Addressing the elephant in the operating room: a look at medical device security programs
Ernst & Young LLP

Presenters:
Michael Davis, Healthcare Leader, Baltimore, +1 410 783 3740, michael.davis@ey.com
Esther Lee, Healthcare Leader, Atlanta, +1 404 217 0052, esther.lee@ey.com

This presentation is © 2018 Ernst & Young LLP. All rights reserved.

Agenda
- Medical device security examined
- Medical device security approach

Medical device security examined

The opportunity

We've all read about the Internet of Things (IoT), but connected medical devices represent a unique subset of challenges for providers that have yet to be addressed holistically.

- Currently, no standards exist in the industry for medical device security throughout its life cycle, including manufacturing and maintenance.
- Medical devices are often used in life-and-death situations, which requires a less invasive approach to monitoring and patching than servers and other network devices.
- While connectivity and system complexity increase, medical device turnover and maintenance cycles remain slow.

Provider organizations are finding it challenging to answer the following questions:
- What connected medical devices do we have?
- Who is accountable for the security of them and the data they hold?
- How can devices be monitored and protected without interrupting patient care?

Provider organizations need to understand and remediate the risks created by these devices; if not, the impact could be realized across the business and by the patient.

The threat to patient safety and business continuity is increased by the rapid surge in connected medical devices and interconnectivity. Often, the solution provided by manufacturers is not available unless a newer version is purchased. Providers need practical methods to secure these devices.

Why is medical device security a challenge?

Because medical devices lack the standardization of traditional workstations and cannot be secured in the same manner, we must consider their complexities and secure medical devices differently.

Increasing connectivity and complexity in device ecosystems:
- Network connectivity is routine via Wi-Fi, Bluetooth, Ethernet and proprietary frequencies.
- Ecosystems incorporate mobile applications, tablets, wearables and the Internet of Things.
- Legacy devices run proprietary firmware with limited security capabilities.

Slow turnover and maintenance cycles:
- Legacy systems and software continue to exist and must still be supported and protected.
- Device updates and patches must be approved by the vendor.
- Customized security configuration is required during deployment.

Increasing security concerns:
- Slow turnover with legacy systems and software
- Devices are portable and implantable
- Rapidly increasing complexity and connectivity
- Flaws in a device could affect patient safety
- Updates and patches are reliant on the vendor

Importance of securing medical devices

Medical devices are constantly exposed to a variety of cybersecurity threats that may impact care delivery, result in loss of sensitive information or adversely impact the organization broadly.

Impacts:
- Patient satisfaction and safety
- Revenue and reputation
- Operational continuity

Top threats:
- Hacking: device vulnerability exploitation, web application attacks, denial of service
- Malware: ransomware, data exfiltration, backdoors, etc.
- Misuse: administrative abuse, policy violations, use of non-approved assets, etc.
- Environmental: power failures, electrical interference, pipe leaks, etc.
- Physical: device theft, local device tampering, snooping, sabotage, etc.
- Social: credential compromise, deception, manipulation, forgery, scams, etc.
- Error: device programming errors, omissions, misconfigurations, malfunctions, etc.

Organizational impact:
- Patient safety: adverse effects to patient safety due to compromised or malfunctioning device
- Data breach: loss of sensitive patient information and regulatory fines
- Loss of customer trust: negative publicity in response to malfunctioning devices resulting in loss of trust
- Business and revenue collection disruption: malicious backdoors in systems resulting in widespread damage to business operations and potential impact to revenue collection
- Financial loss: loss of customers and market leadership due to brand and reputational damage

Increasing regulatory scrutiny by the FDA

The FDA has released guidance around security for medical devices, which is anticipated to evolve into regulation that will clarify the accountability structure for device security.

Regulatory guidance

Executive order 13636/13691
Presidential policy directives to strengthen critical infrastructure cybersecurity:
1. Improving Critical Infrastructure Cybersecurity
2. Promoting Private Sector Cybersecurity Information Sharing

FDA guidance: pre-market approval
The FDA intends to promote the development and availability of safe and effective interoperable medical devices:
1. FDA requires clinical trial
2. Focus on cybersecurity during the design stage
3. FDA levels of concern

FDA guidance: post-market management
The FDA addresses the need for security throughout the life cycle of medical devices:
1. Connected medical device security
2. Security throughout product life cycle
3. Risk analysis
4. Proactive security
5. No need to recertify
6. Notification for serious vulnerabilities
7. Encourage use of NIST CSF
8. Timely response
9. Vulnerability disclosure

Key takeaways:
- The FDA is likely to solidify the guidance around security for medical devices into regulations requiring approval for manufacturers.
- There will be an opportunity to strategically guide the development of leading practices if a fundamental understanding of the major issues is developed early.

Current state (2016)

Medical device security approach

Approach to mitigating medical device cyber risk

An established understanding of the driving business requirements is necessary for the development of a customized definition and approach for securing medical devices.

How is medical device security realized?
- Understand the fundamental business drivers for the security of medical devices
- Identify medical device security gaps and the risk landscape
- Document control ownership and the deployment approach while documenting integration with existing security infrastructure

Benefits of structured approach:
- Reduced duplication of effort
- Clear identification of timeline overruns
- Decreased risk of misdirection
- Overall improved user experience
- Minimized cost

Methodology overview (phases: Analysis, Design, Implementation):
1. Design business-focused cyber risk program
2. Assess maturity of program based on framework
3. Strategically target core capabilities and integration
4. Establish compensating security capabilities
5. Strategically deploy security protections based on risk

Design a business-focused medical device cyber risk program

How should we approach medical devices?
Due to the many stakeholders involved in securely deploying medical devices, well-defined responsibilities are required. Components within the medical device ecosystem can be secured using a tiered, risk-based approach at varying FDA levels of concern.

Anchor to existing industry standards:
- Program requirements: NIST CSF (Identify, Protect, Detect, Respond, Recover)
- Device security requirements: ANSI/IEC 80001-2-2
- Threats: VERIS Framework

Key considerations:
- Establish program vision, goals and objectives
- Formalize stakeholder communication

Stakeholders: Vendor, IT, Cybersecurity, Biomed

Medical device security ecosystem goals:
- Accessibility: provide the right people with access to the right data; provide self-service access for users
- Reliability: secure sensitive data and leverage existing infrastructure; maintain data integrity
- Safety: minimize risk of security events that may impact care; minimize risk and ensure compliance through governance

Note: ANSI/IEC: American National Standards Institute/International Electrotechnical Commission, VERIS: Vocabulary for Event Recording and Incident Sharing.

Target foundational capabilities and integration points across stakeholders

Foundational capabilities make up the core of the medical device security program and provide scaffolding infrastructure and processes to support the secure usage of medical devices.

Foundational capabilities:
- Risk management
- Inventory management
- Secure deployment

Purpose:
- Defines the core areas to support a large-scale medical device security program
- Provides a supporting framework for capabilities to protect devices and respond to security incidents by understanding devices and fostering communication at the program level
- Supports the centralized assessment of activities performed across all stakeholders and device protection activities

Considerations:
- Biomedical device life cycle: Plan, Design, Procure, Onboard, Use, Decommission
- Vulnerability and patch management
- Network segmentation
- Incident detection
- Incident response and mitigation

Activities:
- Capability maturity assessment covering foundational (Level 1) security capabilities
- Security capability-centric process elicitation covering activities across all involved stakeholders
- Development of a customized medical device procurement questionnaire to support secure deployment activities

Medical device policy considerations:
- Management of devices
- Acceptable use
- Storage of sensitive electronic protected health information (ePHI)
- Access to devices
- Onboarding new devices
- Training and awareness
- Roles and responsibilities
- ePHI loss disclosure
- Secure device disposal