THE FDA and Medical Device Cybersecurity Guidance

THE FDA and Medical Device Cybersecurity Guidance Valdez Ladd, MBA, CISSP, CISA Pam Gilmore ISSA Raleigh, NC

Transcript of THE FDA and Medical Device Cybersecurity Guidance

Page 1: THE FDA and Medical Device Cybersecurity Guidance


Page 2: THE FDA and Medical Device Cybersecurity Guidance

THE FDA and Medical Device Cybersecurity

FDA’s scope is beyond HIPAA (Privacy & Security Rule)

Health Informatics-Provisions for Health Applications on Mobile/Smart Devices.

Application of risk management for IT-networks incorporating medical devices.

FDA and Wireless Frequency Devices

* Complements HIPAA’s security risk analysis

Page 3: THE FDA and Medical Device Cybersecurity Guidance

Vulnerability discovery

January 2013

Cylance cybersecurity researchers Billy Rios and Terry McCorkle.

Identified 300 pieces of medical equipment vulnerable to cyber attacks

* Firmware, embedded passwords and weak authentication.

Page 4: THE FDA and Medical Device Cybersecurity Guidance

June 13, 2013 FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks.

Assure that appropriate safeguards are in place to reduce the risk of failure due to cyber attacks for medical devices

Design security into the manufacturing process, document it and communicate it to hospitals, etc.

THE FDA and Medical Device Cybersecurity

Page 5: THE FDA and Medical Device Cybersecurity Guidance

THE FDA and Medical Device Cybersecurity

Page 6: THE FDA and Medical Device Cybersecurity Guidance

Risk Analysis

Beyond C-I-A to Medical PAINS

CIA:

Confidentiality, Integrity, & Availability

PAINS

Privacy, Availability, Authentication, Integrity, Non-repudiation and Safety

Page 7: THE FDA and Medical Device Cybersecurity Guidance

Risk and Compliance

Page 8: THE FDA and Medical Device Cybersecurity Guidance

Security Capabilities

Access controls best practices

Remove “hardcoded” passwords

Limit access to trusted users

Role based access with time limitations

Physical locks on devices

Page 9: THE FDA and Medical Device Cybersecurity Guidance

Incident Response

Use of Fail-Safe and Recovery - Security features are recognized, logged and acted upon

- Logging--Devices will need capacity for logging diagnostic data. Capabilities vary depending on device design

Forensics--Data captured in Hazard report

Page 10: THE FDA and Medical Device Cybersecurity Guidance

Incident Response

Ensure trusted Content with strong authentication and encryption.

Customer notification process.

Page 11: THE FDA and Medical Device Cybersecurity Guidance

CyberSecurity Design Document

FDA 510(k) Premarket Approval submissions by manufacturers now require cybersecurity risk analysis and protections in the design of their medical devices:

1. Hazard analysis, mitigations and design

2. Traceability matrix

3. Antivirus

Page 12: THE FDA and Medical Device Cybersecurity Guidance

Manufacturer Disclosure Statement for Medical Device Security (MDS2) v2

Developed by HIMSS and the National Electrical Manufacturers Association (NEMA)

Since 2013, medical device manufacturers have to disclose the cybersecurity features of medical devices they sell to healthcare providers.

A hospital risk assessment tool to assess the vulnerabilities and risks of the medical devices. Allows easy comparison of security features across different devices and different manufacturers.

Page 13: THE FDA and Medical Device Cybersecurity Guidance

Intrusion Detection is defined as:

 "...the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource."1 More specifically, the goal of intrusion detection is to identify entities attempting to subvert in-place security controls.

Intrusion Detection and Mobile Devices

Page 14: THE FDA and Medical Device Cybersecurity Guidance

What are the risks with health information and mobile devices?

Assets: What is valuable in the system and how could it be lost?

Attackers and their motivations: Who would want to do something bad and why?

What role do compliance, regulations and guidelines play in securing data?

Mobile Devices and health information

Defenses: What more could be done to prevent or mitigate attacks?

Page 15: THE FDA and Medical Device Cybersecurity Guidance

How can an attacker change the authentication data? What is the impact if an attacker can read the user profile data?

What happens if access is denied to the user profile database?

* Spoofing vs. authentication

* Tampering vs. integrity

* Repudiation vs. non-repudiation

* Information disclosure vs. confidentiality

* Denial of service vs. availability

* Elevation of privilege vs. authorization

STRIDE MODEL

Page 16: THE FDA and Medical Device Cybersecurity Guidance

Types of Attacks

Carrier based methods

* Man-in-the-middle (MiTM) attacks, which can steal data

* Hijack wireless transmission

Endpoint based methods

* Inject code to tamper with web applications or web services

* Stealing sensitive user phone contents using malware

Wireless interface based methods

* Stealing data when it is in transit over a wireless channel

* Exploit access and authentication

* An adversary steals sensitive data by reading content stored on the SD card

* An adversary exploits OS-level functionality to steal data from the device

* Rooting or jailbreaking the phone to access sensitive data from memory

Page 17: THE FDA and Medical Device Cybersecurity Guidance

APT’s: Advanced Persistent Threats

Detecting APTs

To aid in detecting Advanced Persistent Threats (APTs):

* The Splunk platform alerts IT on attempts to remotely access the hospital’s infrastructure from foreign countries such as Russia. Russia has become well known for infecting sites with malware.

* Many attack vectors start with a phishing email used to deliver malware; analysts can correlate Exchange, antimalware server and firewall logs for evidence of questionable downloads.

* Splunk allows cross-referencing of any data, identifying attack patterns and unauthorized actions that would otherwise go undetected. Search for particular virus signatures to determine which devices are infected.
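
The mail, firewall and antimalware correlation described above, as an added Python example that is not part of the original slides and is not Splunk code. The event fields, host names, addresses and the one-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs); field names are assumptions.
MAIL = [
    {"ts": "2014-03-03T09:02:00", "rcpt": "nurse1", "sender": "billing@invoices.example", "url": "http://files.example/inv.zip"},
    {"ts": "2014-03-03T09:05:00", "rcpt": "tech2", "sender": "it@hospital.example", "url": "http://intranet.example/policy.pdf"},
]
FIREWALL = [
    {"ts": "2014-03-03T09:10:00", "user": "nurse1", "host": "ws-114", "url": "http://files.example/inv.zip"},
    {"ts": "2014-03-03T09:20:00", "user": "tech2", "host": "ws-207", "url": "http://intranet.example/policy.pdf"},
]
ANTIMALWARE = [
    {"ts": "2014-03-03T09:12:30", "host": "ws-114", "signature": "Trojan.Generic.Constructed"},
    {"ts": "2014-03-01T08:00:00", "host": "ws-207", "signature": "Adware.Constructed"},
]

def _t(event):
    return datetime.fromisoformat(event["ts"])

def correlate(mail, firewall, antimalware, window=timedelta(hours=1)):
    """Return chains: mailed URL -> same user fetched it -> detection on that host."""
    chains = []
    for m in mail:
        for f in firewall:
            # The mail recipient fetched the mailed URL, after delivery, inside the window.
            if f["user"] != m["rcpt"] or f["url"] != m["url"]:
                continue
            if not timedelta(0) <= _t(f) - _t(m) <= window:
                continue
            for a in antimalware:
                # Only detections on the downloading host that follow the download count.
                if a["host"] == f["host"] and timedelta(0) <= _t(a) - _t(f) <= window:
                    chains.append({
                        "user": m["rcpt"], "host": f["host"],
                        "sender": m["sender"], "url": m["url"],
                        "signature": a["signature"],
                        "minutes_to_detection": (_t(a) - _t(m)).total_seconds() / 60,
                    })
    return chains

if __name__ == "__main__":
    for chain in correlate(MAIL, FIREWALL, ANTIMALWARE):
        print(chain)
```

The second workstation is not reported: its antimalware event predates the download, so it cannot be evidence of that download.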

Page 18: THE FDA and Medical Device Cybersecurity Guidance
Page 19: THE FDA and Medical Device Cybersecurity Guidance

Wearable Medical Devices

Page 20: THE FDA and Medical Device Cybersecurity Guidance

1.) Pacemaker

2.) Insulin pumps

3.) Smart glasses (Google, Vuzix)

4.) Smart watches (Google, Apple)

5.) Smart clothing (RFID tags)

Wearables- Risks & Possible Solutions

Page 21: THE FDA and Medical Device Cybersecurity Guidance

Middlesex hospital video

Splunk and security (intrusion detection)

Page 22: THE FDA and Medical Device Cybersecurity Guidance

Success Stories from Healthcare corporations

iRhythm

Challenges

- iRhythm is a rapidly growing medical device and service company.

- iRhythm required an efficient and effective way to monitor business processes, establish baseline performance across their entire operation and continue to track that performance as the business evolved.

BUSINESS IMPACT

* Operational intelligence and long-term planning

* Business process monitoring through every stage of the business model

* Operational intelligence without investing in a data warehouse

* Secure data management for HIPAA

Page 23: THE FDA and Medical Device Cybersecurity Guidance

Success Stories—ING--Financial

Ensuring Regulatory Compliance

Financial services companies are subject to an ever increasing set of regulatory requirements that include Sarbanes-Oxley, PCI and Basel II, among others.

* Splunk indexes data generated by the technologies that need to be monitored for regulatory compliance.

* It enables rapid retrieval of log data requested by IT auditors.

“With Splunk we achieved ROI within 60 days, and we’re able to better meet compliance mandates and improve auditing and reporting best practices, despite reducing our compliance staff.”

Legg Mason

Page 24: THE FDA and Medical Device Cybersecurity Guidance

Splunk and Compliance

• Splunk demonstrates compliance with HIPAA requirements related to unauthorized access of ePHI records. Splunk software is able to take proactive measures to pinpoint any security breaches related to ePHI records.

Security Regulations:

• FISMA – For government agencies, Splunk securely collects, indexes and stores all log and machine data along with audit trails to meet NIST requirements. The continuous monitoring process steps in NIST 800-137 (draft) are listed as: Define, Establish, Implement, Analyze/Report, Respond and Review/Update.

• HIPAA - Splunk instantly assesses reports of EPHI leakage and meets HIPAA’s explicit log requirements. HIPAA and EPHI security and privacy rules include explicit requirements for audit trail collection, review, automated monitoring and incident investigation.

Page 25: THE FDA and Medical Device Cybersecurity Guidance

Splunk and Compliance

• PCI - Rapid compliance with explicit PCI requirements for log retention/review and change monitoring, comprehensive reporting on all PCI controls such as passwords and firewall policy.

• SOX - Splunk search makes compliance-mandated routine log review easy and straightforward. For IT controls based on ITIL, COBiT, COSO, ISO 17799, BS-7799 audit and reporting.

Page 26: THE FDA and Medical Device Cybersecurity Guidance

Conclusion

Since 2014, future devices will have a device cybersecurity product life cycle from design to operation to disposal.

The result will be a strengthening of the HIPAA Privacy and Security Rule in areas of Risk Analysis for medical device purchases.

Page 27: THE FDA and Medical Device Cybersecurity Guidance

About the Authors

Valdez Ladd – MBA, CISSP, CISA, COBIT 4.1

ISO/TC 215 - Health informatics, WG 4, Privacy and Security (2011-2013)

WEDI.org

Cloud Security Alliance

ISACA.org

ISC2.org

contact: www.linkedin.com/in/valdezladd

Pam Gilmore - BS Business Administration Management concentration. Member of ISSA Raleigh, NC chapter. She has been a key leader for editing of Dex One company security policy documentation and review. Technical focus is in Incident Handling, Information Security and Architecture.