Securing Biomedical Devices. IT Challenges - A View from the Trenches

Transcription

1 Securing Biomedical Devices IT Challenges - A View from the Trenches

2 Background Lead newly formed medical device security (MDS) team Previously clinical/research/teaching activities Extensively collaborated with clinical and research teams Unique user/security perspective Steve Smith IT clinical applications background Institution Clinical/research/teaching missions IT security consists of these teams Cybersecurity Medical device security (MDS) Access/Identity Risk FISMA/PCI Testing

3 Medical Device Security (MDS) Team Challenges

4 MDS or Other Team Responsible for a Device? What is a biomedical device? FDA medical device definition provides some guidance A device is: "an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is: recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them, intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of its primary intended purposes. The term "device" does not include software functions excluded pursuant to section 520(o). Definition includes obvious things like CT and MR scanners, infusion pumps, pacemakers, etc In practice, not always clear cut 4

5 MDS or Other Team Responsible for a Device? The Capsule Neuron 2 is a bedside mobile clinical computer that enables the automatic collection of vital signs data. Is it a biomedical device? Neuron 2 Infusion Pump Smart Bed Ventilator 5

6 MDS or Other Team Responsible for a Device? How about a network connected battery monitoring system for a mobile electronic health record (EHR) computer? Our approach to defining: ANY device, research or clinical, that Connects directly or through another device to our network Does not meet the requirements of our Windows 10 security standard which includes: Host based firewall, anti-malware, timely patching, encryption, device control, meets password standard, etc If it does, then cybersecurity team manages it Notice that this definition captures lots of IoT devices Networked connected cameras, DVRs, printers, HVAC, etc All devices on the network must be the responsibility of some team Devices 'clearly' not a biomedical device are then assigned to the cybersecurity team 6

7 Creating an Inventory of Current Devices We can't defend what we don't know about! Generating the inventory requires identifying and working with the various asset owners/managers In our case, groups such as: The clinical equipment department Academic resources for research assets Research administration for clinical trials Specialized service groups such as for imaging and cardiology equipment Network scanning to locate and profile devices From the MAC address (first three bytes) From its network behavior (who it communicates with) Tools such a nmap could be used to profile a device through active port scanning May cause device to drop off the network and need to be restarted 7

8 Creating an Inventory of Current Devices We also need owners/managers to provide data that will allow us to assess and manage the risk of the device such as: Does it connect wired or wirelessly to the network? If wireless, what protocol does it support (dot1x, etc)? It s IP and MAC address? Does it use a default password? Does the vendor have remote access to the device (tool used)? Is it Active Directory joined? What OS does it use? Does it store/transmit PHI? Does it have a local firewall? Does it have anti-virus? Is it subject to regular patching? Not routinely tracked 8

9 Implementing Mitigating Controls What can we do to reduce risk of the device? Consider also risk to patient/subject if hacked Common issues: Out of date OS or no patching Default passwords and poor password management Only supports wireless protocols with weak or no security No firewall or anti-virus These issues need to be addressed on a device by device basis One solution does not fit all Need to understand who it needs to communicate with and over which ports Approaches we are exploring Device specific VLANS and wireless networks CISCO ISE for dynamic VLAN and access control list assignment 9

10 Evaluating Device Risk BEFORE Purchase or Network Addition We are identifying all the paths that a device might take to get into the Medical Center such as: Faculty transferring from other institutions Clinical capital and operational expenditures Research capital and operational expenditures Research grants Proof of concept demos Clinical trials Hospital mergers Inserting the MDS team into each path For example, we are now reviewers on all research proposals Timely notice of some proposed purchases is an issue Vendor month or year end sales Capital equipment requests all coming in at one time 10

11 Questions? Don Gage