President's Message: FDA Applying Systems of Systems Approach to Deal with Cybersecurity for Medical Devices and Healthcare

I recently attended a webcast hosted by the Food and Drug Administration (FDA) to address cybersecurity for medical devices and healthcare.  It was a call to action to engage medical device manufacturers, healthcare organizations, the FDA and other government agencies, such as the Department of Homeland Security (DHS) to address the advanced and persistent cyber threats to systems.  Cybersecurity is fundamentally a people problem which is enabled by technology, people are responsible for initiating attacks and the internet of everything is exploited to facilitate these attacks.

The FDA regulates medical devices but there are over 100,000 medical devices, so there is expectation that manufacturers are assessing risk and taking control measures.  The FDA does not regulate the healthcare providers which represents a vast spectrum from national institutions like the Veteran's Administration Hospital to individual doctors.  This is one of the pain points identified for systems of systems, no central authority.  The FDA strategy is to foster collaboration in order to address the vulnerability posed by cybersecurity. This affects medical devices as well as healthcare providers and any breach to these systems could lead to an attack on other systems which is why DHS is engaged.

The systems of systems’ need for inter-operability drives requirements for inter-connectivity which exposes cybersecurity vulnerabilities.  Inter-operability improves efficiency to provide healthcare which improves patient care but also boils down to economics.  This is a tradeoff between information access and security.

The National Institute of Standards and Technology (NIST) defined a framework for improving cybersecurity.  A core element of the framework is the identification of the risk.  The risk assessment considers the interfaces of the constituent systems in the risk environment.  This is challenging because as previously stated healthcare providers represent a vast spectrum which inter-connect systems in variety of ways.  Also, some medical devices are classified as legacy devices because they have a long service life and may lack security features. When these legacy devices are interfaced with other systems they present a vulnerability to the systems of systems.  Another core element of the framework is detection of an attack.  Detection is always after the fact so focus is on remediation.  The reporting of attack is an interface that needs to develop in order to share the information and reduce the risk to other systems.  A common model to bridge organizational barriers, sectors and address concerns about reputation, liability and intellectual property needs to be defined.

An element of the discussion that I found particularly interesting is the human aspect.  While there is the obvious human aspect of the hackers who initiate the attack, the healthcare providers are hackers in their own right.  The healthcare providers' priority is to patient care and they are resilient at devising workarounds to use the systems at their disposal.  Additionally, availability of systems to provide care trumps security, so even if vulnerability is detected but the system can continue to satisfy its intended use, it will be used.

Throughout the two day webcast attended by a large diverse community the theme of systems of systems was repeated.  Cybersecurity is a multi-faceted wicked problem covering economics, technology, human factors, political, physics and math.  Numerous constituent systems are involved.  It requires systems thinking.  The FDA is facilitating a collaborative environment to provide leadership in solving these issues.  The mission of the FDA is to ensure that medical devices are safe and effective and to ensure security going forward.

By Rollie Olson

INCOSE SFBAC President 

Rollie Olson's Bio

The Internet of Everything: A Stanford Engineering Symposium

Stanford Engineering is holding a symposium on The Internet of Everything. Any member of the community can view the live event free by registering and signing up through Stanford Center for Professional Development (SCPD) by 4pm on December 4, 2014 here: http://scpd.stanford.edu/search/publicCourseSearchDetails.do?method=load&courseId=27224811. The symposium will take place Thursday, December 4, 2014 from 7:00 - 8:15 pm.

About the symposium:

A quiet technology revolution has made it possible for many objects to communicate electronically. Already more objects than humans are connected to the Internet, a trend that will only increase as more TVs, eyeglasses, watches, thermostats, cars and sensors link to the Internet and each other. Stanford Engineers and others are creating something new, a network of humans and things. It is the Internet of Everything.

Attend our next EngX symposium to hear from three Stanford Engineering faculty members working to create the Internet of Everything and learn more about the engineering challenges that surround it. EngX is a fast-paced event with three 20-minute talks and questions afterward.
 
Speakers

• Thomas Lee, a professor of Electrical Engineering, will provide an overview of the Internet of Everything and what it could enable. He has been researching wireless technology at Stanford University since 1994 and is a past Director of DARPA's Microsystems Technology Office. 
• Mark Horowitz is the Yahoo! Founders Professor at Stanford University and was chair of the Electrical Engineering Department from 2008 to 2012. He will talk about how Stanford engineers are investigating ways to build a secure Internet of Everything. Horowitz is a member of the National Academy of Engineering and the American Academy of Arts and Sciences.

• Armin Arbabian, an assistant professor of Electrical Engineering, will discuss the ant-sized radio he created, an inexpensive, self-powered radio controller that provides the web of connectivity and control between the global Internet and smart household devices - an essential requirement for the Internet of Everything.

Please note this event is not hosted or connected to the INCOSE SFBAC Chapter.

INCOSE SFBAC Election & Survey

The SFBAC is accepting votes in the election of our 2015 chapter officers and feedback for the end of the year poll until Friday, December 19, 2014. 

Voting members, we have one update for this year's election. Members are limited to 6 votes in the BallotBin field that allows votes for candidates (this should have been 7). We apologize for any inconvenience or confusion this has caused. 

If you believe you have paid your member dues for 2014 but have not received a ballot, contact Dorothy McKinney at dorothy.mckinney at INCOSE.org.

Systems Engineering in Transformation

The Systems Engineering Transformation Caucus is working toward the development of a systems engineering practice that:

• Brings in new practices and new methodologies dynamically,
• Adapts and responds to circumstances, and
• Constantly evolves as new insights and practices emerge. 

 This year the caucus established a public website at:

http://transformationcaucus.wikispaces.com/Shared+Transformational+Systems+Engineering+Resources

The resources at the public website include a review of presentations at this year's INCOSE International Symposium.  (See URL, above, for a summary of the presentations.)

The caucus is currently working on a variety of fundamental issues in TSE practice.  We are committed to presenting a snapshot of this work in papers published in the Autumn 2015 issue of INCOSE INSIGHT.  We are also planning to meet at the INCOSE International Workshop in January of 2015 to review drafts of these papers.

Issues addressed in the INSIGHT papers will include:

• TSE Vision - What is our vision of Transformational SE and what are the integrating concepts for TSE?  Lead:  Scott Workinger
• Situation Awareness - What are the relevant factors to consider when choosing TSE practices and what factors should be monitored to keep a TSE project on track?  Leads:  Dean White, Dorothy McKinney
•  TSE Integration Framework - When establishing a TSE framework of practice, what is needed to establish plug and play interfaces for individual TSE Practice Components?  Lead:  George Sawyer
•  Business Models and Organizational Factors - How does an organization's business model influence the choice of TSE practices?  What are the organizational factors needed to support various TSE practices?  Lead:  Lee Amon
•  Group Flow - Both Design Thinking and Agile Development harness the creative power and productivity of group flow.  How can TSE practices initiate and sustain group flow?  Lead:  Laurie Buss
•  Agile Development - What are the available ways to bring Agility into a Project?  How do we measure Agility?  Lead:  Clark Ince
• Agile Development - How do we scale up agile methods to large projects?  Lead:  Phyllis Marbach
• Design Thinking - What is Design Thinking and how does it differ from Classical Systems Engineering?  Lead:  Jean Souza
• Design Thinking - How does design practice differ in successful design organizations?  (Three major Silicon Valley companies will be studied including some that employ very large development projects.)  Leads:  Uli Barnhoefer, Scott Workinger
•  System of Systems Engineering - What are some key examples of successful architectural patterns in System of Systems Engineering practice?  Lead:  Ray Deiotte 
• Validation in Transformational Test Engineering - In an environment where many systems cannot be tested using classical techniques, how can complex systems be tested and evaluated effectively?  Leads:  Andy Anderson, Scott Workinger

Jean Souza has graciously accepted the role of TSE Co-Leader.  Since stepping up to the Co-Lead position, she has played a key role in moving the publishing effort forward.

The caucus has been making regular presentations at chapter meetings for INCOSE SFBAC (serving Silicon Valley).  For instance:

• The October Meeting featured Lee Amon discussing how Silicon Valley Business Models will, in many situations, lead to the application of differing systems engineering practices.
• The November Meeting featured Dean White and Dorothy McKinney discussing the relevant factors in establishing Situation Awareness for applying practices and monitoring the evolution of TSE projects.

The caucus welcomes the participation of interested individuals.  For further information, please contact:

• Jean Souza:  jmsouza at fastmail.fm
• Scott Workinger:  scottworkinger at gmail.com

 

By Scott Workinger, Ph.D.

INCOSE SFBAC Past-President

Scott Workinger’s Bio

December Membership Meeting Cancelled

The INCOSE SFBAC will not be holding a meeting December 2014. Information on future meetings will be posted on our chapter's Schedule of Events page: http://www.incose.org/sfbac/schedule.html