Comprehensive Cyber Security Risk Management: Know, Assess, Fix

Similar documents
POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

Medical Device Cybersecurity: FDA Perspective

Managing Medical Device Cybersecurity Vulnerabilities

FDA & Medical Device Cybersecurity

Cyber Risk and Networked Medical Devices

Suzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA

Consideration of Cybersecurity vs Safety Risk Management

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne

Medical Device Vulnerability Management

April 21, Division of Dockets Management (HFA-305) Food and Drug Administration 5630 Fishers Lane, Room 1061 Rockville, MD 20852

April 21, Division of Dockets Management (HFA-305) Food and Drug Administration 5630 Fishers Lane, Room 1061 Rockville, Maryland 20852

Addressing the elephant in the operating room: a look at medical device security programs

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

Navigating Regulatory Issues for Medical Device Software

The Next Frontier in Medical Device Security

HPH SCC CYBERSECURITY WORKING GROUP

MDISS Webinar. Medical Device Vulnerability Intelligence Program for Evaluation and Response (MD-VIPER)

Medical Device Cybersecurity A Marriage of Safety and Security

Cyber Security Program

Information Governance, the Next Evolution of Privacy and Security

Practical Guide to the FDA s Postmarket Cybersecurity Guidance

ISAO SO Product Outline

The NIST Cybersecurity Framework

Cybersecurity and Hospitals: A Board Perspective

Medical Devices Cybersecurity? Introduction to the Cybersecurity Landscape in Healthcare

DOD Medical Device Cybersecurity Considerations

Cybersecurity for Health Care Providers

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

Medical Devices and Cyber Issues JANUARY 23, American Hospital Association and BDO USA, LLP. All rights reserved.

I. The Medical Technology Industry s Cybersecurity Efforts and Requirements

External Supplier Control Obligations. Cyber Security

CHIME and AEHIS Cybersecurity Survey. October 2016

IoT & SCADA Cyber Security Services

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

STUDENT LEARNING OUTCOMES Beacom College of Computer and Cyber Sciences

Cyber Security Requirements for Supply Chain. June 17, 2015

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Why you should adopt the NIST Cybersecurity Framework

Apr. 10, Vulnerability disclosure and handling processes strengthen security programs

Cybersecurity Risk Oversight: the NIST Framework and EU approaches

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Industrial Defender ASM. for Automation Systems Management

DHS Cybersecurity: Services for State and Local Officials. February 2017

SECURITY & PRIVACY DOCUMENTATION

Framework for Improving Critical Infrastructure Cybersecurity

Dmitry Ishchenko/Reynaldo Nuqui/Steve Kunsman, September 21, 2016 Collaborative Defense of Transmission and Distribution Protection & Control Devices

Cybersecurity, safety and resilience - Airline perspective

Continuous protection to reduce risk and maintain production availability

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management

Water Information Sharing and Analysis Center

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Keys to a more secure data environment

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

Protect Your Organization from Cyber Attacks

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

2 nd Cybersecurity Workshop Test and Evaluation to Meet the Advanced Persistent Threat

National Policy and Guiding Principles

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Information Security Continuous Monitoring (ISCM) Program Evaluation

European Union Agency for Network and Information Security

Addressing Cybersecurity in Infusion Devices

Ensuring Privacy and Security of Health Information Exchange in Pennsylvania

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

Updates to the NIST Cybersecurity Framework

3/3/2017. Medical device security The transition from patient privacy to patient safety. Scott Erven. Who i am. What we ll be covering today

RiskSense Attack Surface Validation for IoT Systems

Medical device security The transition from patient privacy to patient safety

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

CYBER SECURITY AIR TRANSPORT IT SUMMIT

locuz.com SOC Services

STANDARD INFORMATION SHARING FORMATS. Will Semple Head of Threat and Vulnerability Management New York Stock Exchange

THE POWER OF TECH-SAVVY BOARDS:

2017 ANNUAL CONFERENCE RECAP

How To Build or Buy An Integrated Security Stack

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

COMPASS FOR THE COMPLIANCE WORLD. Asia Pacific ICS Security Summit 3 December 2013

Cybersecurity in Higher Ed

Appendix A: Imperatives, Recommendations, and Action Items

Ensuring System Protection throughout the Operational Lifecycle

Webcast title in Verdana Regular

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

The University of Queensland

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Forensics and Active Protection

DHS Election Task Force Updates. Geoff Hale, Elections Task Force

RiskSense Attack Surface Validation for Web Applications

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association

Security and Privacy Governance Program Guidelines

Heavy Vehicle Cyber Security Bulletin

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Pennsylvania s HIE Journey

Security Incident Management in Microsoft Dynamics 365

Transcription:

Comprehensive Cyber Security Risk Management: Know, Assess, Fix Seth D. Carmody, Ph.D. Center for Devices and Radiological Health, FDA 13 th Medical Device Quality Congress March 16, 2016

New Draft Guidance Comment period closes Thursday, April 21, 2016 New Policy: An framework for assessing security and clinical risk of marketed devices using current regulation Continued policy: For cybersecurity routine updates and patches, the FDA will, typically, not need to conduct premarket review to clear or approve the medical device software changes 2

Draft Guidance: Postmarket Management of Cybersecurity in Medical Devices Key Principles Align with Presidential EOs and NIST Framework Risk-based framework to assuring risks to public health are addressed in a timely fashion Articulate manufacturer responsibilities by leveraging existing Quality System Regulation and postmarket authorities Collaborative approach to information sharing and risk assessment Incentivize the right behavior Slide 3

A Blending of Worlds How do we address clinical risk posed by security vectors? Security Risk ECP Clinical Risk We know how to mitigate these 4

When do I Assess? Always A cybersecurity signal is any information which indicates the potential for, or confirmation of, a cybersecurity vulnerability or exploit that affects, or could affect a medical device.

Essential Clinical Performance Defined Essential clinical performance (ECP) means performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer. Compromise of the essential clinical performance can produce a hazardous situation that results in harm and/or may require intervention to prevent harm. A new concept, derived from IEC 60601 IEC 60601-1:2005, Medical Electrical Equipment Part 1: General Requirements for Basic Safety and Essential Performance, Section 3.27 6

Cybersecurity Risk using ISO 14971 Vulnerability Exploit Compromised ECP Controlled or Uncontrolled? Annex E, figure E.1. ISO 14971:2007 7

Essential Clinical Performance Matrix 8

Assessing Exploitability with CVSS Establish a repeatable process by leveraging existing frameworks (e.g. CVSS) Base Scoring (risk factors of the vulnerability) Attack Vector (physical, local, adjacent, network) Attack Complexity (high, low) Privileges Required (none, low, high) User Interaction (none, required) Scope (changed, unchanged) Confidentiality Impact (high, low, none) Integrity Impact (none, low, high) Availability Impact (high, low, none) Temporal Scoring (risk factors that change over time) Exploit Code Maturity (high, functional, proof-of-concept, unproven) Remediation Level (unavailable, work-around, temporary fix, official fix, not defined) Report Confidence (confirmed, reasonable, unknown, not defined) CVSS Common Vulnerability Scoring System https://www.first.org/cvss 9

Assessing Exploitability with CVSS (cont.) Establish a repeatable process by leveraging existing Frameworks (e.g. CVSS) Modified Base Scoring: Risk factors of the vulnerability + organization/device impact mitigations and/or controls Organization/device impact includes requirements for confidentiality, integrity, and availability (C, I, A) How does CIA relate to the device space? Map those requirements to essential clinical performance which could draw upon existing requirements CVSS Common Vulnerability Scoring System https://www.first.org/cvss 10

Assessing Severity Common Term Negligible Minor Serious Critical Catastrophic Possible Description Inconvenience or temporary discomfort Results in temporary injury or impairment not requiring professional medical intervention Results in injury or impairment requiring professional medical intervention Results in permanent impairment or lifethreatening injury Results in patient death ANSI/AAMI/ISO 14971: 2007/(R)2010: Medical Devices 441Application of Risk Management to Medical Devices: 11

Bridge the Security and Safety Worlds Asset CIA ECP Vuln. Threat Model 1 Integrity COMS Open TELNET Escalation of privilege Risk Level Control(s) 5 Firewall, close TELNET Resid. None Integrity Therapy Open TELNET Escalation of privilege 11 Firewall, close TELNET, Device Control 1.1 None Availability Confidentiality? 12

Assessment Challenges Calculating exploitability is difficult due to the active adversary. Does P1 = 1? (assume exploit?) All systems fail? There are as many motivations for hacking as there are people Josh Corman, I Am the Cavalry Not all vulnerabilities will have an uncontrolled impact to the essential clinical performance. This is the main differentiation between medical safety and IT security worlds. Complications due to vulnerability chaining. Threats may leverage multiple, possibly low risk vulns. chained together to amplify risk What devices are impacted? Vertical and horizontal analysis Bill of materials 13

When do I Fix? 1. Routinely 2. Vulnerability allows compromise 3. Compromise involves Essential Clinical Performance (ECP) 4. The theoretically compromised ECP poses uncontrolled risk

Fixing the Expected It s math, it s a language and it s art. - On Software, Judy Faulkner, EPIC CEO, @HIMSS 2016 Vulnerabilities are expected Risks evolve Active adversary

What Happens if I Fix? Depends on why you are fixing 1. Improving quality? 2. Is there risk to health? 3. Is there a violation? See 21 CFR 806.1(b)(1)

Different Risk: Two Types of Fixes Risk to essential clinical performance Yes Controlled Device enhancement (fix) Uncontrolled Three criteria: 1. No adverse events 2. Mitigate (fix) in 30 days 3. Participate in an ISAO Yes ISAO (Information Sharing and Analysis Organization) No reporting under 806 17

Fixing Challenges 1. Where are my devices? 2. Are my devices patchable? 3. How do I know my devices have been patched? 4. Can I deliver the patch quickly and securely? 5. Does the patch mitigate the risk and not create new risk?

How do I Know? A cybersecurity signal is any information which indicates the potential for, or confirmation of, a cybersecurity vulnerability or exploit that affects, or could affect a medical device. A cybersecurity signal could originate from traditional information sources such as internal investigations, postmarket surveillance, or complaints, and/or security-centric sources such as CERTS (Computer/Cyber, Emergency Response/Readiness Teams), ISAOs and security researchers. Signals may be identified within the HPH Sector. They may also originate in another critical infrastructure sector (e.g., defense, financial) but have the potential to impact medical device cybersecurity.

Information Sharing and Analysis Organizations (ISAO) What are they? The ISAO best practice models are intended to be: Inclusive - groups from any and all sectors, both non-profit and for-profit, expert or novice, should be able to participate in an ISAO; Actionable - groups will receive useful and practical cybersecurity risk, threat indicator, and incident information via automated, real-time mechanisms if they choose to participate in an ISAO; Transparent - groups interested in an ISAO model will have adequate understanding of how that model operates and if it meets their needs; and Trusted - participants in an ISAO can request that their information be treated as Protected Critical Infrastructure Information. Such information is shielded from any release otherwise required by the Freedom of Information Act or State Sunshine Laws and is exempt from regulatory use and civil litigation. See: http://www.dhs.gov/isao Slide 20

Did I mention the Draft Guidance? Comment period closes Thursday, April 21, 2016 21

Defining Responsibility by Knowing Overall Design Secure Design Device Control ECP Compensating Controls 22

Responsibility Scenarios Example: TELNET access to root account with no authentication Scenario 1: Manufacturer documents purposeful decision to allow TELNET access to root account including why the decision made, risks incurred, and compensating controls to mitigate risk, and communicates how to enact the compensating control. Deployment of the control is now in the hands of the end-user. Scenario 2: Manufacturer has no documentation as to why they ve decided to violate security tenets of least privilege, access control, etc. or the decision is rationalized after the fact; however, there is no proof including lack of communication to end-users how to protect the device. Outcome: In a worst-case scenario, where a patient is harmed, who is responsible if a threat uses unauthenticated TELNET access? Does the answer change for scenario 1 and scenario 2? 23

Knowing Challenges Forensically sound evidence capture: Would you be able to tell that a death, serious injury, and/or malfunction was a cybersecurity issue or the result of an attack? What are the risks incurred? Intrusion and attack detection: Would you be able to detect when you are being attacked or have been attacked? Sharing and receiving actionable information Threat vs. Vulnerability information Intellectual Property What s on your device and when is it impacted? Key Message: Knowing how you are being attacked informs your risk analysis triage enabling better resource management 24

Overcoming Technical Challenges Available resources are innumerable: pick a standard, pick a process, implement, measure, and improve. DHS, FAA, Microsoft, NIST, AAMI, Open Web Application Security Project (OWASP) are all trusted resources. Implement a secure software development life cycle and implement a coordinated disclosure policy (see HackerOne coordinated disclosure maturity model) For devices in design and development make sure that your device is securable For devices in the field, have robust asset management capabilities and leverage the routine model discussed in the guidance Maturity takes time https://www.microsoft.com/en-us/sdl/default.aspx https://buildsecurityin.us-cert.gov/articles/knowledge/sdlc-process/secure-softwaredevelopment-life-cycle-processes http://www.nist.gov/cyberframework/ https://hackerone.com/blog/vulnerability-coordination-maturity-model 25

Timeline of Key FDA Activities 2013: Began coordination with Department Homeland Security Industrial Control Systems Cyber Emergency Response Team (DHS-ICS-CERT) in response to security researchers reporting of vulnerabilities Issued Safety Communication on shared ownership and shared responsibility among stakeholders, cyber hygiene Engaged in outreach, education, and building collaboration 2014: Executed Memorandum of Understanding with the National Health Information Sharing & Analysis Center (NH-ISAC) Final Premarket Cybersecurity Guidance Released http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedoc uments/ucm356190.pdf Convened workshop, Collaborative Approaches for Medical Device and Healthcare Cybersecurity 2015: Ongoing coordination with DHS-ICS-CERT, medical device manufacturers and security researchers on reported medical device vulnerabilities Fostered collaboration with multiple stakeholder groups across the ecosystem Issued product-specific safety communications on medical device vulnerabilities 2016: Draft Postmarket Cybersecurity Guidance Released (http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidance Documents/UCM482022.pdf) Public Workshop - Moving Forward: Collaborative Approaches to Medical Device Cybersecurity Slide 26

Workshop Summary (Jan. 20-21, 2016) Threat landscape - As many motivations for hacking as there are people Josh Corman - This isn t about FMEA, this is the active adversary Me Current FDA philosophy - Main point: Comprehensive, total-life cycle cybersecurity risk management under 21 CFR 820 http://www.fda.gov/medicaldevices/newsevents/workshopsconferences/ ucm474752.htm 27

Workshop Summary (cont.) Information Sharing and Analysis Organizations (ISAO) breakout - Main question: What does an ISAO look like? 28

Workshop Summary (cont.) Vulnerability Management breakout - New old concept: Coordinated Disclosure - No one likes to be told their baby is ugly Katie Moussouris, HackerOne 29

Workshop Summary (cont.) Manufacturer challenges with increased collaboration - Key message: Culture change is hard and maturity takes time (MS ~15 years) Gaps and action plans breakout Key message: Must make the business case for addressing gaps (legacy, disclosure, etc.) Current activities, situational awareness Key message: Lots of initiatives moving the space forward, lets not be duplicative Risk assessment tools - Key question: Information abounds; Can we make it actionable? Standards - Key message: Lot s of standards, pick one and implement 30

Next Steps Development and validation of meaningful tools for assessment of vulnerabilities in the clinical environment is an area of focus going forward Definition of the medical device Information Sharing and Analysis Organization model Outreach, outreach, outreach Consolidated Resource Page Internal and external training How are we ensuring that our policies are effective? Postmarket cybersecurity guidance docket open for public comment through Thursday, April 21, 2016 Thank You & Questions? 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback