Medical Device Cybersafety – A Pragmatic Approach to Solving a Complex Problem

Oct 13, 2016

David Clapp, ITIL, TOGAF, HCISPP
Principal Security Architect Healthcare
Symantec Corp.

“The time is ripe to stop admiring the problem”
Suzanne Schwartz, MD, MBA
EMCM / FDA CDRH

What do these two gentlemen have in common?

Dick Cheney, former U.S. VP
Jay Radcliffe, Security Researcher

Both made medical decisions based out of concern that their implanted medical device could be hacked!

Copyright © 2016 Symantec Corporation


Medical Device Cybersecurity - Agenda

1 Cybersecurity Introduction

2 Medical Devices Under Attack?

3 Regulatory Landscape

4 Solving for Complexity

5 Conclusion & Summary

6 Appendix


Understanding Today’s Threat Actors
Individuals → Organized Crime → Cyberwarfare → Hackers for Hire

| Motivation | Assets | Who |
|---|---|---|
| Economical, political, military | IP, credentials, classified data, infrastructure | Cyber armies, terrorists |
| Financial, theft, blackmail, data resale | IP, certificates, identities, credentials, trade secrets, infrastructure | Virtual crime networks, hackers for hire |
| Damage brand or name, support agenda | Brand, personal information, infrastructure | Various (Anonymous, Syrian Electronic Army, etc.) |
| Revenge, personal gain, whistleblower | IP, customer data, trade secrets | Current or former employees, partners, contractors |
| Financial gain, competitive advantage | IP, customer data, trade secrets, operational data | Companies operating outside of the law |

From Fame to Fortune - From Dorms to Dollars


Who is the Enemy?


http://www.symantec.com/threatreport

Symantec Internet Security Threat Report, Vol. 21


Some Facts about Today’s Underground Economy:
• Estimated impact on global businesses: $1 Trillion
• Estimated profit for cyber criminals: several $100 Million
  • … of which ~40% are reinvested in new technologies
• A flourishing Underground Market for:
  • Data (IP, trade secrets, government)
  • Identities (financial, medical, …)
  • Credentials (email, social media, gaming, corporate, …)
• As well as Goods and Services:
  • Hackers for Hire (attack missions)
  • Vulnerabilities (most-prized: zero-days)
  • Malware and services (incl. testing and delivery)
  • Tools and compute resources
• And a developing market for cyber weapons and services
• Supported by a convoluted lot of state actors, criminals, hackers of varying shades, political and financial interests.


The State of the Industry
We have made little progress on security, really

The Brookings Institute, May 2016: “Hackers, phishers, and disappearing thumb drives: Lessons learned from major health care data breaches”

Almost half had little or no confidence that they would detect all breaches.

Only 21% had no or one breach in the past 2 years.

Criminal Attacks continue to increase as the root cause.

Ponemon Institute, 2016: “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data”.


Medical Device Cybersecurity
Introduction to the Problem Space

Risks:
• Patient safety (lives)
• Operational / Downtime
• Data Breaches / Fines
• Revenue / Financial
• Patient trust & Staff morale
• National security

Vulnerability:
• Tightly regulated “turn-key” systems
• Long useful life
• Poorly protected & patched
• No detection & alerting
• Ecosystem Complexity
• Vulnerability of device, hospital, & health system

Threats:
• Targeted attacks
• Collateral damage
• Malware remediation
• Theft / Loss
• Compliance violation
• Lateral attack / weakest link exploitation
• Hacktivism, terrorism


Introduction to Medical Device Cybersecurity

Why is it such a focus now, as compared to a few years back?

Main Events:

2008 – Pacemaker hack (Kevin Fu, UMass Amherst).

2011 – Insulin Pump hack (Jerome Radcliffe, Black Hat Conference).

2013 – Discovery of a wide range of vulnerabilities: surgical and anesthesia devices, ventilators, infusion pumps, defibrillators, patient monitors, laboratory equipment (Billy Rios and other Security Researchers).

2013 – Department of Homeland Security Alerts (ICS CERT); Government Accountability Office Report

2014 – FBI Alerts to Healthcare Industry, NIST NCCoE Medical Device Use Case project launched, AAMI/ECRI safety warning on cyber risks.

2014 – FDA Cybersecurity Guidance and Workshop - Premarket

2015 – HHS OIG announced that it will include networked medical devices in upcoming audits.

2016 – FDA Cybersecurity Guidance and Workshop – Postmarket (draft)


Medical Device Security – not just a Healthcare Topic


Medical Device Risks - Examples
• Device hacks
• Device loss/theft (PHI breach)
• Drug abuse
• Patch deployment failure
• Multiple reports on device testing – with disastrous results
• ICS-CERT (DHS), FBI, FDA warnings
• Audit & Compliance Risk


Medical Devices – Now Targeted and Exploited!

• MedJack: Medical Device Hijack
• APT exploit of Medical Devices
• 3 hospitals, 3 different medical devices (Blood Gas, X-Ray, PACS)
• Undetected, difficult to remediate
• “Near perfect target”:
  • Limited IT visibility
  • Unprotected / unpatched
  • Entry point to the network
  • Common, widespread vulnerabilities
• This is not hypothetical anymore; devices are being exploited!
  • Pivot point to enter network
  • Invisible to IT security
  • Zeus, Conficker, Citadel (Ransomware!)

http://deceive.trapx.com/AOAMEDJACK_210_Landing_Page.html

TrapX has since claimed that they have seen this in 60 hospitals and traced the attacks back to servers controlled by a Russian crime syndicate.

http://www.bloomberg.com/features/2015-hospital-hack/


… and, as reported by Protiviti

• Exposed 68,000 Medical Devices from a large, unnamed US health group.
  • Discoverable via Shodan Search Engine.
  • Thousands of misconfigurations and direct attack vectors, incl. Win XP.
  • Allows for detailed mapping of network, including devices.
• MRI and Defibrillator “honeypots”.
  • 55,416 login attempts over 6 months.
  • 299 attempts to install malware.
  • 24 exploits of Conficker vulnerability
• Conclusion:
  • Medical Devices are a recognized target!
  • Most likely because they are vulnerable, not because of what they are.
• We have to assume that there are many “owned” devices out there.

http://www.bbc.com/news/technology-34390165


Sept. 2015


Medical Devices – More Insight
• Analyzed 3 new hospitals
• Evolution of MedJack attack strategy
• Botnets and backdoor exploits under control of an attacker
• Repackaging of old malware:
  • Attacks often remained undetected by traditional security in place
  • Targeting older / unpatched versions of Windows, thus not affecting normal IT
  • But not detected by unprotected devices
• There is indication that this is a deliberately chosen attack strategy
• Identified targets:
  • Fluoroscopy workstation
  • PACS / MRI
  • C-Arm X-Ray
• Attacks well orchestrated and moving across networks after beachhead was established

http://deceive.trapx.com/rs/929-JEW-675/images/AOA_Report_TrapX_MEDJACK.2.pdf

June 2016


Medical Device Reality Check

Device Manufacturer

Desired:
• Secure devices (C-I-A)
• Responsible use of COTS
• Cost-effective lifecycle management
• End-of-life process
• Minimize support incidents due to SW & security issues
• Protect intellectual property
• Maintain manufacturing integrity

Reality:
• Increasingly targeted and sophisticated hacks (cyber crime)
• Highly publicized vulnerabilities
• Growing regulatory pressures, but also clarity
• Customer expectations
• Process & overhead
• Yet another quality issue to deal with

HC Delivery Org.

Desired:
• Secure devices (A-I-C)
• Secure ecosystem (integration, network, handling, maintenance)
• Compliance (HIPAA, TJC)
• Minimize risks: patient safety, care delivery, revenue
• Comprehensive Security RA
• Minimize duplicate efforts

Reality:
• Insecure devices
• Unclear security responsibility
• Security not a purchasing & maintenance driver
• Incomplete asset inventory
• Incomplete vie/security properties
• Not included in Security RA
• Complex change management


Medical Device Cybersecurity: Impact Potential
What we know to date

Impact categories (columns): Cyber Conflict, Market manipulation, Patient Harm, Care Delivery, Clinical Operations, Drug Abuse, Security Exploit, IP Theft, Data Breach, IT Impact, “Product Improvements”

Actual events:
Malicious Attack: R R R
Malware Infection: R R R R
Other: R R R R
Security Research: R D D D D D D

R = Reported
D = Demonstrated

Medical Device Cybersecurity
What the discussion comes down to

Consequences / Risks (categories: Patient, Criminal, Indirect, National):
• Patient Safety
• Patient Trust
• Device Functionality
• Device Performance
• Treatment Decisions
• Network Reliability
• Alarm Delays
• Patient Harm
• Revenue Loss
• Drug Abuse
• Unauthorized Access
• Beachhead Attack
• Cyberwarfare
• Data Breach
• ePHI Exposure
• Treatment Delays
• Staff Productivity
• Blackmail / Ransom
• Intellectual Prop. Theft
• Assassination, Murder
• Cyberterrorism, Hacktivism
• Cybercrime
• Law Suits & Fines
• Public Opinion

Availability – Integrity - Confidentiality


Challenges of Complexity

Technical
• Number of Systems & Types
• Number of Platforms
• Number of Vendors
• Network Complexity
• Remote Access

Organizational
• Device Ownership
• BioMed to IT Relationship
• Security & Risk Responsibility
• Procurement Decisions
• 3rd Party Maintenance

Operational
• Regulatory Restraints
• Multiple Regulations
• Change Management
• 24/7 Operations
• Device to System Dependencies
• Continual Change

Impact
• Patient Safety
• Care Delivery
• Patient Treatment Decisions
• Privacy Breaches
• Compliance Violations
• Risk of Law Suits and Fines
• Revenue Stream
• National Security

Complexity is part of the problem. It is a true “System of Systems” challenge – on all levels: technical, organizational, operational, and impact potential.


Medical Device Introduction: Key Takeaways

Complexity abounds: Cybersecurity, Patient Safety, Care Delivery, Reputation, Law Suits, Fines, and Patient Trust!

• Vulnerabilities everywhere we look.
• Medical devices have become an identified target.
• Change is difficult: education, design practices, regulatory burden, complexity, economic limitations.
• A risk to the device, healthcare system and national security!


Regulatory & Government Stakeholders
Regulatory Complexity – Overlaps and Gaps

Requiring multiple Risk Analyses?
• FDA: Safety and Effectiveness
• HHS: Assure C-I-A of ePHI (HIPAA)
• The Joint Commission: Medical Equipment Safety (EC 02.04.01)

Medical Device Cybersecurity: Regulatory Overlap yet Execution Gaps

Other Stakeholders:
• FBI – Crime Prevention
• DHS – National Security
• FTC – Consumer Protection
• FCC – Wireless Reliability
• NIST – Standardization (national)
• ISO – Standardization (global)
• UL – Assurance & Certification
• IEEE – Engineering Frameworks
• Others: HIMSS, AAMI, IHE, VA/DoD, MDISS, Mitre, NEMA, …

Diagram labels: HDO, Mfr.


FDA Regulation to assure Safety and Effectiveness

Increasing Patient Safety Risk = Increasing Regulatory Controls

• Class I: General Controls
• Class II: General Controls, Special Controls
• Class III: General Controls, Premarket Approval (PMA)

Certain Class I/II device types are listed as “510(k) exempt”

General Controls, e.g.:
• Manufacturer registration
• Device listing with FDA
• Quality System / GMP
• Labeling
• Reporting (MDR)
• 510(k) Premarket Notification

Special Controls, e.g.:
• Performance standards
• Postmarket surveillance
• Special labeling

PMA:
• Scientific and regulatory documentation to prove safety and effectiveness

FDA position on cybersecurity updates:
a) Should be part of Mfrs. Quality System
b) Do not require resubmission to the FDA


US Food and Drug Administration (FDA)
Evolving view on Off-the-Shelf (OTS) software

1999: “Guidance for Industry on Compliance of Off-the-Shelf Software Use in Medical Devices”
SW as a static component
• Treating OTS software like any other device component:
  • Requires documentation
  • Include in verification & validation
  • Specific hazard analysis and mitigation
  • Describe residual risk

2005 (2009): “Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”
SW’s unique lifecycle mgmt. & security needs
• Cybersecurity requires software lifecycle mgmt. = patching
• Clarified that:
  • Vulnerabilities can affect safety
  • Cybersecurity is part of the manufacturer’s Quality System and Corrective Action Plan
  • Security patches do not require resubmission to the FDA

2014: “Content of Premarket Submissions for Mgmt. of Cybersecurity in Medical Devices - Guidance for Industry”
Software system cybersecurity needs
• Manufacturer responsibility:
  • Limit unauthorized access
  • Ensure trusted content
  • Provide a fail-safe mode
  • Retention & recovery
• Documentation:
  • Hazard analysis, mitigation
  • Cybersecurity controls
  • Patching & lifecycle mgmt.
  • Security instructions

2016: Draft: Postmarket Management of Cybersecurity in Medical Devices
Transparency & vulnerability sharing
• “Essential Clinical Performance”
• ISAO
  • Inf. Sharing Analysis Org.
  • Certain protections
• Clarification on Security Patches and Updates
• Vulnerability mgmt.


FDA Guidance (Oct. 2014):
• Identify & Protect
  • Limit access to trusted users
    • E.g. no common or hardcoded passwords
  • Ensure trusted content
• Detect, Recover, Respond
  • Detect, recognize, log, and act upon security incidents
  • Actions to be taken
  • Protect critical functionality
  • Recover device configuration
• Cybersecurity documentation
  • Hazard analysis, mitigation, design considerations
  • Traceability matrix (cybersecurity controls to risks)
  • Update and patch management
  • Manufacturing integrity
  • Recommended security controls

http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf

FDA reported that 53% of submitted 510(k) applications did not include cyber risk information


http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf

FDA Postmarket Guidance (Draft Jan. 2016):

• Cybersecurity is a shared responsibility
• “Information Sharing Analysis Organization”
  • ISAO - Multi-Stakeholder
  • Voluntary but: actionable, transparent, trusted
  • Information shielded from release, exempt from regulatory use and civil litigation
  • Critical component of a comprehensive approach to cybersecurity
• Introduces “Essential Clinical Performance”
• “Cybersecurity routine patches and updates”
  • Generally not required to be reported
  • Unless serious adverse health consequences or unacceptable residual risk
• Other key Manufacturer guidance:
  • Threat and incident monitoring
  • Vulnerability disclosure policy
  • Receive and process vulnerability reports
  • Practice good cyber hygiene


Impact of FDA Regulation on Providers:

• For “regulated medical devices” manufacturer approval is required:
  • Cannot install unapproved after-market security
  • Cannot install unapproved patches (even OS or other COTS)
  • Cannot install unapproved management agents
• But – there are exceptions:

| | Regulated: Medical Device | Regulated: SW-only Device | Non-regulated: Other Clinical | Non-regulated: Other OT |
|---|---|---|---|---|
| Examples | MRI, EKG, Monitoring | PACS viewer or server | Pharmacy, Fridges, Sterilization | Building, HVAC, Telco |
| Device | No | No | Yes* | Yes* |
| Platform | No | In most cases* | Yes* | Yes* |
| System | Maybe* | In most cases* | Yes* | Yes* |

* = check with manufacturer to:
• Understand “envelope” of the regulated device
• Potential contract, warranty, or support implications

Note – this slide is a highly summarized interpretation of the FDA guidance, please refer to the actual document for regulatory and legal advice.


The Problem Spectrum
A (simplified) View of Medical Device Risks

“Collateral Damage”: General platform, wired/wireless network
High risk of operational impact due to broad vulnerabilities, e.g. malware related shutdown.
But – little patient safety risk!

Security Research: Implantable, proprietary, short range comm
Requires targeted attack, technical skill, and affects only one patient.
But – patients can die

Anything in between

The big “IF”:
• Assassination, murder, attack on hospital or manufacturer reputation
• Targeted attack on highly vulnerable hospital ecosystem

[Chart axes for both ends of the spectrum: Impact vs. Likelihood]


Medical Device Cybersecurity Path Forward
Summary

Protect Device
Manufacturer:
• Hardened design
• Software best practices
• HIDS/HIPS
• Key/Certificate-based technologies:
  • Encryption
  • Device certificates
  • Code signing
  • Secure boot
HDO:
• Secure handling
• Media use, esp. USB
• Integration best practices

Protect Ecosystem
Manufacturer:
• Secure remote access
• Strong password / 2FA
• Security best practices documentation
• Enablement & Training
HDO:
• Network architecture
• Security event monitoring
• Firewalls / Gateways
• Enablement & Training

Manage Devices
Manufacturer:
• Lifecycle mgmt. (patch & update deployment)
• V&V incl. security, e.g. pen testing
• Vulnerability disclosure
• Software BOM (Supply Chain)
HDO:
• Procurement & Contracting
• Asset management (incl. security)
• Dependency mgmt.
• Risk Management:
  • Risk Assessment: safety, security, privacy, operations, reputation
  • Mitigation

Manage Incidents
Manufacturer:
• Threat & Vulnerability monitoring and management
• Regulatory reporting
HDO:
• Detect, Respond, Recover
• Impact Analysis, Forensics
• Communication & Decision making
• Report as needed


Example 1: Protecting the Device – Host-based Security
Standard Platforms (Windows, Linux, QNX)

| Traditional Approach: Malware Blocking | Whitelisting Behaviors: Sandboxing |
|---|---|
| Ineffective on zero-day | Effective on zero-day |
| Ensures self-protection | Protects OS critical resources |
| Customization or separate product | Protects applications from each other |
| Large footprint | Small footprint |
| Signature based | Behavior / policy based |
| Internet access required | No internet access required |
| Reactive | Proactive |
| Appropriate for networked general compute devices (servers, workstations) | Appropriate for dedicated purpose and embedded systems. |


Example 1: Critical System Protection (SES:CSP)

On-device security:
• Ease Lifecycle Management and Patch pressures
• EOL OS “lifeline”
• App & Process Whitelisting
• Process/Port control
• System administration

Manufacturer Use:

FDA-regulated Medical Device:
• Example: Imaging, Diagnostics
• Protect platform and critical files
• Control traffic and system behavior
• Alleviate lifecycle management pressure

HDO use with non-regulated systems:
(Still advisable to check with manufacturer)

Supporting IT System
• Workstations, Servers

Software-only Medical Device:
• Example: PACS workstation
• Protect platform (install on workstation)

Non-Medical Device:
• Example: fridges, building systems, nurse call, etc.
• Install on Device as permitted by Contract/Warranty


Example 1: Critical System Protection (SES:CSP)

Symantec Critical System Protection Embedded

Network Protection (Host IPS)
• Close back doors (block ports)
• Limit network connectivity by application
• Restrict traffic flow inbound and outbound

Exploit Prevention (Host IPS)
• Restrict apps & O/S behaviors
• Protect systems from buffer overflow
• Intrusion prevention for zero-day attacks
• Application control

System Controls (Host IPS)
• Lock down configuration & settings
• Enforce security policy
• De-escalate user privileges
• Prevent removable media use

Auditing & Alerting (Host IDS)
• Monitor logs and security events
• Consolidate & forward logs for archives and reporting
• Smart event response for quick action

Note tie-back to FDA Cybersecurity Guidance


Example 2: Managed Key (mPKI) Infrastructure

Three main use cases

Traditional
• 2FA
• SSL / TLS / DTLS
• Email
• Encryption

IoT / embedded
• Device Certs
• Secure boot
• Code signing

Industry-specific
• Electronic transactions
• EPCS

• Full certificate Lifecycle Management: issue, enroll, manage, revoke
• Certificate hierarchy (hardware “root of trust”)
• Secure boot, secure updates, chain of trust, chain of custody
• Delivery models: public CA, private CA, IoT-specific CA


Example 3: Symantec Anomaly Detection – Coming Soon

• Anomaly Detection passively listens to network traffic
  • No disruption to operations, no downtime
• Anomaly Detection is a software solution typically deployed on a gateway or router in each department/floor
  • Operates with <500MB RAM
  • Doesn’t require new hardware
• Anomaly Detection will feature a dual UI
  • Edge UI – Enables floor-level monitoring and incident investigation
  • Aggregate UI – Aggregated view for whole hospital
• Anomaly Detection performs deep packet inspection to look into the message payloads
  • Compare against HL7 & DICOM standards
  • Establish expected ranges of payload values (i.e. sensor readings)
  • Catch packets malformed at the L7 layer

Symantec Confidential


Anomaly Detection provides 2 key features

1. Asset Detection provides users with a single pane of glass view of the assets in their network, learned automatically

2. Anomaly Detection protects healthcare systems from zero day attacks and subtle, sophisticated attacks in real time


The first step is Asset Detection

• By passively observing message traffic, this solution can map the network assets and communication channels
  • What devices are present, and their specs: IP and MAC address, device type and manufacturer (when possible)
  • Which devices communicate with which other devices
• The solution will display these devices through a clear, detailed UI

Asset Detection enables greater system monitoring and understanding, and is the first step in Anomaly Detection


Anomaly Detection proactively identifies attacks by flagging anomalous activity

40Symantec Confidential

• Anomaly Detection learns the baseline of activity in the system at the most granular level

• IP addresses, active ports, protocols, message length, etc.

• Deep packet inspection – expected field values and ranges

• Once the system baseline is established, anomalous activity is flagged for investigation

• Anomaly detection utilizes machine learning algorithms to detect new, subtle attacks that wouldn’t trigger basic detection rules

• Doesn’t require user to set rules or policies (unless they choose to)

• Incidents are prioritized based on perceived criticality

• User will see where the incident took place and why the incident was flagged

• User has option to provide feedback to inform detection performance
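A minimal sketch of the two steps on the Asset Detection and Anomaly Detection slides, added here as an illustration and not Symantec's product code: it learns an asset inventory and per-channel baseline from passively observed flow records, then flags deviations with a reason and ranks them. The flow tuple layout, `Baseline`, `triage` and the `SEVERITY` weights are assumptions, and simple set and range checks stand in for the machine-learning algorithms the slide mentions.

```python
from collections import defaultdict

# Constructed flow records, not captured traffic:
# (source MAC, source IP, destination IP, protocol, destination port, payload length)
TRAINING = [
    ("00:00:5e:00:53:01", "10.20.0.11", "10.20.0.5", "tcp", 2575, 410),
    ("00:00:5e:00:53:01", "10.20.0.11", "10.20.0.5", "tcp", 2575, 455),
    ("00:00:5e:00:53:02", "10.20.0.12", "10.20.0.5", "tcp", 2575, 300),
    ("00:00:5e:00:53:02", "10.20.0.12", "10.20.0.9", "udp", 123, 48),
]
# Assumed weights standing in for the slide's "perceived criticality".
SEVERITY = {"unknown-asset": 5, "mac-changed": 4, "new-peer": 3,
            "new-service": 3, "length-out-of-range": 1}

class Baseline:
    def __init__(self, flows=(), slack=0.25):
        self.slack = slack                # tolerated drift beyond learned lengths
        self.assets = {}                  # IP -> MAC (the asset inventory)
        self.peers = defaultdict(set)     # IP -> destinations it talks to
        self.services = defaultdict(set)  # (src, dst) -> {(protocol, port)}
        self.lengths = {}                 # (src, dst, protocol, port) -> (min, max)
        for flow in flows:
            self.learn(flow)

    def learn(self, flow):
        mac, src, dst, proto, port, length = flow
        self.assets[src] = mac
        self.peers[src].add(dst)
        self.services[(src, dst)].add((proto, port))
        lo, hi = self.lengths.get((src, dst, proto, port), (length, length))
        self.lengths[(src, dst, proto, port)] = (min(lo, length), max(hi, length))

    def check(self, flow):
        """Return the reasons a flow deviates from the baseline (empty if normal)."""
        mac, src, dst, proto, port, length = flow
        if src not in self.assets:
            return ["unknown-asset"]
        reasons = ["mac-changed"] if self.assets[src] != mac else []
        if dst not in self.peers[src]:
            reasons.append("new-peer")
        elif (proto, port) not in self.services[(src, dst)]:
            reasons.append("new-service")
        else:
            lo, hi = self.lengths[(src, dst, proto, port)]
            if not lo * (1 - self.slack) <= length <= hi * (1 + self.slack):
                reasons.append("length-out-of-range")
        return reasons

def triage(baseline, flows):
    """Return (score, src, dst, reasons) for deviating flows, most critical first."""
    hits = [(f, baseline.check(f)) for f in flows]
    incidents = [(sum(SEVERITY[r] for r in why), f[1], f[2], why) for f, why in hits if why]
    return sorted(incidents, key=lambda i: i[0], reverse=True)
```

Build the baseline with `Baseline(TRAINING)` during a learning window, then pass later flows to `triage`; each incident carries the source, destination and reasons an analyst needs to see where and why it was flagged.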


The Complete Healthcare Security Picture

[Diagram components: Symantec SOC; Log Collection Agent; Security Analysts; Customer Portal; DeepSight Global Threat Intelligence; Data Warehouse; Correlation; Anomaly Detection; Biomedical Network; IT Production Network]


Example 4: Medical Device Asset and Risk Management

Utilize existing standards: MDS2 and ISO/IEC 80001 series

Asset Management
• Assets & configurations
• IT and security properties
• Understand use case

Procurement & Contracts
• Security requirements
• Define vendor obligations
• Sign-off & approval

Security Risk Assessment
• Comprehensive risk score
• Impact vs. likelihood

Risk Mitigation
• Device (with manufacturer)
• External (network, handling)

Risk Management
• Continual, comprehensive
• Device risk ↔ system risk

Lifecycle Mgmt.
• Onboarding -> EOL
• Upgrades & patching
• Change management
• Dependency mgmt.
• Replacement planning

Incident Response
• Analysis & recovery
• Management & reporting
• Forensic investigation
• Vendor communication
• Process improvement

Security Risk Analysis
• Threat landscape
• Vulnerability profile(s)


Example 4: Provider Best Practices Approach

Data Flow and Example Architecture

[Diagram components: Control Compliance Suite: Risk Management; Altiris: Unified Asset View; Other (DHCP, NAC, …); 3rd Party CMMS; Procurement & Contracting; Device Security Properties (MDS2); Manufacturer; Remediation & Mitigation; Asset risk scoring; Frameworks (IEC 80001, NIST, …); 3rd Party CMDB; Network Security Gateway; Symantec; DeepSight Security Intelligence; Managed Security Services]

Utilize existing data sources as available.

Overcoming Limitations:
• Incomplete asset view
• Limited IT & security visibility
• Lack of asset discovery
• Disparate processes
• Can’t automate patching

Benefits:
• Single, holistic view:
  • Assets
  • Security
  • Risks
• Risk mitigation
• Change management
• Automate remediation & patch workflows
• Front-to-back process integration

Example 4: Biomedical Asset Manager

Resource Association and Dependency


Example 4: Biomed Asset Management: Benefits

Holistic database to address ITSec and BioMed needs

Unify Asset Data
• Comprehensive, across management systems and data sources
• Include BioMed and IT / Security properties; role-specific views
• Agentless discovery and scans

Integrate with Existing Systems
• CMMS, CMDB, NAC, AD, etc.
• Ticketing and other workflow systems
• Security management systems

Map Device Dependencies
• Device to IT (server, workstation, network)
• Infrastructure, location, ownership
• Prevent device impact due to IT changes

Supporting Risk Management
• Deliver comprehensive asset list for risk scoring
• Automate Risk Management processes and policy management
• Support risk mitigation & documentation

Full Front-to-Back Integration
• Procurement, contracting, license management
• Lifecycle management, maintenance, updates and patching, recalls
• End-of-life processes


Securing the Medical Device Ecosystem

How Symantec is helping Stakeholders

Secure Communication & Access

Protect Manufacturing Integrity

Protect Intellectual Property

Secure Devices

Protect Critical Data

Regulatory & Policy Management

Asset Management

Risk Mgmt. & Mitigation

Network Security

Device Manufacturer

Healthcare Delivery Organization

Server hardening, authentication

Code signing, secure boot, platform hardening

Messaging certs, encryption, mPKI

Platform hardening, authentication

Authentication & access mgmt.

Contract & Requirements Mgmt.

Holistic & Comprehensive Asset Inventory & View

Risk scoring and assessment, mitigation management

Security gateway; anomaly detection

Cybersafety – It’s a shared Responsibility

Increasing and Sophisticated Cyber Threats

Growing Regulatory Pressure & Compliance Risks

Complex and Highly Integrated Ecosystem of Vulnerable Devices

• Procurement & Contract Management
• Risk Analysis & Management
• Asset Management
• Network Security & Architecture
• Processes & Workflows

Device Manufacturers Healthcare Providers

• Encryption & Data Privacy
• Platform and Critical System Protection
• Device Certificates, Code Signing, Secure Boot
• Security Capabilities (detection, logging)
• Cybersecurity Documentation & Updates
• Access & Authentication

Shared Problem

Coordinated Solutions Approach

Thank you!

Copyright © 2016 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

David Clapp


(262) 424-2061


Internet of Things (IoT) Security Reference Architecture: www.symantec.com/iot

https://www.securityevaluators.com/hospitalhack/


IEEE: Building Code for Medical Device Software Security

• Nov. 2014 Workshop
• Released May 2015
• Addressing device manufacturers’ secure SW design needs.
• Key Elements:
  • Avoid vulnerabilities
  • Cryptography
  • SW integrity
  • Impede attackers
  • Enable detection
  • Safe degradation
  • Restoration
  • Maintain operations
  • Support privacy

http://cybersecurity.ieee.org/images/files/images/pdf/building-code-for-medica-device-software-security.pdf

IHE International - PCD MEM

Patient Care Device Domain, Medical Equipment Management

MEM Whitepapers:
• Cybersecurity (2011: Education & Problem Baseline)
• Cybersecurity Best Practices (2015)
• Medical Device Patching (2015), co-authored by MDISS and IHE

Asset & Supply Chain Management

• Manufacturer Disclosure Statement for Medical Devices Security (MDS2)

• Medical Device Security should be part of the Procurement Process:
  - RFP Language
  - Request NEMA MDS2

• Developed in cooperation by HIMSS and NEMA

• New version Oct. 2013

• More detailed (2 -> 6 pages)

• Now harmonized with IEC 80001 technical controls

http://www.nema.org/Standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx


IEC 80001 Series

Application of Risk Management for IT-Networks Incorporating Medical Devices

IEC 80001-1:2010 - “Part 1: Roles, responsibilities and activities”

IEC 80001-2-1:2012 - “Part 2-1: Step by Step Risk Management of Medical IT-Networks; Practical Applications and Examples”

IEC 80001-2-2:2012 - “Part 2-2: Guidance for the communication of medical device security needs, risks and controls”

IEC 80001-2-3:2012 - “Part 2-3: Guidance for wireless networks”

IEC 80001-2-4:2012 - “Part 2-4: General implementation guidance for Healthcare Delivery Organizations”

IEC 80001-2-5:2014 - “Part 2-5: Application guidance -- Guidance for distributed alarm systems”

IEC 80001-2-6:2014 - “Part 2-6: Application guidance -- Guidance for responsibility agreements”

IEC 80001-2-7:2015 - “Part 2-7: Application guidance for healthcare delivery organizations (HDOs) on how to self-assess their conformance with IEC 80001-1”

IEC 80001-2-8 “Part 2-8: Application guidance -- Guidance on standards for establishing the security capabilities identified in IEC 80001-2-2”

IEC 80001-2-9 “Part 2-9: Application guidance -- Guidance for use of security assurance cases to demonstrate confidence in IEC/TR 80001-2-2 security capabilities”


From: “VA Medical Device Protection Program (MDPP)”, presented at the NIST Health Security Conference, May 11, 2011

Segregation (VLAN Network, Access Control)


Biomedical Instrumentation & Technology (BI&T)

Volume 50, Issue 1 (Jan./Feb. 2016)

http://aami-bit.org/toc/bmit/50/1

http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf

NIST Critical Infrastructure Cybersecurity Framework


http://www.etsi.org/deliver/etsi_tr/103300_103399/103305/01.01.01_60/tr_103305v010101p.pdf

ETSI: Critical Security Controls for Effective Cyber Defence


References - FDA

Postmarket Management of Cybersecurity in Medical Devices: Draft Guidance for Industry and FDA Administration Staff (Jan 2016) http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf

Content of Premarket Submission for Management of Cybersecurity in Medical Devices: Guidance for Industry and FDA Administration Staff (Oct. 2014) http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf

Information for Healthcare Organizations about FDA's "Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software" (updated July 2015) http://www.fda.gov/RegulatoryInformation/Guidances/ucm070634.htm

Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication (2013) http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm?source=govdelivery

Cybersecurity for Networked Medical Devices is a Shared Responsibility: FDA Safety Reminder (updated Oct. 2014) http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm189111.htm

Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software (Jan. 2005) http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm

Off-The-Shelf Software Use in Medical Devices (Sept. 1999) http://www.fda.gov/downloads/MedicalDevices/.../ucm073779.pdf

References - Other

Medical Device Software Patching, IHE PCD in Cooperation with MDISS (Oct. 2015), http://ihe.net/uploadedFiles/Documents/PCD/IHE_PCD_WP_Patching_Rev1.1_2015-10-14.pdf

Medical Equipment Management, Medical Device Cyber Security Best Practice Guide, IHE PCD (Oct. 2015), http://ihe.net/uploadedFiles/Documents/PCD/IHE_PCD_WP_Cyber-Security_Rev1.1_2015-10-14.pdf

Medical Equipment Management, Cyber Security, IHE PCD (May 2011), http://ihe.net/Technical_Framework/upload/IHE_PCD_White-Paper_MEM_Cyber_Security_Rev2-0_2011-05-27.pdf

Building Code for Medical Device Software Security, IEEE Computer Society, May 2015, http://cybersecurity.ieee.org/images/files/images/pdf/building-code-for-medica-device-software-security.pdf

Medical Device Isolation Architecture Guide, V2.0, US Department of Veterans Affairs (Aug. 2009), http://s3.amazonaws.com/rdcms-himss/files/production/public/HIMSSorg/Content/files/MedicalDeviceIsolationArchitectureGuidev2.pdf

Medical Devices Security Technical Implementation Guide, V1 R1, Defense Information Systems Agency (DISA) (July 2010), http://iase.disa.mil/stigs/Documents/unclassified_medical_device_stig_27July2010_v1r1FINAL.pdf

Patching Off-the-Shelf Software Used in Medical Information Systems, NEMA/COCIR/JIRA Security and Privacy Committee, Oct. 2004, http://www.medicalimaging.org/wp-content/uploads/2011/02/Patching_OffTheShelfSoftware_Used_in_MedIS_October_2004.pdf

Manufacturer Disclosure Statement for Medical Device Security, NEMA (Oct. 2013); http://www.nema.org/Standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx