BDO KNOWS LIFE SCIENCES
Framework for Improving Critical Infrastructure Cybersecurity, which includes the core principles of “Identify, Protect, Detect, Respond and Recover.” Such a program should include:
• Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
• Understanding, assessing and detecting the presence and impact of a vulnerability;
• Establishing and communicating processes for vulnerability intake and handling;
• Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk;
• Adopting a coordinated vulnerability disclosure policy and practice; and
• Deploying mitigations that address cybersecurity risk early and prior to exploitation.
When evaluating potential cyber risks, manufacturers should focus on assessing the risk to the device’s “essential clinical performance” and consider the following:
1) The exploitability of the cybersecurity vulnerability.
2) The severity of the health impact to patients should the vulnerability be exploited.
In instances where the “essential clinical performance” of a device could be compromised, the manufacturer is required to notify the agency. Reporting requirements are not enforced if the following circumstances are met:
1) No known serious adverse effects or deaths are associated with the vulnerability.
2) The manufacturer sufficiently remediates the issue within 30 days of learning of the vulnerability.
3) The manufacturer is a participant in an ISAO.
A device with an unacceptable level of risk to its essential clinical performance may be considered in violation of the Federal Food, Drug & Cosmetic Act and subject to enforcement actions.
BDO INSIGHTS
The FDA refers to medical device cybersecurity as a “shared responsibility.” We often talk of “multi-factor authentication” and “layered defense” as core cybersecurity strategies, and the same lens should be applied to the entire healthcare ecosystem. While manufacturers are ultimately responsible for identifying and remediating potential cyber vulnerabilities associated with their medical devices, hospitals and healthcare systems must safeguard their networks from potential breaches of security via medical devices. Medical device manufacturers are only the first line of defense.
The domino effect of a healthcare data breach sheds light on the importance of information sharing, a growing area of focus in cyber strategy and policy. The Cybersecurity Information Sharing Act (CISA), also part of the omnibus spending bill, offers prescriptive advice on furthering collaboration between the government and private sector, as well as industry collaboration within the private sector. While we will likely see an uptick in threat intelligence sharing across all industries, concerns about protecting competitive information and privacy risk have yet to be addressed. The level of sharing remains to be seen, and will dictate the effectiveness of ISAOs and other information sharing systems in mitigating cyber risk. Participation in ISAOs or Information Sharing and Analysis Centers (ISACs) will likely remain voluntary in the near term; however, as exemplified by the FDA, regulatory entities will increasingly consider participation when assessing cyber preparedness.
Healthcare organizations and medical device manufacturers are well-advised to seek assistance from consultants and technology specialists experienced in developing risk management frameworks and strategies to navigate complex security and compliance issues. BDO has deep experience in the medical device and healthcare industries and assists companies in conducting security risk assessments, testing controls, conducting security monitoring and developing and executing on incident response plans, in addition to implementing cybersecurity risk management programs, strategy and governance.
BDO TECHNOLOGY & LIFE SCIENCES PRACTICE
BDO is a national professional services firm providing assurance, tax, financial advisory and consulting services to a wide range of publicly traded and privately held companies. Guided by core values including competence, honesty and integrity, professionalism, dedication, responsibility and accountability for 100 years, we have provided quality service and leadership through the active involvement of our most experienced and committed professionals.
BDO works with a wide variety of technology clients, ranging from multinational Fortune 500 corporations to more entrepreneurial businesses, on myriad accounting, tax and other financial issues.
BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, advisory and consulting services to a wide range of publicly traded and privately held companies. For more than 100 years, BDO has provided quality service through the active involvement of experienced and committed professionals. The firm serves clients through 63 offices and more than 450 independent alliance firm locations nationwide. As an independent Member Firm of BDO International Limited, BDO serves multi-national clients through a global network of 1,408 offices in 154 countries.
BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms. For more information please visit: www.bdo.com.
Material discussed is meant to provide general information and should not be acted on without professional advice tailored to your firm’s individual needs.
© 2016 BDO USA, LLP. All rights reserved.