May 5 & 6, 2017
Medical Devices Cybersecurity? Introduction to the Cybersecurity Landscape in Healthcare
Marc Schlessinger, RRT, MBA, FACHE
Senior Associate, Applied Solutions Group

Evolution of the Connected Medical Device
- Self-contained device per bed space
- Interoperable therapy/diagnosis system with data exchange to various information systems

Cybersecurity Landscape in Healthcare
- Medical devices are increasingly used with a network connection to enhance safety and workflow
  - Documentation
  - Data transfer
  - Software updates
  - Troubleshooting
  - Calibration
- More connected, more vulnerabilities

What is different about healthcare when it comes to cybersecurity?
- 100s of device manufacturers
- Long useful life
  - 10+ year old device is not uncommon
- Clinical limitations
  - Life critical functions
- Large attack surface
  - Patient and visitor access to areas with sensitive devices
- Emergency situations
  - Device needs to be available right now!

Medical Device Hacking: What do we know today?
- NO EVIDENCE OF PATIENT HARM
- Several device vulnerabilities have been identified by security researchers
  - Hard-coded passwords
  - Remote device access/control
  - Disruption of device communication to other systems
  - Modification of some device configurations
- How serious are these vulnerabilities?

Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System
- FDA Safety Communication (July 31, 2015)
- Remote ability to control an infusion pump
- "We strongly encourage that health care facilities transition to alternative infusion systems, and discontinue use of these pumps." - FDA

What if a device was compromised?
- Disabled communication to other information systems
  - Impact normal workflow, e.g., data does not flow to the patient's EHR
- Disabled the device
  - Availability of the device to perform its intended function may be limited
  - Possibly mitigated by a backup unit
- As a vector to attack the organization's network
  - Compromised wireless network credentials
  - Compromised enterprise network

What if a device was compromised?
- Alter the intended operation of the device
  - Change device configuration or settings
  - Difficult, extended device access required; there are easier ways to hurt people
- Steal PHI
  - Confidential patient information lost
  - Loss of trust in the organization
  - Financial impacts, fines

Healthcare Facility Action Plan: How to Address Cybersecurity?
Problem of Legacy Devices
- Long useful life of a medical device
- Finding XP as a part of medical equipment is common (legacy systems)
- Some devices may not have up-to-date security capabilities
- Available security patches are likely limited
- Document which legacy devices are connected to the network and what data they hold -> address the risk accordingly

Securing Medical Devices: A Significant Resource Drain
- Equipment management
- Patch management
- Staff security training
- Vulnerability scanning
- Risk management
- RFP language to include security features
- Device Integration Test Lab

Equipment Management: Start with Documentation!
- Identify
  - Which devices are connected to the network?
- Document
  - Software versions
  - Network configuration settings
  - IP addresses
  - MAC addresses
- Prioritize
  - Does the device hold PHI?
  - Life critical functionality: what happens if you cannot use the device?

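One way to make the Identify / Document / Prioritize steps above repeatable, as an added example that is not part of the original slides. The CSV columns, the sample devices and the ordering rule (life-critical first, then PHI, then legacy OS) are assumptions made for illustration.

```python
import csv
import io

# Constructed sample inventory; column names and devices are illustrative.
SAMPLE_INVENTORY = """\
name,networked,software_version,ip,mac,holds_phi,life_critical,os
Infusion pump A,yes,2.1,10.0.5.21,00:11:22:33:44:55,no,yes,Embedded Linux
Telemetry server,yes,,10.0.5.30,00:11:22:33:44:66,yes,yes,Windows XP
Ultrasound cart,yes,4.0,10.0.6.12,,yes,no,Windows 10
Bedside scale,no,1.3,,,no,no,None
Lab analyzer,yes,7.2,10.0.7.8,00:11:22:33:44:77,yes,no,Windows XP
"""

LEGACY_OS = {"windows xp"}  # assumption: extend with other unsupported OSes
REQUIRED_FIELDS = ("software_version", "ip", "mac")  # the "Document" items


def is_yes(value):
    return value.strip().lower() == "yes"


def triage(inventory_csv):
    """Return networked devices, highest priority first, with documentation gaps."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_yes(rec["networked"]):
            continue  # Identify: only network-connected devices are in scope
        rows.append({
            "name": rec["name"],
            "life_critical": is_yes(rec["life_critical"]),
            "holds_phi": is_yes(rec["holds_phi"]),
            "legacy_os": rec["os"].strip().lower() in LEGACY_OS,
            # Document: list the required fields that are still empty
            "missing": [f for f in REQUIRED_FIELDS if not rec[f].strip()],
        })
    # Prioritize: life-critical, then PHI, then legacy OS (True sorts first)
    rows.sort(key=lambda d: (d["life_critical"], d["holds_phi"], d["legacy_os"]),
              reverse=True)
    return rows


if __name__ == "__main__":
    for d in triage(SAMPLE_INVENTORY):
        flags = [k for k in ("life_critical", "holds_phi", "legacy_os") if d[k]]
        gaps = ", ".join(d["missing"]) or "none"
        print(f"{d['name']:<18} flags={flags} undocumented={gaps}")
```
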
Patch Management: Challenges in Updating Medical Devices
- How to ensure that medical devices are up to date with the latest security patches?
- Develop a policy for updating your medical devices
- Challenges:
  - Lagging security patches, at best 2-3 months behind
  - Often hands-on update required
  - Equipment down time -> impact patient care
  - Disconnect between FDA and the manufacturer
    - Security patches do not need a new 510(k)

Staff Security Training
- Ensure appropriate security training is in place
- Phishing scams
  - Identifying suspect emails, do not click on all email links
- USBs can spread viruses and cause device malfunction
  - ECRI Top 10 Hazard 2015
  - USB use policy
  - Block USB use if merited
- Passwords do matter!
  - Promote the importance of strong passwords
  - Password sharing
  - Passwords do not belong on a post-it note by the nurses' station
- BYOD (Bring your own device)
  - Establish a policy on how to deal with BYOD

Vulnerability Scanning
- Standard network tool to identify known vulnerabilities
  - Commonplace for IT assets
  - Limited to known vulnerabilities
- Medical devices
  - Can I scan it? Not always
  - Network scanning took out a facility's telemetry system
- Scanning for medical devices may be best done during the day shift, so in case something does go wrong there is sufficient staffing to address it.

Risk Management: What to do with my networked medical devices?
- Identify existing vulnerabilities
- Develop compensating controls to minimize risk
  - e.g., block commonly used communication ports
- Human resources to address network security needs
  - e.g., CISO
- Consider the adoption of ANSI/AAMI/IEC 80001-1:2010

ANSI/AAMI/IEC 80001-1:2010
- Application of risk management for IT Networks incorporating medical devices
- Standard for healthcare facilities
  - How to implement a risk management system to address networked devices
- Downsides
  - Expensive and difficult to implement

RFP language to include security features
- Include language about common security features
  - Buying a system based on Windows XP with a lot of known vulnerabilities is not necessarily the best idea
- MDS2: Manufacturer Disclosure Statement for Medical Device Security
  - Require it!
- VA Directive 6550 for Pre-procurement Assessment

Device Integration Test Lab
- Clinical engineering tests and validates every patch and update prior to release
- Ensure all systems are functioning as intended
- Lab would include medical device and test server
- Expensive!
  - Some very high-end/large hospitals have this capability.

Regulatory Issues
Regulatory Perspective: FDA and cybersecurity
- FDA's evolving approach to cybersecurity
  - Cybersecurity is a consideration during new 510(k) submissions according to FDA officials
  - Incentivize sharing of vulnerability information
  - Curb the silent fixes
- Content of premarket submissions for management of cybersecurity in medical devices (10/2014)
  - Guidance for manufacturers on how to address and identify cybersecurity during design and development
  - Guidance for preparing premarket submissions

Regulatory Perspective: FDA and cybersecurity
- FDA's evolving approach to cybersecurity
- Postmarket Management of Cybersecurity in Medical Devices (Draft 01/2016)
  - Managing postmarket cybersecurity vulnerabilities for medical devices
  - Promote good behavior among manufacturers
  - How about the already cleared devices that might be vulnerable?

Why are we doing this?
- Ransomware: The New Normal
- Most recent public occurrences
  - MedStar Health (03/2016)
  - Methodist Hospital (03/2016)
  - Hollywood Presbyterian (02/2016)
- Low Risk, High Reward

Download the ECRI Infographic "Cybercrime: The Healthcare Epidemic of the 21st Century" at: https://www.ecri.org/pages/cybersecurity-infographic.aspx

Questions?
Marc Schlessinger
Senior Associate, Applied Solutions
(610) 825-6000 ext. 5420
mschlessinger@ecri.org