Medical Devices. Safe, but are they secure? Dan Stoker, Consultant Professional Services, Coalfire

Transcription

1 Medical Devices Safe, but are they secure? Dan Stoker, Consultant Professional Services, Coalfire

2 Introduction This perspective paper aims to help organizations understand the emerging issue of security in the context of medical devices. Medical devices have not historically been included in HIPAA compliance or healthcare security programs, yet their capabilities make them prime targets for exploitation. At stake are both patient safety and privacy. The main objective is to bring this issue onto the risk radar of healthcare providers that utilize these devices. SAFE VERSUS SECURE We want to believe in the safety of the devices that promise to improve our medical care. Nonetheless, the history of medical devices is littered with examples of faulty and outright bogus devices that have caused harm to the very patients they aim to benefit. A broad movement began in the 1960s to regulate medical devices and culminated in the Medical Devices Regulation Act of Among many provisions, this act authorized the Food and Drug Administration (FDA) to regulate medical devices. For devices classified to pose the highest risk to human life, pre-market approval was required to provide reasonable assurance of their safety and effectiveness. In the digital age, the new frontier is the security of electronic protected health information (ephi). HIPAA itself does not regulate medical devices, but does impose strong expectations on covered entities and business associates for the safeguarding of ephi that is created, received, maintained, or transmitted by these devices. For this reason, medical devices should be included in an organization s HIPAA Security Program. Not Science Fiction Safety can be compromised by poor security as illustrated in dramatic fashion in 2012 when security researcher Barnaby Jack (his real name) was able to wirelessly reprogram an insulin pump to deliver a fatal dose. The same researcher has also revealed the ability to remotely activate a pacemaker to deliver a fatal shock. This was a plot element on a popular TV show that led to widespread concern over the viability of the attack. The FDA felt it was necessary to respond publicly and reassure the nation that no such attacks are known. Less dramatic, but no less important, is the rising value of ephi on the black market. Personal health information is now more valuable than credit card data. According to a 2012 report issued by the Healthcare Information and Management Systems Society (HIMSS), a patient health record is valued at $50, compared to $3 for a social security number and $1.50 for a credit card

3 number. These points demonstrate that security is no longer a nice-to-have, but a necessary and indispensable part of medical device design and implementation. Risk Reduction Efforts Security risks from medical devices are being studied and evaluated from a variety of perspectives, from academic to governmental to industry. Given their central importance to modern medicine, it is not possible to opt out of the use of medical devices. Taming their security problems starts with understanding the dimensions of the problem. Security Research Two major efforts are underway to discover the relevant issues with security of medical devices. The Archimedes Project at Ann Arbor Research Center has been uncovering security issues since These problems range from data insecurity to safety concerns. Their research has provided valuable feedback to industry, and is influencing the security design of future medical devices. The non-profit Center for Internet Security (CIS) has initiated a broad project to develop baselines for medical device security. CIS is particularly known for its security benchmarks, especially operating system hardening guides. CIS also operates the Multi-State Information Sharing and Analysis Center and the Trusted Purchasing Alliance. They have the organizational experience and reputation to serve as a clearinghouse for security issues in medical devices. They will be partnering with the National Health Information Sharing and Analysis Center. FDA Guidance In 2013 the FDA issued a series of recommendations regarding medical devices having to do with security. Their guidance for pre-market submissions was augmented to include security dimensions, including features that implement the CIA security triad (Confidentiality, Integrity and Availability). Pre-market clearance is relevant for devices that represent the highest risk to human life. This guidance particularly points out the value of documentation of risk analysis, including life cycle recommendations. Just two months later, the FDA followed up with detailed guidance about the use of wireless in medical devices, emphasizing use of authentication and encryption. Although no attacks are known to have occurred in the real world, the exploitable vectors discovered by researchers are directly addressed in this guidance, which is likewise aimed at pre-market submissions.

4 ISO Guidance to Manufacturers A detailed guide to risk management for the safety of medical devices is described in ISO It makes the central philosophical point: All stakeholders need to understand that the use of a medical device entails some degree of risk. Minimization of those inherent risks is the aim of the processes outlined. All stakeholders need to These include: understand that the use of a Detailed example questions that can illuminate intended use Types of hazardous situations Sample controls that can be applied to discovered risks Help from the Industry Manufacturers have responded by issuing Manufacturer Disclosure Statements for Medical Device Security (MDS 2 ). The forms were originally developed by HIMSS and later standardized with the National Electrical Manufacturers Association (NEMA). A particular difficulty for IT personnel has been that medical devices have full computing power, but don t fit into the usual taxonomy of IT devices. Further, information about the operation of a device is often proprietary, obscuring important details useful to IT personnel attempting to proactively manage risk. The MDS 2 provides manufacturers with a structured way to disclose risk information without exposing sensitive intellectual property. It contains information about: the way the device uses ephi and how that ephi is protected ways the device can be configured for access control (both logical and physical) device options for hardening (including anti-malware) networking details backup and recovery guidance about device lifecycle medical device entails some degree of risk. The MDS 2 is an essential data source for the risk management process. A recent update to the MDS 2 standard form has increased the structured information on the form, making it even more useful and better aligned with IEC (the ISO standard for risk management of networked medical devices). In the next section, we bring together all these sources of information and show how an organization can apply them to their particular situation.

5 Healthcare Providers: Risk Management Individual covered entities should approach the issue of medical device security from a risk management perspective. Backed by guidance on best practices and detailed data for each medical device, organizations can effectively pursue a risk management methodology such as NIST One simplified outline of the steps in is: 1. Inventory and Characterize Systems 2. Threat Identification 3. Vulnerability Assessment 4. Control Analysis 5. Likelihood Determination 6. Impact Analysis 7. Recommend Risk Controls Here we can see the usefulness of the efforts described before. The MDS 2 forms can serve as meta-data for an inventory of medical devices. Threats and vulnerabilities are being analyzed and publicized. These reports can help determine which controls will be most effective for which threats. The FDA is laying the groundwork for enhanced security expectations. Organizations can use standard risk management techniques when backed by such robust information. With an understanding of the organization s risk appetite, appropriate controls can be implemented and evaluated.

6 Coalfire can help Coalfire has experience working with clients who are proactively managing their security risk from medical devices. Our experience can help clients navigate this landscape more effectively and efficiently. Risk Assessment Methodology Along with the methodology briefly outlined above, Coalfire has developed a risk scorecard that encompasses a highly relevant subset of controls. This scorecard integrates data from device MDS 2 forms and the client s environment to help prioritize risk remediation efforts. Tactical and Strategic Advice The trajectory of threat growth compared with gradually improving security in medical devices means that a stable ecosystem is years away. Coalfire has advised clients at all levels of program maturity. Sectors such as banking and government have had a head start in dealing with embedded systems security, and their efforts offer valuable lessons. First, the focus must be on getting a handle on existing risk while laying a foundation for improvement. More mature programs move forward by expanding the scope of pilot programs, continuously evaluating risk, and also pushing back on device manufacturers through the procurement process. Conclusion Although there is no timeline for when medical device security will mature to match the level of general information technology, there are important steps being taken. A loose coalition of academic, government and industry experts are building the case for government and industry security mandates. In the meantime, these efforts can inform effective risk management programs for proactive covered entities. Coalfire has experience implementing this process with clients and offers comprehensive healthcare security experience.