MEDICAL DEVICE SECURITY A Focus on Patient Safety February, 2018
WHO I AM Adam Brand I Am The Cavalry Director Privacy and Security, Protiviti Focus on Medical Device Healthcare Security Custom EEG Manufacturing, Volunteer with I am The Cavalry @adamrbrand 2
AGENDA 01 Why Cybersecurity of Medical Devices Matters 02 Past and Present Vulnerabilities 03 The Shift from Privacy to Safety 04 What Are Providers Doing Today? 3
WHY CYBERSECURITY OF MEDICAL DEVICES MATTERS
MEDICAL DEVICE DEFINITION (FOR THIS DISCUSSION) A subset of the typical FDA medical device definition that is software-driven and continually (e.g., networked) or periodically (e.g., for maintenance) connected to by other systems or devices. Inclusive of the medical device solution, not just the device itself (e.g., an MRI operator console). 5
CAN SECURITY KEEP PACE WITH INNOVATION? Exposed, vulnerable systems All software has flaws. Connectivity increases potential interactions A software-driven, connected medical device is a vulnerable, exposed one Lack of patient safety alignment in medical device cyber security practices 6
ENHANCING AND ADVANCING CARE Real-time, remote monitoring. More accurate data direct to EMR. New, closed-loop treatment modalities. Medtronic MiniMed 760G 7
POLL: MEDICAL DEVICES AND YOU What is the closest you have been to a connected medical device in the past year? a) It provided treatment to me (e.g., infusion pump, insulin pump). b) It was used on me for diagnosis (e.g., MRI, CT scanner, bedside monitor). c) Someone close to me relied on a device. d) Neither me nor anyone I know needed a connected medical device. 8
CYBERSECURITY MATTERS FOR ALL OF US Many of us rely on these devices daily. When we are at our most vulnerable, we will depend on these devices for life. Even at times when we aren t personally affected, people we care about may be. 9
PAST AND PRESENT VULNERABILITIES
DEVICE-SPECIFIC VULNERABILITIES Weak default/hardcoded administrative credentials Access devices (some remotely) easily Cannot attribute action to individual Known vulnerable software platforms (e.g., Windows XP) Well-known and easily accessible exploits Less advanced cybersecurity features Wireless communication vulnerabilities Man-in-the-middle attacks Change device behavior 11
GE LOGIN CREDENTIALS WORD CLOUD Over 20 CVE s issued, with a dozen more pending. Researcher: Scott Erven 12
KNOWN VULNERABLE SOFTWARE 13
KNOWN VULNERABLE SOFTWARE 14
WIRELESS VULNERABILITIES Kevin Fu+, 2008 Jay Radcliffe, 2011 Barnaby Jack, 2012 Jay Radcliffe, 2016 15
WIRELESS VULNERABILITIES MedSec, 2017 16
DEVICE IMPLEMENTATION VULNERABILITIES Internet Exposure: Directly Connected or One Hop Away What can happen on the Internet? Default passwords make even more risky Insecure Wireless Networks Easier local access to trusted networks Weak and insecurely handled pre-shared keys make easier Lack of Effective Network Segmentation One email user click away from compromise Separate networks with all communication allowed don t count 17
DIRECT INTERNET EXPOSURE Researcher: Scott Erven, 2013 Shodan Search, October 2017 18
INTERNET EXPOSURE ONE HOP AWAY Researcher: Scott Erven, 2013 Shodan Search, October 2017 19
HONEYPOT RESEARCH Honeypots 10 HoneyCreds login 8 55,416 Successful logins (SSH/Web) Top 3 source countries Netherlands, China, Korea 24 Successful exploits (Majority is MS08-067) 299 Dropped malware samples If a vulnerable medical device is on the Internet, it will get compromised. Research: Protiviti; Scott Erven and Mark Callao 20
TEENAGERS BUILDING THEIR OWN DEVICES 21
AND TESTING ON NEIGHBORHOOD KIDS 22
USING DOS 5.0 23
THE SHIFT FROM PRIVACY TO SAFETY
THE IMAGE SEEN ROUND THE WORLD 25
PATIENTS AFFECTED 26
CRITICAL MEDICAL DEVICES OFFLINE 27
POLL: COMPROMISED MEDICAL DEVICES What has your experience been with compromised medical devices? a) I know of a device at our hospital that was hit with malware. b) I have heard from a colleague that they had an infected device. c) I have not heard of a device being compromised. 28
PROBLEM AWARENESS 01 02 03 04 HIPAA focuses on patient privacy, not patient safety. FDA does not validate cyber safety controls. Malicious intent is not a prerequisite for adverse patient outcomes. Medical Device Security is a Patient Safety Issue 29
FIRST CLINICAL ATTACK SIMULATION 30
MED DEVICE ATTACK WARGAMING Hospital Attack System Attack Nation State 31
HHS TASK FORCE REPORT 32
WHAT ARE PROVIDERS DOING TODAY?
POLL: YOUR MEDICAL DEVICE PROGRAM What is the status of the medical device program at your hospital? a) Management isn t yet aware of the extent of the risk. b) We have had a gap assessment performed and a strategy established. c) We have made significant progress in remediating our gaps. d) I don t know. 34
MEDICAL DEVICE SECURITY LIFECYCLE: ADDRESSING RISKS Risk assessment, vulnerability assessment and threat modeling Obtain Manufacturer Disclosure Statement for Medical Device Security (MDS2) Procurement & Contracting Phase Risk reduction prior to procurement Liability reduction for contracting Architecture and system design validation Post implementation security validation Maintenance Phase Vulnerability assessment and penetration testing Liaison with manufacturers, federal agencies and working groups PHI removal Wireless passwords Planning & Requirements Phase Implementation Phase Decommission Phase 35
TYPICAL STARTING POINTS Gap assessment to evaluate governance over the medical device lifecycle Most common starting point for organizations Governance Improvements Assigning formal responsibility for Medical Device Security Policies, procedures, standards, committees Ensuring newly added devices have appropriate security features Requiring third party penetration testing Overall Risk Assessment New Device Risk Assessments 36
SECOND PHASE PROJECTS Ensuring newly added devices have appropriate security features Requiring third party penetration testing Network Segmentation Separate VLANs with restrictive ACLs Internet access restrictions Scanning devices as part of preventative maintenance/passive vulnerability scans Pushing manufacturers to test patches Legacy Device Risk Assessments Vulnerability Management 37
MAYO CLINIC: DEVICE SECURITY ASSESSMENTS 38
OTHER RESOURCES 01 Following Researchers and Med Dev people on Twitter (e.g., @jradcliffe02, @mariegmoe, @scotterven, @XSSniper, @adamrbrand) 02 Industry Working Groups (e.g., NH-ISAC, MDISS) 03 Conferences (e.g., NH-ISAC, Archimedes, DEF CON) 04 I Am The Cavalry (website, email list) (https://iamthecavalry.org) 39
Q&A Adam Brand Twitter: @adamrbrand Email: adam.brand@protiviti.com 40