Session 77X Patient Safety Partnership: Predicting and Preventing Threats

Transcription

1 Prepared for the Foundation of the American College of Healthcare Executives Session 77X Patient Safety Partnership: Predicting and Preventing Threats Presented by: Debra Bruemmer Athar Mirza

2

3 Patient Safety Partnership: Predicting and Preventing Threats Disclosure of Relevant Financial Relationships The following faculty of this continuing education activity has no relevant financial relationships with commercial interests to disclose: Debra Bruemmer The following faculty of this continuing education activity has financial relationships with commercial interests to disclose: Athar Mirza Baxter Healthcare Salary Employee 2 1

4 Presenters Athar Mirza, Baxter Healthcare Corporation Debra Bruemmer, Mayo Clinic 3 Learning Objectives Illustrate the importance of making patient safety a priority in the new technology-dependent healthcare environment. Establish standard security testing processes that engage stakeholders with a focus on highpriority devices, which have the greatest potential to disrupt processes when security is breached. 4 2

5 Agenda Set the stage Cyber security and healthcare industry Securing Medical Devices Highlight the Mayo Clinic journey Share lessons learned Adjusting the course to drive change 5 Set the stage. 6 3

6 Healthcare is Targeted Cyberattack at Appalachian Regional Healthcare keeping EHR down after six days FBI Investigating: Hollywood hospital pays $17,000 in bitcoin to hackers FDA Safety Communication: Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System the product with the most vulnerabilities in the May-July period was healthcare software Philips Xper Connect, with 272 reported vulnerabilities. Healthcare is being targeted Computer Viruses Are "Rampant" on Medical Devices in Hospitals More than 40 viruses hit devices including X ray machines and lab equipment made by companies such as General Electric Co., Philips N.V. and Siemens AG. 7 Today s Hostile Environment Threat actors have multiple levels of skills Insiders (Current & Ex) Script Kiddies Hacktivists Organized Crime Nation State Active adversary must be assumed Unlimited time and resources Skill level to cause harm is going down Tools to compromise and harm systems are readily available and cheap (free) Harm or disruption could be deliberate or collateral We are way past strictly relying upon a firewall 8 4

7 Healthcare Environment Hospital Demographics ~ 5,800 hospitals in the US Average US hospital 160 beds Ripe for the picking $$ s are tight & resources are short $10.7 million profit Medical Devices Have publically known vulnerabilities Impacted by malware Warnings from FDA & ICS-CERT on vulnerable devices (wake up call) FBI issued public service announcement: isolate, patch/update, purchase from security conscious vendors Cybersecurity Preparations - Low Healthcare industry spends 4% to 6% of IT budget spent on security, Financial industry is 12% to 15% 94% of medical institutions say they have been victims of a cyber attack Security expert shared, cybercrime is now more lucrative than the illicit drug trade (CBS News, Sept. 2016) 9 Medical Devices Essential to Care Delivery Care is highly dependent upon technology Demand for connectivity continues to grow HITECH Act and increasing use of EHRs are driving device connectivity 1 in 4 medical devices are network connected Medical technology is used to: Improve patient outcomes Offset rising costs & decrease resource needs Decrease medical errors Improve access to care Deliver specialized knowledge at the bedside Healthcare is no longer possible without technology 10 5

8 Internet of Medical Devices United States healthcare is technology rich and diverse $110 billion spent each year on medical devices 7,000 device manufacturers Between 1995 and 2010 there has been a 62% increase in the number of devices per bed Mean number of devices per bed is Status Quo Continues. Despite cyber threat data and growing awareness, healthcare remains unprepared 72% of healthcare providers have less than 200 beds 80% of device vendors have less than 50 employees Industry continues to be an easy target for cyber attack Medical devices still sold with Windows XP - unsupported since 2014 Healthcare providers cannot manage medical devices like other technology Risks are managed through guidance and collaboration 12 6

9 Mayo s journey to understand and improve medical device security.. 13 Mayo Clinic Overview Made a strategic decision to dramatically increase it s security posture Over 1 million patients per year Paperless patient care ~230,000 active IP addresses High profile patients, significant intellectual property, and classified research Formed the Office of Information Security Reviewed surface area of environment ~10,000 Windows servers ~2,000 Linux servers ~80,000 workstations ~20, networked medical devices Found a significant number of networked devices not IT managed Formed team focused on medical device security Clinical Information Security 14 7

10 Clinical Information Security Team Director of CIS Senior Manager Deep technical skills Security Engineers 2 Principal Engineers 1 Senior Engineer 1 Engineer Security Analysts 3 Principal Analysts 2 Senior Analysts 2 Analysts Mix of org, PM & technical skills Focus on medical devices, facility systems, and clinical support systems Goals Serve as a trusted partner to the practice Identify vulnerabilities Recommend actions to remediate/mitigate vulnerabilities 15 Mayo Clinic s Journey Initial efforts Performed lite assessment on 40+ devices ~ preserved patient safety No direct vendor engagement ~ Mayo resources Found vulnerabilities in all devices ~ none passed Added resources to Clinical Information Security team ~ expand efforts Documented testing methodology and created templates Re-assessed 5 medical devices with greatest patient safety impact Performed in-depth assessment ~ preserved patient safety No direct vendor engagement ~ Mayo resources Discovered additional vulnerabilities Documented findings ~ details enabled recreating the vulnerability Communicated findings to the medical device vendors Provided detailed report Engaged to identify and apply actions to remediate/mitigate vulnerabilities Operationalized the assessment process 16 8

11 Mayo Clinic Philosophy Incorporate security into the procurement process RFP questions and standard security contract language Practice drives purchase decision, security enables secure execution Test medical devices, not waiting for vendors to identify and address issues new strategy is to move this testing to the vendors Document/Share test findings with the vendor Outline actions and timeline to address findings Prefer collaboration vs. public disclosure Goal: Partner with our vendors to have a safe outcome for our patients; this includes assisting vendors in providing us with a secure product Benefit society by using Mayo Clinic s influence Require changes are made to standard product Drive changes for long term vendor process improvements 17 Sharing lessons learned 18 9

12 Security Testing - Landscape Legacy devices and systems Upgrades and new versions Pre-purchases Remediated devices Medical Devices, Facility Systems, AND Clinical Support Systems Infant Protection System Nurse Call Temperature Monitoring Etc. Key: Push your security activities to the beginning of the purchase process 19 Security Testing System Thinking No device lives in isolation Need to asses the ecosystem a device lives in Many devices have control software that is vulnerable External access methods and processes require testing Map communication patterns to determine all possible threat vectors, test the whole communication chain End user processes can thwart security measures Include everything needed to support the device and provide patient care: Device Software Hardware Device Family Concept is Communication Important component 20 10

13 Security Testing Defined Process Focus on high priority devices Greatest potential to cause patient harm Greatest potential to widely disrupt patient care processes Impact to Mayo s over-arching network Engage all stakeholders Mayo (Clinical Users, HTM, IT, Facilities) Vendor Assess the whole device family Follow the data flow to include points of testing Workstations, servers, & endpoint Document demographic information, establish rules of engagement The Joint Commission Equipment Management Variables Clinical Application & Equipment Function 5,10 4,10 3,10 2,10 1,10 5,9 4,9 3,9 2,9 1,9 5,8 4,8 3,8 2,8 1,8 5,7 4,7 3,7 2,7 1,7 5,6 4,6 3,6 2,6 1,6 5,5 4,5 3,5 2,5 1,5 5,4 4,4 3,4 2,4 1,4 5,3 4,3 3,3 2,3 1,3 5,2 4,2 3,2 2,2 1,2 5,1 4,1 3,1 2,1 1,1 Equipment Function Clinical Application 21 Security Testing - Defined Process Testing includes Operational security review Vulnerability scanning using commercial and public scanners Fuzz testing Penetration testing - simulating multiple attack scenarios Assessing a subset of application code Testing Outcome Generate detailed vulnerability assessment report Review report with internal proponents Review report with vendor Outline and document actions and owner (vendor and Mayo) Track actions for closure Timeline = 3 x 3 x 3 Initial week of testing good to have a vendor rep on-site Remediation and mitigation efforts Network Endpoint & system ~ generally requires customization ~ Workflow Requires partnering with the vendor and internal staff 22 11

14 Security Testing Vulnerability Assessment Methodology Network vulnerability assessment Web application assessment Native software review Host configuration review Physical and hardware review Technical staff interviews 23 Security Testing Output Comprehensive test report Complete details enable vendor to reproduce the vulnerability Include screen prints, video, scripts, etc. Rate vulnerabilities as high / medium / low severity using CVSS Testing Axiom Visibility, Transparency, Moral High Ground NVC Common Vulnerability Scoring System Support v2 CVSS v

15 Security Testing - Common Medical Device Findings Operational security gaps Application vulnerabilities Configuration vulnerabilities Unpatched OS, middleware and commercial applications Lack of encryption 25 Security Testing - Statistics Performed in-depth Vulnerability Assessment > 50 Device / System Families 33 vendors engaged in an in-depth VA & remediation of findings Infusion pumps and formulary systems (multiple brands) CT MRI Infant Abduction Protection Building Automation Etc. Performed Security Design Analysis prior to purchase 124 completed in unique vendors engaged Issues Found Responsible 94% Vendor 6% Mayo 26 13

16 Collaboration Key to Ensure Patient Safety Requires collaboration beyond what is traditionally seen Vendors share product information not typically disclosed Providers rely on vendor partners to address security issues once identified Mutual transparency beyond rhetoric to achieve a shared focus on patient safety Exposes medical device to rigorous testing Beyond typical FDA requirements Typically uncovers previously unknown vulnerabilities Apply unique expertise from each organization Healthcare providers have clinical knowledge Vendors have product and technical knowledge ~ Seek vendors willing to collaborate on cyber security ~ 27 Adjusting the course to drive change 28 14

17 New Strategy for 2017 Medical Device Security Supported by executive leadership and practice Key aspects Perform a pre-purchase security assessment on all medical devices (scope is enterprise wide, estimate ~1,600 unique devices) Include security requirements in purchase contracts Challenges Mayo resources cannot scale to cover all devices Maintain appropriate level of rigor and consistency across devices Execution requires New internal processes Expanding procurement efforts Communicating to Mayo practice, other providers, and device vendors 29 New Strategy for 2017 Execution Establish new internal processes Document medical device standards (IEC / ISO 80001) Create new prioritization algorithm Do we care & How much do we care Develop minimum requirement 6 Nevers Create a scalable workflow Expand procurement efforts Engage early in the process - RFP questions Develop new Information Security Schedule - include in purchase contracts Communicate expectations to vendors Document Mayo testing methodology and templates Vendor Packet Require vendor to perform vulnerability assessment Require inclusion of Information Security Schedule 30 15

18 2017 Strategy - New Internal Processes Medical Device Standard Based on existing standards / capabilities ISO / IEC capabilities MDS 2 Form is tied to ISO capabilities Repackaging, not creating new 77 requirement criteria across the 19 capabilities 31 IEC / ISO Capabilities 1. Automatic logoff (ALOF) 2. Audit controls (AUDT) 3. Authorization (AUTH) 4. Configuration of security features (CNFS) 5. Cyber security product upgrades (CSUP) 6. Health data de-identification (DIDT) 7. Data backup and disaster recover (DTBK) 8. Emergency access (EMRG) 9. Health data integrity and authenticity (IGAU) 10. Malware detection/protection (MLDP) 11. Node authentication (NAUT) 12. Person authentication (PAUT) 13. Physical locks on device (PLOK) 14. Third-party components in product lifecycle roadmaps (RDMP) 15. System and application hardening (SAHD) 16. Security guides (SGUD) 17. Health data storage confidentiality (STCF) 18. Transmission confidentiality (TXCF) 19. Transmission Integrity (TXIG) 32 16

19 Standard based on ISO Capabilities Strategy - New Internal Processes Revised Prioritization Algorithm Information sources Vendor response to Medical Device Standard Workbook Mayo determination of patient care impact Emphasize patient safety 1 st and foremost Three components to the algorithm Compliance with Mayo policies 6 Nevers Impact to patient care safety and workflows Compliance with new standards (based ISO 80001) network impact Algorithm will determine path through new workflow Do we care How much do we care 34 17

20 2017 Strategy - New Internal Processes Minimum Requirement 6 Nevers 6 minimum requirements bar of goodness Runs supported OS Receives routine OS patches Has AV applied and updated Receives routine 3rd - party software patches Contains no default hardcoded passwords Complies with Mayo work Account standards Below the bar - work with vendor & practice 1st - Mitigate or remediate prior to purchase 2 nd - Commitment from vendor to address with set timeline 3 rd Exception from Mayo Clinic Security Committee (centralized risk acceptance) Strategy - New Internal Processes Scalable Workflow Mayo reviews for do we care, Vendor completes packet Review packet, Engage committee Apply algorithm, Audit vendor packet Proceed (mitigate or test) Mayo test 36 18

21 2017 Strategy - Expand Procurement Efforts RFP Process Incorporate security into the the process early, don t wait for the contract to be signed Provides vendor advance notice Educates buyer on security needs Cover security capabilities defined by the IEC / ISO RFP security questions Strategy - Expand Procurement Efforts Contract Language Refined existing security language Evolve as threat environment and security needs evolve Identify Mayo minimum requirements with respect to controls, practices and procedures Applies to all technology purchases, not just medical devices Two components Internal Written Security Program Product security requirements 38 19

22 2017 Strategy - Expand Procurement Efforts Written Security Program Roles and responsibilities of workforce who have direct or incidental access to Mayo Data or the Products Enacted, implemented, and adhered Access Who, controls (physical, electronic, passwords), Intrusion Detection and Prevention systems, Monitoring and logging, etc. Data Use, rest, and transition Disposal of Mayo data Files, media, or products Security Breach Notification and Procedures Etc. ~ SOC 2 Type II certification can replace WSP ~ Strategy - Expand Procurement Efforts Product Security Requirements FDA guidelines (i.e. fail safe features) Testing and scanning requirements Include SANS CWE Top 25 and/or OWASP Top 10 Perform at Mayo request, by tester mutually agreed to, or Mayo staff Meet Mayo testing methodology Installation standards (i.e. document needed ports/service, remove unneeded ports/services) Development standards Users and passwords (i.e. unique, no hardcoded, no persistent admin privilege) Security issues and response (i.e. communicate Known Vulnerability or Exploit (KVE) within 20-days, identify timeline and plan to remediate/mitigate, warrant all open source software is actively maintained) Penalty for failure to fix KVE Indemnification for cyber-security incidents caused by device 40 20

23 2017 Strategy - Communicate Expectations Vendor Education Session Invited targeted vendors to an education session in October 2016 Communicated Mayo s new strategy and expectations Require vendor to perform vulnerability assessment Require inclusion of Information Security Schedule Communicated new process Walked through the new process Reviewed Vendor Packet received during the RFP / pre-purchase process Deliverables MUST match the EXACT system version being purchased for Mayo Clinic Strategy - Communicate Expectations High Level Steps in New Process 1. Mayo Proponent sends vendor contact the Vendor Packet for Pre-Purchase Assessment. 2. Vendor contact completes the Vendor Packet for Pre-Purchase Assessment and returns the completed Vendor Packet for Pre-Purchase Assessment to Mayo Proponent. 3. Mayo Proponent submits the Vendor Packet for Pre-Purchase Assessment to Clinical Information Security (CIS). 4. CIS reviews the Vendor Packet for Pre-Purchase Assessment. 5. An Executive Summary is sent to the Proponent and funding committee for review prior to purchase

24 2017 Strategy - Communicate Expectations Vendor Packet Received during the RFP / pre-purchase process Included in the packet: Process instructions Medical device standard Information Security Schedule Testing methodology Approved testing vendors Templates Industry and security references Mayo contacts Strategy - Communicate Expectations Vendor Packet 44 22

25 2017 Strategy - Communicate Expectations Vendor Packet Strategy - Communicate Expectations Process Timeline Dependencies Timeliness of vendor to complete a vulnerability assessment of the system as well as all materials requested in the Vendor Packet for Pre-Purchase Assessment. Completeness of the provided Vendor Packet for Pre-Purchase Assessment allows the CIS team member to accurately and without delays review the materials. Any missing items or need for follow-up meetings could extend the timeline of the Pre- Purchase Assessment. Responsiveness of the vendor and Mayo Proponent to follow this provided procedure. Remember, all pre-purchase requests will be assessed for patient safety, device security, and network harm

26 Final Thoughts The technology and knowledge exist to fix the problem, but it s not always a technology problem While vendors have a responsibility to fix equipment, we both have a responsibility to protect patients This is a journey immediate attention is needed now with on-going, steady progress Collaboration & Transparency Feasible and the quickest and most effective way to protect patients 47 Presenter Biography & Contact Info Athar Mirza is the Director of Marketing at Baxter Healthcare. He leads the Infusion Systems business at Baxter that includes the Sigma Spectrum Infusion system and the Access business. Athar received his Bachelor of Science in Biological Sciences from University of Illinois at Chicago and an MBA from Loyola University, Chicago. Contact: Athar_Mirza@Baxter.com 48 24

27 Presenter Biography & Contact Info Debra Bruemmer is the Senior Manager of the Clinical Information Security team at Mayo Clinic in Rochester, Minnesota. She is part of the Office of Information Security. Debra received her Bachelor of Science in Finance from Winona State University, a Masters in Business Administration from Cardinal Stritch University, and is CISSP certified. She is accountable for leading a team to assess and improve the security of medical devices, facility systems and clinical support systems used within the Mayo Clinic environment. Her responsibilities include, understanding medical devices in the Mayo Clinic environment, assessing the vulnerability of medical devices, and partnering with vendors and internal staff to improve security. During her eighteen-year career at Mayo Clinic, Debra has worked in Finance, Information Technology, and the Office of Information Security. Bruemmer.debra@mayo.edu 49 Bibliography/References NVC Common Vulnerability Scoring System Support v2 CVSS v2 FDA Postmarket Management of Cybersecurity in Medical Devices, FDA Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, pdf ISO/IEC/TR :2012, Application of risk management for IT-networks incorporating medical devices -- Part 2-1: Step by Step Risk Management of Medical IT-Networks; Practical Applications and Examples, Manufacturer Disclosure Statement for Medical Device Security (MDS2), Security.aspx#download CWE/SANS TOP 25 Most Dangerous Software Errors, Open Web Application Security Project (OWASP), _2013.pdf 50 25