Mobile-as-a-Medical-Device (Security) David Kleidermacher Chief Security Officer, BlackBerry

Size: px

Start display at page:

Download "Mobile-as-a-Medical-Device (Security) David Kleidermacher Chief Security Officer, BlackBerry"

Elmer Price
5 years ago
Views:

1 Mobile-as-a-Medical-Device (Security) David Kleidermacher Chief Security Officer, BlackBerry

2 Mobile Devices in Medical Cardiology Pacemakers Defibrillators Oncology Drug delivery Neurology Deep brain stimulation Infertility Drug delivery Radiology Mobile ultrasound Endocrinology EMR Diabetes management Bariatric therapy Secure drug prescription Telemedicine BlackBerry. All Rights Reserved. 2

Assurance Lack of assurance is the most significant problem

clinically safe for the next user Using an insulin pump a billion times on millions of people provides NO assurance the pump can

4 Safety Assurance vs. Security Assurance Using an insulin pump a billion times on millions of people provides high assurance the pump will be clinically safe for the next user Using an insulin pump a billion times on millions of people provides NO assurance the pump can protect the millions of people against hackers It is dangerous to think we can understand our obligations by applying policies, laws, and arguments concerning older technologies and issues - Deborah Johnson BlackBerry. All Rights Reserved. 4

8 Assurance Programs: Role of Government FDA do not establish any legally enforceable responsibilities NIST has no plans to develop a conformity assessment program. NIST encourages the private sector to determine its conformity needs, and then develop appropriate conformity assessment programs BlackBerry. All Rights Reserved. 8

Other Industries? EMVco Eurosmart Common Criteria Works!

11 Ideal Assurance Program Risk-based approach to security functional requirements definition Scientific approach to security evaluation Efficient (cost and time) Continuous improvement Open and inclusive (international, all stakeholders) BlackBerry. All Rights Reserved. 11

DTSec: https://diabetestechnology.org/dtsec.

12 DTSec: Connected healthcare devices Efficiency: reuse ISO/IEC 15408/62304/ focus on vuln assessment Protection Profiles for device families (first: diabetes) Accredited evaluation labs UL, BrightSight, Booz Allen Assurance maintenance BlackBerry. All Rights Reserved. 12

Managed Medical Domain (TEE) Medical app Authentication

15 Medical Apps Domain Consumer App Store Apps Consume r app Consume r app Consume r app Consume r app Encryption Managed Medical Domain (TEE) Medical app Authentication Medical app Mobile Device BlackBerry. All Rights Reserved. 15

16 Connected Medical Device vs. Mobile Medical Device Security Capability Hospital Infusion Pump Secure Android Smartphone Firmware authenticity CRC HW-backed verified boot Independent security certification None CTS, NIAP, DTSec (planned) On-device anti-malware None Yes, VerifyApps and 3 rd party ML-based threat detection None Yes, SafetyNet and 3 rd party Remote security attestation None Yes, SafetyNet and 3 rd party Rapid vuln patching None Yes Security contextual APIs None Yes Data-at-rest protection None Yes Protected network channels No Yes HW-backed crypto key storage No Yes Hardened Linux kernel Custom with unknown options, config, content; no memory protection Permroot difficulty Trivial Not rooted Fully vetted, 16 hardened kernel (chip manufacturer, OEM, Google) 2016 BlackBerry. All Rights Reserved. 16

17 Call to Action Get behind DTSec (and similar) and get involved Bring me your secure mobile medical app needs industry scollaboration is needed We must have a balanced, risk-based discussion about security tradeoffs in medical Do not unnecessarily frighten consumers and patients But we need to do MUCH better in gaining their confidence BlackBerry. All Rights Reserved. 17

The Next Frontier in Medical Device Security

The Next Frontier in Medical Device Security Session #76, February 21, 2017 Denise Anderson, President, NH-ISAC Dr. Dale Nordenberg, Executive Director, MDISS 1 Speaker Introduction Denise Anderson, MBA