Cyber Security in Wireless Medical Devices
Bill Saltzstein, Code Blue Consulting
Cyber Security Meetup: July 20, 2017
Agenda
* Who am I, and how did I get here?
* Short-range wireless connectivity
* Cybersecurity Issues
* Q&A
Cyber Security meetup: 07/20/17 - Saltzstein
Who am I?
* EE, University of Rochester
* HP Calculators (HP-71B, HP-18/28)
* HP Cardiology (Pagewriter XL ECG, CodeMaster Defibrillator)
* Instromedix (LifeSigns Home Health)
* Medtronics Physio-Control (Dir. Adv. Dev.)
* Code Blue Communications (Bluetooth modules, consulting)
* connectBlue (Sales and Marketing)
* Code Blue Consulting & Cocoanut Manor (BTLE products)
* Cinq Cellars winery (gratuitous plug)
Consumer, Type I, II, III devices, 510(k), PMA, PMAs
Take the red pill, Neo
Think about this from a medical device…
What is a Medical Device?
* A Medical Device is “…an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent.....”, that is “...intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man...” or “...intended to affect the structure or any function of the body of man…” (from the US FDA)
The new MDDS & Medical Device and wireless technologies
* WLAN
  * 802.11b/g/n: 2.4 GHz, DSSS/OFDM
  * 802.11a/n: 5.2 GHz, OFDM
* Bluetooth
  * Smart Ready: 2.0+EDR, low energy: 2.4 GHz, FHSS
* NFC
  * 13.56 MHz
* A-GPS (rcv only)
  * L1: 1575.42 MHz
  * L2: 1227.6 MHz
* Glonass (rcv only)
  * L1: 1602 MHz (fc)
  * L2: 1246 MHz (fc)
* CDMA EV-DO Rev. A and Rev. B (800, 1700/2100, 1900, 2100 MHz)
* UMTS/HSPA+/DC-HSDPA (850, 900, 1700/2100, 1900, 2100 MHz)
* TD-SCDMA 1900 (F), 2000 (A)
* GSM/EDGE (850, 900, 1800, 1900 MHz)
* FDD-LTE (Bands 1, 2, 3, 4, 5, 7, 8, 13, 17, 18, 19, 20, 25, 26, 28, 29)
* TD-LTE (Bands 38, 39, 40, 41)
The 2.4 GHz world…
* WiFi Scanner – 802.11 at 2.4 GHz and 5 GHz
* Lightblue – Bluetooth low energy
Demo
Examples
* Hospital equipment
* Defibrillator
* Bedside patient monitor
* MRI
* Infusion pump
* …
* Chronic disease management
* Diabetes
* Pulmonary: COPD
* Heart disease
* Pain
* Rx delivery
* Diagnostics out of hospital
* External/wearable
* Implanted
* Home Health
* Infusion
* Dialysis
* Sleep apnea
All medical (and health) devices shall be connected
* Why?
* Where?
* How?
All medical devices shall be connected – Why?
* Connectivity
* Electronic Health Record (EHR)
* Charge capture (billing)
* Big Data analytics
* Wireless is replacing wired connections
* Mobility/safety
* Data collection
* Telemedicine
* Remote consultation & review (photo)
* Home Health
* Aging in Place
* Health and Fitness
All medical devices shall be connected – Where?
Emergency! 1972-1977
* Classic answers:
  * Hospital
  * EMS
  * Home
* Real answers:
  * Starbucks
  * 37,000 feet
  * Stuck on I-5
  * In the bathroom
  * In the elevator
* Real environments require creative solutions for connectivity
Example system: Chrono Therapeutics
[Diagram labels: Wearable: sensors, button, Rx delivery; Usage, data; Settings, software; Patient info, data; AI coaching; Use data; EHR?; Real-time Personal Coaching/Analytics; Billing; Short-range; Long-range; Enterprise]
Photos and information obtained from www.chronothera.com
Wandering and wondering in the wide world of short-range wireless
* Two real choices for short range data transfer
  1) WiFi – IEEE 802.11
  2) Bluetooth
     a) Bluetooth classic
     b) Bluetooth low energy
* Everything else
  * RFID/NFC – expect usage in UDI and asset tracking
  * ZigBee, Thread – IEEE 802.15.4 based – coexistence challenge
  * MICS (Medical Implant Communication System) – supply, $$
  * MBAN (Medical Body Area Network) - ??
What are the issues for Medical Devices and networks?
* Medical Device data
* Patient information (personal, medical)
* “Protected Health Information” - PHI
* Measurements and waveform
* Device & network configuration and provisioning
* Firmware upgrade
* Security certificates
* The attack surface increases as connectivity increases
Why do we care?
* Patient lives are at stake, both directly and indirectly!
* HIPAA requirements – medical record portability & privacy
* Protects you from unauthorized use of your medical information
* E.g.: employer discriminating for a medical condition
* FDA requirements
* OTS software guidance
* Premarket submission guidance
* Postmarket management
* Company reputation and value is at stake
* St Jude Medical / Muddy Waters
How real is this? Hacking is evolving and accelerating!
* Early public disclosure: “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses” - 2008 IEEE Symposium on Security and Privacy
* 2015 - Hospira infusion pumps: https://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/
* Recently: “Los Angeles Hospital Pays Hackers $17,000 After Attack” – February 2016
* Very recently: “J&J warns diabetic patients: Insulin pump vulnerable to hacking” – October, 2016
* Not medical, but very interesting: Segway Bluetooth hack: https://www.wired.com/story/segway-minipro-hack
IoM: the Internet of Medical
* Medical devices are IoT devices going forward
* “Hacked Cameras, DVRs Powered Today’s Massive Internet Outage”, October 16, 2016
* The ‘botnet of things’?
* Ransomware, ex: WannaCry – May 2017, more than 230,000 computers in over 150 countries, lots of hospital computers included…
* Medical device designers need to design and implement appropriate cybersecurity measures
Why does this happen? Development lifecycle & cybersecurity
[Figure: two panels, "Common timeline to date" and "Future development", each with Time and Features axes; labels: ship, implement security; ship, implement security, revise/refine security]
Making security part of the Product Lifecycle
* Requirements
* Specifications
* Hazard analysis / Risk analysis and management
* Testing
* Release criteria
* Continuous monitoring & improvement
* Monitoring
* Update releases
Risks to consider - examples
* Modification of information
* Misuse of information
* Denial of use
* Open ports
* Unused/unnecessary profiles/services
* Unauthorized apps on system
* Debugging code or entries
* Off The Shelf (OTS) software patch doesn't get applied
* OTS software is changed without being validated
* Malware
* Endanger patient health
* Compromise identity or privacy
Potential wireless-specific hazards
* Eavesdropping
* Spoof/mimic data connections
* Man in The Middle (MTM) attacks during pairing
* Over The Air (OTA) upgrades
* Setting changes
* Advertising promiscuously
Regulatory guidance and requirements
* The FDA recently clarified guidance for software revisions due to cybersecurity
* No agency submissions required
* NIST Cybersecurity Framework, Draft v1.1 - 1/17
* Recent US Government report: “Report on Improving Cybersecurity in the Health Care Industry”
* See references provided for specific guidance
My advice to clients
* Don’t panic, but think like a hacker
* Apply appropriate measures relative to the risk
* Consider usability
* Consider patient safety – cannot compromise!
* Make cybersecurity part of hazard analysis and mitigation process
* Consider end-to-end data path
* Follow & read up on news – this is an evolving issue
* Limit attack surface
* Consider connectivity changes that present new and unintended points of attack or disclosure
Q&A
* Bill Saltzstein, Code Blue Consulting, bill@consultcodeblue.com, 425-442-5854
Reference material
Recommended FDA guidance
* FDA landing page for Digital Health
  * http://www.fda.gov/medicaldevices/digitalhealth/
* General Wellness: Policy for Low Risk Devices
  * http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM429674.pdf
* Mobile Medical Applications
  * http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM263366.pdf
* Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices
  * http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM401996.pdf
* Radio Frequency Wireless Technology in Medical Devices
  * http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077272.pdf
* Guidance for Industry, FDA Reviewers and Compliance on Off-The-Shelf Software Use in Medical Devices
  * http://www.fda.gov/downloads/MedicalDevices/.../ucm073779.pdf
* Software as a Medical Device (SaMD): Clinical Evaluation (draft)
  * http://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm524904.pdf
* Enforcement discretion
  * http://www.fda.gov/MedicalDevices/DigitalHealth/MobileMedicalApplications/ucm368744.htm
Selected Cybersecurity References
* Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software
  * http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077823.pdf
* Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
  * http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf
* Postmarket Management of Cybersecurity in Medical Devices
  * http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022.pdf
* ISO 14971:2007 Medical devices -- Application of risk management to medical devices
  * http://www.iso.org/iso/catalogue_detail?csnumber=38193
* HHS: Your Mobile Device and Health Information Privacy and Security
  * https://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security
* Archimedes – Ann Arbor Research Center for Medical Device Security
  * https://secure-medicine.org
* BITAG: Internet of Things (IoT) Security and Privacy Recommendations
  * http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf
* Diabetes Technology Society: https://www.diabetestechnology.org/dtsec.shtml
AAMI
* TIR57: Principles for medical device security — Risk management
  * https://standards.aami.org/kws/public/projects/project/details?project_id=876
* TIR59: Risk Assessment of radio-frequency wireless coexistence for medical devices and systems
  * https://standards.aami.org/kws/public/projects/project/details?project_id=1114
* ANSI C63.27
* AAMI TIR69 as well for coexistence
NIST
* NIST: Cybersecurity Practice Guide, Special Publication 1800-1: “Securing Electronic Health Records on Mobile Devices”
  * https://nccoe.nist.gov/projects/use_cases/health_it/ehr_on_mobile_devices
* NIST: Guide to Bluetooth Security
  * http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-121r1.pdf
* Cybersecurity Framework v1.1 – 1/17
  * https://www.nist.gov/cyberframework/draft-version-11
* Infusion pump draft
  * https://nccoe.nist.gov/sites/default/files/library/sp1800/hit-infusion-pump-nist-sp1800-8-draft.pdf
Bluetooth SIG
* Transcoding (and other) White papers: https://www.bluetooth.com/develop-with-bluetooth/white-papers