The Intersection of Patient Safety and Medical Device Cybersecurity
Session CYB4, March 5, 2018
Kevin A. McDonald
Director, Clinical Information Security, Mayo Clinic
Axel Wirth
Distinguished Healthcare Architect, Symantec
Conflict of Interest
Kevin A. McDonald: has no real or apparent conflicts of interest to report.
Axel Wirth: has no real or apparent conflicts of interest to report.
Topics
• State of Medical Device Security
• Patient Safety Impacts of Cyber Attacks
• Organizational Impacts and Risks of Cyber Attacks
• Best Practices for Reducing Risks
Today’s Hostile Environment
• Threat actors have multiple levels of skill:
– Insiders (current & ex)
– Script kiddies
– Hacktivists
– Organized crime
– Nation states
• An active adversary must be assumed, with unlimited time and resources
• The skill level needed to cause harm is going down
• Tools to compromise and harm systems are readily available and cheap or free
• Harm or disruption could be deliberate or collateral
• We are way past relying upon firewalls
“Internet of Medical Devices”
• Healthcare is technology rich and diverse
– More than $110 billion spent each year on medical devices
– 7,000 device manufacturers
– Between 1995 and 2010 there was a 62% increase in the number of devices per bed
– Mean number of devices per bed was 13 (2010)
Medical Devices – Essential to Care Delivery
• Care is now highly dependent upon technology
• Demand for connectivity is growing
– HITECH Act and increasing use of EHRs are driving device connectivity
– 1 in 4 medical devices are network connected, with more every day
• Medical technology is used to:
– Improve patient outcomes
• Diagnostic
• Treatment
– Offset rising costs & decrease resource needs
– Decrease medical errors
– Improve access to care
– Deliver specialized knowledge
State of Medical Device Security
• Medical devices have many common, well-known vulnerabilities
– Buffer overflows, hardcoded passwords, poor authentication, SQL injection
• These vulnerabilities are not unique to healthcare; they have been identified in other industries and have known solutions
– OWASP (Open Web Application Security Project) Top 10: the most common web application security risks, with mitigations
– CWE Top 25 Most Dangerous Software Errors: the 25 most common security programming errors
• Medical device vulnerabilities have affected patient care
– UK National Health Service ransomware example (WannaCry, May 2017)
• Regulatory and governmental agencies are now becoming more involved
– FDA
– DHS / ICS-CERT
– FBI
State of Medical Device Vendor Security
• Security is often an “afterthought”
– Security frequently is not “by design”
– Massive legacy device security debt
• Most vendors are trying to catch up
– Struggling to change internal culture and build security awareness
– Transitioning from device manufacturers to software companies
– Unable to find staff with proper skills and knowledge
– Struggling with diversity in their products and long lead times
• Security has not been seen, or required, as a competitive advantage
• Engineers & product designers really “love” their devices and are proud of them
• Interactions with sales, legal and product managers tend to be unproductive
• Vendors are trying to build security on top of immature development processes
State of Healthcare Provider Security
• Hospital demographics
– ~5,530 hospitals in the US
– “Average” US hospital: 160 beds, $10.7 million NOII
• Hospitals are under financial pressure
– In 2016 hospital CEOs identified finances as the #1 challenge
– Security tools and service costs are high
• Cybersecurity preparations
– Healthcare is 5 to 10 years behind other industries
– Healthcare spends 4% to 6% of its IT budget on security; the financial industry spends 12% to 15%
– 94% of medical institutions say they have been victims of a cyber attack
– Cybersecurity resources are hard to find and expensive
Healthcare organizations have limited dollars and resources to devote to security.
The Status Quo Continues….
• Despite cyber threat data and growing awareness, healthcare remains unprepared
– 72% of healthcare providers have fewer than 200 beds and inadequate funds or resources
– 80% of device vendors have fewer than 50 employees and lack knowledge and experience
• The industry continues to be an “easy” target for cyber attack
– Medical devices are still sold running Windows XP (unsupported since April 2014), and there are no plans for upgrading devices off Windows 7 (extended support ends January 2020)
– Healthcare providers cannot manage medical devices like other technology
• Risk is managed, where it is managed at all, through “guidance”, collaboration and hand-crafted custom solutions
• There are currently few incentives or demands to sell secure devices, and few consequences for selling poorly secured devices
• Little consistency across vendors or devices in technology, software and security
Topics
• State of Medical Device Security
• Patient Safety Impacts of Cyber Attacks
• Organizational Impacts and Risks of Cyber Attacks
• Best Practices for Reducing Risks
Common Device & Environment Security Issues
• Operational: web sites, publicly available information, vendor social engineering, devices available for purchase (an attacker can buy one and study it)
• Authentication: not AD aware, no or easily guessed passwords, a single support account shared by ALL customers
• Applications: “fragile”, run with admin privileges, no A/V or whitelisting, cannot be scanned
• Configurations: unneeded functionality operational, security software disabled, default settings, install files / users not removed
• Patching: unable to patch OS / applications / third-party software, inefficient patching processes, “partial” patching
• Encryption: no or poor encryption of data and communications
• Environment diversity: many variations in software, patch levels, support processes and responsibility; can’t use standard IT tools for support
Patient Care Impacts
• Impacts can be directed at medical devices or collateral to other malicious activity
• Impact can be directly to patient(s) or to patient care processes
• Potential attack impacts:
– Degraded or partial functionality
– Device destruction (bricking)
– Inability to access network
– Loss or inability to access data
– Denial of “service” (limited or distributed)
– Malicious data manipulation
– Malicious device manipulation
Patient Care Impacts
• Degraded or partial functionality
– Possible causes: malware, malicious scanning, botnet activity, malicious use of the device by an adversary
– Patient care impact examples: diagnostic tests or treatments might be delayed or unable to be performed; patient monitoring can be interrupted
• Device destruction (bricking)
– Possible causes: malware, scanning, malicious adversary activity
– Patient care impact examples: inability to provide diagnostic tests, therapeutic procedures or monitoring of patients
• Inability to access the network
– Possible causes: malicious scanning, unexpected device communication
– Patient care impact examples: inability to access patient information or treatment plans; unable to save patient care data
Patient Care Impacts
• Loss of, or inability to access, data
– Possible causes: malware, ransomware, malicious deletion
– Patient care impact examples: treatment risk due to lack of patient history
• Denial of service
– Possible causes: malware, ransomware, malicious network traffic
– Patient care impact examples: loss of diagnostic, treatment or monitoring medical devices, from single devices to widespread loss by vendor or device type
• Malicious data manipulation
– Possible cause: active malicious adversary
– Patient care impact examples: altered data on allergies, current medications, laboratory results
• Malicious device manipulation
– Possible cause: active malicious adversary
– Patient care impact examples: manipulation of pacemaker settings, IV rates, false monitoring data
Patient Care Impacts Summary
• Each institution needs to understand its threats, risks and current security posture
• Historical incidents have mainly involved loss of use of single or multiple devices and inability to access data
• Currently there are no reported targeted attacks against individual patients, devices or data
• Beyond medical devices, institutions need to understand other vulnerabilities that can impact patient care processes or privacy:
– Nurse call
– HVAC
– Pharmacy devices
– Cameras
– Elevators
– Infant abduction protection
– Card readers
– etc.
Topics
• State of Medical Device Security
• Patient Safety Impacts of Cyber Attacks
• Organizational Impacts and Risks of Cyber Attacks
• Best Practices for Reducing Risks
Healthcare’s Changing Risk Priorities
• Healthcare has undergone a Paradigm Shift. Traditionally:
– HIPAA-driven priorities: Confidentiality, Integrity, Availability of ePHI
– Checklist approach to satisfy the auditor
• Over the past 2-3 years, Availability has become a growing concern
– Ransomware impacted information access and therefore clinical workflows
– WannaCry (May 2017) shut down hospitals across the UK NHS
– Medical device incidents have impacted care delivery (WannaCry, MedJack)
• And we are starting to understand the Integrity problem
– Again, Medical Devices (hacks that could kill – but research only so far)
– Risk to critical systems and data … and Patient Trust
– Even just the perception of Loss of Integrity is a problem!
A new Balance between Compliance and Security
Healthcare’s Changing Risk Priorities
From “Business Critical” over “Mission Critical” to “Life Critical”
Confidentiality:
• PHI (HIPAA), but also PII & PCI
• Account information; billing & payment data
• Intellectual property: clinical trials, research, designs & formularies
• Legal & HR documents
• Identities & credentials
Availability:
• Clinical systems: EHR & specialty; ancillary (PACS, Lab, Pharma); ePrescription / EPCS
• Medical devices: availability of clinical services and diagnostic results
• Business systems: email; billing, scheduling
Integrity:
• Critical patient data: prescriptions, medications, dosages; allergies and history; diagnosis and therapy data; alarms
• Critical technical data: calibration; safety limits
• Functionality & reliability: risk of patient harm
Patient experience: “Trust Zone”. Harm risk: “Patient Safety Zone”.
Healthcare’s Changing Risk Priorities
• Shifting Global Threats are leading to changing Security Priorities:
– From accidental incidents to targeted and malicious attacks
– Changing motivation: criminal attacks, political objectives
– Complex targets: devices, information, trust
Strict Regulatory Controls to be balanced with Nimble Security
Dimension | Past | Now
Confidentiality | Lost or stolen devices | Financially motivated, criminal intent (ransom, blackmail); political attacks (nations, hacktivists)
Availability | Technical failure | Care delivery: ransomware, medical devices
Integrity | Accidental alteration of data | Targeted attacks with intent to harm; creating doubt in data (and in the larger healthcare system)
“Compliance only works if your enemy is the compliance auditor.” (Ted Harrington, Independent Security Evaluators (ISE))
Information Technology (IT) vs. Operational Technology (OT): “A Tale of Two Cities”
Attribute | Traditional IT | Cyber-Physical Systems
Example | Workstations, servers, mobiles | Medical devices, HVAC, fridges
Priority | C – I – A: mission critical | A – I – C: safety critical
Regulation | Some; risk of fines | Highly regulated; risk of fines & jail
Technology life | 3 to 5 years | 5 to 10+ years
Security posture | Homogeneous, mature | Complex, immature, weakest link
Change management | Regular, automated | Slow, many dependencies
Window of vulnerability | Days to weeks | Months to years
Downtime | Acceptable (planned, unplanned) | 24 x 7 x 365 operation
Risk (impact) | Data & operations | Safety, operations, destruction
Risk (duration) | Short to medium | Medium to long
Recovery | Restore system & data | Restore; rebuild physical systems
Medical Device Security - Reality Check
“Medical Device Security: An Industry Under Attack and Unprepared to Defend” (Ponemon Institute, May 2017)
This one scares me …
Understanding and Managing Risks
• Patient Safety: intentional or unintentional incidents; reliability, functionality, availability; misdiagnosis, treatment errors
• Clinical Operations: downtime due to equipment availability; impact on hospital operations; reduced ability to deliver care
• Privacy: information (PHI, PII, credentials); data breach (transmission intercept, device loss or theft); intellectual property (clinical trials & research)
• Security: device used as means for intrusion (beachhead attack); impact on network performance, e.g. alarm delays; DDoS (origin of, or impacted by)
• Business & Financial: reputation; revenue / referrals; lawsuits / fines; stock value
Indirect Risks: patient trust; patient treatment decisions; national security
Organizational Impacts
• Loss of brand / reputation
– After its 2013 breach, Target dropped out of the top 20 brands, saw a decline in sales, and delayed business expansion into Canada
• Regulatory issues
– Under HHS OCR guidance, a ransomware infection that encrypts ePHI is presumed to be a HIPAA breach and is reportable unless a risk assessment shows a low probability that the PHI was compromised
– Can result in fines, corrective action plans and being on “the wall of shame” (the OCR breach portal), plus headlines
• Response activities
– Post-incident activities are very expensive and have a significant impact on resources and finances
Topics
• State of Medical Device Security
• Patient Safety Impacts of Cyber Attacks
• Organizational Impacts and Risks of Cyber Attacks
• Best Practices for Reducing Risks
WannaCry Ransomware Attack (May 2017):
• Disrupted 48 NHS trusts in the U.K.
• Infected Bayer MedRad radiology (contrast injector) systems in U.S. hospitals
• Multiple medical device manufacturers issued vulnerability notifications
NotPetya Attack (June 2017; initially reported as Petya):
• Affected supply chain: Merck Pharmaceuticals; FedEx (TNT division); Maersk (global shipping operator)
• Affected care delivery: Nuance transcription services
• Suspected to be “cloaked” ransomware; the actual goal was likely disruption (victims had no working recovery path, so it behaved as a wiper)
Medical Device Incident Examples (figure): security research (and TV shows); human factor (bad patients, bad doctors); poor change management; data breaches; beachhead attack
Medical Device Security - Four Security Tenets
Protect Device
– Manufacturer: hardened design; software best practices; HIDS/HIPS (whitelisting); key/certificate-based controls: encryption, device certificates, code signing, secure boot
– HDO: secure handling; media use, esp. USB; secure networking; integration best practices
Protect Ecosystem
– Manufacturer: secure remote access; strong password / 2FA; security best practices documentation; enablement & training
– HDO: network architecture; security event monitoring; firewalls / gateways; enablement & training
Manage Devices
– Manufacturer: lifecycle mgmt. (patch & update deployment); V&V incl. security, e.g. pen testing; vulnerability disclosure; software BOM (supply chain)
– HDO: procurement & contracting; asset management (incl. security); dependency & lifecycle mgmt.; risk management: risk assessment (safety, security, privacy, operations, business) and mitigation
Manage Incidents
– Manufacturer: threat & incident monitoring; event sharing; regulatory reporting
– HDO: detect, respond, recover; impact analysis, forensics; communication, decision making; report as needed
Medical Device Asset & Risk Management: Programmatic Approach
Objective: Define a best practices approach and set of policies and processes that enable comprehensive and inclusive Medical Device Cybersecurity Risk Management in consideration of the unique medical device use case and complementary to existing systems and processes.
Program elements (figure): Procurement; Asset Management; Risk Management; Incident Response; Lifecycle Management
Procurement - Purpose: Assure cybersecurity needs (technical & process) are included in purchasing requirements and vendor / service provider contracts.
Pre-Procurement:
• Specify cybersecurity expectations within RFI, RFP, bids, etc.
Procurement and Contracting:
• Security requirements
• Vendor commitments (patches, notifications)
• Incident support
• Security documentation
Asset Management - Purpose: Administrative and technical management of IT and non-IT assets, inclusive of cybersecurity.
Asset Inventory:
• Status
• Version
• Network
• Asset dependencies
• PHI/PII data
• Remote access
Risk Management - Purpose: Assess and manage medical device risks as an ongoing process and for the purpose of risk mitigation.
Key Steps:
• Risk Assessment
• Risk Mitigation
• Risk Management
Risk Categories:
• Patient safety
• Clinical operations & care delivery
• Privacy
• Security
• Business
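The asset-inventory fields on the preceding slides (status, version, network, dependencies, PHI/PII, remote access) are exactly what a risk assessment consumes. The following Python is an added example, not code from the presentation or from any vendor's product such as MDRAP: it scores a constructed inventory in the deck's five risk categories (patient safety, clinical operations, privacy, security, business), ranks the devices so limited security dollars go where harm is likeliest, and emits the mitigations the deck lists. The weights, thresholds, device records and the `Device` fields are assumptions; only the Windows XP (April 2014) and Windows 7 (January 2020) end-of-support dates are vendor-published facts.

```python
"""Inventory-driven medical device risk scoring.

Added example, not part of the original presentation. The inventory fields are
the ones the deck lists (status, version, network, dependencies, PHI/PII,
remote access); the weights, thresholds and sample devices are constructed
assumptions for illustration, not a published scoring scheme.
"""
from dataclasses import dataclass, field
from datetime import date

# Vendor-published end-of-support dates: Windows XP 2014-04-08, Windows 7 2020-01-14.
OS_END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}
ASSESSMENT_DATE = date(2018, 3, 5)  # session date, used as "today" for end-of-support checks


@dataclass
class Device:
    asset_id: str
    model: str
    os: str
    patchable: bool               # vendor permits OS/application patching
    network_connected: bool
    remote_access: bool           # vendor remote-support channel enabled
    shared_support_account: bool  # default/shared support credentials still active
    stores_phi: bool
    life_critical: bool           # delivers therapy or monitors a patient
    dependencies: list = field(default_factory=list)  # systems it must reach, e.g. ["EHR"]


def is_end_of_support(os_name, today):
    """True when the OS has passed its vendor end-of-support date (unknown OS: False)."""
    eos = OS_END_OF_SUPPORT.get(os_name)
    return eos is not None and today > eos


def score_device(dev, today):
    """Score a device 0..10 in each of the deck's risk categories and list mitigations."""
    eol = is_end_of_support(dev.os, today)
    unpatched = eol or not dev.patchable

    safety = 0
    if dev.life_critical:
        safety += 4
        safety += 3 if unpatched else 0          # exploitable forever if it cannot be fixed
        safety += 3 if dev.network_connected else 0

    operations = 2 if dev.network_connected else 0
    operations += 2 * min(len(dev.dependencies), 3)  # more dependencies, more workflows stall
    operations += 2 if eol else 0

    privacy = 0
    if dev.stores_phi:
        privacy += 5
        privacy += 2 if dev.network_connected else 0
        privacy += 3 if dev.shared_support_account else 0

    security = 3 if dev.network_connected else 0   # beachhead risk into the rest of the network
    security += 2 if dev.remote_access else 0
    security += 3 if dev.shared_support_account else 0
    security += 2 if unpatched else 0

    scores = {
        "patient_safety": min(safety, 10),
        "clinical_operations": min(operations, 10),
        "privacy": min(privacy, 10),
        "security": min(security, 10),
    }
    # Fines, lawsuits and reputation follow the worse of the privacy and safety outcomes.
    scores["business"] = max(scores["privacy"], scores["patient_safety"])

    mitigations = []
    if dev.shared_support_account:
        mitigations.append("disable shared support account; unique credentials per site, 2FA for service")
    if dev.remote_access:
        mitigations.append("vendor remote access only through monitored, time-bounded sessions")
    if unpatched:
        mitigations.append("compensating controls: segmentation, HIDS/whitelisting; plan replacement (EOL)")
    if dev.network_connected:
        mitigations.append("dedicated clinical VLAN; allow-list only the servers in its dependency list")

    overall = max(scores.values())
    priority = "High" if overall >= 8 else "Medium" if overall >= 5 else "Low"
    return {"asset_id": dev.asset_id, "scores": scores, "overall": overall,
            "priority": priority, "mitigations": mitigations}


def rank_inventory(devices, today):
    """Highest-risk devices first."""
    return sorted((score_device(d, today) for d in devices),
                  key=lambda r: r["overall"], reverse=True)


# Constructed sample inventory (not real devices or real findings).
SAMPLE_INVENTORY = [
    Device("CT-0007", "CT scanner console", "Windows XP", patchable=False,
           network_connected=True, remote_access=True, shared_support_account=False,
           stores_phi=True, life_critical=False, dependencies=["PACS", "EHR"]),
    Device("INF-0012", "Infusion pump", "Embedded Linux", patchable=True,
           network_connected=True, remote_access=False, shared_support_account=True,
           stores_phi=False, life_critical=True, dependencies=["Pharmacy"]),
    Device("LAB-0031", "Benchtop analyzer", "Windows 7", patchable=True,
           network_connected=False, remote_access=False, shared_support_account=False,
           stores_phi=False, life_critical=False),
]

if __name__ == "__main__":
    for r in rank_inventory(SAMPLE_INVENTORY, ASSESSMENT_DATE):
        print(r["asset_id"], r["priority"], r["scores"], r["mitigations"])
```

On the constructed inventory the unpatchable Windows XP CT console ranks first (operations score 8, High) even though it is not life critical, because it stores PHI, is reachable from the network, has vendor remote access and can never be patched; the infusion pump ranks second on patient safety alone. Note the assessment date matters: the Windows 7 analyzer scores Low in 2018 but would pick up the end-of-support penalty once January 2020 has passed.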
Incident Response - Purpose: Technical and non-technical response to cybersecurity events and incidents.
Key Steps:
• Response planning & training
• Triage and containment
• Decision making and communication
• Recovery
• Forensics and lessons learned
Lifecycle Management - Purpose: Manage and maintain the asset over its life, including:
• Risk mitigation
• Cybersecurity
• Compliance
Key Steps:
• Onboarding
• Maintenance
• Recalls and regulatory action
• Replacement planning
• EOL management
Medical Device Asset & Risk Management: Example Technical Risk Mitigation Measures
Device Manufacturer
• HIDS/HIPS: process whitelisting; behavior, network, system controls; exploit prevention
• Software controls: hardened design; code signing & secure boot; encryption & obfuscation
• Access & authentication: strong authentication (e.g. 2FA for service); biometrics
Healthcare Delivery Organization
• Network: segmentation; security gateways; anomaly detection
• Lifecycle management tools: workflow automation; discovery automation (emerging); anomaly detection
• Risk management tools: shared risk scoring (MDRAP); workflow automation & integration
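Anomaly detection on the device network (listed above under the HDO's network and lifecycle tools, and matching the "malicious scanning" and "unexpected device communication" causes on the Patient Care Impacts slides) needs a per-device communication baseline, which the asset inventory's dependency list supplies. The following Python is an added example, not code from the presentation or from any product: it replays constructed flow records through three checks, unexpected egress from a device, unexpected inbound connections to a device, and scanning behaviour against the device segment. The addresses, the baseline, the scan threshold and the flow records are constructed; a production version would build the baseline from the inventory and evaluate scanning over a sliding time window rather than the whole sample.

```python
"""Flow-log anomaly detection for a medical device segment.

Added example, not part of the original presentation. Device addresses, the
communication baseline and the flow records are constructed for illustration.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed device segment (10.20.1.0/24) and clinical servers (10.20.9.0/24).
DEVICES = {
    "10.20.1.15": "INF-0012 infusion pump",
    "10.20.1.22": "MON-0040 patient monitor",
}
# Expected outbound peers per device as (destination, port), derived from each device's
# inventory dependency list: the pump talks to the pharmacy server and NTP, the monitor
# to the central station (HL7 on 2575) and NTP.
BASELINE_EGRESS = {
    "10.20.1.15": {("10.20.9.5", 443), ("10.20.9.1", 123)},
    "10.20.1.22": {("10.20.9.8", 2575), ("10.20.9.1", 123)},
}
# Hosts allowed to open connections *to* each device (pharmacy server, central station).
ALLOWED_INGRESS = {
    "10.20.1.15": {"10.20.9.5"},
    "10.20.1.22": {"10.20.9.8"},
}
SCAN_THRESHOLD = 8  # distinct (host, port) targets from one source before we call it a scan

# Constructed flow records: ts,src,dst,dport,proto. Lines 5-13 are a workstation
# sweeping common service ports on both devices; line 4 is the pump reaching the internet.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto
2018-03-05T08:00:01,10.20.1.15,10.20.9.5,443,tcp
2018-03-05T08:00:05,10.20.1.15,10.20.9.1,123,udp
2018-03-05T08:00:09,10.20.1.22,10.20.9.8,2575,tcp
2018-03-05T08:01:12,10.20.1.15,198.51.100.7,443,tcp
2018-03-05T08:02:00,10.20.5.30,10.20.1.15,22,tcp
2018-03-05T08:02:01,10.20.5.30,10.20.1.15,23,tcp
2018-03-05T08:02:01,10.20.5.30,10.20.1.15,80,tcp
2018-03-05T08:02:02,10.20.5.30,10.20.1.15,443,tcp
2018-03-05T08:02:02,10.20.5.30,10.20.1.15,445,tcp
2018-03-05T08:02:03,10.20.5.30,10.20.1.22,22,tcp
2018-03-05T08:02:03,10.20.5.30,10.20.1.22,23,tcp
2018-03-05T08:02:04,10.20.5.30,10.20.1.22,445,tcp
2018-03-05T08:02:04,10.20.5.30,10.20.1.22,3389,tcp
2018-03-05T08:03:30,10.20.9.5,10.20.1.15,8443,tcp
"""


def parse_flows(text):
    """Parse 'ts,src,dst,dport,proto' records into dicts; dport becomes an int."""
    rows = list(csv.DictReader(io.StringIO(text.strip())))
    for r in rows:
        r["dport"] = int(r["dport"])
    return rows


def detect(flows):
    """Return alerts of type unexpected_egress, unexpected_ingress and port_scan.

    Egress and ingress alerts are de-duplicated per (src, dst, port) and (src, dst)
    so a scan does not flood the operator with one ingress alert per probe.
    """
    alerts = []
    seen_egress, seen_ingress = set(), set()
    targets_by_src = defaultdict(set)
    for f in flows:
        src, dst, port = f["src"], f["dst"], f["dport"]
        targets_by_src[src].add((dst, port))
        # A device talking to anything outside its dependency baseline.
        if src in DEVICES and (dst, port) not in BASELINE_EGRESS.get(src, set()) \
                and (src, dst, port) not in seen_egress:
            seen_egress.add((src, dst, port))
            alerts.append({"type": "unexpected_egress", "device": DEVICES[src],
                           "detail": f"{src} -> {dst}:{port} not in baseline", "ts": f["ts"]})
        # Anything other than an allowed server initiating a connection to a device.
        if dst in DEVICES and src not in ALLOWED_INGRESS.get(dst, set()) \
                and (src, dst) not in seen_ingress:
            seen_ingress.add((src, dst))
            alerts.append({"type": "unexpected_ingress", "device": DEVICES[dst],
                           "detail": f"{src} -> {dst}:{port} from non-allowed host", "ts": f["ts"]})
    # Scanning: one source touching many distinct host:port targets in the sample.
    for src, targets in targets_by_src.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append({"type": "port_scan", "device": DEVICES.get(src, src),
                           "detail": f"{src} touched {len(targets)} distinct host:port targets",
                           "ts": None})
    return alerts


def summarize(alerts):
    """Alert counts by type, the figure a daily security-monitoring report would carry."""
    return dict(Counter(a["type"] for a in alerts))


if __name__ == "__main__":
    for a in detect(parse_flows(SAMPLE_FLOWS)):
        print(a["type"], "|", a["device"], "|", a["detail"])
```

On the constructed sample the pump's connection to 198.51.100.7 is flagged as unexpected egress, the workstation 10.20.5.30 raises one ingress alert per device it touched plus a single port_scan alert for its nine host:port probes, and the pharmacy server's connection to the pump on 8443 is accepted because the source host is on the pump's ingress allow-list (an allow-list keyed on host and port would be stricter). Both unexpected egress and scanning are the kind of traffic that the deck's "inability to access the network" and "degraded functionality" impacts begin with, which is why they are worth alerting on before a device goes quiet.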
Medical Device Security – Just the Facts, Please!
[Figure; slide annotation: “2014 !”]
Learning Objectives
• Describe the state of medical device cybersecurity
• Explain how patient safety may be put in jeopardy in the event of a successful cyber-attack
• Outline the deeper implications and impact of a successful cyber-attack, malware infection or breach, including the negative impact on organizational goodwill (an intangible asset of the organization)
• Illustrate best practices for implementing appropriate measures and controls to mitigate associated risk
Questions?