OnDemand Webinar: Key Considerations to Securing the Internet of Things (IoT) & Bio-medical...


Key Considerations to Securing the Internet of Things (IoT) & Bio-medical Devices

Webinar

Merritt Maxim, September 14, 2016

© 2016 Forrester Research, Inc. Reproduction Prohibited 2

Abstract

› Key Considerations to Securing the Internet of Things (IoT)

› IoT has evolved beyond a hyped buzzword into available technologies on the market that can significantly improve customer outcomes and deliver business benefits. However, the reality of IoT as an interlinked set of hardware, software, and ubiquitous connectivity is that it creates new security challenges and exacerbates legacy security problems.

› In this webinar, Forrester Senior Analyst Merritt Maxim will summarize the key IoT trends and outline the current IoT attack surface. He will also provide guidance on how organizations can protect and defend against IoT-based threats while simultaneously meeting desired IoT business objectives.


Agenda

› Current IoT Trends

› Balancing Innovation With Security In Healthcare

› The Bio-medical Device Risk Landscape

› Attack Scenarios

› The Path Forward


Current IoT Trends


Current status of IoT technologies: Forrester IoT TechRadar™, Q1 2016

Source: “TechRadar™: Internet Of Things, Q1 2016” Forrester report

IoT security — on a significant success trajectory but only in creation stage


IoT Security is still maturing…

› Lots of hype and interest; focus on OS, firmware, and hardware level.

› Growing awareness of security concerns with IoT

› General consensus on value/need for IAM with IoT


Industry IoT deployment momentum varies widely

Source: https://www.forrester.com/report/The+Internet+Of+Things+Heat+Map+2016/-/E-RES122661 January 14, 2016.


Security Concerns still impede IoT Deployments

Base: 2,247 IT decision makers

Source: Forrester’s Business Technographics Security Survey, 2014

[Bar chart, x-axis 0% to 45%: “What are your firm’s concerns, if any, with deploying M2M/Internet of Things technologies?” Response options as labelled on the chart (percentages not recoverable from the extracted text):]

• We can't find the right supplier(s)
• None - we don't have any concerns
• Lack of executive support
• We don't think that we have an application or process that will be enhanced by M2M
• Regulatory issues or concerns
• Difficulty and risk of migration or installation
• Lack of technology maturity
• Pricing is unclear or complicated
• Integration challenges
• Total cost concerns (total cost of ownership)
• Security concerns


Different Worlds, different approaches

| Area | Traditional World | IoT World | Difference |
|---|---|---|---|
| Authentication | User-centric | IoT device-centric | Authenticating devices/blocking devices to/from IoT security management plane |
| Authentication | Passwords then biometrics | Human to device: biometrics, behaviors. Device-to-device: API, certs | Authenticating user(s) and devices to an IoT device |
| Provisioning and registration | Life-cycle support for predominantly users only. Manual and bulk registration. | Life-cycle support for devices, not just users | Provisioning and registering devices and users to IoT security management plane |
| Provisioning and registration | Enterprise mobility management | Linking many previously unlinked but operational devices to user | Device registration to user, user registration to device |
| Provisioning and registration | Static process | Dynamic, fast-changing process (e.g. connected vehicles) | Managing relationships between IoT devices |
| Provisioning and registration | Manual and user-initiated | User-initiated and inactivity-based | Unenrolling devices from the IoT security management plane |
| Self-services | No adopted standard | Forrester expects User-Managed Access (UMA) will emerge | Preference management, privacy management, data sharing consent |
| Self-services | Web-based | Based on enhanced Bluetooth or NFC connectivity | Allowing users to perform self-services for their IoT devices |


Balancing Innovation With Security In Healthcare


Innovations in Healthcare

› Robotic Surgery

› Telemedicine

› mHealth


With Innovation Comes Risk


The Bio-Medical Device Risk Landscape


A Typical Hospital Network is Flat


Complexity Is The Primary Enemy


Threat Actor Motivations


Attack Scenarios


Medical Device Security - Risk Categories

› Denial-of-Service

› Patient Data Theft

› Therapy Manipulation

› Asset Damage


Denial-Of-Service: Scenario

Causes
• Network attack
• Malware
• Software exploitation
• Radio frequency (RF) exploitation

Impacts
• Clinical workflow disruption
• IT/Clinical engineering staff disruption

Outcomes
• Patient harm
• Reputational damage
• Regulatory fines/Lawsuits
• Request for ransom


Denial-Of-Service: Evidence

› Case #1: 20 patient monitoring systems taken down in a CA-based hospital (unreported)

› Case #2: MA-based hospital ward shut down due to malware infecting patient monitoring systems (unreported)

› Case #3: CA-based hospital shutdown due to ransomware infecting medical devices


Denial-Of-Service: Outlook


Therapy Manipulation: Scenario

Causes
• Malware
• Software exploitation
• Poor access controls

Impacts
• Changes in device function/parameters
• Changes to patient data

Outcomes
• Patient harm
• Reputational damage
• Regulatory fines/lawsuits
• Request for ransom
• Changes in future treatment decisions


Therapy Manipulation: Evidence

› Case #1: PCA Pump exploited by Austrian patient

› Case #2: PCA Pump exploited by researcher

› Case #3: Insulin Pump exploited by researcher

› Case #4: Implantable Defibrillator exploited by researcher


Therapy Manipulation: Outlook


Asset Damage: Scenario

Causes
• Network attack
• Malware
• Software exploitation

Impacts
• Clinical workflow disruption
• IT/clinical engineering staff disruption

Outcomes
• Patient harm
• High replacement costs


Asset Damage: Evidence

› No examples found in healthcare

› Difficult to track due to lack of consideration over security event causation in MDRs

› Examples from other industries still prove capability
• Stuxnet malware (targeted industrial centrifuges in Iran)
• Ukrainian power grid
• Reservoir dam in Westchester County, NY (December 2015)


Asset Damage: Outlook


Patient Data Theft: Scenario

Causes
• Malware
• Software exploitation
• Poor access controls/device theft
• Device used as entry point into data network

Impacts
• Direct theft of data from device
• EMR database compromise

Outcomes
• Patient harm due to fraud
• Patient privacy loss
• Reputational damage
• Regulatory fines/lawsuits


Patient Data Theft: Evidence

› Case #1: HIPAA fines MA-based hospital $850,000 due to CT Scanner breach

› Case #2: Russian gang used medical devices as entry point into hospital network; stole patient data from EMR


Patient Data Theft: Outlook

High Severity Risk


The Path Forward


Step 1: Categorize Existing Devices Based On Risk

Base your risk categories on:

› Potential impact to patient safety

› Network Connectivity

› Data Sensitivity

› Attack likelihood

› Vendor security SLA


Step 2: Implement A Clinical Risk Management Framework

[Cycle diagram: Device Risk Management, with the phases labelled as follows]

› Risk acceptance

› Residual risk level

› Reduction, mitigation and control

› Assessment, prioritization and planning


Step 3: Follow Basic Security Hygiene

› Foster a culture of security awareness within clinical engineering and clinical departments
• Blogs, security champions, rotationships

› Eliminate default passwords


Step 4: Include Security Requirements In RFPs

Request that device manufacturers:

› Follow current application security best practices

› Conduct threat modeling/pen testing

› Have roadmap to build security logging into software

› Present a completed MDS2 form


Step 5: Move Toward A “Zero-Trust” Architecture

› Segment devices based on risk

› Inspect network data as it flows between segments

› Require secure authentication into network
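As an added example that is not part of the Forrester deck, the five Step 1 factors are scored for a constructed device inventory and the resulting tier drives the Step 5 segmentation policy (default-deny between segments, inspection and authentication on every cross-segment flow). The ordinal scales, weights and tier thresholds are assumptions of this example, not a Forrester scoring method.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Scales, weights and thresholds below are assumptions of this example.
LEVEL = {"low": 1, "medium": 2, "high": 3}
CONNECTIVITY = {"none": 0, "isolated": 1, "hospital_lan": 2, "internet": 3}

@dataclass(frozen=True)
class Device:
    name: str
    patient_safety_impact: str        # Step 1 factor: harm if the device misbehaves
    network_connectivity: str         # key of CONNECTIVITY
    data_sensitivity: str             # "high" when the device stores or relays PHI
    attack_likelihood: str            # exposure, known flaws, attacker interest
    vendor_sla_patch_days: Optional[int]  # None = no vendor security SLA at all

def risk_score(d: Device) -> int:
    """Weighted sum of the five Step 1 factors; patient safety weighs most."""
    score = (3 * LEVEL[d.patient_safety_impact]
             + 2 * CONNECTIVITY[d.network_connectivity]
             + 2 * LEVEL[d.data_sensitivity]
             + LEVEL[d.attack_likelihood])
    if d.vendor_sla_patch_days is None:
        score += 2          # no patch commitment: the device stays exposed longer
    elif d.vendor_sla_patch_days <= 30:
        score -= 1          # prompt vendor patching lowers residual risk
    return score

def risk_tier(d: Device) -> str:
    """Map the score to a tier; the cut-offs are assumed values."""
    s = risk_score(d)
    return "critical" if s >= 18 else "high" if s >= 12 else "standard"

def segment_policy(devices: List[Device]) -> Tuple[Dict[str, List[str]], List[dict]]:
    """Step 5: one segment per tier; cross-segment flows are inspected and authenticated."""
    segments: Dict[str, List[str]] = {}
    for d in devices:
        segments.setdefault(f"seg-{risk_tier(d)}", []).append(d.name)
    rules = [{"from": s, "to": t, "default": "deny", "inspect": True, "authn": "required"}
             for s in segments for t in segments if s != t]
    return segments, rules

# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    Device("infusion-pump-01", "high", "hospital_lan", "medium", "medium", None),
    Device("ct-scanner-02", "low", "hospital_lan", "high", "medium", 90),
    Device("bedside-monitor-03", "high", "isolated", "low", "low", 14),
    Device("hvac-sensor-04", "low", "isolated", "low", "low", None),
]
```

With the sample inventory, the infusion pump lands in seg-critical, the CT scanner and bedside monitor in seg-high and the sensor in seg-standard, and six inter-segment rules are produced.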


Principles of Zero Trust

› The network is designed from the inside out

› Visibility: Inspect and log all traffic

› Verify and never trust

› Access control is on a “need-to-know” basis and is strictly enforced

› All resources are accessed in a secure manner regardless of location


Need to Know

› IEC 80001-1

› MDS2

› NH-ISAC / ICS-CERT

› MDISS

› UL 2900 Cybersecurity Certification

› FDA Pre-Market and Post-Market Cybersecurity Guidance


Closing Thought: IoT technology focus is shifting from networks and hardware to software, platforms and analytics

› Initial IoT focus is on connecting devices, but is now extending to applications and solutions
• Variety of applications
• Actual case studies in many industries
• Analytics and business intelligence benefits

› IT execs will engage as business embraces scalable IoT systems, driving needs for skills in:
• Security, device management, and interoperability
• Links to analytics and systems of record

Thank you

forrester.com

Merritt Maxim

mmaxim@forrester.com

@merrittmaxim
