Medical Devices. Safe, but are they secure? Dan Stoker, Consultant Professional Services, Coalfire




Introduction

This perspective paper aims to help organizations understand the emerging issue of security in the context of medical devices. Medical devices have not historically been included in HIPAA compliance or healthcare security programs, yet their capabilities make them prime targets for exploitation. At stake are both patient safety and privacy. The main objective is to bring this issue onto the risk radar of healthcare providers that utilize these devices.

SAFE VERSUS SECURE

We want to believe in the safety of the devices that promise to improve our medical care. Nonetheless, the history of medical devices is littered with examples of faulty and outright bogus devices that have harmed the very patients they were meant to benefit. A broad movement that began in the 1960s to regulate medical devices culminated in the Medical Device Amendments of 1976. Among many provisions, this act authorized the Food and Drug Administration (FDA) to regulate medical devices. For devices classified as posing the highest risk to human life, pre-market approval was required to provide reasonable assurance of their safety and effectiveness.

In the digital age, the new frontier is the security of electronic protected health information (ePHI). HIPAA itself does not regulate medical devices, but it does impose strong expectations on covered entities and business associates for the safeguarding of ePHI that is created, received, maintained, or transmitted by these devices. For this reason, medical devices should be included in an organization's HIPAA Security Program.

Not Science Fiction

Safety can be compromised by poor security, as illustrated in dramatic fashion in 2012 when security researcher Barnaby Jack (his real name) wirelessly reprogrammed an insulin pump to deliver a fatal dose. The same researcher has also demonstrated the ability to remotely activate a pacemaker to deliver a fatal shock. A similar attack was a plot element on a popular TV show and led to widespread concern over the viability of the attack; the FDA felt it necessary to respond publicly and reassure the nation that no such attacks are known to have occurred.

Less dramatic, but no less important, is the rising value of ePHI on the black market. Personal health information is now more valuable than credit card data. According to a 2012 report issued by the Healthcare Information and Management Systems Society (HIMSS), a patient health record is valued at $50, compared to $3 for a social security number and $1.50 for a credit card number. These points demonstrate that security is no longer a nice-to-have, but a necessary and indispensable part of medical device design and implementation.

Risk Reduction Efforts

Security risks from medical devices are being studied and evaluated from a variety of perspectives: academic, governmental and industry. Given their central importance to modern medicine, it is not possible to opt out of the use of medical devices. Taming their security problems starts with understanding the dimensions of the problem.

Security Research

Two major efforts are underway to discover the relevant issues with the security of medical devices. The Archimedes Research Center for Medical Device Security at the University of Michigan, Ann Arbor, has been uncovering security issues since 2006. These problems range from data insecurity to safety concerns. Its research has provided valuable feedback to industry and is influencing the security design of future medical devices.

The non-profit Center for Internet Security (CIS) has initiated a broad project to develop baselines for medical device security. CIS is particularly known for its security benchmarks, especially its operating system hardening guides. CIS also operates the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Trusted Purchasing Alliance. It has the organizational experience and reputation to serve as a clearinghouse for security issues in medical devices, and it will be partnering with the National Health Information Sharing and Analysis Center (NH-ISAC).

FDA Guidance

In 2013 the FDA issued a series of recommendations regarding cybersecurity in medical devices. Its draft guidance for pre-market submissions was augmented to include security dimensions, including features that implement the CIA security triad (Confidentiality, Integrity and Availability). Pre-market submissions include the pre-market approval (PMA) required for devices that pose the highest risk to human life, as well as 510(k) clearance for lower-risk devices. This guidance particularly points out the value of documented risk analysis, including life-cycle recommendations. Just two months later, the FDA followed up with detailed guidance on the use of wireless technology in medical devices, emphasizing authentication and encryption. Although no attacks are known to have occurred in the real world, the exploitable vectors discovered by researchers are directly addressed in this guidance, which is likewise aimed at pre-market submissions.

ISO Guidance to Manufacturers

A detailed guide to risk management for the safety of medical devices is described in ISO 14971. It makes the central philosophical point: all stakeholders need to understand that the use of a medical device entails some degree of risk. Minimization of those inherent risks is the aim of the processes outlined. These include:

- Detailed example questions that can illuminate intended use
- Types of hazardous situations
- Sample controls that can be applied to discovered risks

Help from the Industry

Manufacturers have responded by issuing Manufacturer Disclosure Statements for Medical Device Security (MDS2). The form was originally developed by HIMSS and later standardized with the National Electrical Manufacturers Association (NEMA). A particular difficulty for IT personnel has been that medical devices have full computing power but don't fit into the usual taxonomy of IT devices. Further, information about the operation of a device is often proprietary, obscuring important details that IT personnel need in order to proactively manage risk. The MDS2 provides manufacturers with a structured way to disclose risk information without exposing sensitive intellectual property. It contains information about:

- the way the device uses ePHI and how that ePHI is protected
- ways the device can be configured for access control (both logical and physical)
- device options for hardening (including anti-malware)
- networking details
- backup and recovery
- guidance about the device lifecycle

The MDS2 is an essential data source for the risk management process. A recent update to the MDS2 standard form has increased the structured information on the form, making it even more useful and better aligned with IEC 80001-1 (the standard for applying risk management to IT networks that incorporate medical devices).

In the next section, we bring together all these sources of information and show how an organization can apply them to its particular situation.

Healthcare Providers: Risk Management

Individual covered entities should approach the issue of medical device security from a risk management perspective. Backed by guidance on best practices and detailed data for each medical device, organizations can effectively pursue a risk management methodology such as NIST SP 800-30. One simplified outline of the steps in 800-30 is:

1. Inventory and Characterize Systems
2. Threat Identification
3. Vulnerability Assessment
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Recommend Risk Controls

Here we can see the usefulness of the efforts described above. The MDS2 forms can serve as metadata for an inventory of medical devices (step 1). Threats and vulnerabilities are being analyzed and publicized by the research efforts named earlier (steps 2 and 3), and those reports can help determine which controls will be most effective against which threats (step 4). The FDA is laying the groundwork for enhanced security expectations. Organizations can use standard risk management techniques when backed by such robust information. With an understanding of the organization's risk appetite, appropriate controls can be implemented and evaluated.
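As an added illustration (not code from the Coalfire paper), the following Python script walks a constructed three-device inventory through the simplified 800-30 steps above: threats are listed only where a device has the matching exposure, each missing control becomes a finding, likelihood is derived from reachability and findings, impact from patient safety and ePHI handling, and a 3x3 matrix yields the risk level. The boolean fields on each record are a stand-in for the kinds of disclosures an MDS2 form makes (ePHI handling, encryption, anti-malware support, network and remote access); they are not the real MDS2 question numbering, the device records are made up, and the matrix thresholds are illustrative and would be tuned to the organization's risk appetite.

```python
"""Medical device risk scorecard along the simplified NIST SP 800-30 steps above.

Added example, not code from the Coalfire paper. Device records are constructed,
and the boolean fields stand in for the kinds of disclosures an MDS2 form makes;
they are not the real MDS2 question numbering.
"""
from dataclasses import dataclass


@dataclass
class Device:
    """Step 1: one inventory record, characterized from the vendor's disclosure."""
    name: str
    handles_ephi: bool            # creates, stores or transmits ePHI
    ephi_encrypted: bool          # ePHI protected at rest and in transit
    network_connected: bool
    wireless: bool
    wireless_encrypted: bool      # authenticated, encrypted wireless link
    remote_service_access: bool   # vendor or support can reach the device remotely
    fixed_credentials: bool       # default/service credentials cannot be changed
    antimalware_supported: bool
    patches_available: bool       # vendor supplies OS/firmware updates
    life_critical: bool           # compromise can directly harm a patient


def identify_threats(d: Device) -> list:
    """Step 2: list a threat only where the device has the matching exposure."""
    exposures = [(d.network_connected, "network intrusion or malware"),
                 (d.wireless, "wireless eavesdropping or command injection"),
                 (d.remote_service_access, "abuse of vendor remote access"),
                 (d.handles_ephi, "theft of ePHI")]
    return [text for present, text in exposures if present]


def assess_vulnerabilities(d: Device) -> list:
    """Steps 3 and 4: a missing control is a finding only where the device is exposed."""
    checks = [(d.network_connected and not d.antimalware_supported, "networked, no anti-malware support"),
              (d.network_connected and not d.patches_available, "networked, no vendor patch path"),
              (d.handles_ephi and not d.ephi_encrypted, "ePHI not encrypted"),
              (d.wireless and not d.wireless_encrypted, "unencrypted wireless link"),
              (d.fixed_credentials, "default credentials cannot be changed")]
    return [text for hit, text in checks if hit]


def likelihood(d: Device, findings: list) -> int:
    """Step 5: 1 (Low) to 3 (High), driven by reachability and missing controls."""
    exposure = d.network_connected + d.wireless + d.remote_service_access
    if exposure == 0:
        return 1  # reachable only with physical access
    if len(findings) >= 3 or (d.wireless and not d.wireless_encrypted):
        return 3
    return 2 if findings else 1


def impact(d: Device) -> int:
    """Step 6: patient safety outranks privacy, and both outrank a simple outage."""
    if d.life_critical:
        return 3
    return 2 if d.handles_ephi else 1


def risk_level(lik: int, imp: int) -> str:
    """3x3 matrix feeding step 7; thresholds are illustrative and set by risk appetite."""
    product = lik * imp
    return "High" if product >= 6 else "Moderate" if product >= 3 else "Low"


def scorecard(devices: list) -> list:
    """Run each device through steps 2 to 6 and order the rows for remediation."""
    rows = []
    for d in devices:
        findings = assess_vulnerabilities(d)
        lik, imp = likelihood(d, findings), impact(d)
        rows.append({"device": d.name, "threats": identify_threats(d),
                     "findings": findings, "likelihood": lik, "impact": imp,
                     "risk": risk_level(lik, imp)})
    rows.sort(key=lambda r: (-r["likelihood"] * r["impact"], r["device"]))
    return rows


INVENTORY = [  # constructed records, not real products or real MDS2 data
    Device("Wireless infusion pump", handles_ephi=True, ephi_encrypted=False,
           network_connected=True, wireless=True, wireless_encrypted=False,
           remote_service_access=False, fixed_credentials=True,
           antimalware_supported=False, patches_available=False, life_critical=True),
    Device("Imaging workstation", handles_ephi=True, ephi_encrypted=False,
           network_connected=True, wireless=False, wireless_encrypted=False,
           remote_service_access=True, fixed_credentials=False,
           antimalware_supported=True, patches_available=True, life_critical=False),
    Device("Standalone ECG cart", handles_ephi=False, ephi_encrypted=False,
           network_connected=False, wireless=False, wireless_encrypted=False,
           remote_service_access=False, fixed_credentials=True,
           antimalware_supported=False, patches_available=False, life_critical=False),
]

if __name__ == "__main__":
    for row in scorecard(INVENTORY):
        print(f"{row['risk']:<8} L{row['likelihood']} I{row['impact']}  {row['device']}")
        for finding in row["findings"]:
            print(f"            - {finding}")
```

Run as a script, it prints the three devices in remediation order: the unencrypted, unpatchable wireless pump comes out High, the imaging workstation with ePHI stored in the clear comes out Moderate, and the unnetworked ECG cart comes out Low even though its credentials are fixed, because that finding is only reachable with physical access. The point of separating exposure from control gaps is that the same missing control (here, fixed credentials) carries different weight on different devices, which is exactly what a flat checklist of MDS2 answers would hide.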

Coalfire can help

Coalfire has experience working with clients who are proactively managing their security risk from medical devices. That experience can help clients navigate this landscape more effectively and efficiently.

Risk Assessment Methodology

Along with the methodology briefly outlined above, Coalfire has developed a risk scorecard that encompasses a highly relevant subset of controls. This scorecard integrates data from device MDS2 forms and the client's environment to help prioritize risk remediation efforts.

Tactical and Strategic Advice

The trajectory of threat growth, compared with the gradual improvement of security in medical devices, means that a stable ecosystem is years away. Coalfire has advised clients at all levels of program maturity. Sectors such as banking and government have had a head start in dealing with embedded systems security, and their efforts offer valuable lessons. First, the focus must be on getting a handle on existing risk while laying a foundation for improvement. More mature programs move forward by expanding the scope of pilot programs, continuously evaluating risk, and pushing back on device manufacturers through the procurement process.

Conclusion

Although there is no timeline for when medical device security will mature to match the level of general information technology, important steps are being taken. A loose coalition of academic, government and industry experts is building the case for government and industry security mandates. In the meantime, these efforts can inform effective risk management programs for proactive covered entities. Coalfire has experience implementing this process with clients and offers comprehensive healthcare security expertise.