Mobile-as-a-Medical-Device (Security)
David Kleidermacher, Chief Security Officer, BlackBerry


Mobile Devices in Medical
- Cardiology: pacemakers, defibrillators
- Oncology: drug delivery
- Neurology: deep brain stimulation
- Infertility: drug delivery
- Radiology: mobile ultrasound
- Endocrinology: diabetes management
- EMR, bariatric therapy, secure drug prescription, telemedicine
2016 BlackBerry. All Rights Reserved.

Assurance
Lack of assurance is the most significant problem in cybersecurity today.

Safety Assurance vs. Security Assurance
- Using an insulin pump a billion times on millions of people provides high assurance that the pump will be clinically safe for the next user.
- Using an insulin pump a billion times on millions of people provides NO assurance that the pump can protect those millions of people against hackers.
"It is dangerous to think we can understand our obligations by applying policies, laws, and arguments concerning older technologies and issues." - Deborah Johnson

Internet of [Insecure] Medical Things

Muddy Waters (timeline slide: May, Aug, Sep, Oct, Jan)

The Hidden Disease of Security Vulnerability

Assurance Programs: Role of Government
- FDA (on its guidance documents): "do not establish any legally enforceable responsibilities"
- NIST: "has no plans to develop a conformity assessment program. NIST encourages the private sector to determine its conformity needs, and then develop appropriate conformity assessment programs"


Other Industries?
- EMVCo
- Eurosmart
- "Common Criteria Works! (How the smart card industry uses the CC)": https://www.commoncriteriaportal.org/iccc/9iccc/pdf/b2501.pdf
- AVA_VAN.5! (the Common Criteria, ISO/IEC 15408-3, vulnerability-analysis component that requires resistance to attackers with High attack potential; the level smart card evaluations routinely reach, and far above what any medical device is evaluated against)

Ideal Assurance Program
- Risk-based approach to security functional requirements definition
- Scientific approach to security evaluation
- Efficient (cost and time)
- Continuous improvement
- Open and inclusive (international, all stakeholders)

DTSec: https://diabetestechnology.org/dtsec.html
- Connected healthcare devices
- Efficiency: reuse ISO/IEC 15408 (Common Criteria), IEC 62304 (medical device software life cycle) and ISO 14971 (medical device risk management), with the evaluation effort focused on vulnerability assessment
- Protection Profiles for device families (first: diabetes)
- Accredited evaluation labs: UL, Brightsight, Booz Allen
- Assurance maintenance

Diabetes: A Global Emergency

Trajectory to a Promising Future (image slide: first insulin pump, Biostator, future possibilities; sources: Banting Research Foundation, acs.org, www.diabetes.org, www.medtronicdiabetes.com, www.medscape.com, openi.nlm.nih.gov)

Medical Apps Domain (diagram: one mobile device, two domains)
- Consumer domain: app store apps (consumer app, consumer app, ...)
- Managed Medical Domain (TEE): medical apps, with encryption and authentication

Connected Medical Device vs. Mobile Medical Device

Security capability                 Hospital infusion pump                              Secure Android smartphone
Firmware authenticity               CRC                                                 HW-backed verified boot
Independent security certification  None                                                CTS, NIAP, DTSec (planned)
On-device anti-malware              None                                                Yes, Verify Apps and 3rd party
ML-based threat detection           None                                                Yes, SafetyNet and 3rd party
Remote security attestation         None                                                Yes, SafetyNet and 3rd party
Rapid vulnerability patching        None                                                Yes
Security contextual APIs            None                                                Yes
Data-at-rest protection             None                                                Yes
Protected network channels          No                                                  Yes
HW-backed crypto key storage        No                                                  Yes
Hardened Linux kernel               Custom, with unknown options, config and content;   Fully vetted, hardened kernel
                                    no memory protection                                (chip manufacturer, OEM, Google)
Permanent root difficulty           Trivial                                             Not rooted

A CRC only catches accidental corruption: an attacker who can rewrite the image can recompute, or forge, the checksum. That is why the smartphone column relies on a signature chain anchored in hardware rather than on a checksum.
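The firmware-authenticity row (CRC versus hardware-backed verified boot) is the crux of the comparison. The Go program below is an added example, not code from the talk or from BlackBerry. It protects a constructed, hypothetical pump image with a CRC-32 trailer, shows that a naive patch of the dose-limit field is caught, then forges four bytes so the patched image passes the CRC check anyway, and finally shows the same patched image failing an Ed25519 signature check. The image layout and the signing seed are invented for the demo; the forging routine uses the standard IEEE CRC-32 table; a real verified-boot chain anchors the public key in ROM or fuses, which the demo only simulates by holding the key in memory.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// Constructed sample image (hypothetical layout): header plus a dose-limit
// field the attacker wants to raise.
var firmware = []byte("PUMPFW-1.0;max_bolus_units=025;")

// Constructed signing seed, demo only; in verified boot the private key stays
// with the vendor and only the public key is anchored in the device.
var signingSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

// "Authenticity" by CRC: image || crc32(image) as a little-endian trailer.
func appendCRC(img []byte) []byte {
	trailer := make([]byte, 4)
	binary.LittleEndian.PutUint32(trailer, crc32.ChecksumIEEE(img))
	return append(append([]byte{}, img...), trailer...)
}

func checkCRC(blob []byte) bool {
	if len(blob) < 4 {
		return false
	}
	body, trailer := blob[:len(blob)-4], blob[len(blob)-4:]
	return crc32.ChecksumIEEE(body) == binary.LittleEndian.Uint32(trailer)
}

// crcForgeSuffix returns four bytes that, appended to data, force its CRC-32 to
// target. Every IEEE table entry has a distinct high byte, so the register can
// be stepped backwards from the target to recover the table index used at each
// of the last four steps, then forwards from data's own register to pick the
// input bytes that select those indices.
func crcForgeSuffix(data []byte, target uint32) []byte {
	tbl := crc32.IEEETable
	var byHigh [256]byte
	for i, e := range tbl {
		byHigh[e>>24] = byte(i)
	}
	reg := crc32.ChecksumIEEE(data) ^ 0xFFFFFFFF // raw register (undo final XOR)
	v := target ^ 0xFFFFFFFF
	var idx [4]byte
	for i := 3; i >= 0; i-- { // backwards from the target
		idx[i] = byHigh[v>>24]
		v = (v ^ tbl[idx[i]]) << 8
	}
	out := make([]byte, 4)
	for i := 0; i < 4; i++ { // forwards: input byte = index ^ low byte of register
		out[i] = idx[i] ^ byte(reg)
		reg = tbl[idx[i]] ^ (reg >> 8)
	}
	return out
}

// Authenticity by signature: image || Ed25519 signature over the image.
func signImage(priv ed25519.PrivateKey, img []byte) []byte {
	return append(append([]byte{}, img...), ed25519.Sign(priv, img)...)
}

func verifyImage(pub ed25519.PublicKey, blob []byte) bool {
	if len(blob) < ed25519.SignatureSize {
		return false
	}
	n := len(blob) - ed25519.SignatureSize
	return ed25519.Verify(pub, blob[:n], blob[n:])
}

type demoResult struct {
	CRCCatchesBlindPatch bool // a plain patch changes the CRC and is noticed
	CRCAcceptsForgery    bool // patch + four forged bytes passes the CRC check
	SigAcceptsForgery    bool // the same forged image against the signature check
}

func runDemo() demoResult {
	tampered := bytes.Replace(firmware, []byte("=025"), []byte("=250"), 1)
	crcBlob := appendCRC(firmware)
	trailer := crcBlob[len(crcBlob)-4:]
	origCRC := binary.LittleEndian.Uint32(trailer)
	blind := append(append([]byte{}, tampered...), trailer...)
	// The forged bytes are appended for brevity; the same linear trick works for
	// four bytes anywhere in the image (e.g. padding), which this demo omits.
	forgedBody := append(append([]byte{}, tampered...), crcForgeSuffix(tampered, origCRC)...)
	forgedCRC := append(append([]byte{}, forgedBody...), trailer...)

	priv := ed25519.NewKeyFromSeed(signingSeed)
	pub := priv.Public().(ed25519.PublicKey)
	sigBlob := signImage(priv, firmware)
	forgedSig := append(append([]byte{}, forgedBody...), sigBlob[len(sigBlob)-ed25519.SignatureSize:]...)

	return demoResult{
		CRCCatchesBlindPatch: !checkCRC(blind),
		CRCAcceptsForgery:    checkCRC(forgedCRC),
		SigAcceptsForgery:    verifyImage(pub, forgedSig),
	}
}

func main() {
	fmt.Printf("%+v\n", runDemo()) // {CRCCatchesBlindPatch:true CRCAcceptsForgery:true SigAcceptsForgery:false}
}
```

The blind patch is always caught because a same-length change shorter than 32 bits can never be a multiple of the CRC polynomial; the forgery shows why that is irrelevant against an adversary, who simply solves for the checksum. The signature check cannot be solved for without the private key, and verified boot additionally pins the public key in hardware so the attacker cannot swap it along with the image.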
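The comparison also lists remote security attestation, which the pump lacks entirely. The Go program below is a second added example (not the talk's code, and not SafetyNet's actual message format): the backend issues a random single-use nonce, the device signs a statement binding that nonce to its boot state and the requesting app's digest, and the backend verifies the signature before trusting any field, consumes the nonce so the statement cannot be replayed, rejects expired nonces, and only then applies policy on boot state and app digest. The statement's field names, the all-zero demo seed and the app digest are assumptions; on a real device the key would live in the TEE or secure element and the boot state would come from verified boot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Statement the device signs. Field names are hypothetical; SafetyNet and
// other real schemes define their own payloads.
type Statement struct {
	Nonce     string `json:"nonce"`
	BootState string `json:"bootState"` // "verified" or "unverified"
	AppDigest string `json:"appDigest"` // digest of the requesting medical app
	IssuedAt  int64  `json:"issuedAt"`
}

// Attestation is what travels from device to backend.
type Attestation struct {
	Payload   []byte // JSON-encoded Statement
	Signature []byte // Ed25519 signature over Payload
}

// Device side. In a real design the key lives in the TEE or secure element
// and bootState is reported by verified boot; both are simulated here.
type Device struct {
	key       ed25519.PrivateKey
	bootState string
}

func (d *Device) Attest(nonce, appDigest string, now time.Time) Attestation {
	payload, _ := json.Marshal(Statement{Nonce: nonce, BootState: d.bootState, AppDigest: appDigest, IssuedAt: now.Unix()})
	return Attestation{Payload: payload, Signature: ed25519.Sign(d.key, payload)}
}

// Backend side: issues single-use nonces and checks what comes back.
type Verifier struct {
	devicePub   ed25519.PublicKey
	allowedApps map[string]bool
	pending     map[string]time.Time // nonce -> expiry
	maxAge      time.Duration
}

func NewVerifier(pub ed25519.PublicKey, allowedApps []string, maxAge time.Duration) *Verifier {
	v := &Verifier{devicePub: pub, allowedApps: map[string]bool{}, pending: map[string]time.Time{}, maxAge: maxAge}
	for _, a := range allowedApps {
		v.allowedApps[a] = true
	}
	return v
}

// NewNonce returns a fresh random challenge and remembers it until it expires.
func (v *Verifier) NewNonce(now time.Time) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := hex.EncodeToString(b)
	v.pending[n] = now.Add(v.maxAge)
	return n, nil
}

var (
	ErrBadSignature = errors.New("attestation: bad signature")
	ErrNonce        = errors.New("attestation: unknown, expired or replayed nonce")
	ErrBootState    = errors.New("attestation: device not in verified boot state")
	ErrApp          = errors.New("attestation: requesting app not on the allow-list")
)

// Check verifies signature, then freshness, then policy, in that order.
func (v *Verifier) Check(a Attestation, now time.Time) error {
	if !ed25519.Verify(v.devicePub, a.Payload, a.Signature) {
		return ErrBadSignature // nothing in the payload is trusted before this
	}
	var s Statement
	if err := json.Unmarshal(a.Payload, &s); err != nil {
		return err
	}
	exp, ok := v.pending[s.Nonce]
	delete(v.pending, s.Nonce) // single use: consumed whether or not the rest passes
	if !ok || now.After(exp) {
		return ErrNonce
	}
	if s.BootState != "verified" {
		return ErrBootState
	}
	if !v.allowedApps[s.AppDigest] {
		return ErrApp
	}
	return nil
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed all-zero seed, demo only
	dev := &Device{key: priv, bootState: "verified"}
	v := NewVerifier(priv.Public().(ed25519.PublicKey), []string{"sha256:app-digest-demo"}, 2*time.Minute)
	now := time.Now()
	nonce, _ := v.NewNonce(now)
	att := dev.Attest(nonce, "sha256:app-digest-demo", now)
	fmt.Println("first use:", v.Check(att, now)) // <nil>
	fmt.Println("replay:   ", v.Check(att, now)) // the replayed nonce is rejected
}
```

The ordering in Check matters: the nonce lookup and the policy checks read fields from the payload, so they come after the signature check, and the nonce is deleted before any further decision so that a failed attempt cannot be retried with the same challenge.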

Call to Action
- Get behind DTSec (and similar) and get involved
- Bring me your secure mobile medical app needs; industry collaboration is needed
- We must have a balanced, risk-based discussion about security tradeoffs in medical
- Do not unnecessarily frighten consumers and patients, but we need to do MUCH better in gaining their confidence

No One Has Been Killed Yet

Thank You!
MEDSEC: Security and Privacy for the Internet of Medical Things, May 23-24, 2017, San Jose, CA. medsecmeeting.org
dave.kleidermacher@gmail.com