Cyber Security for your Connected Health Device

Cyber Security for your Connected Health Device

Agenda Cyber Security Emerging Threats Implications to Healthcare Healthcare Response

OpenSky s timeline Service Evolution Launch IT Optimization 2014 Geographic Expansion Merge with TUV Rheinland Launch Enterprise Mobility 2013 Launch Application Security 2012 Launch West Region Launch Vulnerability Assmt 2011 Launch South Central Region Launch Governance, Risk & Compliance 2010 Launch Southwest Region 2009 Launch Mid- Atlantic Region Formal Launch 1/2008 2008

GLOBAL ORIGINS & BACKGROUND 140 YRS OF INNOVATION

Key Drivers for Cyber Security in Healthcare... FDA issued cyber security warning in June 2013 to address the risks FDA published draft guideline on Cyber security for medical devices (June 2013) Device manufacturers have confirmed the FDA is asking for documentation related to cybersecurity (FDA guidelines) during the approval process (510k, PMA) Most hospitals now require device manufacturers to provide evidence that the devices they are buying are secure and not succeptable to cyber security risks Increasing publicity surrounding cyber security of medical devices Actual related risks and hazards exist... http://www.wired.com/2014/04/hospital-equipment-vulnerable/ 5

Cyber Security Emerging Threats

The Cyber Security Landscape Source: www.mandiant.com

Cyber Security by the numbers Source: Symantec Source: Symantec Twelve-Month Timeline of Data Breaches Source: Symantec Source: Symantec

Cyber Security Top Industry Targets $$$ is the Biggest motivator; Targets are changing; Medical PII is becoming more valuable than PCI data ($20 vs $2). Source: Mandiant M-Trends Beyond the Breach

Cybersecurity Attack Scenario Retail 1. Cybercriminals leveraged minor misconfigurations in the infrastructure to identify systems with direct access to the POS systems. 2. A domain controller, which provided authentication for corporate offices and retail stores, provided the vulnerable pivot point. 3. The card-harvesting malware deployed on each register searched the process memory of the POS application for magnetic stripe data stored in POS system Source: Mandiant M-Trends Beyond the Breach

Cybersecurity Attack Scenario Hospital 1. Cybercriminals create phishing email to lure unsuspecting user to click on link that points to malware. 2. Unsuspecting user receives phishing email and clicks on link. Medical Information Server Administration User Nurses Internet Lab Equipment 3. Infected Administration PC searches for other unpatched or vulnerable devices. Finding vulnerable application on lab equipment, attacks that equipment to gain access to the Medical Devices. Medical Devices Impatients

Cyber Security Implications to Healthcare

Internet of Things is here.

Top four medical device threats The security leaders interviewed listed among their top perceived threats to networked medical devices: Hacktivists wishing to cause service interruption. Thieves desiring to sell or monetize personal health information (PHI), Malicious groups or individuals seeking to cause harm to patients (possibly targeting VIP patients) Malware that evades existing antivirus engines and rules but is not specifically targeted at medical devices. Networked medical device cybersecurity and patient safety Source: Deloitte SANS Healthcare Cyber Security Report

Cyber Security Spending/ Costs

Cyber Security Malware by Vertical

Highest medical fraud by compromised organizations Legend: Dark states show highest population Orange circle shows the number of organizations compromised Locations and Types of Compromised Organizations Source: SANS Healthcare Cyber Security Report Note: states with most stringiest privacy laws were also the same states most affected.

Type of devices emitting malicious traffic Source: SANS Healthcare Cyber Security Report

Healthcare s response Cyber Security threats

Cyber Security Mitigation lifecycle Governance Risk Management Risk Identification

Risk Assessment Methodology Threat Agents Exposures Attacker Objectives Attacker Methods Controls Identify All possible threats, objectives, and methods Filter & Prioritize Highest risk threats, objectives, and methods Scan for Vulnerabilities Identify which vulnerabilities have controls. Those without controls are likely exposures

TÜV Rheinland helps reduce these cost MEDICAL Provide regulatory budget for global markets Device Scope OpenSky Risk Assessments and Secure Coding Product Market Annual Cost Design Product Development lifecycle TÜV Rheinland Core Business Market Certification Validation Provide data testing based on regulatory requirements

Thank-you! Jesus Laz Montano CSO & VP of Security Services OpenSky Corporation a TÜV Rheinland Company jmontano@openskycorp.com Rayshon L. Payne Medical Account Manager TÜV Rheinland rpayne@us.tuv.com