Wireless Infusion Pumps: Securing Hospitals Most Ubiquitous Medical Device

Similar documents
SECURING ELECTRONIC HEALTH RECORDS ON MOBILE DEVICES

How To Be A Successful Health Care Security Consultant

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

Why Digital Certificates Are Essential for Managing Mobile Devices

ACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector

CHIS, Inc. Privacy General Guidelines

Critical Controls for Cyber Security.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

National Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity

Network Detective. HIPAA Compliance Module RapidFire Tools, Inc. All rights reserved V

Healthcare IT Compliance Service. Services > Overview MaaS360 Healthcare IT Compliance Service

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

1. What are the System Requirements for using the MaaS360 for Exchange ActiveSync solution?

Table of Contents. Introduction. Audience. At Course Completion

Symantec Mobile Management 7.2

SECURING ELECTRONIC HEALTH RECORDS ON MOBILE DEVICES

Mobile Device Security Is there an app for that?

Deploying iphone and ipad Mobile Device Management

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015

Symantec Mobile Management for Configuration Manager 7.2

BlackBerry Enterprise Service 10. Universal Device Service Version: Administration Guide

APPENDIX B1 - FUNCTIONALITY AND INTEGRATION REQUIREMENTS RESPONSE FORM FOR A COUNTY HOSTED SOLUTION

Hands on, field experiences with BYOD. BYOD Seminar

The User is Evolving. July 12, 2011

Addressing NIST and DOD Requirements for Mobile Device Management

NIST Cybersecurity Framework Manufacturing Implementation

Looking at the SANS 20 Critical Security Controls

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Auditing the Security and Management of Smart Devices. ISACA Dallas Meeting February 13, 2014

Symantec Managed PKI Service Deployment Options

Cisco Mobile Collaboration Management Service

Altius IT Policy Collection Compliance and Standards Matrix

Copyright 2013, 3CX Ltd.

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0

Automation Suite for NIST Cyber Security Framework

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

Symantec Mobile Management 7.1

ios Enterprise Deployment Overview

Mobile Device Management for CFAES

Transporter from Connected Data Date: February 2015 Author: Kerry Dolan, Lab Analyst and Vinny Choinski, Sr. Lab Analyst

The ForeScout Difference

GE Measurement & Control. Cyber Security for NEI 08-09

e2e Secure Cloud Connect Service - Service Definition Document

BYOD. and Mobile Device Security. Shirley Erp, CISSP CISA November 28, 2012

Mobile Security & BYOD Policy

Enterprise Mobile App Management Essentials. Presented by Ryan Hope and John Nielsen

Kaspersky Security for Mobile Administrator's Guide

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

CRR-NIST CSF Crosswalk 1

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

ipad in Business Security

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS

iphone in Business Security Overview

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

Enterprise Mobility Management Migration Migrating from Legacy EMM to an epo Managed EMM Environment. Paul Luetje Enterprise Solutions Architect

Acano solution. Security Considerations. August E

Bellevue University Cybersecurity Programs & Courses

Systems Manager Cloud Based Mobile Device Management

Deploying iphone and ipad Security Overview

Remote Services. Managing Open Systems with Remote Services

The Use of the Simple Certificate Enrollment Protocol (SCEP) and Untrusted Devices

Sophos Mobile Control SaaS startup guide. Product version: 6

Mobile First Government

Workplace-as-a-Service BYOD Management

Cybersecurity Framework Security Policy Mapping Table

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline

John Essner, CISO Office of Information Technology State of New Jersey

Guideline on Safe BYOD Management

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

ForeScout MDM Enterprise

Implementing Cisco IOS Network Security v2.0 (IINS)

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions

The BYOD of Tomorrow: BYOD 2.0. What is BYOD 1.0? What is BYOD 2.0? 3/27/2014. Cesar Picasso, MBA SOTI Inc. April 02, 2014

Mobile Device Management Version 8. Last updated:

AirWatch for ios Devices

Securing Patient Data in Today s Mobilized Healthcare Industry. A Good Technology Whitepaper

Introduction to Cyber Security / Information Security

Designing a Windows Server 2008 Network Infrastructure

SANS Top 20 Critical Controls for Effective Cyber Defense

Advanced Configuration Steps

Ensuring the security of your mobile business intelligence

Chris Boykin VP of Professional Services

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

BYOD: End-to-End Security

Recommended IP Telephony Architecture

Module 1: Overview of Network Infrastructure Design This module describes the key components of network infrastructure design.

Athena Mobile Device Management from Symantec

MCITP MCITP: Enterprise Administrator on Windows Server 2008 (5 Modules)

Transcription:

Wireless Infusion Pumps: Securing Hospitals Most Ubiquitous Medical Device The Healthcare Sector at the NCCoE MARCH, 3 2016

THE NATIONAL CYBERSECURITY LAB HELPS SECURE HIT 1. About Us: The National Cybersecurity Lab 2. Wireless Infusion Pumps Project 3. Q&A 2

ABOUT THE NATIONAL CYBERSECURITY LAB

STRATEGIC PLAN VISION ADVANCE CYBERSECURITY A secure cyber infrastructure that inspires technological innovation and fosters economic growth MISSION ACCELERATE ADOPTION OF SECURE TECHNOLOGIES Collaborate with innovators to provide real-world cybersecurity capabilities that address business needs GOAL 1 PROVIDE PRACTICAL CYBERSECURITY Help people secure their data and digital infrastructure by equipping them with practical ways to implement cost-effective, repeatable and scalable cybersecurity solutions GOAL 2 INCREASE RATE OF ADOPTION Enable companies to rapidly adopt commercially available cybersecurity technologies by reducing their total cost of ownership GOAL 3 ACCELERATE EFFECTIVE INNOVATION Empower innovators to creatively address businesses most pressing cybersecurity challenges in a state-of-theart collaborative environment 4

FOUNDATIONS NIST ITL The NCCoE is part of the NIST Information Technology Laboratory and operates in close collaboration with the Computer Security Division. As a part of the NIST family, the center has access to a foundation of prodigious expertise, resources, relationships and experience. PARTNERSHIPS The NCCoE is motivated by results. Established in 2012 through a partnership between NIST, the State of Maryland and Montgomery County, the NCCoE is dedicated to furthering innovation through the rapid identification, integration and adoption of practical cybersecurity solutions. ITL THOUGHT LEADERSHIP Cryptography Identity Management Key Management Risk Management Secure Virtualization Software Assurance Security Automation Security for Cloud and Mobility Trusted Roots of Hardware Vulnerability Management Secure Networking Usability and Security 5

PARTICIPATION BENEFITS Advance your organization s adoption of practical cybersecurity solutions that are usable, repeatable and secure Access integrated cybersecurity solutions that match your industry s specific business needs Rely on cybersecurity solutions that are built on commercially available technologies Increase your organization s ability to innovate by bridging technology gaps Work with cyber innovators in a trusted, state-of-the-art, collaborative environment Deepen your organization s understanding of cybersecurity capabilities, relevant costs and integration and adoption methods Broaden your organization s awareness of cybersecurity technologies and standard 6

NATIONAL CYBERSECURITY EXCELLENCE PARTNERS Welcome to the NCCoE 7

PROJECTS: USE CASES AND BUILDING BLOCKS The NCCoE seeks use case problems that are Broadly applicable across much of a sector, or across sectors Complex enough that our reference designs will need to be based on the combination of multiple commercially available technologies Focus on a business-driven cybersecurity problem facing a particular sector (e.g., health care, energy, financial services) Building Blocks Technology-specific problems that cross sector boundaries (e.g., roots of trust in mobile devices, trusted cloud computing, software asset management, attribute based access control) Welcome to the NCCoE 8

NCCOE PROJECT LIFECYCLE Needs Assessment Identify industry s most pressing cybersecurity challenges Concept Analysis Define, prioritize and validate the highest priority Develop Use Case Collaborate with our Community of Interest to develop a Form Build Team Invite participation from industry and build a qualified team Design & Build Plan, design, and build the Use Case reference solution in a lab environment and capture in the Integrate & Test Test and validate the Use Case reference solution Publish & Evangelize Publish, post, and demonstrate the reference solution cybersecurity Use Case to execute the Practice Guide documented challenges Use Case and in the Practice develop a Guide reference solution Infusion pump project t We are here Welcome to the NCCoE 9

CURRENT PROJECTS PROJECT STAKEHOLDERS HEALTH CARE TEAM Collaborate with innovators to provide real-world cybersecurity capabilities that address business needs Tech Firms Industry Academia Government NCCoE National Cybersecurity FFRDC* National Cybersecurity Excellence Partnership (NCEP) Partners *Sponsored by NIST, the National Cybersecurity Federally Funded Research & Development Center (FFRDC) is operated by the MITRE Corporation 10

SECURING THE U.S. ECONOMY CURRENT SECTORS OF FOCUS HEALTH IT EHRs and Mobile Devices Wireless Infusion Pumps Energy IdAM Situational Awareness Financial Access Rights Management IT Asset Management Transportation Retail Data Integrity Point of Sale. 11

Wireless Infusion Pumps Project

SECURITY CONSIDERATIONS 13

WIRELESS INFUSION PUMP USE CASE SCOPE The scope of this use case is to follow the life cycle of an infusion pump from planning the purchase of the pump to decommissioning the device. Life cycle management includes: Procurement On boarding of asset Training and instructions for use Configuration Usage Maintenance Decontamination Decommissioning Devices 14

HIGH LEVEL ARCHITECTURE PoC Medication System Pharmacy emar Drug Library Workstation Drug Library Workstation Patient Wireless IV-pump Nurse Nurse CPOE IV Pump Server Medical Device wifi SSID Alarm Manager Biomed Engineer engineer Drug Library System 15

THIS ARCHITECTURE MAY INCLUDE: The Patient The Health Care Professional Wireless Infusion Pump Wireless Network Alarm Manager Electronic Medication Administration Record (emar) System Point of Care Medication System Pharmacy Computerized Physician Order Entry (CPOE) Drug Library Biomed Engineering 16

INFUSION PUMP SECURITY CHALLENGES Access codes Access point (AP)/Wireless network configuration Alarms Asset management and monitoring Credentialing Credentialing server Maintenance and updates Pump variability Utilization 17

RISK ASSESSMENT METHODOLOGY Methodology Steps Identify thread source and events vulnerabilities and predisposing conditions Determine likelihood of occurrence determine magnitude of impact risk We offer two methodologies for conducting risk assessment: 1) Table-driven 2) Attack/fault-tree assessment 18

RISK ASSESSMENT Our risk assessments focused on identifying threats that might lead to: Loss of confidentiality unauthorized disclosure of sensitive information Loss of integrity unintended or unauthorized modification of data or system functionality Loss of availability impact to system functionality and operational effectiveness 19

MAJOR THREATS Based on our risk assessment, the major threats to confidentiality, integrity, and availability are: Lost or stolen mobile devices Users o Walk away from logged-on mobile device o Download viruses or other malware o Connect to an unsecure Wi-Fi network Inadequate o Access control and/or enforcement o Change management o Configuration management o Data retention, backup and recovery 20

MAPPING CSF FUNCTIONS TO COLLABORATOR PRODUCTS CSF Function Company Application / Product Identify (ID) RSA Archer GRC centralized enterprise, risk and compliance management tool Protect (PR) MedTech Enginuity OpenEMR web-based and open source electronic health record and open source Apache Web Server supporting technologies open source PHP open source MySQL open source ModSecurity Apache module extension, web application firewall (supporting OpenEMR) open source OpenSSL cryptographically secures transmissions between mobile devices and the OpenEMR web portal service Various mobile devices Windows, IOS and Android tablets Fiberlink MaaS360 Cloud-based mobile device policy manager open source iptables firewall stateful inspection firewall open source Root CA / Fedora PKI manager cryptographically signs identity certificates to prove authenticity of users and devices open source domain name system (DNS) and performs host or fully qualified domain resolution to IP DNS encryption (DNSE) / Bind9 addresses open source secure configuration manager / creation, continuous monitoring, and maintenance of Puppet Enterprise secure server and user hosts Cisco local and remote mobile NAC radius-based authentication, authorization and accounting (Identity Services Engine) management server Cisco VPN server (ASAv 9.4) enterprise class virtual private network server based on both TLS and IPSEC open source URbackup online remote backup system used to provide disaster recovery Cisco wireless access point (RV220W) Wi-Fi access point Use 21

MAPPING SECURITY CHARACTERISTICS TO THE CSF AND HIPAA Security Characteristics CSF Function CSF Category HIPAA Requirements access control Protect (PR) Access Control (PR.AC) 164.312 (a) audit controls/ Detect (DE) Security Continuous Monitoring (DE.CM) 164.312(b) monitoring device integrity Protect (PR) Access Control (PR.AC) ( 164.312 (c)), 164.308 (a)(5)(ii)(b) Data Security (PR.DS) ( 164.312 (c)), 164.308 (a)(5)(ii)(b) Information Protection Processes and Procedures (PR.IP) Protective Technology (PR.PT) ( 164.312 (c)) ( 164.312 (c)) Detect (DE) Security Continuous Monitoring (DE.CM) ( 164.312 (c)) ( 164.312 (c)), 164.308 (a)(5)(ii)(b) person or entity authentication Protect (PR) Access Control (PR.AC) 164.312(d), 164.308 (a)(5)(ii)(d), 164.312 (a)(2)(i) transmission security Protect (PR) Access Control (PR.AC) 164.312 (e) Data Security (PR.DS) 164.312 (e)) Technology (PR.PT) 164.312 (e)) 22

ARCHITECTURE METHODOLOGIES Traditional Engineering Practices Defense in Depth Modular Networks and Systems 23

SCENARIO BASED EVALUATION Lost Mobile Device Scenario OpenEMR Access Scenario Physical Access Scenario Internal Network Access Scenario 24

REVIEW OF WHAT S IN A PRACTICE GUIDE The guide: 1. Maps security characteristics to standards and best practices from NIST and other standards organizations, and to HIPAA rules 2. Provides a detailed architecture and capabilities that address security controls 3. Facilitates ease of use through automated configuration of security controls 4. Addresses the need for different types of implementation, whether inhouse or outsourced 5. Provides a how-to for implementers and security engineers 25

EXAMPLE OF HOW-TO SECTION Mobile Devices System Requirements Android device: Android operating system 4.1 and up, screen size 7 and up, and Wi-Fi enabled Apple devices: Apple ios 7 and up, screen size 7 and up, Wi-Fi enabled You will also need the following parts of this guide: Section 3.3, Access Point: Cisco RV220W Section 7.1, Fedora PKI Section 8.2.1, MDM Setup Section 9.1, Cisco Identity Services Engine 26

EXAMPLE OF HOW-TO SECTION Integrated Host Based Security System INTEGRATED PORTS AND PROTOCOL FIREWALLING SERVICES Workstations Mobile Devices INTEGRATED VIRUS, MALWARE AND HOST INTRUSTION PROTECTIONS Integrated Secure Configuration Baseline and Control System Servers INTEGRATED DATA AT REST PROTECTIONS 27

SUMMARY OF SECURITY TECHNOLOGIES Prepare Mobile Device for MDM enrollment 1. Perform factory reset - This step is optional. If factory reset is necessary for an Android device, be sure to check the options for backing up and restoring your data (https://support.google.com/androidone/answer/2819582). Follow these steps to perform the factory reset: On your mobile device, open the Settings menu. Under Personal, tap on Backup & Reset. Under Personal data, tap on Factory Data Reset. After pressing Reset Device, the device will start to reboot into recovery mode and begin to wipe the tablet and return the device to its factory conditions. Startup the device and follow the instructions on the screen to set up the device for a new user. Be sure the Date and Time setting is correct. Otherwise, the wrong date and time could affect the process for validating the certificates for authentication. 28

REVIEW OF WHAT S IN A PRACTICE GUIDE The guide: 1. Maps security characteristics to standards and best practices from NIST and other standards organizations, and to HIPAA rules 2. Provides a detailed architecture and capabilities that address security controls 3. Facilitates ease of use through automated configuration of security controls 4. Addresses the need for different types of implementation, whether inhouse or outsourced 5. Provides a how-to for implementers and security engineers 29

CURRENT STATUS PROJECT Received feedback from public Responding to comments now Revised use case draft will then be released 30

CONTACT US http://nccoe.nist.gov/forums 240-314-6800 HIT_nccoe@nist.gov 9700 Great Seneca Hwy, Rockville, MD 20850 100 Bureau Drive, Mail Stop 2002, Gaithersburg, MD 20899 Thank You 31

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information