MEDICAL DEVICE SECURITY. A Focus on Patient Safety February, 2018

WHO I AM
Adam Brand, Director, Privacy and Security, Protiviti
- Focus on medical device and healthcare security
- Custom EEG manufacturing
- Volunteer with I Am The Cavalry
- @adamrbrand

AGENDA
01 Why Cybersecurity of Medical Devices Matters
02 Past and Present Vulnerabilities
03 The Shift from Privacy to Safety
04 What Are Providers Doing Today?

WHY CYBERSECURITY OF MEDICAL DEVICES MATTERS

MEDICAL DEVICE DEFINITION (FOR THIS DISCUSSION)
A subset of the typical FDA medical device definition that is software-driven and continually (e.g., networked) or periodically (e.g., for maintenance) connected to by other systems or devices. Inclusive of the medical device solution, not just the device itself (e.g., an MRI operator console).

CAN SECURITY KEEP PACE WITH INNOVATION?
- Exposed, vulnerable systems
- All software has flaws. Connectivity increases potential interactions.
- A software-driven, connected medical device is a vulnerable, exposed one.
- Lack of patient safety alignment in medical device cyber security practices

ENHANCING AND ADVANCING CARE
- Real-time, remote monitoring
- More accurate data direct to EMR
- New, closed-loop treatment modalities
(Image: Medtronic MiniMed 760G)

POLL: MEDICAL DEVICES AND YOU
What is the closest you have been to a connected medical device in the past year?
a) It provided treatment to me (e.g., infusion pump, insulin pump).
b) It was used on me for diagnosis (e.g., MRI, CT scanner, bedside monitor).
c) Someone close to me relied on a device.
d) Neither me nor anyone I know needed a connected medical device.

CYBERSECURITY MATTERS FOR ALL OF US
Many of us rely on these devices daily. When we are at our most vulnerable, we will depend on these devices for life. Even at times when we aren't personally affected, people we care about may be.

PAST AND PRESENT VULNERABILITIES

DEVICE-SPECIFIC VULNERABILITIES
- Weak default/hardcoded administrative credentials
  - Access devices (some remotely) easily
  - Cannot attribute action to individual
- Known vulnerable software platforms (e.g., Windows XP)
  - Well-known and easily accessible exploits
  - Less advanced cybersecurity features
- Wireless communication vulnerabilities
  - Man-in-the-middle attacks
  - Change device behavior

GE LOGIN CREDENTIALS WORD CLOUD
Over 20 CVEs issued, with a dozen more pending. Researcher: Scott Erven

KNOWN VULNERABLE SOFTWARE (two image slides)

WIRELESS VULNERABILITIES
- Kevin Fu et al., 2008
- Jay Radcliffe, 2011
- Barnaby Jack, 2012
- Jay Radcliffe, 2016
- MedSec, 2017

DEVICE IMPLEMENTATION VULNERABILITIES
- Internet Exposure: Directly Connected or One Hop Away
  - What can happen on the Internet?
  - Default passwords make this even more risky
- Insecure Wireless Networks
  - Easier local access to trusted networks
  - Weak and insecurely handled pre-shared keys make this easier
- Lack of Effective Network Segmentation
  - One email user click away from compromise
  - Separate networks with all communication allowed don't count

DIRECT INTERNET EXPOSURE
Researcher: Scott Erven, 2013; Shodan search, October 2017

INTERNET EXPOSURE ONE HOP AWAY
Researcher: Scott Erven, 2013; Shodan search, October 2017

HONEYPOT RESEARCH
- Honeypots: 10
- HoneyCreds logins: 8
- 55,416 successful logins (SSH/Web)
- Top 3 source countries: Netherlands, China, Korea
- 24 successful exploits (majority MS08-067)
- 299 dropped malware samples
If a vulnerable medical device is on the Internet, it will get compromised.
Research: Protiviti; Scott Erven and Mark Callao
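The honeypot numbers above, together with the "cannot attribute action to individual" problem of shared administrative credentials, point at one detection a hospital can run today: review successful SSH logins to shared device accounts that arrive from outside the device or biomed subnets. This is an added example, not part of the presentation or Protiviti's research; the account names, subnets and log lines are constructed, and only the line layout follows OpenSSH's "Accepted ..." message.

```python
"""Flag SSH logins to shared device service accounts from outside trusted subnets.
Added example, not from the presentation. Account names, subnets and the log
lines are constructed; the line layout follows OpenSSH's "Accepted ..." message."""
import ipaddress
import re
from collections import Counter

# Assumed: shared vendor/service accounts whose actions cannot be attributed to a person.
SHARED_ACCOUNTS = {"service", "biomed", "field"}
# Assumed: the device VLAN and the biomed engineering workstation subnet.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24"),
                ipaddress.ip_network("10.10.5.0/24")]

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def is_trusted(ip):
    """True when the source address lies in one of the trusted subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def review_logins(lines):
    """Return (alerts, per_account): alerts for shared-account logins from
    untrusted sources, plus a Counter of successful logins per account."""
    alerts, per_account = [], Counter()
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:               # failed attempts and unrelated lines are skipped
            continue
        user, ip = m["user"], m["ip"]
        per_account[user] += 1
        if user in SHARED_ACCOUNTS and not is_trusted(ip):
            alerts.append((m["host"], user, ip, m["method"]))
    return alerts, per_account

# Constructed sample log lines (RFC 5737 documentation addresses for the outside sources).
SAMPLE_LOG = [
    "Jan 12 03:14:07 ctscanner sshd[2211]: Accepted password for service from 203.0.113.9 port 51234 ssh2",
    "Jan 12 03:14:09 ctscanner sshd[2215]: Accepted password for service from 10.10.5.40 port 40022 ssh2",
    "Jan 12 03:15:01 infusion-gw sshd[1180]: Failed password for root from 198.51.100.7 port 33012 ssh2",
    "Jan 12 03:16:44 infusion-gw sshd[1184]: Accepted publickey for jdoe from 10.10.5.41 port 40100 ssh2",
    "Jan 12 03:17:02 mri-console sshd[977]: Accepted password for biomed from 192.0.2.66 port 55001 ssh2",
]

if __name__ == "__main__":
    found, counts = review_logins(SAMPLE_LOG)
    for host, user, ip, method in found:
        print(f"ALERT {host}: shared account '{user}' logged in via {method} from {ip}")
    print(dict(counts))
```

On the sample lines this raises two alerts (the "service" login from 203.0.113.9 and the "biomed" login from 192.0.2.66); the login from the biomed workstation subnet and the per-user key login are counted but not alerted.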

TEENAGERS BUILDING THEIR OWN DEVICES

AND TESTING ON NEIGHBORHOOD KIDS

USING DOS 5.0

THE SHIFT FROM PRIVACY TO SAFETY

THE IMAGE SEEN ROUND THE WORLD

PATIENTS AFFECTED

CRITICAL MEDICAL DEVICES OFFLINE

POLL: COMPROMISED MEDICAL DEVICES
What has your experience been with compromised medical devices?
a) I know of a device at our hospital that was hit with malware.
b) I have heard from a colleague that they had an infected device.
c) I have not heard of a device being compromised.

PROBLEM AWARENESS
01 HIPAA focuses on patient privacy, not patient safety.
02 FDA does not validate cyber safety controls.
03 Malicious intent is not a prerequisite for adverse patient outcomes.
04 Medical Device Security is a Patient Safety Issue.

FIRST CLINICAL ATTACK SIMULATION

MED DEVICE ATTACK WARGAMING
- Hospital Attack
- System Attack
- Nation State

HHS TASK FORCE REPORT

WHAT ARE PROVIDERS DOING TODAY?

POLL: YOUR MEDICAL DEVICE PROGRAM
What is the status of the medical device program at your hospital?
a) Management isn't yet aware of the extent of the risk.
b) We have had a gap assessment performed and a strategy established.
c) We have made significant progress in remediating our gaps.
d) I don't know.

MEDICAL DEVICE SECURITY LIFECYCLE: ADDRESSING RISKS
- Planning & Requirements Phase
  - Risk assessment, vulnerability assessment and threat modeling
  - Obtain Manufacturer Disclosure Statement for Medical Device Security (MDS2)
- Procurement & Contracting Phase
  - Risk reduction prior to procurement
  - Liability reduction for contracting
- Implementation Phase
  - Architecture and system design validation
  - Post implementation security validation
- Maintenance Phase
  - Vulnerability assessment and penetration testing
  - Liaison with manufacturers, federal agencies and working groups
- Decommission Phase
  - PHI removal
  - Wireless passwords

TYPICAL STARTING POINTS
- Overall Risk Assessment
  - Gap assessment to evaluate governance over the medical device lifecycle
  - Most common starting point for organizations
- Governance Improvements
  - Assigning formal responsibility for Medical Device Security
  - Policies, procedures, standards, committees
- New Device Risk Assessments
  - Ensuring newly added devices have appropriate security features
  - Requiring third party penetration testing

SECOND PHASE PROJECTS
- Legacy Device Risk Assessments
  - Ensuring newly added devices have appropriate security features
  - Requiring third party penetration testing
- Network Segmentation
  - Separate VLANs with restrictive ACLs
  - Internet access restrictions
- Vulnerability Management
  - Scanning devices as part of preventative maintenance/passive vulnerability scans
  - Pushing manufacturers to test patches
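The "Lack of Effective Network Segmentation" slide makes the point that separate networks with all communication allowed don't count, and the second-phase project above asks for restrictive ACLs and Internet access restrictions. The following added example (not from the presentation) checks a device-VLAN ACL for exactly those failure modes: any-source permits into the VLAN, all-ports permits, unrestricted egress, and a missing final deny. The simplified one-rule-per-line format, the subnets and the ports are assumptions.

```python
"""Audit a medical-device VLAN ACL for "segmentation in name only".
Added example, not from the presentation. Rule format (one per line:
action proto src dst port) and all subnets/ports are assumptions."""
import ipaddress

FIELDS = ("action", "proto", "src", "dst", "port")

def parse_acl(text):
    """Parse rules like 'permit tcp 10.10.5.0/24 10.20.0.0/24 443'."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(dict(zip(FIELDS, parts)))
    return rules

def _touches(cidr, net):
    """True if an address field covers any address in the device VLAN."""
    return cidr == "any" or net.overlaps(ipaddress.ip_network(cidr))

def audit_acl(rules, device_net):
    """Return (finding, rule_index) pairs; an empty list means the ACL passes."""
    net = ipaddress.ip_network(device_net)
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "permit":
            continue
        inbound = r["dst"] != "any" and _touches(r["dst"], net)
        if inbound and r["src"] == "any":          # reachable from anywhere: one hop from the Internet
            findings.append(("ANY_SOURCE_INBOUND", i))
        if inbound and r["port"] == "any":         # separate VLAN, but all communication allowed
            findings.append(("ALL_PORTS_INBOUND", i))
        if r["src"] != "any" and _touches(r["src"], net) and r["dst"] == "any":
            findings.append(("UNRESTRICTED_EGRESS", i))  # device VLAN can reach the Internet
    if not any(r["action"] == "deny" and r["src"] == r["dst"] == "any" for r in rules):
        findings.append(("NO_FINAL_DENY", len(rules)))
    return findings

# Constructed ACLs for an assumed device VLAN 10.20.0.0/24 and EMR/integration subnet 10.10.5.0/24.
WEAK_ACL = """\
permit ip any 10.20.0.0/24 any
permit ip 10.20.0.0/24 any any
"""
HARDENED_ACL = """\
permit tcp 10.10.5.0/24 10.20.0.0/24 443
permit tcp 10.20.0.0/24 10.10.5.0/24 2575
permit udp 10.20.0.0/24 10.10.9.53/32 123
deny ip any any any
"""
```

Calling audit_acl(parse_acl(WEAK_ACL), "10.20.0.0/24") returns four findings (any-source and all-ports inbound on the first rule, unrestricted egress on the second, and no final deny), while the hardened ACL returns an empty list.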

MAYO CLINIC: DEVICE SECURITY ASSESSMENTS

OTHER RESOURCES
01 Following researchers and medical device people on Twitter (e.g., @jradcliffe02, @mariegmoe, @scotterven, @XSSniper, @adamrbrand)
02 Industry working groups (e.g., NH-ISAC, MDISS)
03 Conferences (e.g., NH-ISAC, Archimedes, DEF CON)
04 I Am The Cavalry (website, email list) (https://iamthecavalry.org)

Q&A
Adam Brand
Twitter: @adamrbrand
Email: adam.brand@protiviti.com