Medical Device Cybersafety – A Pragmatic Approach to Solving a Complex Problem
Oct 13, 2016
David Clapp, ITIL, TOGAF, HCISPP
Principal Security Architect Healthcare
Symantec Corp.
“The time is ripe to stop admiring the problem”
Suzanne Schwartz, MD, MBA
EMCM / FDA CDRH
What do these two gentlemen have in common?
Both made medical decisions based out of concern that their implanted medical device could be hacked!
Copyright © 2016 Symantec Corporation
Dick Cheney, former U.S. VP; Jay Radcliffe, Security Researcher
Medical Device Cybersecurity - Agenda
1 Cybersecurity Introduction
2 Medical Devices Under Attack?
3 Regulatory Landscape
4 Solving for Complexity
5 Conclusion & Summary
6 Appendix
Understanding Today’s Threat Actors
Individuals → Organized Crime → Cyberwarfare → Hackers for Hire
Actor | Motivation | Assets | Who
 | Economical, political, military | IP, credentials, classified data, infrastructure | Cyber armies, terrorists
 | Financial, theft, blackmail, data resale | IP, certificates, identities, credentials, trade secrets, infrastructure | Virtual crime networks, hackers for hire
 | Damage brand or name, support agenda | Brand, personal information, infrastructure | Various (Anonymous, Syrian Electronic Army, etc.)
 | Revenge, personal gain, whistleblower | IP, customer data, trade secrets | Current or former employees, partners, contractors
 | Financial gain, competitive advantage | IP, customer data, trade secrets, operational data | Companies operating outside of the law
From Fame to Fortune - From Dorms to Dollars
Who is the Enemy?
http://www.symantec.com/threatreport
Symantec Internet Security Threat Report, Vol. 21
Some Facts about Today’s Underground Economy:
• Estimated impact on global businesses: $1 Trillion
• Estimated profit for cyber criminals: several $100 Million
  • … of which ~40% are reinvested in new technologies
• A flourishing Underground Market for:
  • Data (IP, trade secrets, government)
  • Identities (financial, medical, …)
  • Credentials (email, social media, gaming, corporate, …)
• As well as Goods and Services:
  • Hackers for Hire (attack missions)
  • Vulnerabilities (most-prized: zero-days)
  • Malware and services (incl. testing and delivery)
  • Tools and compute resources
• And a developing market for cyber weapons and services
• Supported by a convoluted lot of state actors, criminals, hackers of varying shades, political and financial interests.
The State of the Industry - We have made little progress on security, really
The Brookings Institute, May 2016: “Hackers, phishers, and disappearing thumb drives: Lessons learned from major health care data breaches”
Almost half had little or no confidence that they would detect all breaches.
Only 21% had no or one breach in the past 2 years.
Criminal Attacks continue to increase as the root cause.
Ponemon Institute, 2016: “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data”.
Medical Device Cybersecurity - Introduction to the Problem Space
Risks:
• Patient safety (lives)
• Operational / Downtime
• Data Breaches / Fines
• Revenue / Financial
• Patient trust & Staff morale
• National security
Vulnerability:
• Tightly regulated “turn-key” systems
• Long useful life
• Poorly protected & patched
• No detection & alerting
• Ecosystem Complexity
• Vulnerability of device, hospital, & health system
Threats:
• Targeted attacks
• Collateral damage
• Malware remediation
• Theft / Loss
• Compliance violation
• Lateral attack / weakest link exploitation
• Hacktivism, terrorism
Introduction to Medical Device Cybersecurity
Why is it such a focus now, as compared to a few years back?
Main Events:
2008 – Pacemaker hack (Kevin Fu, UMass Amherst).
2011 – Insulin Pump hack (Jerome Radcliffe, Black Hat Conference).
2013 – Discovery of a wide range of vulnerabilities: surgical and anesthesia devices, ventilators, infusion pumps, defibrillators, patient monitors, laboratory equipment (Billy Rios and other Security Researchers).
2013 – Department of Homeland Security Alerts (ICS CERT); Government Accountability Office Report
2014 – FBI Alerts to Healthcare Industry, NIST NCCoE Medical Device Use Case project launched, AAMI/ECRI safety warning on cyber risks.
2014 – FDA Cybersecurity Guidance and Workshop - Premarket
2015 – HHS OIG announced that it will include networked medical devices in upcoming audits.
2016 – FDA Cybersecurity Guidance and Workshop – Postmarket (draft)
Medical Device Security – not just a Healthcare Topic
Medical Device Risks - Examples
• Device hacks
• Device loss/theft (PHI breach)
• Drug abuse
• Patch deployment failure
• Multiple reports on device testing – with disastrous results
• ICS-CERT (DHS), FBI, FDA warnings
• Audit & Compliance Risk
Medical Devices – Now Targeted and Exploited!
• MedJack: Medical Device Hijack
• APT exploit of Medical Devices
• 3 hospitals, 3 different medical devices (Blood Gas, X-Ray, PACS)
• Undetected, difficult to remediate
• “Near perfect target”:
  • Limited IT visibility
  • Unprotected / unpatched
  • Entry point to the network
  • Common, widespread vulnerabilities
• This is not hypothetical anymore; devices are being exploited!
  • Pivot point to enter network
  • Invisible to IT security
  • Zeus, Conficker, Citadel (Ransomware!)
http://deceive.trapx.com/AOAMEDJACK_210_Landing_Page.html
TrapX has since claimed that they have seen this in 60 hospitals and traced the attacks back to servers controlled by a Russian crime syndicate.
http://www.bloomberg.com/features/2015-hospital-hack/
… and, as reported by Protiviti
• Exposed 68,000 Medical Devices from a large, unnamed US health group.
• Discoverable via Shodan Search Engine.
• Thousands of misconfigurations and direct attack vectors, incl. Win XP.
• Allows for detailed mapping of network, including devices.
• MRI and Defibrillator “honeypots”.
  • 55,416 login attempts over 6 months.
  • 299 attempts to install malware.
  • 24 exploits of Conficker vulnerability
• Conclusion:
  • Medical Devices are a recognized target!
  • Most likely because they are vulnerable, not because of what they are.
  • We have to assume that there are many “owned” devices out there.
http://www.bbc.com/news/technology-34390165
Sept. 2015
Medical Devices – More Insight
• Analyzed 3 new hospitals
• Evolution of MedJack attack strategy
• Botnets and backdoor exploits under control of an attacker
• Repackaging of old malware:
  • Attacks often remained undetected by traditional security in place
  • Targeting older / unpatched versions of Windows, thus not affecting normal IT
  • But not detected by unprotected devices
• There is indication that this is a deliberately chosen attack strategy
• Identified targets:
  • Fluoroscopy workstation
  • PACS / MRI
  • C-Arm X-Ray
• Attacks well orchestrated and moving across networks after beachhead was established
http://deceive.trapx.com/rs/929-JEW-675/images/AOA_Report_TrapX_MEDJACK.2.pdf
June 2016
Medical Device Reality Check
Device Manufacturer
Desired:
• Secure devices (C-I-A)
• Responsible use of COTS
• Cost-effective lifecycle management
• End-of-life process
• Minimize support incidents due to SW & security issues
• Protect intellectual property
• Maintain manufacturing integrity
Reality:
• Increasingly targeted and sophisticated hacks (cyber crime)
• Highly publicized vulnerabilities
• Growing regulatory pressures, but also clarity
• Customer expectations
• Process & overhead
• Yet another quality issue to deal with
HC Delivery Org.
Desired:
• Secure devices (A-I-C)
• Secure ecosystem (integration, network, handling, maintenance)
• Compliance (HIPAA, TJC)
• Minimize risks: patient safety, care delivery, revenue
• Comprehensive Security RA
• Minimize duplicate efforts
Reality:
• Insecure devices
• Unclear security responsibility
• Security not a purchasing & maintenance driver
• Incomplete asset inventory
• Incomplete vie/security properties
• Not included in Security RA
• Complex change management
Medical Device Cybersecurity: Impact Potential - What we know to date
Columns (Consequences, Risks): Cyber Conflict, Market Manipulation, Patient Harm, Care Delivery, Clinical Operations, Drug Abuse, Security Exploit, IP Theft, Data Breach, IT Impact, “Product Improvements”
Actual events:
Malicious Attack: R R R
Malware Infection: R R R R
Other: R R R R
Security Research: R D D D D D D
R = Reported, D = Demonstrated
Medical Device Cybersecurity - What the discussion comes down to
Patient Safety Patient Trust
Device Functionality
Device Performance
Treatment Decisions
Network Reliability
Alarm Delays
Patient Harm
Revenue Loss
Drug Abuse
Unauthorized Access
Beachhead Attack
Cyberwarfare
Data Breach
ePHI Exposure
Treatment Delays
Staff Productivity
Blackmail / Ransom
Intellectual Prop. Theft
Assassination, Murder
Cyberterrorism, Hacktivism
Patient, Criminal, Indirect, National
Cybercrime
Law Suits & Fines
Public Opinion
Availability – Integrity - Confidentiality
Challenges of Complexity
Technical
• Number of Systems & Types
• Number of Platforms
• Number of Vendors
• Network Complexity
• Remote Access
Organizational
• Device Ownership
• BioMed to IT Relationship
• Security & Risk Responsibility
• Procurement Decisions
• 3rd Party Maintenance
Operational
• Regulatory Restraints
• Multiple Regulations
• Change Management
• 24/7 Operations
• Device to System Dependencies
• Continual Change
Impact
• Patient Safety
• Care Delivery
• Patient Treatment Decisions
• Privacy Breaches
• Compliance Violations
• Risk of Law Suits and Fines
• Revenue Stream
• National Security
Complexity is part of the problem. It is a true “System of Systems” challenge – on all levels: technical, organizational, operational, and impact potential.
Complexity abound: Cybersecurity, Patient Safety, Care Delivery, Reputation, Law Suits, Fines, and Patient Trust!
Medical Device Introduction: Key Takeaways
• Vulnerabilities everywhere we look.
• Medical devices have become an identified target.
• Change is difficult: education, design practices, regulatory burden, complexity, economic limitations.
• A risk to the device, healthcare system and national security!
Regulatory & Government Stakeholders
Regulatory Complexity – Overlaps and Gaps
Requiring multiple Risk Analyses?
FDA: Safety and Effectiveness
HHS: Assure C-I-A of ePHI (HIPAA)
The Joint Commission: Medical Equipment Safety (EC 02.04.01)
Medical Device Cybersecurity: Regulatory Overlap yet Execution Gaps
Other Stakeholders:
• FBI – Crime Prevention
• DHS – National Security
• FTC – Consumer Protection
• FCC – Wireless Reliability
• NIST – Standardization (national)
• ISO – Standardization (global)
• UL – Assurance & Certification
• IEEE – Engineering Frameworks
• Others: HIMSS, AAMI, IHE, VA/DoD, MDISS, Mitre, NEMA, …
HDO
Mfr.
FDA Regulation to assure Safety and Effectiveness
Increasing Patient Safety Risk = Increasing Regulatory Controls
Class I:
• General Controls
Class II:
• General Controls
• Special Controls
Class III:
• General Controls
• Premarket Approval (PMA)
Certain Class I/II device types are listed as “510(k) exempt”
General Controls, e.g.:
• Manufacturer registration
• Device listing with FDA
• Quality System / GMP
• Labeling
• Reporting (MDR)
• 510(k) Premarket Notification
Special Controls, e.g.:
• Performance standards
• Postmarket surveillance
• Special labeling
PMA:
• Scientific and regulatory documentation to prove safety and effectiveness
FDA position on cybersecurity updates:
a) Should be part of Mfrs. Quality System
b) Do not require resubmission to the FDA
US Food and Drug Administration (FDA) - Evolving view on Off-the-Shelf (OTS) software
1999: “Guidance for Industry on Compliance of Off-the-Shelf Software Use in Medical Devices”
SW as a static component
• Treating OTS software like any other device component:
  • Requires documentation
  • Include in verification & validation
  • Specific hazard analysis and mitigation
  • Describe residual risk
2005 (2009): “Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”
SW’s unique lifecycle mgmt. & security needs
• Cybersecurity requires software lifecycle mgmt. = patching
• Clarified that:
  • Vulnerabilities can affect safety
  • Cybersecurity is part of the manufacturer’s Quality System and Corrective Action Plan
  • Security patches do not require resubmission to the FDA
2014: “Content of Premarket Submissions for Mgmt. of Cybersecurity in Medical Devices - Guidance for Industry”
Software system cybersecurity needs
• Manufacturer responsibility:
  • Limit unauthorized access
  • Ensure trusted content
  • Provide a fail-safe mode
  • Retention & recovery
• Documentation:
  • Hazard analysis, mitigation
  • Cybersecurity controls
  • Patching & lifecycle mgmt.
  • Security instructions
2016: Draft: Postmarket Management of Cybersecurity in Medical Devices
Transparency & vulnerability sharing
• “Essential Clinical Performance”
• ISAO
  • Inf. Sharing Analysis Org.
  • Certain protections
• Clarification on Security Patches and Updates
• Vulnerability mgmt.
FDA Guidance (Oct. 2014):
• Identify & Protect
  • Limit access to trusted users
    • E.g. no common or hardcoded passwords
  • Ensure trusted content
• Detect, Recover, Respond
  • Detect, recognize, log, and act upon security incidents
  • Actions to be taken
  • Protect critical functionality
  • Recover device configuration
• Cybersecurity documentation
  • Hazard analysis, mitigation, design considerations
  • Traceability matrix (cybersecurity controls to risks)
  • Update and patch management
  • Manufacturing integrity
  • Recommended security controls
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf
FDA reported that 53% of submitted 510(k) applications did not include cyber risk information
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf
FDA Postmarket Guidance (Draft Jan. 2016):
• Cybersecurity is a shared responsibility
• “Information Sharing Analysis Organization”
  • ISAO - Multi-Stakeholder
  • Voluntary but: actionable, transparent, trusted
  • Information shielded from release, exempt from regulatory use and civil litigation
  • Critical component of a comprehensive approach to cybersecurity
• Introduces “Essential Clinical Performance”
• “Cybersecurity routine patches and updates”
  • Generally not required to be reported
  • Unless serious adverse health consequences or unacceptable residual risk
• Other key Manufacturer guidance:
  • Threat and incident monitoring
  • Vulnerability disclosure policy
  • Receive and process vulnerability reports
  • Practice good cyber hygiene
Impact of FDA Regulation on Providers:
• For “regulated medical devices” manufacturer approval is required:
  • Cannot install unapproved after-market security
  • Cannot install unapproved patches (even OS or other COTS)
  • Cannot install unapproved management agents
• But – there are exceptions:
 | Regulated: Medical Device | Regulated: SW-only Device | Non-regulated: Other Clinical | Non-regulated: Other OT
Examples | MRI, EKG, Monitoring | PACS viewer or server | Pharmacy, Fridges, Sterilization | Building, HVAC, Telco
Device | No | No | Yes* | Yes*
Platform | No | In most cases* | Yes* | Yes*
System | Maybe* | In most cases* | Yes* | Yes*
* = check with manufacturer to:
• Understand “envelope” of the regulated device
• Potential contract, warranty, or support implications
Note – this slide is a highly summarized interpretation of the FDA guidance, please refer to the actual document for regulatory and legal advice.
The Problem Spectrum - A (simplified) View of Medical Device Risks
General platform, wired/wireless network:
High risk of operational impact due to broad vulnerabilities, e.g. malware related shutdown.
But – little patient safety risk!
Implantable, proprietary, short range comm:
Requires targeted attack, technical skill, and affects only one patient.
But – patients can die
Labels: “Collateral Damage”, Security Research
The big “IF”:
• Assassination, murder, attack on hospital or manufacturer reputation
• Targeted attack on highly vulnerable hospital ecosystem
• Anything in between
[Two charts; axes: Impact, Likelihood]
Medical Device Cybersecurity Path Forward - Summary
Protect Device
Manufacturer:
• Hardened design
• Software best practices
• HIDS/HIPS
• Key/Certificate-based technologies:
  • Encryption
  • Device certificates
  • Code signing
  • Secure boot
HDO:
• Secure handling
• Media use, esp. USB
• Integration best practices
Protect Ecosystem
Manufacturer:
• Secure remote access
• Strong password / 2FA
• Security best practices documentation
• Enablement & Training
HDO:
• Network architecture
• Security event monitoring
• Firewalls / Gateways
• Enablement & Training
Manage Devices
Manufacturer:
• Lifecycle mgmt. (patch & update deployment)
• V&V incl. security, e.g. pen testing
• Vulnerability disclosure
• Software BOM (Supply Chain)
HDO:
• Procurement & Contracting
• Asset management (incl. security)
• Dependency mgmt.
• Risk Management:
  • Risk Assessment: safety, security, privacy, operations, reputation
  • Mitigation
Manage Incidents
Manufacturer:
• Threat & Vulnerability monitoring and management
• Regulatory reporting
HDO:
• Detect, Respond, Recover
• Impact Analysis, Forensics
• Communication & Decision making
• Report as needed
Example 1: Protecting the Device – Host-based Security
Standard Platforms (Windows, Linux, QNX)
Traditional Approach: Malware Blocking | Whitelisting Behaviors: Sandboxing
Ineffective on zero-day | Effective on zero day
Ensures self-protection | Protects OS critical resources
Customization or separate product | Protects applications from each other
Large footprint | Small footprint
Signature based | Behavior / policy based
Internet access required | No internet access required
Reactive | Proactive
Appropriate for networked general compute devices (servers, workstations) | Appropriate for dedicated purpose and embedded systems.
Example 1: Critical System Protection (SES:CSP)
On-device security:
• Ease Lifecycle Management and Patch pressures
• EOL OS “lifeline”
• App & Process Whitelisting
• Process/Port control
• System administration
Manufacturer Use:
FDA-regulated Medical Device:
• Example: Imaging, Diagnostics
• Protect platform and critical files
• Control traffic and system behavior
• Elevate lifecycle management pressure
HDO use with non-regulated systems: (Still advisable to check with manufacturer)
Supporting IT System
• Workstations, Servers
Software-only Medical Device:
• Example: PACS workstation
• Protect platform (install on workstation)
Non-Medical Device:
• Example: fridges, building systems, nurse call, etc.
• Install on Device as permitted by Contract/Warranty
Symantec Critical System Protection Embedded
Network Protection (Host IPS)
• Close back doors (block ports)
• Limit network connectivity by application
• Restrict traffic flow inbound and outbound
Exploit Prevention (Host IPS)
• Restrict apps & O/S behaviors
• Protect systems from buffer overflow
• Intrusion prevention for zero-day attacks
• Application control
System Controls (Host IPS)
• Lock down configuration & settings
• Enforce security policy
• De-escalate user privileges
• Prevent removable media use
Auditing & Alerting (Host IDS)
• Monitor logs and security events
• Consolidate & forward logs for archives and reporting
• Smart event response for quick action
Note tie-back to FDA Cybersecurity Guidance
Example 2: Managed Key (mPKI) Infrastructure
Three main use cases
Traditional:
• 2FA
• SSL / TLS / DTLS
• Encryption
IoT / embedded:
• Device Certs
• Secure boot
• Code signing
Industry-specific:
• Electronic transactions
• EPCS
• Full certificate Lifecycle Management: issue, enroll, manage, revoke
• Certificate hierarchy (hardware “root of trust”)
• Secure boot, secure updates, chain of trust, chain of custody
• Delivery models: public CA, private CA, IoT-specific CA
Example 3: Symantec Anomaly Detection – Coming Soon
• Anomaly Detection passively listens to network traffic
• No disruption to operations, no downtime
• Anomaly Detection is a software solution typically deployed on a gateway or router in each department/floor
• Operates with <500MB RAM
• Doesn’t require new hardware
• Anomaly Detection will feature a dual UI
• Edge UI – Enables floor-level monitoring and incident investigation
• Aggregate UI – Aggregated view for whole hospital
• Anomaly Detection performs deep packet inspection to look into the message payloads
• Compare against HL7 & DICOM standards
• Establish expected ranges of payload values (i.e. sensor readings)
• Catch packets malformed at the L7 layer
Anomaly Detection provides 2 key features
1. Asset Detection provides users with a single pane of glass view of the assets in their network, learned automatically
2. Anomaly Detection protects healthcare systems from zero day attacks and subtle, sophisticated attacks in real time
The first step is Asset Detection
• By passively observing message traffic, this solution can map the network assets and communication channels
• What devices are present, and their specs: IP and MAC address, device type and manufacturer (when possible)
• Which devices communicate with which other devices
• The solution will display these devices through a clear, detailed UI
Asset Detection enables greater system monitoring and understanding, and is the first step in Anomaly Detection
Anomaly Detection proactively identifies attacks by flagging anomalous activity
• Anomaly Detection learns the baseline of activity in the system at the most granular level
• IP addresses, active ports, protocols, message length, etc.
• Deep packet inspection – expected field values and ranges
• Once the system baseline is established, anomalous activity is flagged for investigation
• Anomaly detection utilizes machine learning algorithms to detect new, subtle attacks that wouldn’t trigger basic detection rules
• Doesn’t require user to set rules or policies (unless they choose to)
• Incidents are prioritized based on perceived criticality
• User will see where the incident took place, why the incident was flagged
• User has option to provide feedback to inform detection performance
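A minimal sketch of the learn-then-flag approach described in the Asset Detection and Anomaly Detection slides above, added here as an illustration and not Symantec's implementation. It uses learned sets and min/max ranges rather than machine learning; the `Flow` record, addresses and field names are constructed assumptions, and decoding HL7/DICOM payloads into fields is assumed to happen upstream.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SEVERITY = {"high": 0, "medium": 1, "low": 2}  # sort order for prioritisation


@dataclass(frozen=True)
class Flow:
    """One passively observed message; every field name here is an assumption."""
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_port: int
    proto: str                      # e.g. "HL7" or "DICOM", as classified by the sensor
    length: int                     # message length in bytes
    field: Optional[str] = None     # decoded payload field (e.g. a sensor reading)
    value: Optional[float] = None   # numeric value of that field


class Baseline:
    """Asset inventory plus learned channels, message lengths and value ranges."""

    def __init__(self, margin=0.25):
        self.margin = margin            # tolerated overshoot, as a fraction of the range
        self.assets = {}                # ip -> mac
        self.peers = defaultdict(set)   # ip -> destinations it was seen talking to
        self.channels = {}              # (src, dst, port, proto) -> (min_len, max_len)
        self.ranges = {}                # (src, field) -> (min_value, max_value)

    @staticmethod
    def _widen(table, key, x):
        lo, hi = table.get(key, (x, x))
        table[key] = (min(lo, x), max(hi, x))

    def learn(self, f):
        self.assets.setdefault(f.src_ip, f.src_mac)
        self.peers[f.src_ip].add(f.dst_ip)
        self._widen(self.channels, (f.src_ip, f.dst_ip, f.dst_port, f.proto), f.length)
        if f.field is not None and f.value is not None:
            self._widen(self.ranges, (f.src_ip, f.field), f.value)

    def inventory(self):
        """Asset Detection view: which devices exist and who they talk to."""
        return {ip: {"mac": mac, "peers": sorted(self.peers[ip])}
                for ip, mac in self.assets.items()}

    def _outside(self, x, bounds):
        lo, hi = bounds
        slack = self.margin * max(hi - lo, 1)
        return x < lo - slack or x > hi + slack

    def check(self, f):
        """Return (severity, reason) findings for one new flow, most severe first."""
        findings = []
        mac = self.assets.get(f.src_ip)
        if mac is None:
            findings.append(("high", "unknown asset"))
        elif mac != f.src_mac:
            findings.append(("high", "MAC address changed for known IP"))
        key = (f.src_ip, f.dst_ip, f.dst_port, f.proto)
        if key not in self.channels:
            findings.append(("medium", "new communication channel"))
        elif self._outside(f.length, self.channels[key]):
            findings.append(("low", "unusual message length"))
        if f.field is not None and f.value is not None:
            bounds = self.ranges.get((f.src_ip, f.field))
            if bounds is None:
                findings.append(("medium", "payload field not seen during learning"))
            elif self._outside(f.value, bounds):
                findings.append(("high", "payload value outside learned range"))
        return sorted(findings, key=lambda item: SEVERITY[item[0]])


def build_baseline(flows, margin=0.25):
    baseline = Baseline(margin)
    for flow in flows:
        baseline.learn(flow)
    return baseline


# Constructed sample traffic: a patient monitor sending HL7 to an interface
# engine, and an imaging workstation sending DICOM to a PACS server.
MONITOR = ("10.20.0.11", "00:11:22:aa:bb:01")
TRAINING = [Flow(*MONITOR, "10.20.0.5", 2575, "HL7", 310 + 5 * i, "heart_rate", 62 + 4 * i)
            for i in range(7)]
TRAINING += [Flow("10.20.0.21", "00:11:22:aa:bb:02", "10.20.0.6", 104, "DICOM", n)
             for n in (2048, 4096)]

if __name__ == "__main__":
    b = build_baseline(TRAINING)
    print(b.inventory())
    print(b.check(Flow(*MONITOR, "10.20.0.5", 2575, "HL7", 320, "heart_rate", 240)))
    print(b.check(Flow(*MONITOR, "10.20.0.99", 445, "SMB", 120)))
```
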
The Complete Healthcare Security Picture
Symantec SOC
Log Collection Agent
Security Analysts
Customer Portal
DeepSight Global Threat Intelligence
Data Warehouse
Correlation
Anomaly Detection
Biomedical Network
IT Production Network
Example 4: Medical Device Asset and Risk Management
Utilize existing standards: MDS2 and ISO/IEC 80001 series
Asset Management
• Assets & configurations
• IT and security properties
• Understand use case
Procurement & Contracts
• Security requirements
• Define vendor obligations
• Sign-off & approval
Security Risk Assessment
• Comprehensive risk score
• Impact vs. likelihood
Risk Mitigation
• Device (with manufacturer)
• External (network, handling)
Risk Management
• Continual, comprehensive
• Device risk ↔ system risk
Lifecycle Mgmt.
• Onboarding -> EOL
• Upgrades & patching
• Change management
• Dependency mgmt.
• Replacement planning
Incident Response
• Analysis & recovery
• Management & reporting
• Forensic investigation
• Vendor communication
• Process improvement
Security Risk Analysis
• Threat landscape
• Vulnerability profile(s)
Example 4: Provider Best Practices Approach - Data Flow and Example Architecture
Control Compliance Suite: Risk Management
Altiris: Unified Asset View
Other(DHCP, NAC,…)
3rd Party CMMS
Procurement & Contracting
Device Security Properties (MDS2)
Manufacturer
Remediation & Mitigation
Asset risk scoring
Frameworks(IEC 80001, NIST, …)
3rd Party CMDB
Network Security Gateway
Symantec DeepSight Security Intelligence
Managed Security Services
Utilize existing data sources as available.
Overcoming Limitations:
• Incomplete asset view
• Limited IT & security visibility
• Lack of asset discovery
• Disparate processes
• Can’t automate patching
Benefits:
• Single, holistic view:
  • Assets
  • Security
  • Risks
• Risk mitigation
• Change management
• Automate remediation & patch workflows
• Front-to-back process integration
Example 4: Biomedical Asset Manager - Resource Association and Dependency
Example 4: Biomed Asset Management: Benefits - Holistic database to address ITSec and BioMed needs
Unify Asset Data
• Comprehensive, across management systems and data sources
• Include BioMed and IT / Security properties; role-specific views
• Agentless discovery and scans
Integrate with Existing Systems
• CMMS, CMDB, NAC, AD, etc.
• Ticketing and other workflow systems
• Security management systems
Map Device Dependencies
• Device to IT (server, workstation, network)
• Infrastructure, location, ownership
• Prevent device impact due to IT changes
Supporting Risk Management
• Deliver comprehensive asset list for risk scoring
• Automate Risk Management processes and policy management
• Support risk mitigation & documentation
Full Front-to-Back Integration
• Procurement, contracting, license management
• Lifecycle management, maintenance, updates and patching, recalls
• End-of-life processes
Securing the Medical Device Ecosystem - How Symantec is helping Stakeholders
Secure Communication & Access
Protect Manufacturing Integrity
Protect Intellectual Property
Secure Devices
Protect Critical Data
Regulatory & Policy Management
Asset Management
Risk Mgmt. & Mitigation
Network Security
Device Manufacturer Healthcare Delivery Organization
Server hardening, authentication
Code signing, secure boot, platform hardening
Messaging certs, encryption, mPKI
Platform hardening, authentication
Authentication & access mgmt.
Contract & Requirements Mgmt.
Holistic & Comprehensive Asset Inventory & View
Risk scoring and assessment, mitigation management
Security gateway; anomaly detection
Cybersafety – It’s a shared Responsibility
Shared Problem:
• Increasing and Sophisticated Cyber Threats
• Growing Regulatory Pressure & Compliance Risks
• Complex and Highly Integrated Ecosystem of Vulnerable Devices
Coordinated Solutions Approach:
Device Manufacturers
• Encryption & Data Privacy
• Platform and Critical System Protection
• Device Certificates, Code Signing, Secure Boot
• Security Capabilities (detection, logging)
• Cybersecurity Documentation & Updates
• Access & Authentication
Healthcare Providers
• Procurement & Contract Management
• Risk Analysis & Management
• Asset Management
• Network Security & Architecture
• Processes & Workflows
Thank you!
Copyright © 2016 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
David Clapp
(262) 424-2061
Internet of Things (IoT) Security Reference Architecture: www.symantec.com/iot
https://www.securityevaluators.com/hospitalhack/
IEEE: Building Code for Medical Device Software Security
• Nov. 2014 Workshop
• Released May 2015
• Addressing device manufacturers’ secure SW design needs.
• Key Elements:
• Avoid vulnerabilities
• Cryptography
• SW integrity
• Impede attackers
• Enable detection
• Safe degradation
• Restoration
• Maintain operations
• Support privacy
http://cybersecurity.ieee.org/images/files/images/pdf/building-code-for-medica-device-software-security.pdf
IHE International - PCD MEM
Patient Care Device Domain, Medical Equipment Management
MEM Whitepapers:
• Cybersecurity (2011: Education & Problem Baseline)
• Cybersecurity Best Practices (2015)
• Medical Device Patching (2015), co-authored by MDISS and IHE
Asset & Supply Chain Management
• Manufacturer Disclosure Statement for Medical Devices Security (MDS2)
• Medical Device Security should be part of the Procurement Process:
  - RFP Language
  - Request NEMA MDS2
• Developed in cooperation by HIMSS and NEMA
• New version Oct. 2013
• More detailed (2 -> 6 pages)
• Now harmonized with IEC 80001 technical controls
http://www.nema.org/Standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx
IEC 80001 Series - Application of Risk Management for IT-Networks Incorporating Medical Devices
IEC 80001-1:2010 - “Part 1: Roles, responsibilities and activities”
IEC 80001-2-1:2012 - “Part 2-1: Step by Step Risk Management of Medical IT-Networks; Practical Applications and Examples”
IEC 80001-2-2:2012 - “Part 2-2: Guidance for the communication of medical device security needs, risks and controls”
IEC 80001-2-3:2012 - “Part 2-3: Guidance for wireless networks”
IEC 80001-2-4:2012 - “Part 2-4: General implementation guidance for Healthcare Delivery Organizations”
IEC 80001-2-5:2014 - “Part 2-5: Application guidance -- Guidance for distributed alarm systems”
IEC 80001-2-6:2014 - “Part 2-6: Application guidance -- Guidance for responsibility agreements”
IEC 80001-2-7:2015 - “Part 2-7: Application guidance for healthcare delivery organizations (HDOs) on how to self-assess their conformance with IEC 80001-1”
IEC 80001-2-8 “Part 2-8: Application guidance -- Guidance on standards for establishing the security capabilities identified in IEC 80001-2-2”
IEC 80001-2-9 “Part 2-9: Application guidance -- Guidance for use of security assurance cases to demonstrate confidence in IEC/TR 80001-2-2 security capabilities”
From: “VA Medical Device Protection Program (MDPP)”, presented at the NIST Health Security Conference, May 11, 2011
Segregation (VLAN Network, Access Control)
Biomedical Instrumentation & Technology (BI&T), Volume 50, Issue 1 (Jan./Feb. 2016)
http://aami-bit.org/toc/bmit/50/1
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
NIST Critical Infrastructure Cybersecurity Framework
http://www.etsi.org/deliver/etsi_tr/103300_103399/103305/01.01.01_60/tr_103305v010101p.pdf
ETSI: Critical Security Controls for Effective Cyber Defence
References - FDA
Postmarket Management of Cybersecurity in Medical Devices: Draft Guidance for Industry and FDA Administration Staff (Jan 2016) http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf
Content of Premarket Submission for Management of Cybersecurity in Medical Devices: Guidance for Industry and FDA Administration Staff (Oct. 2014) http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf
Information for Healthcare Organizations about FDA's "Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software“ (updated July 2015) http://www.fda.gov/RegulatoryInformation/Guidances/ucm070634.htm
Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication (2013) http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm?source=govdelivery
Cybersecurity for Networked Medical Devices is a Shared Responsibility: FDA Safety Reminder (updated Oct. 2014) http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm189111.htm
Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software (Jan. 2005) http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm
Off-The-Shelf Software Use in Medical Devices (Sept. 1999) http://www.fda.gov/downloads/MedicalDevices/.../ucm073779.pdf
References - Other
Medical Device Software Patching, IHE PCD in Cooperation with MDISS (Oct. 2015), http://ihe.net/uploadedFiles/Documents/PCD/IHE_PCD_WP_Patching_Rev1.1_2015-10-14.pdf
Medical Equipment Management, Medical Device Cyber Security Best Practice Guide, IHE PCD (Oct. 2015), http://ihe.net/uploadedFiles/Documents/PCD/IHE_PCD_WP_Cyber-Security_Rev1.1_2015-10-14.pdf
Medical Equipment Management, Cyber Security, IHE PCD (May 2011), http://ihe.net/Technical_Framework/upload/IHE_PCD_White-Paper_MEM_Cyber_Security_Rev2-0_2011-05-27.pdf
Building Code for Medical Device Software Security, IEEE Computer Society, May 2015, http://cybersecurity.ieee.org/images/files/images/pdf/building-code-for-medica-device-software-security.pdf
Medical Device Isolation Architecture Guide, V2.0, US Department of Veterans Affairs (Aug. 2009), http://s3.amazonaws.com/rdcms-himss/files/production/public/HIMSSorg/Content/files/MedicalDeviceIsolationArchitectureGuidev2.pdf
Medical Devices Security Technical Implementation Guide, V1 R1, Defense Information Systems Agency (DISA) (July 2010), http://iase.disa.mil/stigs/Documents/unclassified_medical_device_stig_27July2010_v1r1FINAL.pdf
Patching Off-the-Shelf Software Used in Medical Information Systems, NEMA/COCIR/JIRA Security and Privacy Committee, Oct. 2004, http://www.medicalimaging.org/wp-content/uploads/2011/02/Patching_OffTheShelfSoftware_Used_in_MedIS_October_2004.pdf
Manufacturer Disclosure Statement for Medical Device Security, NEMA (Oct. 2013); http://www.nema.org/Standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx