Assessing Medical Device. Cyber Risks in a Healthcare. Environment

Transcription

1 Assessing Medical Device Medical Devices Security Cyber Risks in a Healthcare Phil Englert Director Technology Operations Environment Catholic Health Ini<a<ves Approach Cindy Wallace Manager IT Security Risk 78

2 Objec<ves Recognize security threats to integrated medical devices Describe the regulatory changes driving the need to assess medical device IT security List control categories relevant to a medical device IT security assessment Explain the need for medical device security assessment within your facility 79

3 Agenda Program Drivers CHI Environment Problem Statement Approach & Outcomes Future State Q&A Appendix - Resources 80

4 Who is CHI? Strong and Diverse Na<onwide Presence Market-Based Organization Total Operating Revenue Less than $40 million $40 to $100 million $100 to $350 million $350 million to $1 billion Greater than $1 billion 81

5 Informa<on Security Business Resilience & Physical Security Security Strategy & Risk Management Security Compliance, Awareness & IAM Governance Informa<on Security Security Services/ Opera<ons Iden<ty & Access Management Engineering Threat Management, Incident Response, and Forensics 82

6 Clinical Engineering Clinical Engineering Consul7ng Services Technology Opera7ons CHI Physical Asset Services Planning, Design & Construc7on Real Estate Management Facili7es Management 83

7 Coming Together Clinical Engineering, Informa<on Security, & Corporate Compliance Regular structured workgroup Normalize the dialogue Blend areas of exper<se Embrace the unknowns Recognize cultural challenges Availability vs. Confiden<ality Data is an asset 84

8 Problem Statement Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches. In addi:on, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical device, and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates. Source: FDA Safety Communica<on: Cybersecurity for Medical Devices and Hospital Networks (06/13/2013) 85

9 Program Objec<ves Assess and reduce Medical Device security risk across the enterprise Key Parameters: Granular (control and device level) Sustainable (leveraging exis<ng control framework) Ac<onable (indicate path to risk reduc<on) 86

10 Program Drivers Regulatory Compliance HIPAA / HITECH FDA Involvement Threats Malware Targeted cyber a]acks Thieves User errors Known security issues Specific Risks - CIA Pa<ent data Confiden<ality System and data Integrity Device Availability Pa<ent Safety 87

11 Ini<al Outcomes Leadership Support Cohesive Life Cycle Management Applicable Security Policies & Standards Customized Security Training Security Risk Assessment Methodology 88

12 Risk Management Process Information Security Management System 89

13 Med. Dev. Security Risk Management Requirements HIPAA Security: Administra<ve, Technical, Physical FDA Security Controls Assessment Applicable NIST Security Controls MDS2 Form Flexible per device / loca<on Findings Validated complexity Heat Map (risk areas) 90

14 Security Risk Assessment Process Likelihood x Impact - Controls = Residual Risk Device Profile and Environment Implemented Selected Controls NIST Medical Device Residual Risk 91

15 Control Categories AC - Access Control AU - Audit and Accountability CM - Configura<on Management PE - Physical Security SC - Communica<on Protec<on SI - Informa<on Integrity 92

16 Implemen<ng Security Measures Medical Device Procurement (triage) Mul<disciplinary review Standards for new & device revisions Compliance capability of device Medical Device Assessment Sample exis<ng install base Ongoing review Understanding of the environment Configura7on Management Standard Configura<on template Ve]ed compensa<ng controls Back- check exis<ng install base 93

17 Tools Developed Medical Device IT Security Assessment Enterprise Security Risk & Compliance integra<on Medical Device Pre- purchase (Triage) Process Efficient work- stream review Standard IT Configura<on template Consistent implementa<on RACI approach Support Integra<on matrix 94

18 Priori<za<on 95

19 Future State Greater awareness Higher confidence in a safe medical device risk environment & pa<ent safety Reduced exposure to breach and service interrup<on Improved efficiency in mee<ng business needs Increased consistency in security measures 96

20 Objec<ves Recognize security threats to integrated medical devices Describe the regulatory changes driving the need to assess medical device IT security List four control categories to include in a medical device IT security assessment Explain the need for medical device security assessment within your facility 97

21 Resources FDA Cybersecurity in Medical Devices h]p:// guidancedocuments/ucm htm NIST Improving Cri<cal Infrastructure Cybersecurity Execu<ve Order h]p:// cybersecurity- framework.pdf Mobile Medical Applica<ons part of challenge h]p:// ConnectedHealth/MobileMedicalApplica<ons/ucm htm CMS Security Standards Technical Safeguards h]p:// techsafeguards.pdf NEMA - Manufacturer Disclosure Statement for Medical Device Security h]ps:// Disclosure- Statement- for- Medical- Device- Security.aspx 98

22 Resources Security and Privacy Controls for Federal Informa<on Systems and Organiza<ons (NIST Special Publica<on r4) h]p://nvlpubs.nist.gov/nistpubs/specialpublica<ons/nist.sp r4.pdf 99