William Hagestad II
THE FUTURE OF CYBER WARFARE IN HEALTHCARE
2018 © The MedTech Forum. All rights reserved - Reproduction in whole or in part is prohibited.
THE FUTURE OF CYBER WARFARE IN HEALTHCARE
Cybersecurity Engineering
Smiths Medical has an established cybersecurity engineering team proactively applying both pre- and post-market guidance for the cybersecurity of medical devices, as encouraged by the Cyber Division of the FDA.
Current & Future State:
• Recruited and hired an internationally recognized white hat hacker
• Built a nationally recognized cybersecurity engineering program with:
  • No budget, critical thinking, experience and the will to succeed;
• FDA Cyber Directorate requested Smiths Medical leadership:
  • Coordinated Disclosure TTXs (tabletop exercises) in Minneapolis & McLean, VA
• Disclosed responsibly 10 CVEs:
  • Advisory (ICSMA-16-306-01) Smiths Medical CADD-Solis Medication Safety Software Vulnerabilities
  • Advisory (ICSMA-17-250-02) Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump Vulnerabilities (SEP 2017)
• Actively assess medical devices for both clinical and technological cybersecurity threats
Medical Device Cyber Security Maturity
https://krebsonsecurity.com/2015/04/whats-your-security-maturity-level/
21 MARCH 2016 / 13 JANUARY 2018
https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAAoPAAAAJDE1MGNjZThhLTgwM2MtNGE5NS1iMDkyLTA3YTc3OGUyZTg4OQ.jpg
https://www.ic3.gov/media/2015/150910.aspx
Adversaries in Cyber Space – A Taxonomy
Cyber Security Engineering
Worst Case Scenario….
Cyber Security Engineering
Boeing airplane hacked by DHS…
What if…
- HVP on board aircraft connected to vulnerable medical device…
- Nation State Hacker targets HVP…
- Jumps from hacked medical device….
- To Linux-based in-flight entertainment system…
- Jumps from easily compromised in-flight entertainment system…
- To aircraft flight controls…
- Controls descent of aircraft…
- Augers aircraft into metropolitan CBD…
- Hacked device becomes part of a WMD
https://medicaldialogues.in/indian-origin-doctor-warned-against-uk-health-service-cyber-hack/
http://www.intelligentedu.com/computer_security_for_everyone/18-threats-attacks-hackers-crackers.html
What is Security?
How should it apply to Medical Device Manufacturers (MDM)?
How does it apply to Healthcare Delivery Organisations (HDO)?
Ransomware
• WannaCry
• Petya/NotPetya
• Apply common cybersecurity engineering best practices;
• Assume any connected device is vulnerable;
• Become a hard target against skilled adversaries…
• Fundamental situational awareness….
http://time.com/4783910/why-a-global-cyber-crisis-stalled-this-time/
http://www.hitachi.com/hirt/publications/hirt-pub17008/index.html
http://blog.trendmicro.be/wp-content/uploads/2017/06/petya4.png
Petya/NotPetya
Active cybersecurity participation from leadership…
From statement creation to publishing on external website: 2 hours – incredible even with both CEOs traveling, no corporate communications staff and yours truly en route to an FDA event.
Overwhelming Guidances & Standards…
https://www.assured.enterprises/nist-baldrige-cybersecurity-guidelines/
Comparing Medical Device Cybersecurity Requirements:
http://blog.cm-dm.com/post/2016/10/24/Cybersecurity-in-medical-devices-Part-1-Regulations
European Union… Protection of Personal Data
• Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data…
• General Data Protection Regulation (GDPR)….
After four years of preparation and debate, the GDPR was finally approved by the EU Parliament on 14 April 2016. It will enter into force 20 days after its publication in the EU Official Journal and will be directly applicable in all member states two years after this date. Enforcement date: 25 May 2018, at which time those organizations in non-compliance will face heavy fines.
https://www.eugdpr.org/
https://www.lepide.com/infographics/gdpr-compliance-checklist.html
European Union… Medical Devices Specific
• Applicable Directives – for European Medical Industry
• Council Directive 93/42/EEC of 14 June 1993 concerning medical devices, OJ L 169 of 12 July 1993
https://ec.europa.eu/growth/sectors/medical-devices/guidance
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:1993L0042:20071011:en:PDF
While there are Euro Commission directives…
Also, ISO's…
July 2012: EN ISO 14971:2012, Medical devices — Application of risk management to medical devices
American Standards…
May 2016: TIR57 "Principles for medical device security – Risk management"
US Food & Drug Administration – Cyber Division
a) Guidance for Industry, FDA Reviewers and Compliance on Off-The-Shelf Software Use in Medical Devices, U.S. Department of Health and Human Services, Food and Drug Administration, Center for Devices and Radiological Health, Office of Compliance, Office of Device Evaluation, issued September 9, 1999
b) Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software, issued January 14, 2005
c) Medical Device Development Tools, Draft Guidance, Food and Drug Administration Staff, issued 14 November 2013
d) Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff, issued October 2, 2014
e) Infusion Pumps Total Product Life Cycle, Guidance for Industry and FDA Staff, issued December 2, 2014
f) Postmarket Management of Cybersecurity in Medical Devices, Draft Guidance for Industry and Food and Drug Administration Staff, issued on January 22, 2016
g) Updated recommendations on submitting a new 510(k) for device modifications, August 5, 2016
h) Deciding When to Submit a 510(k) for a software change to an existing device, issued August 8, 2016
i) Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff, document issued on December 28, 2016
j) Deciding When to Submit a 510(k) for a Change to an Existing Device, Guidance for Industry and Food and Drug Administration Staff, document issued on October 25, 2017
k) Deciding When to Submit a 510(k) for a Software Change to an Existing Device, Guidance for Industry and Food and Drug Administration Staff, document issued on October 25, 2017
US Food & Drug Administration – Cyber Division
THE FUTURE OF CYBER WARFARE IN HEALTHCARE
• Global environment is very asymmetric & challenging…
• Medical devices considered part of IoT… why is this important?
• IoT considered part of Critical Infrastructure Protection… by EU & many nations
• Vulnerable medical devices = IoT… leading to national security threats…
Healthcare Delivery Cyber Security Leadership Actions
Wireless infusion pump ecosystems, if not secured properly, can possibly contribute to the following HDO cyber risks:
• access by malicious actors
• loss or corruption of enterprise information and patient data and health record
• a breach of protected health information
• loss or disruption of healthcare services via ransomware
  o (e.g. WannaCry & Petya) or other known Common Vulnerabilities & Exposures (CVE)
• damage to an organization's reputation, productivity, and bottom-line revenue
Sky is not falling…. or has it already fallen….?
Medical Device Threat Vectors
Data:
• No Data Backup
• No Data Integrity
• No Data Validation
• Weak Authentication
• Weak Authorization
Device:
• Insecure Configurations
• Hardcoded Passwords
• No Tamper Detection
• Insufficient Patching
• Legacy Operating Systems
• No Anti-Virus Protection
• Weak/Insufficient Access Control
• Indefensible BIOS
• Minimal to Zero Logging
Network:
• Insecure Network Configurations
• Insufficient Firewall Rules
• Unencrypted Network Communication
• Lack of Segmentation
• Lack of Segregation
HEALTHCARE ALREADY INVOLVED IN FUTURE CYBER WARFARE
• Strategic & Tactical Challenges…
• Medical Devices are considered vulnerable IoT devices
• Delayed threat intel sharing
• Medical Device Manufacturers slow to implement cybersecurity engineering – 2 years NEW in most cases
• Health Care data breaches costly cybercrime – Current annual sunk cost $7.3BN Euros
• Health Care records very valuable to cybercriminals, more so than personal financial data
• Ransomware clear and present danger –
  • WannaCry, NotPetya
• Nation States – Democratic People's Republic of Korea motivated to infect IoT via ransomware
HEALTHCARE CYBER WARFARE vs MEDICAL DEVICE MANUFACTURERS
PATIENT CARE AND PATIENT SAFETY MUST BE A SHARED PRIORITY OF EFFORT!
• Different expectations force cybersecurity change…
http://www.frost.com/c/10024/home.do
"Our devices are good enough… Clinical use not cyber use…. No one would use our devices for intentional harm…"
"Your devices are perfect for clinical use… Cyber use…. Well, we need to deliver care, not cybersecurity."
"Your devices could be used for intentional harm…"
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft
https://www.nist.gov/cyberframework/csf-reference-tool
https://nccoe.nist.gov/sites/default/files/library/sp1800/hit-infusion-pump-nist-sp1800-8-draft.pdf
Cybersecurity Engineering Tasks – Importance // Relevance

Task: FDA Guidance - Postmarket Management of Cybersecurity in Medical Devices
Importance // Relevance: Begin building continuity of cybersecurity engineering around Smiths-Medical infusion pumps in accordance with FDA Draft Guidance – NOT OPTIONAL

Task: NIST Special Publication 800-30 Risk Management Guide for Information Technology Systems Revision 1 2012
Importance // Relevance: Medical Infusion Pump Risk & Vulnerability Assessments - Comprehensive self assessment of our entire medical infusion pump architecture determining known cybersecurity vulnerabilities of medical infusion pump architecture… Through tactical cybersecurity actions identify & understand risks

Task: NIST SP 800-53 Rev. 5 (DRAFT) Security and Privacy Controls for Information Systems and Organizations
Importance // Relevance: Map NIST Security Controls to Device Design Controls, mitigate known vulnerabilities in order to proactively mitigate ALL cyber risk to patients

Task: Apply NIST's Cybersecurity Framework (CSF) Version 1.1 (DRAFT) & NIST Cybersecurity Framework (CSF) Reference Tool
Importance // Relevance: Utilise crosswalk functionality of NIST CSF Ref Tool mapping to cybersecurity engineering standards

Task: Member of National Health – Information Sharing and Analysis Center (NH-ISAC)
Importance // Relevance: Achieve collaborative situational awareness of cybersecurity threats directly impacting US healthcare community – actionable cyber intelligence participation

Task: FDA recommended Vulnerability & Coordinated // Responsible Disclosure Policies
Importance // Relevance: Create proactive public identification and handling capability to identify cyber risks & vulnerabilities to Smiths-Medical infusion pumps

Task: Participate in NIST National Cyber Center of Excellence (NCCoE) medical infusion pump evaluation program – NIST SPECIAL PUBLICATION 1800-8 Securing Wireless Infusion Pumps In Healthcare Delivery Organizations
Importance // Relevance: Drive & participate in cybersecurity standards in wireless environments for medical infusion pumps
Review of Smith's Medical risk assessments using NIST SP 800-57
Review of Smith's Medical risk assessments through NIST SP 800-30… Strategic & tactical components of our risk management framework
http://broadleaf.com.au/wp-content/uploads/2014/05/2014-05-23-Managing-disruption-related-risk-600x414.png
How we conduct risk & vulnerability assessments of medical infusion pumps
a. Identify known Common Vulnerabilities and Exposures (CVE)
b. Categorize CVEs by technology component
c. Identify primary & secondary compensating controls
d. Assign risk evaluation parameters… traditionally the 5x5 matrix
   i. Severity (s)
   ii. Probability (p)
   iii. Detection (d)
e. Calculate Risk Probability Number (RPN) for;
   i. Primary compensating controls – existing designed security
   ii. Secondary compensating controls – future design security
f. Calculate Common Vulnerability Score based upon CVSS version 3.0 (2015)
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
https://www.certsi.es/en/blog/cvss-3-en
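Steps b, d, e and f of the procedure above, as an added example that is not from the deck or from Smiths Medical: constructed placeholder findings are grouped by technology component, the RPN is computed as s × p × d on an assumed 1..5 scale for both the primary and the secondary compensating controls, an assumed RPN acceptance criterion is applied to the residual value, and the CVSS v3.0 base score is derived from each finding's vector string.

```python
import math
from collections import defaultdict

# Steps d/e: the deck names Severity (s), Probability (p) and Detection (d)
# but not their ranges; the 1..5 scale per parameter is an assumption here.
def rpn(s, p, d):
    """Risk Probability Number (the deck's term): s * p * d."""
    for v in (s, p, d):
        if not 1 <= v <= 5:
            raise ValueError("s, p and d must each be in 1..5")
    return s * p * d
# Step f: CVSS v3.0 base score from a vector string, using the published
# metric weights and base-score equations (scope-changed PR weights differ).
_W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
      "AC": {"L": 0.77, "H": 0.44},
      "PR": {"N": 0.85, "L": 0.62, "H": 0.27},
      "UI": {"N": 0.85, "R": 0.62},
      "CIA": {"H": 0.56, "L": 0.22, "N": 0.0}}
_PR_SCOPE_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}
def _roundup(x):
    # round up to one decimal on an integer scale, so float noise such as
    # 4.2000000001 does not become 4.3
    return math.ceil(round(x * 100000) / 10000) / 10
def cvss3_base(vector):
    m = dict(part.split(":") for part in vector.split("/")[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - _W["CIA"][m["C"]]) * (1 - _W["CIA"][m["I"]]) * (1 - _W["CIA"][m["A"]])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    pr = (_PR_SCOPE_CHANGED if changed else _W["PR"])[m["PR"]]
    expl = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * pr * _W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return _roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))
# Constructed sample findings with placeholder ids (not real CVEs) for two
# technology components of a hypothetical pump; step b groups on "component".
FINDINGS = [
    {"id": "CVE-PLACEHOLDER-1", "component": "wireless module",
     "vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "primary": (5, 3, 4), "secondary": (5, 1, 2)},
    {"id": "CVE-PLACEHOLDER-2", "component": "pump controller firmware",
     "vector": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
     "primary": (5, 2, 3), "secondary": (5, 1, 1)},
]
RPN_ACCEPT = 20  # assumed acceptance criterion for the residual (secondary) RPN

def assess(findings):
    """Steps b, e, f: per component, RPN under primary (existing) and
    secondary (future) controls, CVSS base score, and acceptability."""
    out = defaultdict(list)
    for f in findings:
        residual = rpn(*f["secondary"])
        out[f["component"]].append({
            "id": f["id"], "cvss": cvss3_base(f["vector"]),
            "rpn_primary": rpn(*f["primary"]), "rpn_secondary": residual,
            "acceptable": residual <= RPN_ACCEPT})
    return dict(out)
```

The CVSS routine handles both scope values and the zero-impact case, so it can be checked against the NVD calculator linked above for any vector.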
NIST SP 800-30 Rev 1.0 2012
Adversary Capability Assessment Reference Tables
(a) CYBER ADVERSARY CAPABILITIES & CHARACTERISTICS
(b) CYBER ADVERSARY INTENT CHARACTERISTICS
(c) CYBER ADVERSARY TARGETING CHARACTERISTICS
(d) RANGE OF EFFECTS FOR NON-ADVERSARIAL THREAT SOURCES
Adversary Threat Events Reference Tables
a) Threat Events (Characterized by Tactics, Techniques/Technology & Procedures/Protocols - TTPs)
b) Description of Adversarial Threat Event
US Government Reference Publication for these threat assessment tables is provided by NIST Special Publication 800-30 Guide for Conducting Risk Assessments. Available @: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
Categories of Risk Control
RISK - combination of probability of occurrence of harm & severity of harm
HAZARD - potential source of harm
HAZARDOUS SITUATION - circumstance in which people, property, or environment are exposed to one or more hazard(s)
HARM - physical injury or damage to the health of people, or damage to property or environment
SEVERITY - measure of possible consequences of a hazard
RISK ANALYSIS - systematic use of available information to identify hazards & estimate the risk
RISK ESTIMATION - process used to assign values to the probability of occurrence of harm & severity of that harm
RISK EVALUATION - process of comparing estimated risk vs. given risk criteria to determine acceptability of risk
RISK ASSESSMENT - overall process comprising a risk analysis and a risk evaluation
RISK CONTROL - process in which decisions are made and measures implemented by which risks are reduced to, or maintained within, specified levels
RESIDUAL RISK - risk remaining after risk control measures have been taken
https://blog.greenlight.guru/iso-14971-medical-device-risk-management
Common Vulnerability Resources
Based upon named examples of commonly known vulnerabilities, which include:
i. Vulnerabilities with exploits
ii. Cross Site Request Forgery
iii. SQL injection
iv. Memory corruption
v. Gain Information
vi. Code Execution
vii. File Inclusion
viii. Cross Site Scripting
ix. HTTP Response Splitting
x. DOS Attack
xi. Buffer Overflows
xii. Gain Privilege
xiii. Directory Traversal
xiv. Bypass 'something'
https://www.cvedetails.com/index.php
https://www.tenable.com/sc-dashboards/cvss-temporal-risk-heat-map
Common Vulnerability Resources – US GOV
https://ics-cert.us-cert.gov/content/overview-cyber-vulnerabilities
https://www.us-cert.gov/related-resources
Common Vulnerability Resources
https://www.owasp.org/images/3/3c/OWASP_Top_10_-_2017_Release_Candidate1_English.pdf
END GAME….
http://www.hitachi.com/hirt/publications/hirt-pub17008/index.html
- Preventing Harm to Patients – Most Important!
- Deterring, Preventing more Ransomware incidents such as WannaCry or Petya/NotPetya
- Designing cybersecurity into medical devices, not as an afterthought…
- Desired Future State…
- Teach, mentor & Encourage smaller manufacturers;
- More active participation by all of Smiths Medical;
- Desire for an FDA Cyber assist visit…
Thank you
Bill Hagestad,
Senior Principal Cyber Security Engineering
Questions / Feedback?