Disruptive Innovations Track


Disruptive Innovations Track. Product Disruptions: Medical Device Cybersecurity. Presenter: Adam Brand, Associate Director, Protiviti. V. 1.1

FACULTY DISCLOSURE The faculty reported the following financial relationships or relationships to products or devices they or their spouse/life partner have with commercial interests related to the content of this CE activity: - Adam Brand (none)

Agenda: The Growth of Connected Medical Devices. Why Cybersecurity Matters. Current Problems. The Importance of Procurement Controls. Q&A.

About Me: Adam Brand, Associate Director, Protiviti. @adamrbrand. Focus on Healthcare Security/Medical Devices. Volunteer with I Am The Cavalry Security Research Group.

The Growth of Connected Medical Devices

The Growth of Connected Medical Devices: Drug Infusion Pumps. Insulin Pumps. Defibrillators. Fetal Heart Rate Monitors. Anesthesia Carts. Pretty Much Everything!

Why Are Devices Being Connected? Updating EMR. Remote Monitoring. Remote Care.

Why Cybersecurity Matters

Personal Impact: Many of us rely on these devices daily. When we are at our most vulnerable, we will depend on these devices for life. Even at times when we aren't personally affected, people we care about may be.

Professional Impact: Patient Care. Compliance. Liability.

What We Are Doing: to deliver consistent care & protect patient safety.
Medical Device Assessment: Security-focused technical assessment (not HIPAA). Research serves healthcare mission and values. Equip defenders against accident and adversaries. Discover patient safety issues.
Coordination & Notification: Healthcare providers. Medical device makers. Government agencies (FDA and ICS-CERT). Alert affected parties.
Public Awareness: Security and healthcare conferences. 1-on-1 with healthcare providers. Educating FDA and healthcare providers. Inoculate against future issues.

Current Problems

Impacting patient care and safety. Device Security Issues:
Service credentials publicly known and published online: treatment modification; cannot attribute an action to an individual.
Known software vulnerabilities in existing and new devices: reliability and stability issues; increased deployment cost to preserve patient safety.
Unencrypted data transmission and service authorization flaws: healthcare record privacy and integrity; treatment modification.

Compounded By Connectivity. Connectivity Misconceptions: Access to the Internet often means access from the Internet, directly or indirectly. Direct Internet exposure through cellular. The Internet exposes medical devices to malicious adversaries, background hostility, and random noise.

Scott Erven Research (2014): Doing a search for "anesthesia" in Shodan and realized it was not an anesthesia workstation.

Initial Healthcare Organization Discovery: Very large US healthcare system consisting of over 12,000 employees and over 3,000 physicians, including large cardiovascular and neuroscience institutions. Exposed intelligence on over 68,000 systems and provided a direct attack vector to the systems. Exposed numerous connected third-party organizations and healthcare systems.

Summary Of Devices Inside Organization:
Anesthesia Systems: 21
Cardiology Systems: 488
Infusion Systems: 133
MRI: 97
PACS Systems: 323
Nuclear Medicine Systems: 67
Pacemaker Systems: 31

Did We Only Find One? No. We found hundreds! Change the search term and many more come up. Potentially thousands if you include exposed third-party healthcare systems.

Why Does This Matter? It's a goldmine for adversaries & attackers! It leaks specific information to identify medical devices and their supporting technology systems and applications. It leaks system hostnames of connected devices in the network. It oftentimes leaks floor, office, physician name and also system timeout exemptions.

Potential Attacks - Physical: We know what type of systems and medical devices are inside the organization. We know the healthcare organization and location. We know the floor and office number. We know if it has a lockout exemption.

Potential Attacks - Phishing: We know what type of systems and medical devices are inside the organization. We know the healthcare organization and employee names. We know the hostname of all these devices. We can create a custom payload to only target medical devices and systems with known vulnerabilities.

Problem Awareness: "On the Internet, every sociopath is your next door neighbor." (Dan Geer) ... and yes, your medical devices are on the Internet.

Potential Adverse Patient Safety Events.
Patients hack their own infusion pumps: Patients at Linz hospital became addicted to opiates after one of them managed to hack the computer that automatically delivered the drug, allowing them to dial up the drugs whenever they wanted.
Zoll Defibrillators, CVE-2013-7395 and CVE-2007-6756: Default supervisor & service passwords allow physically proximate attackers to modify device configuration and cause a denial of service (adverse human health effects).
CareFusion Pyxis SupplyStation, CVE-2014-5421: Hard-coded database password can result in unauthorized information disclosure, modification, and disruption of service.

Historical Issues: Manufacturer told us we can't patch/update systems (http://www.fda.gov/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm077812.htm). Manufacturer told us we can't change passwords. Key organizational stakeholders: lack of partnership. Relationship with manufacturer stakeholders.

Exposed, vulnerable systems. Technical Properties: All software has flaws. Connectivity increases potential interactions. A software-driven, connected medical device is a vulnerable, exposed one. Lack of patient safety alignment in medical device cyber security practices.

Problem Awareness: Medical devices are increasingly accessible due to the nature of healthcare. HIPAA focuses on patient privacy, not patient safety. FDA does not validate cyber safety controls. Malicious intent is not a prerequisite for adverse patient outcomes.

The Importance of Procurement Controls

Continue As-Is. Summary of Current State: FDA receives several hundred thousand reports of patient safety issues per year related to medical devices. Cyber safety investigations hampered by evidence capture capabilities. New devices are coming to market with long-known defects. Existing devices aren't consistently maintained and updated. Projected Future: The nature of healthcare is driving towards greater connectivity (and therefore exposure) of devices. Adversaries change the risk equation unpredictably. Increase in incidental contact.

A Better Way. Summary of Recommended Treatment: Patient safety as the overriding objective. Avoid failed practices and iteratively evolve better ones. Engage internal and external stakeholders. Cyber safety into existing practices and governance. Projected Outcomes: Reliable medical devices to market without undue delay or cost. Collaboration among willing allies on common terms. Medical devices resilient against accidents and adversaries.

Medical Device Security Lifecycle: Planning & Requirements. Procurement & Contracting. Implementation. Maintenance. Decommission.

Patient Safety Concepts for Procurement: Secure deployment baseline or guidance. Attestation of security checks and testing. Documented vulnerability response process. Bill of materials for commercial and open source software.

Patient Safety Concepts for Procurement: Disclose known defects in third-party and first-party software. Capability and documentation to change default credentials. Documented process for securely updating software. Security controls around data in transit and in storage.
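As an added example (not part of the presentation, and not Protiviti's or I Am The Cavalry's code), here is how a procurement team can turn two of the items above, the software bill of materials and the disclosure of known defects, into a repeatable check: take the vendor's SBOM, cross-check every component against a list of known-vulnerable version ranges, and flag anything the SBOM leaves unversioned. The SBOM uses the CycloneDX JSON layout, but the components, versions and defect identifiers (EXAMPLE-000x) are constructed placeholders, not data from any real device or advisory.

```python
"""Cross-check a vendor-supplied software bill of materials (SBOM) against a
list of known-vulnerable component versions, the procurement control the
slides describe. Added example; the SBOM content and the defect list are
constructed placeholders, not real device data or real advisories."""
import json
import re
from typing import Optional

# Constructed SBOM in CycloneDX JSON layout for a hypothetical pump controller.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "operating-system", "name": "windows-embedded", "version": "7.0"},
        {"type": "library", "name": "openssl", "version": "1.0.1e"},
        {"type": "library", "name": "libxml2", "version": "2.9.10"},
        {"type": "library", "name": "zlib"},                      # no version stated
        {"type": "application", "name": "pump-service", "version": "3.2.1"},
    ],
})

# Constructed "known defects" list. An entry applies when
# introduced <= version < fixed; fixed=None means no fix is available.
# The EXAMPLE-* identifiers are placeholders, not real CVE numbers.
KNOWN_DEFECTS = [
    {"id": "EXAMPLE-0001", "name": "openssl", "introduced": "1.0.1", "fixed": "1.0.1g",
     "note": "hypothetical TLS library flaw"},
    {"id": "EXAMPLE-0002", "name": "libxml2", "introduced": "2.9.0", "fixed": "2.9.11",
     "note": "hypothetical XML parser flaw"},
    {"id": "EXAMPLE-0003", "name": "windows-embedded", "introduced": "0", "fixed": None,
     "note": "hypothetical end-of-support OS, no vendor fix"},
]


def version_key(version: str) -> tuple:
    """Turn '1.0.1e' into a comparable tuple.

    Numeric runs compare as integers, so 2.9.10 sorts after 2.9.9 (a plain
    string compare gets this wrong); alphabetic runs such as OpenSSL patch
    letters compare as strings. Each token is tagged 0 (number) or 1 (text)
    so Python never compares an int with a str.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in tokens)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def check_sbom(sbom_json: str, defects: list) -> list:
    """Return one finding per (component, defect) match.

    A component with no version is reported too (id=None): an SBOM entry that
    cannot be checked is a gap to push back on before signing, not a pass.
    """
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "").lower()
        version = comp.get("version")
        if not version:
            findings.append({"component": name, "version": None, "id": None,
                             "fix_available": None,
                             "note": "no version stated; cannot verify"})
            continue
        for d in defects:
            if d["name"].lower() == name and is_affected(version, d["introduced"], d["fixed"]):
                findings.append({"component": name, "version": version, "id": d["id"],
                                 "fix_available": d["fixed"] is not None,
                                 "note": d["note"]})
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM, KNOWN_DEFECTS):
        print(finding)
```

On the constructed input the check reports the OpenSSL and libxml2 components as affected with a fix available, the embedded OS as affected with no fix, and zlib as unverifiable because the vendor stated no version. In practice the defect list would come from the vendor's own disclosure plus ICS-CERT/FDA advisories, and a finding with fix_available=False is exactly the case where the contract needs to say who carries the cost of compensating controls.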

MDS2 (Manufacturer Disclosure Statement for Medical Device Security): Not Usually Enough. This is a self-attestation; is it also part of the contract?

Leverage for Negotiations: ICS-CERT on Hard-Coded Passwords. "[...] a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors."

Leverage for Negotiations: FDA Alert on Hospira Infusion System. "Due to recent cybersecurity concerns, the FDA strongly encourages health care facilities to begin transitioning to alternative infusion systems as soon as possible."

Leverage for Negotiations: FBI Alert on Connected Medical Devices. "Criminals can also gain access to unprotected [medical] devices. Once criminals have breached such devices, they [...] can possibly change the coding controlling the dispensing of medicines [...]"

Leverage for Negotiations: OIG Audits Including Medical Devices. http://oig.hhs.gov/reports-and-publications/archives/workplan/2015/FY15-Work-Plan.pdf

Upcoming Free, Community-Created Resource: iamthecavalry.org - @iamthecavalry

Treatment Plans: It falls to all of us. Patient safety is not a spectator sport. Stakeholders must understand prerequisites. Multi-stakeholder teams and conversations. Engage with willing allies where domains of expertise overlap. Incorporate cyber safety into existing processes.

Adam Brand - @adamrbrand - adam.brand@protiviti.com