
Cybersecurity for Medical Devices: Three Threads Intertwined

Presented to MedSun audioconference "Cybersecurity of Medical Devices" on April 12th 2005
by Scott Bolte (Scott.Bolte@ge.com), Product Security Program Manager, GE Healthcare


First, the Patient's Thread


Scott Bolte / 20050412. Copyright © 2005 by General Electric Company

What Really is at Risk?

• Common focus on individual medical devices is important, but misleading.
• Most medical systems can be secured simply by disconnecting them from the network.
• Unfortunately, what would be lost, and what really needs to be protected, is the secure transfer of clinical information between medical systems.
• The right information, before the right people, at the right time, improves patient treatment. Security improvements must not impede that information flow.


Next, a Manufacturer's Thread


Constraints on Manufacturers

• Manufacturers rarely need to get approval from FDA with regards to cybersecurity […] effective operation after changes, including 3rd party patches.
• No one can predict the impact of 3rd party changes on clinical operations in advance. Therefore verifying and validating seemingly minor changes may take significant …


GE Healthcare Initiatives in a Nutshell

Product Development Changes:
• Eliminating default but unnecessary network services to reduce the opportunities for future attacks.
• Objective & automated vulnerability assessments at each product release.
• Formal design requirements system augmented with new security requirements.

Organizational Capabilities Changes:
• Enhancing remote service technology to improve response times.
• Optimizing validation & verification …
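The two product-development items above (removing default but unnecessary network services, and an objective, automated assessment at each release) can be combined into one release-gate check: take the sockets a candidate device image actually listens on, and compare them against the services the product's design requirements say it needs. The following is an added example and not GE Healthcare's code or tooling. It parses `ss -ltun`-style socket listings; the sample listing and the required-service baseline are constructed here, and the DICOM, HL7 MLLP and SSH ports are assumed requirements for a hypothetical device, not anything taken from a real product.

```python
"""Release-gate check: compare the network services a device image actually
exposes with the services its design requirements document, and flag the rest.

Added example; not GE Healthcare code. The baseline and the socket listing
below are constructed sample data in the output format of `ss -ltun`.
"""
from dataclasses import dataclass

# Constructed baseline: (protocol, port) pairs the product is documented to
# need. The DICOM, HL7 MLLP and SSH ports are assumptions for a hypothetical
# device, not requirements taken from any real product.
REQUIRED_SERVICES = {
    ("tcp", 104),   # DICOM
    ("tcp", 2575),  # HL7 over MLLP
    ("tcp", 22),    # remote service access over SSH
}

# Constructed sample of `ss -ltun` output captured from a device image.
SAMPLE_LISTING = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:104        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:2575       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:445        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
"""

# Bind addresses that are reachable only from the device itself.
LOOPBACK_ADDRESSES = {"127.0.0.1", "[::1]", "::1"}


def parse_listeners(listing: str) -> set[tuple[str, int, str]]:
    """Return (protocol, port, bind_address) for every listening socket.

    Keeps tcp sockets in LISTEN and udp sockets in UNCONN state; skips the
    header line and anything that does not look like a socket row.
    """
    listeners = set()
    for row in listing.splitlines()[1:]:
        fields = row.split()
        if len(fields) < 5 or fields[1] not in ("LISTEN", "UNCONN"):
            continue
        proto, local = fields[0], fields[4]
        address, _, port = local.rpartition(":")  # also handles "[::]:22"
        if not port.isdigit():
            continue
        listeners.add((proto, int(port), address))
    return listeners


@dataclass
class ExposureReport:
    unexpected: set        # network-reachable services not in the baseline
    loopback_only: set     # listening on loopback only; informational
    missing: set           # baseline services that are not actually listening

    def passes(self) -> bool:
        # Fail closed: an undocumented exposed service blocks the release, and
        # so does a documented service that is gone (the disclosure is stale).
        return not self.unexpected and not self.missing


def check_exposure(listing: str, required: set) -> ExposureReport:
    """Classify every listener as network-exposed or loopback-only and diff
    the exposed set against the documented baseline."""
    exposed, loopback_only = set(), set()
    for proto, port, address in parse_listeners(listing):
        service = (proto, port)
        if address in LOOPBACK_ADDRESSES:
            loopback_only.add(service)
        else:
            exposed.add(service)
    return ExposureReport(
        unexpected=exposed - required,
        loopback_only=loopback_only,
        missing=required - exposed,
    )


if __name__ == "__main__":
    report = check_exposure(SAMPLE_LISTING, REQUIRED_SERVICES)
    for proto, port in sorted(report.unexpected):
        print(f"UNEXPECTED exposed service: {proto}/{port}")
    for proto, port in sorted(report.loopback_only):
        print(f"info: loopback-only listener {proto}/{port}")
    for proto, port in sorted(report.missing):
        print(f"MISSING documented service: {proto}/{port}")
    print("release gate:", "PASS" if report.passes() else "FAIL")
```

On a real build, replace the constructed listing with `ss -ltun` output captured from the candidate image, and keep the baseline in the same formal requirements system the slide mentions, so that the gate and any customer-facing disclosure are derived from one source rather than maintained by hand. The check reports in both directions on purpose: an extra telnet, SMB or SNMP listener is the attack-surface problem the slide describes, while a documented service that is no longer present means the disclosure has drifted from the product.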


Finally, the Healthcare Provider's Thread


Proceed with Caution

• Traditional IT assumptions and procedures need to accommodate unique medical device realities.
• Generic IT security best practices indiscriminately applied to medical devices without manufacturer coordination can pose patient safety risk. For example:
  • automatic patching can and has broken medical devices
  • network vulnerability scans can disrupt clinical operations
  • antivirus software can disrupt time-sensitive clinical operations
  • misidentified …


Long Term Perspective Required

• Unlike most IT systems, medical device life cycles can be 10, 15, 20 years or longer!
• While general purpose hardware & software need to be replaced regularly to keep up with evolving needs, medical devices will continue to perform their focused purpose adequately for many years.
• Need to assume underlying operating systems may be used years longer than IT managers typically expect.


The Sky is NOT Falling

• All security problems are not equal. Threat prioritization with a phased remediation plan is required.
• Response to specific …


Ongoing Communications

• Cooperation between hospital IT staff and clinical personnel is critical since both parties have essential knowledge. It is dangerous when they work independently.
• Cooperation between healthcare providers and equipment manufacturers is also critical, for the exact same reasons.
• Treat security problems and concerns like any other problem with a medical device. They are hazards that need to be appropriately addressed.
• Don't reinvent the wheel or set up special channels; use established support mechanisms.


Secure Network Designs

Medical devices are provided with …


Weaving the Threads Together


We Must Work Together

• Interoperability is essential, as with DICOM, HL7 and other clinical standards.
• Manufacturers must continue to work together, and with healthcare providers, on security standards; otherwise clinical interoperability may be undermined. Industry forums should be used to develop and/or publicize standards & best practices. (See NEMA, HIMSS, etc. pages in the Additional Information appendix.)


MDS2: A Pattern for Things to Come?

• Looming April 2005 HIPAA security regulations were driving a lot of churn for manufacturers and healthcare providers throughout 2004.
• The HIMSS Medical Device Security Workgroup recognized the opportunity to simplify through standardization and rose to the challenge.
• The Manufacturers Disclosure Statement for Medical Device Security (MDS2) was developed in just a couple of months last fall, and is already a de facto industry standard.
• MDS2 is a model of how collective wisdom can streamline effective communication between all parties.
• More information on the MDS2 may be found in the Additional Information appendix.

http://www.himss.org/ASP/topics_FocusDynamic.asp?faid=99


Conclusion

• Everyone has things they can do on their own to manage risk, both immediately and long term.
• Industry forums should be used to share knowledge and develop common solutions.
• GE Healthcare will continue to work with our customers and our peers to develop better products, standards and practices for the industry.
• Medical device cybersecurity risks can be managed without interfering with patient care, if we work together.


Additional Information


GE Healthcare

The ever growing security portal http://www.gehealthcare.com/usen/security/index.html includes:
• Manufacturer's Disclosure Statement for Medical Device Security (MDS2) for GE Healthcare products
• FAQs
• Product vulnerability information


NEMA Security & Privacy Committee

SPC's material at http://nema.org/prod/med/security/ includes:
• Break-Glass: An Approach to Granting Emergency Access to Healthcare Systems
• Patching Off-the-Shelf Software Used in Medical Information Systems
• Defending Medical Information Systems Against Malicious Software


HIMSS Medical Device Security WG

HIMSS work group's material at http://www.himss.org/ASP/topics_medicalDevice.asp includes:
• original Manufacturer's Disclosure Statement for Medical Device Security (MDS2),
• Department of Veterans Affairs' Medical Device Isolation Architecture Guide,
• links to current issues, trends and tools,
• contact information to join work group.


Original MDS2 a Huge Step Forward

In the style of DICOM conformance statements and IHE integration profiles …


Enhanced MDS2 as New Model?

Sponsor / Manufacturer / User

Three organizations work together to efficiently share information. Sponsor …


Device Profiles …