Medical Device Vulnerability Management

Similar documents
POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne

Medical Device Cybersecurity: FDA Perspective

MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

The Next Frontier in Medical Device Security

Cyber Risk and Networked Medical Devices

NOSAC. Phase I and Phase II FINAL REPORT

MDISS Webinar. Medical Device Vulnerability Intelligence Program for Evaluation and Response (MD-VIPER)

ISAO SO Product Outline

FDA & Medical Device Cybersecurity

Managing Medical Device Cybersecurity Vulnerabilities

Unit Compliance to the HIPAA Security Rule

Comprehensive Cyber Security Risk Management: Know, Assess, Fix

REAL-WORLD STRATEGIES FOR MEDICAL DEVICE SECURITY

DHS Cybersecurity: Services for State and Local Officials. February 2017

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

MEDICAL DEVICE SECURITY. A Focus on Patient Safety February, 2018

Suzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA

Industry role moving forward

Standard CIP 007 4a Cyber Security Systems Security Management

Synology Security Whitepaper

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

EHR SECURITY POLICIES & SECURITY SITE ASSESSMENT OVERVIEW WEBINAR. For Viewer Sites

RFC 2350 YOROI-CSDC. Expectations for Computer Security Incident Response. Date 2018/03/26. Version 1.0

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Current procedures, challenges and opportunities for collection and analysis of Criminal Justice statistics CERT-GH

Addressing the elephant in the operating room: a look at medical device security programs

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

Standard CIP 007 3a Cyber Security Systems Security Management

Industry Webinar. Project Modifications to CIP-008 Cyber Security Incident Reporting. November 16, 2018

HPH SCC CYBERSECURITY WORKING GROUP

Security and Privacy Governance Program Guidelines

Statement for the Record

Consideration of Cybersecurity vs Safety Risk Management

Medical Devices and Cyber Issues JANUARY 23, American Hospital Association and BDO USA, LLP. All rights reserved.

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

locuz.com SOC Services

SOC for cybersecurity

Technical Guidance and Examples

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

SOLUTION BRIEF. RiskSense Platform. RiskSense Platform the industry s most comprehensive, intelligent platform for managing cyber risk.

Carbon Black PCI Compliance Mapping Checklist

Standard Development Timeline

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

STANDARD INFORMATION SHARING FORMATS. Will Semple Head of Threat and Vulnerability Management New York Stock Exchange

Standard Development Timeline

Navigation and Vessel Inspection Circular (NVIC) 05-17; Guidelines for Addressing

External Supplier Control Obligations. Cyber Security

CIP Cyber Security Configuration Management and Vulnerability Assessments

Addressing Cybersecurity in Infusion Devices

DOD Medical Device Cybersecurity Considerations

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:

Emerging Issues: Cybersecurity. Directors College 2015

Cybersecurity for Health Care Providers

European Union Agency for Network and Information Security

the SWIFT Customer Security

Certification Commission for Healthcare Information Technology. CCHIT A Catalyst for EHR Adoption

Lakeshore Technical College Official Policy

Mapping BeyondTrust Solutions to

3/3/2017. Medical device security The transition from patient privacy to patient safety. Scott Erven. Who i am. What we ll be covering today

The NIS Directive and Cybersecurity in

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Medical device security The transition from patient privacy to patient safety

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Cyber Partnership Blueprint: An Outline

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Cybersecurity Auditing in an Unsecure World

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Evaluating the Security of Your IT Network. Vulnerability Scanning & Network Map

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

Privileged Account Security: A Balanced Approach to Securing Unix Environments

One Hospital s Cybersecurity Journey

GMSS Information Governance & Cyber Security Incident Reporting Procedure. February 2017

Service Description: CNS Federal High Touch Technical Support

Information Governance, the Next Evolution of Privacy and Security

Cyber Security of Industrial Control Systems (ICSs)

CYBER SECURITY AIR TRANSPORT IT SUMMIT

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

Dmitry Ishchenko/Reynaldo Nuqui/Steve Kunsman, September 21, 2016 Collaborative Defense of Transmission and Distribution Protection & Control Devices

Updates to the NIST Cybersecurity Framework

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

2 nd Cybersecurity Workshop Test and Evaluation to Meet the Advanced Persistent Threat

2015 HFMA What Healthcare Can Learn from the Banking Industry

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Update from HIMSS National Privacy & Security. Lisa Gallagher, VP Technology Solutions November 14, 2013

Information Security Policy

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

A company built on security

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

RFP/RFI Questions for Managed Security Services. Sample MSSP RFP Template

This is a preview - click here to buy the full publication

Information Technology (CCHIT): Report on Activities and Progress

Mission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS

Outline. Other Considerations Q & A. Physical Electronic

Transcription:

Medical Device Vulnerability Management MDISS / NH-ISAC Process Draft Dale Nordenberg, MD June 2015

Market-based public health: collaborative acceleration

Objectives Define a trusted and repeatable process for medical device manufacturers and HDOs to reduce medical device security vulnerability risks within the operational environment through: Increased awareness of security vulnerabilities and impacts Improved responsiveness to addressing vulnerabilities within deployed devices Mechanisms for information sharing and analytics

Challenges 1. Organization-internal approvals for release of vulnerability information (both HDOs and manufacturers) 2. Creating a secure platform for sharing information 3. Balance of need to limit or anonymize vulnerability data vs. utility of data for analytics 4. Agreement on format and content for information 5. Maintaining process focus on high-impact vulnerabilities 6. Scalability across broad spectrum of vulnerabilities

System Attributes 1. A voluntary market-driven mechanism 2. Process must be consistent with FDA quality system regulation 3. Low risk to Manufacturers and Health Care Providers through application of a common industry process 4. Ensure that access protocols appropriately limit flow of information based; define communication protocols 5. US-based process compatible with global requirements 6. Provide a mechanism to create data for eventual use is a vulnerability analytics system 7. Feedback mechanisms on effectiveness of device vulnerability information

Policy/Guidance Outline Policy of Medical Device Cyber Security Response Group (MDCSRG) is to promote responsible disclosure of vulnerabilities affecting medical devices via a common collaborative mechanism, open to participation by all stakeholders, within a defined and controlled process, with the goal of mitigating risks to users and patients.

Process Comments: Reflect mfg-specific inputs going straight to mfg Data flows / line for HDOs Different paths for different level vulns Users Public Sources Researchers General Vulnerability ID Specific Vuln ID Vulnerability Analysis Team Assign Vuln Impact Level Alert to community Recommend Compensating Controls Manufacturers ID affected devices Define Action Plans Communicate Action Plans Execute Action Plans (per defined action process, include safety risk assessment) (per standard format, at defined time)

Criteria for Input Into Process Known engineering event indicating potential for exploit of vulnerability Vulnerability affects a widely used software component Potential impact to a broad spectrum of deployed medical devices such that the impact would include care delivery impact, patient impact, and/or data protection impact

Patient Safety Domains Intended Use: Malicious Use: Consider potential actions by malicious threat actors

Ingest Scenarios Reporter Publicity Vulnerability Type FDA Private General-Purpose Public Device-Specific General-Purpose Device-Specific ICS-CERT Private / Public General / Specific Individual Researcher Public Feeds (e.g. CVE/NVD) Private / Public Private / Public General / Specific General / Specific 0-day (public without a patch) is an important consideration, as is active exploitation.

Triage Decision Logic This is the specific case yes Triage for Advisory Vulnerability discovered Vulnerability specific to Med Device no This is the general case Vulnerability has gained widespread attention no yes Triage for Advisory Vulnerability affects general computing platform Platform known to be used in a Med Device yes no Triage for Advisory Can data call requesting additional data from manufacturer be initiated yes Platform known to be used in a Med Device no yes no Triage for Advisory Add block for safety assessment Platform known to support clinical software supporting a Med Device no yes No action Triage for Advisory

Scenario Notes Scenario Public domain vuln, comes to attention of NH-ISAC Mfg provides content for post (this chart not complete)

Example: Vulnerability Impact Levels Potential impact assessed at Triage level: Impact Value VIL Description Very High Level 3 This vulnerability could be expected to allow a threat event with multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, or the Nation. High Level 3 Moderate Level 2 Low Level 1 Very Low Level 1 This vulnerability could be expected to allow a threat event with a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A severe or catastrophic adverse effect means that, for example, the threat event might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries. This vulnerability could be expected to allow a threat event with a serious adverse effect on organizational operations, organizational assets, individuals other organizations, or the Nation. A serious adverse effect means that, for example, the threat event might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries. This vulnerability could be expected to allow a threat event with a limited adverse effect on organizational operations, organizational assets, individuals other organizations, or the Nation. A limited adverse effect means that, for example, the threat event might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals. This vulnerability could be expected to allow a threat event with a negligible adverse effect on organizational operations, organizational assets, individuals other organizations, or the Nation. Actual impact must be assessed at device level

Example: Vulnerability Impact Levels Negligible Limited Serious Severe Multiple Operations Very Low Low Moderate High Very High Assets Very Low Low Moderate High Very High Individuals Very Low Low Moderate High Very High Nation Very Low Low Moderate High Very High Mission Capability N/A Low Moderate High Very High Minor Asset Damage N/A Low Moderate High Very High Minor Financial Loss N/A Low Moderate High Very High Individual Harm N/A Low Moderate High Very High Life-threatening or Loss N/A N/A N/A High Very High

Response Process for Vulnerability Impact Levels VIL Level 3 Actions 1) Vulnerability Alert sent to manufacturers; vulnerability alert posted 2) Manufacturers perform safety risk assessment consistent with 21CFR Part 820 requirements 3) Manufacturers initiate appropriate corrective action process for safety risks If no safety-related action, address non-safety risks: 4) Manufacturers perform non-safety risk assessment (malicious activity risk, privacy risk) 5) Manufacturers define action plans to address non-safety risks 6) Manufacturers document product info and action plans per standard format for affected products 7) Info within Comm Portal data made available to authorized subscribers (per defined timing) Level 2 Level 1 Same as Level 3, except: Manufacturers input info into Comm Portal ONLY if a product action is planned 1) Vulnerability Info posted in Comm Portal; defines as Level 1 low impact 2) Manufacturers determine need for further action

Vulnerability Communication Data Data provided by manufacturer per product affected: Vulnerability / CVE # (as applicable) Manufacturer Product Name / Identifier Vulnerability Impact Description Safety Impact per 21CFR (yes/no) Action Plan (description of planned action and timing) Rationale for Defined Action Contact information

Pilot / Implementation Assessment Front End Industry Group Review and Impact Assessment of Vulnerability + Alert Easier to pilot Manufacturer Product Review and Action Plan Process Back End Manufacturer Communication / Action Harder to pilot

Demo Scenario

Implementation Concerns Perceived risk from inter-relationship with safety management process, however process is designed to avoid this risk Need to clearly delineate process and flows within and outside the Quality Regulation

NextBleed - Scenario Security researcher announces discover of a vulnerability affecting Unix-based systems, with potential wide impact across multiple types of products. This vulnerability would allow an unauthorized user to gain access Press release and related information is reviewed by several key medical device manufacturers, MITRE, etc. Multiple manufactures notify the secretary of the Medical Device Cyber Security Response Group (MDCSRG), to include this vuln on the agenda of the next Vulnerability Response Team (VRT) meeting VRT meets and designates the vulnerability as a level 3 VRT prepares an alert statement for the subscriber community

Vulnerability Response Team Representation from: Manufacturers MITRE Health Delivery Orgs Security Industry Researcher community Observance from FDA Total group 10-12? Roles: Chairman, Vice Chairman, Secretary

New Vulnerability Alert: NextBleed Vulnerability Alert: NextBleed 20 February 2015 A security vulnerability has been identified that may impact a large number of medical devices that utilize a Unix variant or run Unix-variant services on Windows. This vulnerability has been assessed as a Level 3 vulnerability by MDCSRG. It is exploitable over network connections by various methods and the exploit does not require authentication. MDCSRG has initiated response actions by all member manufacturers. This response includes identification of affected products, assessment for patient safety risk per the regulated safety risk management process, and assessment for non-safety actions to mitigate data protection and other malicious activity risks. Manufacturers are requested to provide product information and action plans to subscribing customers 30 days following this alert 20 March 2015. For a list of participating manufacturers, CLICK HERE Overview: The NextBleed vulnerability is a vulnerability that affects all systems running the Bash login shell on variants of Unix (e.g. Linux, MacOS, HELiOS, Sun Solaris etc.). The Bash shell is the default shell for a majority of Unix-based systems produced in the past 25 years and the vulnerability is present in all versions of Bash released through today. Numerous media outlets are reporting that exploits have been seen in the wild and that the penetration testing tool Metasploit has added a module to exploit the vulnerability on affected systems.

Response Process by Manufacturer 1)Manufacturer A identifies products in service affected by vulnerability 2)Manufacturer A performs safety risk assessment on affected products consistent with 21CFR Part 820 requirements 3)Manufacturer A does not identify any products with patient safety risk such that the risk level requires action within the safety recall process 4)Manufacturer A performs non-safety risk assessment (malicious activity risk, privacy risk) on affected products 5)Manufacturer A defines action plans to address non-safety risks 6)Manufacturer A documents affected products and action plans per standard format for affected products 7)Info is distributed to authorized subscribers NOTE: Complete within 30 days

Example Format for Communication Vulnerability Name Product Type Products Affected Patient Safety Impact Shellshock Image Archive Product Alpha 1.0 Product Alpha 1.1 Shellshock Surgical XR Product 1000 Product 2000 No No Action Description Action Target Date Comments/Rationale ACTION STATUS Contact Software update in development Product update not required, will provide additional info for customers 11/20/2014 The communication outlined installation of the two patches from Microsoft at the client sites after testing on the product by Engineering. Two technical bulletins were constructed and communicated via ITPS and distributers. 12/11/2014 Investigation Summary: While several products in the Surgery portfolio use versions of bash that are vulnerable, there is no increased safety risk to patients. Complaint analysis did not indicate that any code was run remotely and there was no evidence of system parameters being changed. Additionally there is no evidence that local and remote system passwords were compromised. These systems do not use any web services or use bash as an interpreter for Common Gateway Interface (CGI) scripts so that attack vector is inconsequential. The systems do allow limited remote access using Secure Shell (SSH) for serviceability but only through authenticated connections with private passwords and usernames. Locally, to use bash, the systems need to be booted into a service menu and user authenticated as well, this would require physical system access, therefore the Shellshock CVE-2014-7169 vulnerability presents no safety risk to patients. DONE IN PROCESS John Smith john.smith@ge.com 262-555-1234 John Smith john.smith@ge.com 262-555-1234

Incident Data As a follow-up step we may create a data flow to address collection of incident data that relates to medical device vulnerabilities This data would flow from the HDOs, and would be useful to other HDOs and manufacturers to help determine risk level of a vulnerability

Vulnerability Sharing Pilot Objectives Establish a pilot process: Identify a set of known vulnerabilities for impact review (manageable number - represent a spectrum) Identify participants for Pilot vulnerability analysis team Identify impact level for sample vulnerabilities Draft sample alert statements to send to Mfgs / HDOs Manufacturers response plans - affected w/action, affected w/no action, not affected, timing, etc. Manufacturer communication naming conventions mapping info to assets Manufacturer assessment of industry-level response process and mechanisms Pilot evaluation / working process documentation Education / Communication / Implementation Plan (April 10)

Appendix

Comments Would group have ability to react quickly to vulns can it be effective operationally, need operational mechanisms responsive to urgent needs Need a comm work flow with info from various stakeholders (both within healthcare and outside experts) How can we link product inventories to pertinent data standardized numbering systems, etc. Leverage any existing systems, NH-ISAC or other, as much as possible Would sharing network potentially violate NDAs need to rework NDAs? (ideally flow goes first through mfg, then into sharing network) Define time tables

Process Document Outline 1. Purpose and Scope 2. Roles and Responsibilities Manufacturers HDOs NH ISAC Collaborative Researchers FDA / DHS Others? 3. Process Flow / Steps

Purpose and Scope Purpose: Provide a mechanism to reduce cyber security-related risks within the healthcare environment through collaborative information sharing among device manufacturers, Health Care Providers, Security Researchers, and Government partners. Participation in this mechanism will be voluntary. Scope: This process will be applicable to medical devices used in US (initial scope), with potential for expansion to other devices pertinent to healthcare-specific IT.

Roles and Responsibilities Medical Device Vulnerability Response Board (MD-VRB) Provide membership opportunity to manufacturers, HDOs, cyber security experts, Review incoming information and determine response level Determine appropriate timing for release of information Define or Review common mitigation recommendations and urgency level NH-ISAC Provide a mechanism for disclosure of vuln info to member orgs Medical Device / Healthcare IT Device Manufacturers Review sources of information for identification of cyber vulnerabilities Identify vulnerabilities / potential vulnerabilities Report potential vulnerabilities to Medical Device Vulnerability Response Board (MD-VRB) Determine product applicability Perform risk analysis to address patient safety risk within intended use Perform risk analysis and needed actions to address cyber risks Recommend short term action for affected products Initiate design change actions as appropriate Input applicable info pertaining to vulns, affected products, and actions to communication mechanism

Roles and Responsibilities (continued) Health Delivery Organizations ID Vulnerabilities Comm to mfg through appropriate mechanism Assessment of exposure level for a given vulnerability Maintain up to date documentation on network architecture to support vuln risk assessment Vulnerability Analysis Team Assess appropriate response level for vulnerabilities affecting medical devices Provide direction to manufacturers to follow appropriate response process for the determined risk level of the vulnerability Ensure responses are completes as appropriate for vuln levels Provide guidance to stakeholders on response requirements and content

Vulnerability Management System System Design Work flows / data flow schematic Functional requirements Business requirements Operational characteristics for system Implementation requirements / obstacles Project Plan and Milestones Performance Measures

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback