Scott Bolt Ege
8/17/2019 Scott Bolt Ege
Cybersecurity for Medical Devices: Three Threads Intertwined
Presented to MedSun audioconference Cybersecurity of Medical Devices on April 12th, 2005
by Scott Bolte (Scott.Bolte@ge.com)
Product Security Program Manager, GE Healthcare
First, the Patient's Thread
3 / Scott Bolte / 20050412
Copyright © 2005 by General Electric Company
What Really is at Risk?
Common focus on individual medical devices is important, but misleading.
Most medical systems can be secured simply by disconnecting them from the network.
Unfortunately, what would be lost, and what really needs to be protected, is the secure transfer of clinical information between medical systems.
The right information, before the right people, at the right time, improves patient treatment. Security improvements must not impede that information flow.
Next, A Manufacturer's Thread
Constraints on Manufacturers
Manufacturers rarely need to get approval from FDA with regards to Cybersecurity ective operation after changes including 3rd party patches.
No one can predict impact of 3rd party changes on clinical operations in advance. Therefore verifying and validating seemingly minor changes may take signi
GE Healthcare Initiatives in a Nutshell
Product Development Changes:
Eliminating default but unnecessary network services to reduce the opportunities for future attacks.
Objective & automated vulnerability assessments at each product release.
Formal design requirements system augmented with new security requirements.
Organizational Capabilities Changes:
Enhancing remote service technology to improve response times.
Optimizing validation & veri
Finally, the Healthcare Provider's Thread
Proceed with Caution
Traditional IT assumptions and procedures need to accommodate unique medical device realities.
Generic IT security best practices indiscriminately applied to medical devices without manufacturer coordination can pose patient safety risk. For example:
automatic patching can and has broken medical devices
network vulnerability scans can disrupt clinical operations
antivirus software can disrupt time-sensitive clinical operations
misidenti
Long Term Perspective Required
Unlike most IT systems, medical devices life cycles can be 10, 15, 20 years or longer!
While general purpose hardware & software need to be replaced regularly to keep up with evolving needs, medical devices will continue to perform their focused purpose adequately for many years.
Need to assume underlying operating systems may be used years longer than IT managers typically expect.
The Sky is NOT Falling
All security problems are not equal. Threat prioritization with a phased remediation plan is required.
Response to speci
Ongoing Communications
Cooperation between hospital IT staff and clinical personnel is critical since both parties have essential knowledge. It is dangerous when they work independently.
Cooperation between healthcare providers and equipment manufacturers is also critical for the exact same reasons.
Treat security problems and concerns like any other problem with a medical device. They are hazards that need to be appropriately addressed.
Don't reinvent the wheel or set up special channels; use established support mechanisms.
Secure Network Designs
Medical devices are provided with
Weaving the Threads Together
We Must Work Together
Interoperability is essential, as with DICOM, HL7 and other clinical standards.
Manufacturers must continue to work together and with healthcare providers on security standards, otherwise clinical interoperability may be undermined.
Industry forums should be used to develop and/or publicize standards & best practices. (See NEMA, HIMSS, etc. pages in Additional Information appendix.)
MDS2: A Pattern for Things to Come?
Looming April 2005 HIPAA security regulations were driving a lot of churn for manufacturers and healthcare providers throughout 2004.
The HIMSS Medical Device Security Workgroup recognized the opportunity to simplify through standardization and rose to the challenge.
The Manufacturers Disclosure Statement for Medical Device Security (MDS2) was developed in just a couple of months last fall and is already a de facto industry standard.
MDS2 is a model of how collective wisdom can streamline effective communication between all parties.
More information on the MDS2 may be found in the Additional Information appendix.
http://www.himss.org/ASP/topics_FocusDynamic.asp?faid=99
Conclusion
Everyone has things they can do on their own to manage risk, both immediately and long term.
Industry forums should be used to share knowledge and develop common solutions.
GE Healthcare will continue to work with our customers and our peers to develop better products, standards and practices for the industry.
Medical device cybersecurity risks can be managed without interfering with patient care, if we work together.
Additional Information
GE Healthcare
The ever growing security portal http://www.gehealthcare.com/usen/security/index.html includes:
Manufacturer's Disclosure Statement for Medical Device Security (MDS2) for GE Healthcare products
FAQs
Product vulnerability information
NEMA Security & Privacy Committee
SPC's material at http://nema.org/prod/med/security/ includes:
Break-Glass - An Approach to Granting Emergency Access to Healthcare Systems
Patching Off-the-Shelf Software Used in Medical Information Systems
Defending Medical Information Systems Against Malicious Software
HIMSS Medical Device Security WG
HIMSS work group's material at http://www.himss.org/ASP/topics_medicalDevice.asp includes:
original Manufacturer's Disclosure Statement for Medical Device Security (MDS2)
Department of Veterans Affairs' Medical Device Isolation Architecture Guide
links to current issues, trends and tools
contact information to join work group
Original MDS2 a Huge Step Forward
In the style of DICOM conformance statements and IHE integrations pro
Enhanced MDS2 as New Model?
Sponsor
Manufacturer
User
Three organizations work together to efficiently share information. Sponsor
Device Pro