Medical Devices Cybersecurity? Introduction to the Cybersecurity Landscape in Healthcare


May 5 & 6, 2017. Medical Devices Cybersecurity? Introduction to the Cybersecurity Landscape in Healthcare. Marc Schlessinger, RRT, MBA, FACHE, Senior Associate, Applied Solutions Group

Evolution of the Connected Medical Device
- From: a self-contained device per bed space
- To: an interoperable therapy/diagnosis system with data exchange to various information systems

Cybersecurity Landscape in Healthcare
- Medical devices are increasingly used with a network connection to enhance safety and workflow:
  - Documentation
  - Data transfer
  - Software updates
  - Troubleshooting
  - Calibration
- More connected = more vulnerabilities

What is different about healthcare when it comes to cybersecurity?
- 100s of device manufacturers
- Long useful life: a 10+ year old device is not uncommon
- Clinical limitations: life-critical functions
- Large attack surface: patient and visitor access to areas with sensitive devices
- Emergency situations: the device needs to be available right now!

Medical Device Hacking What do we know today?

Medical Device Hacking: What do we know today?
- NO EVIDENCE OF PATIENT HARM
- Several device vulnerabilities have been identified by security researchers:
  - Hard-coded passwords
  - Remote device access/control
  - Disruption of device communication to other systems
  - Modification of some device configurations
- How serious are these vulnerabilities?

Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System: FDA Safety Communication (July 31, 2015)
- Remote ability to control an infusion pump
- "We strongly encourage that health care facilities transition to alternative infusion systems, and discontinue use of these pumps." - FDA

What if a device was compromised?
- Disabled communication to other information systems
  - Impacts normal workflow, e.g., data does not flow to the patient's EHR
- Disabled the device
  - Availability of the device to perform its intended function may be limited
  - Possibly mitigated by a backup unit
- Used as a vector to attack the organization's network
  - Compromised wireless network credentials
  - Compromised enterprise network

What if a device was compromised? (continued)
- Altered the intended operation of the device
  - Change device configuration or settings
  - Difficult: extended device access required; there are easier ways to hurt people
- Stolen PHI
  - Confidential patient information lost
  - Loss of trust in the organization
  - Financial impacts, fines

Healthcare Facility Action Plan How to Address Cybersecurity?

Problem of Legacy Devices
- Long useful life of a medical device
- Finding XP as a part of medical equipment is common (legacy systems)
- Some devices may not have up-to-date security capabilities
- Available security patches are likely limited
- Document which legacy devices are connected to the network and what data they hold -> address the risk accordingly

Securing Medical Devices: A Significant Resource Drain
- Equipment management
- Patch management
- Staff security training
- Vulnerability scanning
- Risk management
- RFP language to include security features
- Device integration test lab

Equipment Management: Start with Documentation!
- Identify: which devices are connected to the network?
- Document:
  - Software versions
  - Network configuration settings
  - IP addresses
  - MAC addresses
- Prioritize:
  - Does the device hold PHI?
  - Life-critical functionality: what happens if you cannot use the device?
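The legacy-device and equipment-management steps above (identify, document, prioritize) can be carried out over a simple inventory. The following is an added example, not material from the presentation or from ECRI: the device records, addresses, dates, the set of legacy operating systems, the 90-day patch threshold (taken from the talk's "2-3 months behind" figure) and the scoring weights are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed for this example: OS versions no longer receiving vendor security
# patches, and a threshold derived from the "2-3 months behind" patch lag.
LEGACY_OS = {"Windows XP", "Windows 7"}
PATCH_LAG_DAYS = 90


@dataclass
class Device:
    name: str
    ip: str
    mac: str
    os: str
    software_version: str
    last_patch: date
    holds_phi: bool
    life_critical: bool
    network_connected: bool = True


def triage(dev: Device, today: date) -> dict:
    """Score one inventory entry and list compensating controls to consider."""
    if not dev.network_connected:          # off-network devices fall out of scope
        return {"name": dev.name, "score": 0, "findings": [], "controls": []}
    findings, controls, score = [], [], 0
    legacy = dev.os in LEGACY_OS
    overdue = (today - dev.last_patch).days > PATCH_LAG_DAYS
    if legacy:
        score += 3; findings.append(f"legacy OS: {dev.os}")
    if overdue:
        score += 2; findings.append(f"patches overdue: last applied {dev.last_patch}")
    if dev.holds_phi:
        score += 2; findings.append("stores PHI")
    if dev.life_critical:
        score += 3; findings.append("life-critical function")
    if legacy or overdue:   # cannot patch promptly -> compensate at the network
        controls.append("segment onto a device VLAN; block commonly used ports at its boundary")
    if dev.life_critical:   # availability matters more than a scan result
        controls.append("keep a backup unit; scan only during staffed day-shift windows")
    return {"name": dev.name, "score": score, "findings": findings, "controls": controls}


def prioritize(devices, today):
    """Highest-risk devices first (sort is stable, so ties keep inventory order)."""
    return sorted((triage(d, today) for d in devices), key=lambda r: -r["score"])


# Constructed sample inventory: names, addresses, versions and dates are made up.
TODAY = date(2017, 5, 5)
SAMPLE = [
    Device("Infusion pump (bed 12)", "10.20.1.12", "00:11:22:33:44:01", "Windows XP", "3.1", date(2016, 9, 1), False, True),
    Device("Telemetry server", "10.20.2.5", "00:11:22:33:44:02", "Windows Server 2012", "7.4", date(2017, 4, 10), True, True),
    Device("Lab analyzer", "10.20.3.8", "00:11:22:33:44:03", "Windows 7", "2.0", date(2017, 3, 1), True, False),
    Device("Bedside monitor", "", "", "embedded", "1.2", date(2016, 1, 1), False, True, False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE, TODAY):
        print(row["score"], row["name"], row["findings"], row["controls"])
```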

Patch Management: Challenges in Updating Medical Devices
- How do you ensure that medical devices are up to date with the latest security patches?
- Develop a policy for updating your medical devices
- Challenges:
  - Lagging security patches: at best 2-3 months behind
  - Often a hands-on update is required
  - Equipment downtime -> impact on patient care
  - Disconnect between FDA and the manufacturer: security patches do not need a new 510(k)

Staff Security Training: Ensure appropriate security training is in place
- Phishing scams: identifying suspect emails; do not click on all email links
- USBs can spread viruses and cause device malfunction (ECRI Top 10 Hazard 2015)
  - USB use policy
  - Block USB use if merited
- Passwords do matter!
  - Promote the importance of strong passwords
  - Password sharing
  - Passwords do not belong on a post-it note by the nurses' station
- BYOD (bring your own device): establish a policy on how to deal with BYOD

Vulnerability Scanning
- Standard network tool to identify known vulnerabilities
- Commonplace for IT assets
- Limited to known vulnerabilities
- Medical devices: can I scan it? Not always
  - Network scanning took out a facility's telemetry system
  - Scanning for medical devices may be best done during the day shift, so in case something does go wrong there is sufficient staffing to address it

Risk Management: What to do with my networked medical devices?
- Identify existing vulnerabilities
- Develop compensating controls to minimize risk, e.g., block commonly used communication ports
- Human resources to address network security needs, e.g., a CISO
- Consider the adoption of ANSI/AAMI/IEC 80001-1:2010

ANSI/AAMI/IEC 80001-1:2010: Application of risk management for IT networks incorporating medical devices
- Standard for healthcare facilities
- How to implement a risk management system to address networked devices
- Downsides: expensive and difficult to implement

RFP language to include security features
- Include language about common security features
- Buying a system based on Windows XP with a lot of known vulnerabilities is not necessarily the best idea
- MDS2 (Manufacturer Disclosure Statement for Medical Device Security): require it!
- VA Directive 6550 for pre-procurement assessment

Device Integration Test Lab
- Clinical engineering tests and validates every patch and update prior to release
- Ensures all systems are functioning as intended
- Lab would include the medical device and a test server
- Expensive! Some very high-end/large hospitals have this capability

Regulatory Issues

Regulatory Perspective: FDA and cybersecurity
- FDA's evolving approach to cybersecurity
  - Cybersecurity is a consideration during new 510(k) submissions, according to FDA officials
  - Incentivize sharing of vulnerability information
  - Curb the silent fixes
- Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (10/2014)
  - Guidance for manufacturers on how to address and identify cybersecurity during design and development
  - Guidance for preparing premarket submissions

Regulatory Perspective: FDA and cybersecurity (continued)
- FDA's evolving approach to cybersecurity
- Postmarket Management of Cybersecurity in Medical Devices (Draft 01/2016)
  - Managing postmarket cybersecurity vulnerabilities for medical devices
  - Promote good behavior among manufacturers
  - How about the already cleared devices that might be vulnerable?

Why are we doing this? Ransomware: The New Normal
- Most recent public occurrences:
  - MedStar Health (03/2016)
  - Methodist Hospital (03/2016)
  - Hollywood Presbyterian (02/2016)
- Low risk, high reward

Download the ECRI Infographic "Cybercrime: The Healthcare Epidemic of the 21st Century" at: https://www.ecri.org/pages/cybersecurity-infographic.aspx

Questions? Marc Schlessinger, Senior Associate, Applied Solutions, (610) 825-6000 ext. 5420, mschlessinger@ecri.org