Using Common Criteria Evaluations to Improve Healthcare Cybersecurity

David Kleidermacher, BlackBerry
Dr. David Klonoff, Diabetes Technology Society
Margie Zuk, MITRE

Approved for Public Release; Distribution Unlimited. 15-2807. 2015 The MITRE Corporation. ALL RIGHTS RESERVED.
Background

- Healthcare is an attractive target for sophisticated adversaries: organized crime, nation states, hacktivists
- Medical devices may be an attacker's entry point, or incidentally compromised during an attack because of vulnerabilities

Medical Devices
- Contain configurable embedded computer systems
- Increasingly interconnected
- Wirelessly connected
- Legacy devices

Use Environment
- Varied responsibilities for purchase, installation and maintenance of medical devices, often siloed
- Variable control over what is placed on the network
- Inconsistent training and education on security risks
FDA Public Workshop: Collaborative Approaches for Medical Device and Healthcare Cybersecurity

- October 21-22, 2014
- Co-sponsored with HHS and DHS
- 1300 total participants, onsite and remote
- Broad range of stakeholders

Goals:
- Catalyze collaboration among all HPH stakeholders
- Identify barriers that impede efforts towards promoting cybersecurity
- Advance the discussion on innovative approaches for building securable medical devices
MITRE Handshake Site: Medical Device and Healthcare Cybersecurity

- Virtual collaboration space for the HPH sector to continue the discussion from the public workshop
- Over 170 participants
- FAQ with rules of engagement
- Contact: cybermed@mitre.org

How to join:
1. Individual requests an account
2. MITRE sends an invitation
3. Individual responds and creates an account
4. Individual joins Handshake
Medical Device Ecosystem

Stakeholders in the ecosystem (diagram):
- Researchers
- Industry
- Venture Capitalists
- Patients
- Professional Societies
- Regulators
- Health Care Providers
- Payers
Collaborating with the Medical Device Cybersecurity Ecosystem

- MITRE is conducting a stakeholder study as a follow-on to the FDA workshop
  - Meeting with over 70 stakeholders across the medical device ecosystem
  - Understand stakeholder perspectives
  - Understand cybersecurity gaps and challenges
- Establishing collaborative models for information sharing and a shared risk framework
- Participating in emerging industry efforts
Diabetes Technology Society Cybersecurity Standard for Connected Diabetes Devices (DTSec)

- Developing a cybersecurity standard and evaluation process
- Focus on 4 device classes:
  - Blood Glucose Monitors (BGM)
  - Continuous Glucose Monitors (CGM)
  - Insulin Pumps (IP)
  - Artificial Pancreas (AP)
- Establishing a technical community composed of clinicians, manufacturers, cybersecurity experts, academia, and government members
- Sub-groups including Scope of Work, Protection Profile, and Assurance
Goals of the DTSec Assurance Program

- Scientific approach to security evaluation
- Supports life-critical systems
- Efficient (cost and time)
- Enables continuous improvement
- Open and international
Medical Device Assurance
DTSec Security Functional Requirements

Work in progress; the PP covers meters.

- Firmware/software authenticity
- User data (e.g. BG readings) authenticity
- Secure local channel (authentication + encryption), e.g. BTLE security mode 1, level 3
- User authentication to device (OPTIONAL)
- Information flow policy to enable safe one-way reading from GMs to smartphone (no control allowed)
DTSec Security Assurance Requirements

Required assurance level by asset value (rows) and attack potential (columns); the highest asset value is human life, and the highest attack potential is a sophisticated, motivated attacker:

Asset Value         | Attack Potential: Low | Medium | High
High (human life)   | Low                   | Medium | High
Medium              | Low                   | Medium | Medium
Low                 | Low                   | Low    | Low

IEC 62304 software safety classes:
- Class A: No injury or damage to health is possible
- Class B: Non-serious injury is possible
- Class C: Death or serious injury is possible

Independent assurance packages can be applied to any PP.
DTSec Security Assurance Requirements: Assurance Package

- Lifecycle Requirements: TOE-independent, common to all of a manufacturer's TOEs
- Product Requirements: TOE-dependent
DTSec Security Assurance Requirements: Assurance Package Contents

Lifecycle Requirements
- CM plans and process
- Architecture, design, specification
- Development tool standards
- Flaw remediation process

Product Requirements
- Architecture, design, specification
- Testing of requirements
- Vulnerability assessment
DTSec: Evaluation Efficiency

The DTSec Class C assurance package is mapped against the existing medical device standards IEC 62304, ISO 14971 and ISO 13485, so that evidence already produced for those standards can be reused. Coverage of the target ISO 15408 assurance families and components by IEC 62304:

ISO 15408 component | IEC 62304 coverage
ADV_ARC.1           | 5.3
ADV_FSP.5           | 5.2
ADV_IMP.1           | B.5.5
ADV_INT.2           | 5.5.3
ADV_TDS.3           | 5.4
AGD_OPE.1           | 5.2.2
AGD_PRE.1           | 5.2.2
ALC_CMC.5           | 8
ALC_CMS.5           | 8
ATE_COV.2           | 5.6.4 and 5.7
ATE_DPT.2           | 5.7
ATE_FUN.1           | 5.6.4 and 5.7
ATE_IND.2           | 5.7
AVA_VAN.4           | not covered
DTSec: Evaluation Efficiency, Delta Certification / Assurance Continuity

- Vendor documents the delta (patch set, version increment, etc.)
- Depending on the scope of the modifications:
  - Minor: accept and publish an addendum to the certificate
  - Major: re-evaluation
  - Gray area: audit
- Reference: https://www.niapccevs.org/documents_and_guidance/ccevs/scheme-pub-6.pdf
DTSec Scope: Near Term

- Publish the standard
  - Leverages ISO 15408, 18045, 17025
  - Defines the assurance program: accreditation of labs, certification of results, assurance maintenance
- Create PP(s) for important product families: BGM, CGM, IP, AP
- Initial vendor(s) write ST(s) for initial product(s)
- Select and accredit initial lab(s)
- Lab evaluates initial product(s) against ST(s)
- Certify lab results
- Flock to the streets in rapture
Summary and Onward

DTSec: medical device security standard and assurance program
- Assurance by evaluation based on ISO 15408
- Administered by an international multi-stakeholder non-profit
- Custom assurance package, leveraging IEC 62304
- Life-critical wireless devices: AVA_VAN.4

Future
- Demonstrate efficient evaluations
- Expand to other device types, e.g. infusion pumps
- Lowered cost of insurance?
- Regulatory recommendation and/or mandate
- Observe and integrate with synergistic efforts
Contact

- davek@blackberry.com
- dklonoff@diabetestechnology.org
- mmz@mitre.org