A Security Risk Management Framework for Networked Medical Devices

Transcription

1 A Security Risk Management Framework for Networked Medical Devices Anita Finnegan, Fergal Mc Caffery, Gerry Coleman Regulated Software Research Centre & Lero Dundalk Institute of Technology Dundalk THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide Lero 2013.

2 Overview Problem Background New / Proposed Guidance Overview of Solution Security Risk Management Life Cycle IEC/TR Security Assurance Cases Summary of Solution Conclusion THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 2

3 Problem Background Problem Background Recent Guidance & Standards Solution Conclusion Advancements in Medical Devices Increased Use of Software Device Communication Abilities Controlled Hacking Demonstrations of Devices Black Hat Security Conference, Las Vegas Breakpoint Conference, Melbourne ICS-ALERT, Medical Devices hard-coded passwords Medical Device Security Inquiry - US Government Accountability Office (GAO) Report Challenge Balancing Security with Safety & Effectiveness THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 3

4 Guidance & Standards Problem Background Recent Guidance & Standards Solution Conclusion Issued: FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks Content of Premarket Submissions for Management of Cybersecurity in Medical Devices - Draft Guidance for Industry and Food and Drug Administration Staff IEC/TR Guidance for the communication of medical device security needs, risks and controls Proposed: IEC/TR Guidance on standards for establishing the security capabilities identified in IEC/TR THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 4

5 Solution Framework Problem Background Recent Guidance & Standards Solution Conclusion ISO/IEC Assurance in the Life Cycle Provides Additional Processes to Extend the PRM NIST SP , ISO/IEC 27k, IEC 62443, ISO/IEC 15408, IEC/TR ISO/IEC , Process Reference Model Threat Modeling + Threat Identification ISO/IEC , Process Assessment Model Provides Description of Processes Assessed by: Process HDO User Needs Security Requirements Management Tool Security Assurance Case Product Risk Analysis Product Security Controls Security Capabilities HDO THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 5

6 Security Risk Management Life Cycle Problem Background Recent Guidance & Standards Solution Conclusion Feedback Security Risk Management & SDLC Assurance Case Development HDO Assurance Case Maintenance HDO Requirements Security Requirements Security Risk Management Requirements Design Coding Testing Test Results Operations Retirement THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 6

7 IEC/TR Problem Background Recent Guidance & Standards Solution Conclusion A framework for the disclosure of security-related capabilities necessary for managing the risk of connecting medical devices to IT-networks This technical report presents an informative set of common, high-level security-related capabilities useful in understanding the user needs, the type of security controls to be considered and the risks that lead to the controls The capability descriptions in the report are intended to supply healthcare delivery organizations (HDOs) and medical device manufacturers (MDMs) with a basis for discussing risk and their respective roles and responsibilities for the management of this risk THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 7

8 IEC/TR Problem Background Recent Guidance & Standards Solution Conclusion IEC/TR Security Capabilities Automatic Logoff Audit Controls Authorization Configuration of Security Features Cyber Security Product Upgrades Health Data Integrity and Authenticity Person Authentication Third Party Components in Product Lifecycle Roadmaps Data Backup and Disaster Recovery Health Data Storage Confidentiality Physical Locks on Devices Transmission Confidentiality Emergency Access Malware Protection/ Detection Security Guides Transmission Integrity Health Data Deidentification Node Authentication System & Application Hardening THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 8

9 IEC/TR Problem Background Recent Guidance & Standards Solution Conclusion THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 9

10 Security Mapping Problem Background Recent Guidance & Standards Solution Conclusion IEC/TR Security Capabilities Security Controls required for the implementation of each Security Capability ISO/IEC ISO IEC NIST SP ISO/IEC THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 10

11 Security Mapping Problem Background Recent Guidance & Standards Solution Conclusion IEC/TR Capability Security Control Source Automatic Logoff (ALOF) SR 1.4 Authenticator Management IEC SR 1.5 Strength of Password Based Authentication IEC SR 2.5 Remote session termination IEC Access Control Policy ISO/IEC Password Use ISO/IEC Unattended User Equipment ISO/IEC Clear desk & Clear Screen Policy ISO/IEC Session Time-out ISO/IEC Limitation of connection time ISO/IEC Access Control Policy ISO Password Use ISO Unattended User Equipment ISO Clear desk & Clear Screen Policy ISO Session Time-out ISO Limitation of connection time ISO AC-1 Access Control Policy & Management NIST AC-2 Account Management NIST AC-11 Session Lock NIST SI-1 System & Information Integrity Policy & NIST Procedures FDP-ACC Access control policy ISO/IEC FIA_UAU User Authentication ISO/IEC FIA_UID User Identification ISO/IEC FMT_MOF Management of Functions in TSF ISO/IEC FTA_SSL Session Locking & Termination ISO/IEC THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 11

12 Security Risk Management Problem Background Recent Guidance & Standards Solution Conclusion 1. HDO Internal Risk Assessment Identify user needs to determine required security capability of a medical device 2. Agreement between MDM and HDO Serves as the basis for one or more responsibility agreements as specified in IEC MDM Security Risk Assessment THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 12

13 Security Risk Management Problem Background Recent Guidance & Standards Solution Conclusion 4. Delivery Medical device accompanied by tailored assurance case detailing the security capability of the product 5. HDO Risk Management Ongoing security risk management using HDO tailored assurance case THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 13

14 Security Assurance Cases Problem Background Recent Guidance & Standards Solution Conclusion An assurance case is a body of evidence organised into an argument demonstrating some claim that a system holds i.e. is acceptably safe. Required when it is important to show that a system exhibits some complex property such as safety, security, or reliability. 1. Must make a claim or set of claims about a property of a system; 2. Provide a set of arguments; 3. Make clear the assumptions and judgements underlying the arguments; 4. Produce the supportive evidence THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 14

15 Assurance Case Structure Problem Background Recent Guidance & Standards Solution Conclusion THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 15

16 THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 16

17 THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 17

18 THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 18

19 THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 19

20 THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 20

21 THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 21

22 THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 22

23 THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 23

24 THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 24

25 MDM Assurance Case SDLC Security Assurance Case Problem Background Guidance & Standards Solution New/Proposed Guidance Conclusion THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 25

26 MDM Assurance Case SDLC Security Assurance Case Problem Background Guidance & Standards Solution New/Proposed Guidance Conclusion THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 26

27 MDM Assurance Case SDLC Security Assurance Case Problem Background Guidance & Standards Solution New/Proposed Guidance Conclusion THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 27

28 MDM Assurance Case SDLC Security Assurance Case Problem Background Guidance & Standards Solution New/Proposed Guidance Conclusion THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 28

29 MDM Assurance Case SDLC Security Assurance Case Problem Background Guidance & Standards Solution New/Proposed Guidance Conclusion THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 29

30 MDM Assurance Case SDLC Security Assurance Case Problem Background Guidance & Standards Solution New/Proposed Guidance Conclusion THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 30

31 MDM Assurance Case SDLC Security Assurance Case Problem Background Guidance & Standards Solution New/Proposed Guidance Conclusion THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 31

32 HDO Assurance Case HDO Security Assurance Case Problem Background Guidance & Standards Solution New/Proposed Guidance Conclusion THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 32

33 Conclusion Problem Background Guidance & Standards Solution New/Proposed Guidance Conclusion The aim of this risk management framework it to assist both HDOs and MDMs better understand the required security capabilities of networked devices IEC/TR sets out to develop a common framework for the communication of security needs, risks and controls. This will be further compounded with the MDS2 revision and also the potential IEC/TR Guidance on interpreting and updating the IEC/TR assurance case will be sufficiently covered and supported by these documents THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 33

34 Thank You for Listening Anita Finnegan This research is supported by the Science Foundation Ireland (SFI) Stokes Lectureship Programme, grant number 07/SK/I1299, the SFI Principal Investigator Programme, grant number 08/IN.1/I2030 (the funding of this project was awarded by Science Foundation Ireland under a co-funding initiative by the Irish Government and European Regional Development Fund), and supported in part by Lero - the Irish Software Engineering Research Centre ( grant 10/CE/I1855 THE Lero IRISH 2012 SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 34

35 Conclusion Problem Background Guidance & Standards Solution New/Proposed Guidance Conclusion 500,000 world wide insulin pump users THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero Slide 35