Disruptive Innovations Track. Product Disruptions: Medical Device Cybersecurity. Presenter: Adam Brand, Associate Director, Protiviti. V. 1.1
FACULTY DISCLOSURE The faculty reported the following financial relationships or relationships to products or devices they or their spouse/life partner have with commercial interests related to the content of this CE activity: - Adam Brand (none)
Agenda
- The Growth of Connected Medical Devices
- Why Cybersecurity Matters
- Current Problems
- The Importance of Procurement Controls
- Q&A
About Me
- Adam Brand, Associate Director, Protiviti, @adamrbrand
- Focus on Healthcare Security/Medical Devices
- Volunteer with I Am The Cavalry Security Research Group
The Growth of Connected Medical Devices
The Growth of Connected Medical Devices
- Drug Infusion Pumps
- Insulin Pumps
- Defibrillators
- Fetal Heart Rate Monitors
- Anesthesia Carts
- Pretty Much Everything!
Why Are Devices Being Connected?
- Updating EMR
- Remote Monitoring
- Remote Care
Why Cybersecurity Matters
Personal Impact
- Many of us rely on these devices daily.
- When we are at our most vulnerable, we will depend on these devices for life.
- Even at times when we aren't personally affected, people we care about may be.
Professional Impact
- Patient Care
- Compliance
- Liability
What We Are Doing: To deliver consistent care & protect patient safety
Medical Device Assessment:
- Security-focused technical assessment (not HIPAA)
- Research serves healthcare mission and values
- Equip defenders against accidents and adversaries
- Discover patient safety issues
Coordination & Notification:
- Healthcare Providers
- Medical Device Makers
- Government Agencies (FDA and ICS-CERT)
Public Awareness:
- Security and healthcare conferences
- 1-on-1 with healthcare providers
- Educating FDA and healthcare providers
- Alert affected parties
- Inoculate against future issues
Current Problems
Impacting patient care and safety: Device Security Issues
- Service credentials publicly known and published online
  - Treatment modification
  - Cannot attribute action to an individual
- Known software vulnerabilities in existing and new devices
  - Reliability and stability issues
  - Increased deployment cost to preserve patient safety
- Unencrypted data transmission and service authorization flaws
  - Healthcare record privacy and integrity
  - Treatment modification
Compounded By Connectivity: Connectivity Misconceptions
- Access to the Internet often means access from the Internet, directly or indirectly.
- Direct Internet exposure through cellular.
- The Internet exposes medical devices to malicious adversaries, background hostility, and random noise.
Scott Erven Research (2014): Doing a search for "anesthesia" in Shodan and realized it was not an anesthesia workstation.
Initial Healthcare Organization Discovery
- Very large US healthcare system consisting of over 12,000 employees and over 3,000 physicians, including large cardiovascular and neuroscience institutions.
- Exposed intelligence on over 68,000 systems and provided a direct attack vector to the systems.
- Exposed numerous connected third-party organizations and healthcare systems.
Summary Of Devices Inside Organization (count of exposed systems)
- Anesthesia Systems: 21
- Cardiology Systems: 488
- Infusion Systems: 133
- MRI: 97
- PACS Systems: 323
- Nuclear Medicine Systems: 67
- Pacemaker Systems: 31
Did We Only Find One? No. We found hundreds! Change the search term and many more come up. Potentially thousands if you include exposed third-party healthcare systems.
Why Does This Matter? It's a goldmine for adversaries & attackers!
- It leaks specific information to identify medical devices and their supporting technology systems and applications.
- It leaks system hostnames of connected devices on the network.
- It often leaks floor, office, physician name and also system timeout exemptions.
Potential Attacks - Physical
- We know what type of systems and medical devices are inside the organization.
- We know the healthcare organization and location.
- We know the floor and office number.
- We know if it has a lockout exemption.
Potential Attacks - Phishing
- We know what type of systems and medical devices are inside the organization.
- We know the healthcare organization and employee names.
- We know the hostname of all these devices.
- We can create a custom payload to only target medical devices and systems with known vulnerabilities.
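The slides above list the categories of information that leaked through exposed device banners and hostnames (device type, floor and office, physician name, timeout or lockout exemptions). The following Python script is an added example, not part of the talk and not Scott Erven's or Protiviti's code: it runs a simple labelling pass over an organization's own inventory records so that a defender can see which hosts disclose those categories and fix the worst ones first. The record fields, the regular expressions and every sample host and banner are constructed for this illustration.

```python
import re

# Constructed inventory records loosely modelled on the kinds of leakage the
# slides describe (device type, location, physician name, lockout exemption).
# None of these are real hosts; the field names are this example's own.
SAMPLE_RECORDS = [
    {"host": "anesthesia-wsn-fl3-rm312",
     "banner": "Example Anesthesia Workstation, Dr. Smith, Floor 3 Office 312, screen lock exempt"},
    {"host": "pacs-archive-01",
     "banner": "PACS archive, authorized users only"},
    {"host": "ws-4421",
     "banner": "Workstation ws-4421, Floor 12 Office 7, timeout exemption approved"},
    {"host": "printer-lobby",
     "banner": "Example network printer"},
]

# One label per category of information the slides list as leaked. The
# patterns are deliberately simple; tune them to your own naming conventions.
PATTERNS = {
    "device_type": re.compile(
        r"\b(anesthesia|infusion|mri|pacs|pacemaker|cardiology|nuclear)\b", re.I),
    "location": re.compile(r"\b(floor|fl|room|rm|office)[ -]?\d+", re.I),
    "person_name": re.compile(r"\bDr\.?\s+[A-Z][a-z]+"),
    "lockout_exemption": re.compile(
        r"(lock(out)?|timeout|screen ?lock)\s*(exempt|disabled|none)", re.I),
}


def classify(record):
    """Return the set of leakage labels found in a record's hostname and banner."""
    text = f"{record['host']} {record['banner']}"
    return {label for label, pattern in PATTERNS.items() if pattern.search(text)}


def exposure_report(records):
    """Map each host that leaks something to its sorted labels; clean hosts are omitted."""
    report = {}
    for record in records:
        labels = classify(record)
        if labels:
            report[record["host"]] = sorted(labels)
    return report


def prioritize(records):
    """Hosts ordered by how many categories they leak, most first (ties by name)."""
    report = exposure_report(records)
    return sorted(report, key=lambda host: (-len(report[host]), host))


if __name__ == "__main__":
    report = exposure_report(SAMPLE_RECORDS)
    for host in prioritize(SAMPLE_RECORDS):
        print(f"{host}: {', '.join(report[host])}")
```

Feed it the banners and hostnames you already hold in your asset inventory rather than anything collected from the Internet; the point is to find and rename or reconfigure your own over-descriptive hosts before an outside search engine indexes them.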
Problem Awareness: "On the Internet, every sociopath is your next door neighbor." (Dan Geer) And yes, your medical devices are on the Internet.
Potential Adverse Patient Safety Events
- Patients hack their own infusion pumps: Patients at Linz hospital became addicted to opiates after one of them managed to hack the computer that automatically delivered the drug, allowing them to dial up the drugs whenever they wanted.
- Zoll Defibrillators, CVE-2013-7395 and CVE-2007-6756: Default supervisor & service passwords allow physically proximate attackers to modify device configuration and cause a denial of service (adverse human health effects).
- CareFusion Pyxis SupplyStation, CVE-2014-5421: Hard-coded database password can result in unauthorized information disclosure, modification, and disruption of service.
Historical Issues
- Manufacturer told us we can't patch/update systems (see http://www.fda.gov/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm077812.htm)
- Manufacturer told us we can't change passwords
- Key organizational stakeholders: lack of partnership
- Relationship with manufacturer stakeholders
Exposed, vulnerable systems: Technical Properties
- All software has flaws.
- Connectivity increases potential interactions.
- A software-driven, connected medical device is a vulnerable, exposed one.
- Lack of patient safety alignment in medical device cyber security practices.
Problem Awareness
- Medical devices are increasingly accessible due to the nature of healthcare.
- HIPAA focuses on patient privacy, not patient safety.
- FDA does not validate cyber safety controls.
- Malicious intent is not a prerequisite for adverse patient outcomes.
The Importance of Procurement Controls
Continue As-Is
Summary of Current State:
- FDA receives several hundred thousand reports of patient safety issues per year related to medical devices.
- Cyber safety investigations hampered by evidence capture capabilities.
- New devices are coming to market with long-known defects.
- Existing devices aren't consistently maintained and updated.
Projected Future:
- The nature of healthcare is driving towards greater connectivity (and therefore exposure) of devices.
- Adversaries change the risk equation unpredictably.
- Increase in incidental contact.
A Better Way
Summary of Recommended Treatment:
- Patient safety as the overriding objective
- Avoid failed practices and iteratively evolve better ones
- Engage internal and external stakeholders
- Cyber safety into existing practices and governance
Projected Outcomes:
- Reliable medical devices to market without undue delay or cost
- Collaboration among willing allies on common terms
- Medical devices resilient against accidents and adversaries
Medical Device Security Lifecycle
- Planning & Requirements
- Procurement & Contracting
- Implementation
- Maintenance
- Decommission
Patient Safety Concepts for Procurement
- Secure deployment baseline or guidance
- Attestation of security checks and testing
- Documented vulnerability response process
- Bill of materials for commercial and open source software
Patient Safety Concepts for Procurement (continued)
- Disclose known defects in third-party and first-party software
- Capability and documentation to change default credentials
- Documented process for securely updating software
- Security controls around data in transit and in storage
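The two procurement slides above read as a checklist, and a checklist is most useful when it can be run against what a vendor actually hands over. The Python script below is an added example, not from the talk and not Protiviti's or any vendor's code: it records a vendor's response to each concept, and for the bill-of-materials and known-defect items it goes one step further by comparing the supplied software bill of materials against a list of published advisories to find affected components the vendor did not disclose. The data-class fields, the advisory format, the version-comparison rule ("affected if below the fixed version") and every vendor value are constructed for this illustration; the defect identifiers are placeholders, not real CVE numbers.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One entry from the vendor-supplied software bill of materials (constructed format)."""
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """A published defect: versions of `component` below `fixed_in` are affected (constructed format)."""
    component: str
    fixed_in: str
    defect_id: str


@dataclass
class VendorResponse:
    """The vendor's answers to the procurement concepts on the slides (field names are this example's own)."""
    device: str
    deployment_baseline_provided: bool
    security_testing_attested: bool
    vulnerability_response_documented: bool
    sbom: list
    disclosed_defects: frozenset
    default_credentials_changeable: bool
    secure_update_documented: bool
    encrypts_data_in_transit: bool
    encrypts_data_at_rest: bool


def parse_version(text):
    """Turn '1.0.2' into (1, 0, 2) so versions compare numerically rather than as strings."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d*", piece).group()
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(component, advisory):
    return (component.name.lower() == advisory.component.lower()
            and parse_version(component.version) < parse_version(advisory.fixed_in))


def undisclosed_known_defects(response, advisories):
    """(component, version, defect_id) for every SBOM entry an advisory covers that the vendor did not disclose."""
    findings = []
    for component in response.sbom:
        for advisory in advisories:
            if is_affected(component, advisory) and advisory.defect_id not in response.disclosed_defects:
                findings.append((component.name, component.version, advisory.defect_id))
    return findings


def evaluate(response, advisories):
    """Map each procurement concept from the slides to pass (True) or fail (False)."""
    return {
        "deployment baseline or guidance": response.deployment_baseline_provided,
        "attestation of security checks and testing": response.security_testing_attested,
        "documented vulnerability response process": response.vulnerability_response_documented,
        "bill of materials provided": len(response.sbom) > 0,
        "known defects disclosed": not undisclosed_known_defects(response, advisories),
        "default credentials changeable": response.default_credentials_changeable,
        "documented secure update process": response.secure_update_documented,
        "data in transit protected": response.encrypts_data_in_transit,
        "data at rest protected": response.encrypts_data_at_rest,
    }


def gaps(response, advisories):
    """The failed concepts, in slide order, to carry into contract negotiation."""
    return [concept for concept, ok in evaluate(response, advisories).items() if not ok]


# Constructed advisory list and vendor response; identifiers are placeholders.
ADVISORIES = [
    Advisory("libcrypto-example", "1.0.2", "CVE-0000-EXAMPLE1"),
    Advisory("logging-example", "2.15.0", "CVE-0000-EXAMPLE2"),
]

SAMPLE = VendorResponse(
    device="Example infusion pump (constructed)",
    deployment_baseline_provided=True,
    security_testing_attested=True,
    vulnerability_response_documented=False,
    sbom=[Component("libcrypto-example", "1.0.1"),
          Component("logging-example", "2.14.1"),
          Component("ui-example", "3.2.0")],
    disclosed_defects=frozenset({"CVE-0000-EXAMPLE2"}),
    default_credentials_changeable=False,
    secure_update_documented=True,
    encrypts_data_in_transit=False,
    encrypts_data_at_rest=True,
)

if __name__ == "__main__":
    for concept in gaps(SAMPLE, ADVISORIES):
        print("GAP:", concept)
    for name, version, defect_id in undisclosed_known_defects(SAMPLE, ADVISORIES):
        print(f"UNDISCLOSED: {name} {version} is covered by {defect_id}")
```

The useful output is the gap list: each failed concept is a line item to put into the contract (as the MDS2 slide that follows asks), and each undisclosed defect is evidence that a self-attestation alone did not catch.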
MDS2: Not Usually Enough. This is a self-attestation: is it also part of the contract?
Leverage for Negotiations: ICS-CERT on Hard-Coded Passwords. "[...] a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors."
Leverage for Negotiations: FDA Alert on Hospira Infusion System. "Due to recent cybersecurity concerns, the FDA strongly encourages health care facilities to begin transitioning to alternative infusion systems as soon as possible."
Leverage for Negotiations: FBI Alert on Connected Medical Devices. "Criminals can also gain access to unprotected [medical] devices ... Once criminals have breached such devices, they [...] can possibly change the coding controlling the dispensing of medicines [...]"
Leverage for Negotiations: OIG Audits Including Medical Devices. http://oig.hhs.gov/reports-and-publications/archives/workplan/2015/FY15-Work-Plan.pdf
Upcoming Free, Community-Created Resource: iamthecavalry.org - @iamthecavalry
Treatment Plans: It falls to all of us. Patient safety is not a spectator sport.
- Stakeholders must understand prerequisites
- Multi-stakeholder teams and conversations
- Engage with willing allies where domains of expertise overlap
- Incorporate cyber safety into existing processes
Adam Brand - @adamrbrand - adam.brand@protiviti.com