Using Common Criteria Evaluations to Improve Healthcare Cybersecurity

Transcription

1 Approved for Public Release; Distribution Unlimited The MITRE Corporation. ALL RIGHTS RESERVED. Using Common Criteria Evaluations to Improve Healthcare Cybersecurity David Kleidermacher Blackberry Dr. David Klonoff Diabetes Technology Society Margie Zuk - MITRE

2 Background Healthcare is an attractive target for sophisticated adversaries: organized crime, nation states, hacktivists Medical devices may be an attacker s entry point, or incidentally compromised during an attack because of vulnerabilities Medical Devices Contain configurable embedded computer systems Increasingly interconnected Wirelessly connected Legacy devices Use Environment Varied responsibilities for purchase, installation and maintenance of medical devices, often siloed Variable control over what is placed on the network Inconsistent training and education on security risks

3 FDA Public Workshop: Collaborative Approaches for Medical Device and Healthcare Cybersecurity October 21-22, 2014 Co-sponsored with HHS and DHS 1300 total participants included onsite and remote Broad range of stakeholders Goals: Catalyze collaboration among all HPH stakeholders Identify barriers that impede efforts towards promoting cybersecurity Advance the discussion on innovative approaches for building securable medical devices

4 MITRE Handshake Site: Medical Device and Healthcare Cybersecurity Virtual collaboration space for HPH sector to continue discussion from public workshop Over 170 participants FAQ with rules of engagement Individual requests account MITRE sends invitation Individual responds and creates account Individual joins Handshake

5 Medical Device Ecosystem Researchers Industry Venture Capitalists Patients Medical Device Ecosystem Professional Societies Regulators Health Care Providers Payers

6 Collaborating with the Medical Device Cybersecurity Ecosystem MITRE conducting stakeholder study as a follow-on to the FDA workshop Meeting with over 70 stakeholders across the medical device ecosystem Understand stakeholder perspectives Understand cybersecurity gaps and challenges Establishing collaborative models for information sharing and a shared risk framework Participating in emerging industry efforts

7 Diabetes Technology Society Cybersecurity Standard for Connected Diabetes Devices (DTSec) Developing a cybersecurity standard and evaluation process Focus on 4 device classes Blood Glucose Monitors (BGM) Continuous Glucose Monitors (CGM) Insulin pumps (IP) Artificial Pancreas (AP) Establishing a technical community composed of clinicians, manufacturers, cybersecurity experts, academia, and government members Sub groups including Scope of Work, Protection Profile, and Assurance

8 Goals of DTSec Assurance Program Scientific approach to security evaluation Supports life-critical systems Efficient (cost and time) Enable continuous improvement Open and international

9 Medical Device Assurance 9

10 DTSec Security Functional Requirements Work in progress PP covers meters Firmware/software authenticity User data (e.g. BG readings) authenticity Secure local channel (auth+encrypt) e.g. BTLE security mode 1, level 3 User authentication to device (OPTIONAL) Information flow policy to enable safe 1-way reading from GMs to smartphone (no control allowed)

11 DTSec Security Assurance Requirements Human Life Sophisticated, Motivated Attacker Attack Threat Potential Asset Value Low Medium High High Low Medium High Medium Low Medium Medium Low Low Low Low IEC Class A: No injury or damage to health is possible Class B: Non-serious injury is possible Class C: Death or serious injury is possible Independent assurance packages can be applied to any PP

12 DTSec Security Assurance Requirements ASSURANCE PACKAGE Lifecycle Requirements TOE-independent common to manufacturer s TOEs Product Requirements TOE-dependent

13 DTSec Security Assurance Requirements ASSURANCE PACKAGE Lifecycle Requirements CM plans and process Arch, design, specification Development tool standards Flaw remediation process Product Requirements Arch, design, specification Testing of requirements Vulnerability assessment

14 DTSec: Evaluation Efficiency DTSec Class C ASSURANCE PACKAGE IEC ISO ISO Target ISO family and component IEC coverage ADV_ARC ADV_FSP ADV_IMP.1 B.5.5 ADV_INT ADV_TDS AGD_OPE AGD_PRE ALC_CMC.5 8 ALC_CMS.5 8 ATE_COV and 5.7 ATE_DPT ATE_FUN and 5.7 ATE_IND AVA_VAN.4 not covered Product Requirements Arch, design, specification Testing of requirements Vulnerability assessment

15 DTSec: Evaluation Efficiency DTSec Class C ASSURANCE PACKAGE Arch, design, specification Testing of requirements Vulnerability assessment

16 DTSec: Evaluation Efficiency Delta certification / assurance continuity Vendor documents delta Patch set, version increment, etc. Depending on scope of modifications Minor: accept and publish addendum to certificate Major: re-evaluation Gray: audit

17 DTSec Scope Near Term Publish standard Leverages ISO 15408, 18045, Defines the assurance program Accreditation of labs, certification of results, assurance maintenance Create PP(s) for important product families BGM, CGM, IP, AP Initial vendor(s) write ST(s) for initial product(s) Select and accredit initial lab(s) Lab evaluates initial product(s) against ST(s) Certify lab results Flock to the streets in rapture

18 Summary and Onward DTSec: medical device security standard and assurance program Assurance by evaluation based on ISO Administered by international multi-stakeholder non-profit Custom assurance package, leverage IEC Life-critical wireless devices AVA_VAN.4 Future Demonstrate efficient evaluations Expand to other device types, e.g. infusion pumps Lowered cost of insurance? Regulatory recommendation and/or mandate Observe and integrate with synergistic efforts

19 Contact