MEDICAL DEVICE SECURITY. A Focus on Patient Safety February, 2018

Transcription

1 MEDICAL DEVICE SECURITY A Focus on Patient Safety February, 2018

2 WHO I AM Adam Brand I Am The Cavalry Director Privacy and Security, Protiviti Focus on Medical Device Healthcare Security Custom EEG Manufacturing, Volunteer with I am The 2

3 AGENDA 01 Why Cybersecurity of Medical Devices Matters 02 Past and Present Vulnerabilities 03 The Shift from Privacy to Safety 04 What Are Providers Doing Today? 3

4 WHY CYBERSECURITY OF MEDICAL DEVICES MATTERS

5 MEDICAL DEVICE DEFINITION (FOR THIS DISCUSSION) A subset of the typical FDA medical device definition that is software-driven and continually (e.g., networked) or periodically (e.g., for maintenance) connected to by other systems or devices. Inclusive of the medical device solution, not just the device itself (e.g., an MRI operator console). 5

6 CAN SECURITY KEEP PACE WITH INNOVATION? Exposed, vulnerable systems All software has flaws. Connectivity increases potential interactions A software-driven, connected medical device is a vulnerable, exposed one Lack of patient safety alignment in medical device cyber security practices 6

7 ENHANCING AND ADVANCING CARE Real-time, remote monitoring. More accurate data direct to EMR. New, closed-loop treatment modalities. Medtronic MiniMed 760G 7

8 POLL: MEDICAL DEVICES AND YOU What is the closest you have been to a connected medical device in the past year? a) It provided treatment to me (e.g., infusion pump, insulin pump). b) It was used on me for diagnosis (e.g., MRI, CT scanner, bedside monitor). c) Someone close to me relied on a device. d) Neither me nor anyone I know needed a connected medical device. 8

9 CYBERSECURITY MATTERS FOR ALL OF US Many of us rely on these devices daily. When we are at our most vulnerable, we will depend on these devices for life. Even at times when we aren t personally affected, people we care about may be. 9

10 PAST AND PRESENT VULNERABILITIES

11 DEVICE-SPECIFIC VULNERABILITIES Weak default/hardcoded administrative credentials Access devices (some remotely) easily Cannot attribute action to individual Known vulnerable software platforms (e.g., Windows XP) Well-known and easily accessible exploits Less advanced cybersecurity features Wireless communication vulnerabilities Man-in-the-middle attacks Change device behavior 11

12 GE LOGIN CREDENTIALS WORD CLOUD Over 20 CVE s issued, with a dozen more pending. Researcher: Scott Erven 12

13 KNOWN VULNERABLE SOFTWARE 13

14 KNOWN VULNERABLE SOFTWARE 14

15 WIRELESS VULNERABILITIES Kevin Fu+, 2008 Jay Radcliffe, 2011 Barnaby Jack, 2012 Jay Radcliffe,

16 WIRELESS VULNERABILITIES MedSec,

17 DEVICE IMPLEMENTATION VULNERABILITIES Internet Exposure: Directly Connected or One Hop Away What can happen on the Internet? Default passwords make even more risky Insecure Wireless Networks Easier local access to trusted networks Weak and insecurely handled pre-shared keys make easier Lack of Effective Network Segmentation One user click away from compromise Separate networks with all communication allowed don t count 17

18 DIRECT INTERNET EXPOSURE Researcher: Scott Erven, 2013 Shodan Search, October

19 INTERNET EXPOSURE ONE HOP AWAY Researcher: Scott Erven, 2013 Shodan Search, October

20 HONEYPOT RESEARCH Honeypots 10 HoneyCreds login 8 55,416 Successful logins (SSH/Web) Top 3 source countries Netherlands, China, Korea 24 Successful exploits (Majority is MS08-067) 299 Dropped malware samples If a vulnerable medical device is on the Internet, it will get compromised. Research: Protiviti; Scott Erven and Mark Callao 20

21 TEENAGERS BUILDING THEIR OWN DEVICES 21

22 AND TESTING ON NEIGHBORHOOD KIDS 22

23 USING DOS

24 THE SHIFT FROM PRIVACY TO SAFETY

25 THE IMAGE SEEN ROUND THE WORLD 25

26 PATIENTS AFFECTED 26

27 CRITICAL MEDICAL DEVICES OFFLINE 27

28 POLL: COMPROMISED MEDICAL DEVICES What has your experience been with compromised medical devices? a) I know of a device at our hospital that was hit with malware. b) I have heard from a colleague that they had an infected device. c) I have not heard of a device being compromised. 28

29 PROBLEM AWARENESS HIPAA focuses on patient privacy, not patient safety. FDA does not validate cyber safety controls. Malicious intent is not a prerequisite for adverse patient outcomes. Medical Device Security is a Patient Safety Issue 29

30 FIRST CLINICAL ATTACK SIMULATION 30

31 MED DEVICE ATTACK WARGAMING Hospital Attack System Attack Nation State 31

32 HHS TASK FORCE REPORT 32

33 WHAT ARE PROVIDERS DOING TODAY?

34 POLL: YOUR MEDICAL DEVICE PROGRAM What is the status of the medical device program at your hospital? a) Management isn t yet aware of the extent of the risk. b) We have had a gap assessment performed and a strategy established. c) We have made significant progress in remediating our gaps. d) I don t know. 34

35 MEDICAL DEVICE SECURITY LIFECYCLE: ADDRESSING RISKS Risk assessment, vulnerability assessment and threat modeling Obtain Manufacturer Disclosure Statement for Medical Device Security (MDS2) Procurement & Contracting Phase Risk reduction prior to procurement Liability reduction for contracting Architecture and system design validation Post implementation security validation Maintenance Phase Vulnerability assessment and penetration testing Liaison with manufacturers, federal agencies and working groups PHI removal Wireless passwords Planning & Requirements Phase Implementation Phase Decommission Phase 35

36 TYPICAL STARTING POINTS Gap assessment to evaluate governance over the medical device lifecycle Most common starting point for organizations Governance Improvements Assigning formal responsibility for Medical Device Security Policies, procedures, standards, committees Ensuring newly added devices have appropriate security features Requiring third party penetration testing Overall Risk Assessment New Device Risk Assessments 36

37 SECOND PHASE PROJECTS Ensuring newly added devices have appropriate security features Requiring third party penetration testing Network Segmentation Separate VLANs with restrictive ACLs Internet access restrictions Scanning devices as part of preventative maintenance/passive vulnerability scans Pushing manufacturers to test patches Legacy Device Risk Assessments Vulnerability Management 37

38 MAYO CLINIC: DEVICE SECURITY ASSESSMENTS 38

39 OTHER RESOURCES 01 Following Researchers and Med Dev people on @adamrbrand) 02 Industry Working Groups (e.g., NH-ISAC, MDISS) 03 Conferences (e.g., NH-ISAC, Archimedes, DEF CON) 04 I Am The Cavalry (website, list) ( 39

40 Q&A Adam Brand 40