Cyber Security for your Connected Health Device

Size: px

Start display at page:

Download "Cyber Security for your Connected Health Device"

Roxanne Underwood
8 years ago
Views:

1 Cyber Security for your Connected Health Device

2 Agenda Cyber Security Emerging Threats Implications to Healthcare Healthcare Response

West Region Launch Vulnerability Assmt 2011 Launch South Central Region Launch Governance,

3 OpenSky s timeline Service Evolution Launch IT Optimization 2014 Geographic Expansion Merge with TUV Rheinland Launch Enterprise Mobility 2013 Launch Application Security 2012 Launch West Region Launch Vulnerability Assmt 2011 Launch South Central Region Launch Governance, Risk & Compliance 2010 Launch Southwest Region 2009 Launch Mid- Atlantic Region Formal Launch 1/

4 GLOBAL ORIGINS & BACKGROUND 140 YRS OF INNOVATION

5 Key Drivers for Cyber Security in Healthcare... FDA issued cyber security warning in June 2013 to address the risks FDA published draft guideline on Cyber security for medical devices (June 2013) Device manufacturers have confirmed the FDA is asking for documentation related to cybersecurity (FDA guidelines) during the approval process (510k, PMA) Most hospitals now require device manufacturers to provide evidence that the devices they are buying are secure and not succeptable to cyber security risks Increasing publicity surrounding cyber security of medical devices Actual related risks and hazards exist

manufacturers have confirmed the FDA is asking for documentation related to cybersecurity (FDA guidelines) during the approval process (510k, PMA) Most hospitals now

6 Cyber Security Emerging Threats

7 The Cyber Security Landscape Source:

8 Cyber Security by the numbers Source: Symantec Source: Symantec Twelve-Month Timeline of Data Breaches Source: Symantec Source: Symantec

9 Cyber Security Top Industry Targets $$$ is the Biggest motivator; Targets are changing; Medical PII is becoming more valuable than PCI data ($20 vs $2). Source: Mandiant M-Trends Beyond the Breach

10 Cybersecurity Attack Scenario Retail 1. Cybercriminals leveraged minor misconfigurations in the infrastructure to identify systems with direct access to the POS systems. 2. A domain controller, which provided authentication for corporate offices and retail stores, provided the vulnerable pivot point. 3. The card-harvesting malware deployed on each register searched the process memory of the POS application for magnetic stripe data stored in POS system Source: Mandiant M-Trends Beyond the Breach

11 Cybersecurity Attack Scenario Hospital 1. Cybercriminals create phishing to lure unsuspecting user to click on link that points to malware. 2. Unsuspecting user receives phishing and clicks on link. Medical Information Server Administration User Nurses Internet Lab Equipment 3. Infected Administration PC searches for other unpatched or vulnerable devices. Finding vulnerable application on lab equipment, attacks that equipment to gain access to the Medical Devices. Medical Devices Impatients

Unsuspecting user receives phishing email and clicks on link.

12 Cyber Security Implications to Healthcare

13 Internet of Things is here.

14 Top four medical device threats The security leaders interviewed listed among their top perceived threats to networked medical devices: Hacktivists wishing to cause service interruption. Thieves desiring to sell or monetize personal health information (PHI), Malicious groups or individuals seeking to cause harm to patients (possibly targeting VIP patients) Malware that evades existing antivirus engines and rules but is not specifically targeted at medical devices. Networked medical device cybersecurity and patient safety Source: Deloitte SANS Healthcare Cyber Security Report

Thieves desiring to sell or monetize personal health information (PHI), Malicious groups or individuals seeking to cause harm to patients

15 Cyber Security Spending/ Costs

16 Cyber Security Malware by Vertical

17 Highest medical fraud by compromised organizations Legend: Dark states show highest population Orange circle shows the number of organizations compromised Locations and Types of Compromised Organizations Source: SANS Healthcare Cyber Security Report Note: states with most stringiest privacy laws were also the same states most affected.

Types of Compromised Organizations Source: SANS Healthcare Cyber Security Report

18 Type of devices emitting malicious traffic Source: SANS Healthcare Cyber Security Report

19 Healthcare s response Cyber Security threats

20 Cyber Security Mitigation lifecycle Governance Risk Management Risk Identification

21 Risk Assessment Methodology Threat Agents Exposures Attacker Objectives Attacker Methods Controls Identify All possible threats, objectives, and methods Filter & Prioritize Highest risk threats, objectives, and methods Scan for Vulnerabilities Identify which vulnerabilities have controls. Those without controls are likely exposures

TÜV Rheinland helps reduce these cost MEDICAL Provide regulatory budget for global markets Device Scope OpenSky Risk Assessments and Secure Coding Product Market

22 TÜV Rheinland helps reduce these cost MEDICAL Provide regulatory budget for global markets Device Scope OpenSky Risk Assessments and Secure Coding Product Market Annual Cost Design Product Development lifecycle TÜV Rheinland Core Business Market Certification Validation Provide data testing based on regulatory requirements

23 Thank-you! Jesus Laz Montano CSO & VP of Security Services OpenSky Corporation a TÜV Rheinland Company jmontano@openskycorp.com Rayshon L. Payne Medical Account Manager TÜV Rheinland rpayne@us.tuv.com

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH Andy Watson Grant Thornton LLP. All rights reserved. CYBERSECURITY 2 SURVEY OF CHIEF AUDIT EXECUTIVES (CAEs) GRANT THORNTON'S 2014 CAE SURVEY Data privacy and