• Thursday, September 26, 2019
      8:30 AM  -  9:00 AM
      Registration and Breakfast
      9:00 AM  -  9:05 AM
      9:05 AM  -  9:10 AM
      Opening Remarks
      9:10 AM  -  10:00 AM
      Why Is the Legacy Issue So Challenging?
      • How security risk management is different for legacy devices
        • Is the bar different?
      • Why is legacy device management so difficult?
        • Old operating systems
        • Upgrade incompatibility
        • Deprecated software packages
        • When legacy products are "usalvageable"
        • Difference between maintaining and software updating
      10:00 AM  -  10:45 AM
      Understanding FDA Postmarket Requirements for Legacy Devices
      • More than just controlled and uncontrolled
      • Understanding that FDA jurisdiction is not enough
      10:45 AM  -  11:00 AM
      11:00 AM  -  12:00 PM
      Addressing the Legacy Issue Today
      • The big picture
        • Assessing what you have, inventory and risk assessment
      • The real costs of lax security management
        • Statistics
      • Responsibility and liability
        • Product liability considerations
      • Security management is a subset of change management
      12:00 PM  -  1:00 PM
      12:45 PM  -  1:45 PM
      Cross-comparison of Different Approaches to Legacy Devices

      1:45 PM  -  2:45 PM
      Software Bill of Materials (SBOM)
      • Vulnerabilities in multiple sourced assembled software
      • What should go into an SBOM?
      2:45 PM  -  3:00 PM
      PM Break
      3:00 PM  -  4:00 PM
      Testing and Cybersecurity Remediation of Legacy Devices
      • How does it differ from testing of premarket devices?
      • How often should you retest?
      • What types of things should you test?
      • Balancing remediation with the level of effort to fix
      4:00 PM  -  5:00 PM
      Designing Medical Devices for Better Future Legacy Management
      • Managing legacy device security is easier when planned in advance
      • Designing Controls that facilitate patching and updates 
      • AAMI TIR 97 recommendations for designing-in better postmarket medical device security
      • OWASP secure medical device deployment standard
      5:00 PM  -  6:00 PM
    • Friday, September 27, 2019
      8:00 AM  -  8:30 AM
      8:30 AM  -  9:30 AM
      Medical Device PnP Interoperability Lab Tour
      • Dr. Julian Golman will give a short presentation and lead a tour through the Medical Device Plug-and-Play Interoperability Lab at Massachusetts General Hospital, a collaborative space to support projects, testing and prototyping
      9:30 AM  -  10:30 AM
      Ongoing Initiatives to Support Legacy Medical Device Efforts
      • Discussion of ongoing efforts across the sector, including Healthcare and Public Health Sector Coordinating Council (HPH SCC), CVSS Rubric, etc.
      • Current initiatives
      • How people can get involved
      • Interplay with other agencies and initiatives
      10:30 AM  -  10:45 AM
      Refreshment Break
      10:45 AM  -  11:30 AM
      Device Certification - How Can It Help?
      • Certification as a tool to build trust with n on-domain-experts.
      • Using the technical certification requirements of UL 2900-2-1 as a means to facilitate secure systems integration.
      • Tracking software components (SBOM) as a function of device testing and certification.
      • Using certification processes to manage "End of Support" and "planned obsolescence."
      11:30 AM  -  12:30 PM
      Legacy Systems in Healthcare & their Impact on Cybersecurity Risks
      • Microsoft ends security patches and support for Windows 7 on January 14, 2020
      • How prevalent is the use of legacy operating systems in the healthcare industry?
      • How vulnerable are healthcare organizations?
      • What have we learned from the past?
      • Preparing for and mitigating inevitable legacy risk
      12:30 PM  -  1:45 PM
      Lunch and Breakout Discussion Sessions
      Opportunity for small group discussions with speakers to delve more deeply into specific topics and challenges - Not Available to VIRTUAL PARTICIPANTS.
      1:45 PM  -  2:45 PM
      A Shared Responsibility: Collaborating between Stakeholders - Hospital Perspective
      • What do hospitals need from manufacturers
        • Update ability of devices
        • Software Bill of Materials (SBOM)
        • Integrated security controls (Whitelisting, AV)
        • Recommendations on how to prolong the life of a legacy system (shutting off ports, mini-firewalls, etc.)
        • End of life information up front, for budget depreciation
        • Quicker vulnerability communication
        • Devices that can handle industry standard vulnerability scans
      2:45 PM  -  3:45 PM
      A Shared Responsibility: Collaborating between Stakeholders - Manufacturer Perspective
      • What do manufacturers need from hospitals
        • Unified requirements
        • Unified questionnaire
        • Removal of old devices
          • Mayo - 1.5 billion program to remove old devices
        • Support for a minimum bar of security expectations (e.g. WEP instead of WPA2)
      3:45 PM