
| ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002 | ISO 27799:2016 |
| ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls | ISO/IEC 27002:2013 |
| ISO/IEC 27017:2015 ISO/IEC 27002 controls for cloud services | ISO/IEC 27017:2015 |
| ISO 13485:2016 – Medical Devices – A Practical Guide | ISO 13485:2016 – Medical Devices – A Practical Guide |
| ISO/IEC 30111:2019 Information technology — Security techniques — Vulnerability handling processes | ISO/IEC 30111:2019 |
| ISO 14971:2019 Medical devices — Application of risk management to medical devices | ISO 14971:2019 |
| HITRUST CSF v9.3 | HITRUST Alliance |
| Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook (MITRE) | Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook |
| Premarket Management of Cybersecurity in Medical Devices | Premarket Management of Cybersecurity in Medical Devices |
| Postmarket Management of Cybersecurity in Medical Devices | Postmarket Management of Cybersecurity in Medical Devices |
| Title 21 CFR Part 11 | CFR – Code of Federal Regulations, Title 21, Chapter I – Food and Drug Administration, Part 11 Electronic Records; Electronic Signatures |
| Title 21 CFR Part 820 QMS Requirements | 21 CFR Part 820 QMS Requirements |
| *An overview of the medical device industry – MedPAC | An overview of the medical device industry – MedPAC |
| *Cybersecurity of medical devices – Addressing patient safety and the security of patient health information | Cybersecurity of medical devices |

IoT and California Consumer Privacy Act, CCPA

Title 1.81.26, Security of Connected Devices, is a new California law designed to protect the security of IoT devices and the information those devices hold.

  • The law can be enforced only by the Attorney General, a city attorney, a county counsel, or a district attorney; it provides no private right of action.
  • The law does not apply to connected devices already subject to federal security standards.

The CCPA became effective on January 1, 2020.

  • Officially designated AB-375, the CCPA is a bill that enhances privacy rights and consumer protection for residents of California. Signed into law on June 28, 2018, the CCPA amends Part 4 of Division 3 of the California Civil Code.