Balancing Usability and Security for Medical Devices

Transcription

1 Balancing Usability and Security for Medical Devices Ken Hoyme Adven&um Labs Robert North, LLC March 17, /17/ Adven8um Labs and 1

2 Early device connec8vity was simple Human Centered Strategies Use Risk Concerns: Response 8me Alarm management Security Concerns: None In- hospital monitoring of bedside and later ambulatory pa8ents Improved awareness/response from central monitoring sta8ons Dedicated communica8ons between devices and sta8ons Separate from other hospital networks 3/17/ Adven8um Labs and Human Centered Strategies 2

3 Device connec8vity for EHR Integra8on Human Centered Strategies Use Risk Concerns: Manual entry errors Pa8ent ID errors Data overload Security Concerns: Confiden8ality Data integrity Network availability Device infec8on Hospital Network Automa8c updates into pa8ent record More accurate, 8mely informa8on Networked connec8on between devices and EMR May be shared on hospital network 3/17/ Adven8um Labs and Human Centered Strategies 3

4 Pan- enterprise Connec8vity B2B health data connec8ons to external sites Pa8ent portals, HIEs Connec8ons to outpa8ent clinics and home monitoring Mobile pa8ent devices, BYOD in- hospital Use Risk Concerns: Data islands Inconsistency Urgent condi8ons missed Configura8on by non- experts Security Concerns: Privacy Data integrity Access control Availability Vulnerability management Pa8ent safety 3/17/ Adven8um Labs and 4

5 Known Medical Device Security Vulnerabili8es Implantable/wearable devices Security researchers have demonstrated that some manufacturers have not secured the links that permit programming Field- updateable devices Researchers have demonstrated many use a single administrator password to update so\ware Devices built on common OS s Known vulnerabili8es to malware wri^en for the basic OS Networked medical devices Many demonstrated suscep8bili8es for standard network a^acks 3/17/ Adven8um Labs and 5

6 Collec8ve Response GAO report issued August 2012 Recommended FDA increase pre- and post- market scru8ny of device cybersecurity FDA dra\ guidance issued June 2013 Directs manufacturers to balance security and usability But also offers a list of security considera8ons that could nega8vely impact clinical workflow Several guidance/standards efforts underway E.g. AAMI Device Security Working Group 3/17/ Adven8um Labs and 6

7 Medical Device Access Points Physical user interface Direct user access Network connec8on Wired/wireless Remote access, remote control, configura8on Peripheral connec8ons USB, RFID, Bluetooth Posi8ve Pa8ent ID, char8ng, ambulatory link Maintenance access (may use one of the above) So\ware updates, device diagnos8cs 3/17/ Adven8um Labs and 7

8 Device Security Scope Maintain the privacy of pa8ent informa8on ID, measurements, treatments, etc. Confiden8ality Prevent unauthorized modifica8ons to pa8ent ID, measurements, sekngs and the device s so\ware Ensure that the func8onality of the device is available when needed Integrity Availability 3/17/ Adven8um Labs and 8

9 Exis8ng Security/Usability Research Authen8ca8on Secure Computer Maintenance Passwords Challenge Ques8ons Web Browsers Public Key Cryptography An8- phishing Social Networks Mobile Devices Anonymizers 3/17/2014 Not focused on medical devices in a clinical se1ng Symposium On Usable Privacy and Security 2014 Adven8um Labs and 9

10 Medical Devices are not standard IT systems 3/17/ Adven8um Labs and 10

11 Safety/Risk/Benefit Medical devices are approved because they have a demonstrated clinical benefit and use safety Prescribed for pa8ents with indicated needs Interference, loss or delay of that benefit can result in pa8ent harm Security vulnerabili8es or their mi8ga8ons can lead to interference, loss or delay if poorly addressed 3/17/ Adven8um Labs and 11

12 Workflow Management Acute care sekngs place high mul8- tasking requirements on the staff Security controls can lead to classic workflow issues including Loss of situa8on awareness Knowing workflow is blocked Confusion about what is going on Device configura8on interac8ons with security controls can also nega8vely impact workflow This can impact safety of any of the pa8ents being treated by that staff member 3/17/ Adven8um Labs and 12

13 Emergency response During medical emergencies, medical device therapies can interact with emergency response Infusion pumps, ven8lators, defibrillators Introduc8on of security controls can interfere with emergency response Design challenge create controls that secure the device in non- emergency situa8ons without interfering during emergencies 3/17/ Adven8um Labs and 13

14 Devices Cross Trust Zones The same device could be used in many different medical contexts Surgery Cri8cal Care ER/ICU Standard floor Outpa8ent Home Should the same security controls be applied in all situa8ons? 3/17/2014 Ambulatory 2014 Adven8um Labs and 14

15 Research Ques8ons 3/17/ Adven8um Labs and 15

16 Usable authen8ca8on Classic IT authen8ca8on is User ID/Password Likely used to access the EMR What medical device interac8ons should have user authen8ca8on requirements? Configuring diagnosis/therapy sekngs? In the pa8ent room versus remotely? Machine- to- machine authen8ca8on op8ons Authen8ca8on over peripheral interfaces What about so\ware updates to the device? Impact on workflow Pa8ent checks, device changes, device maintenance 3/17/ Adven8um Labs and 16

17 Authen8ca8on discussion Infusion pump Drug Library Electronic Medical Record Pa8ent ID Ini8al configura8on of device to a pa8ent? Nurse inputs to front panel? When, where, how? Drug Library updates? M2M cer8ficate EMR access? Pa8ent ID link? Pump network configura8on? Pump firmware changes? 3/17/2014 Overall impact on workflow for nursing and IT staff 2014 Adven8um Labs and 17

18 Trust- zone aware device management Spectrum Surgery/ICU Physical security exists Pa8ent associated with fixed loca8on Clinical staff physically present making rapid decisions Higher pa8ent risk IT/Clinical Engineering 8ghtly controls configura8ons Home healthcare May be no physical security Pa8ent moves about an interacts with other people Clinical staff remotely located making decisions across groups of pa8ents May have no trained IT staff suppor8ng configura8ons How should a device be designed to be used in different trust zones? Limit func8onality? Adapt security controls? Can a device automa8cally configure itself? What use errors occur if a device is misconfigured for the trust- zone it is opera8ng in? 3/17/ Adven8um Labs and 18

19 Low- impact non- repudia8on methods Privacy laws create the need for holders of pa8ent data to verify who accessed that data Example logging access via an EMR For legal, liability and best clinical care prac8ces, this requirement may be extended Who changed a device sekng, provided therapy, acknowledged an alarm What is the best means to provide such informa8on at the point of care? Balancing workflow impact, use errors, strength of electronic assurance of iden8ty and device cost 3/17/ Adven8um Labs and 19