IoT in Healthcare - NCHICA · IoT in Healthcare Lee Olson, CISSP, CISM, Mayo Clinic Rosemary...
IoT in Healthcare
Lee Olson, CISSP, CISM, Mayo Clinic
Rosemary Herhold, CPA, CISA, CISSP, Duke Health
Agenda
What is IoT?
Common IoT Control Weaknesses
IoT threats and loss scenarios
Where are the risks?
Inventory challenges
Mayo IoT device Assessment Program
Practical IoT Remediation
What is IoT?
From Wikipedia:
• The Internet of things (IoT) is the inter-networking of physical devices, vehicles (also referred to as "connected devices" and "smart devices"), buildings, and other items—embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data.
• Device that does a particular task
Hapifork
Why IoT Matters
• Every second 127 items are added to the Internet. (McKinsey)
• Worldwide there will be 3.4 devices connected to the Internet per person by 2020, according to the 11th annual update of the Cisco Visual Networking Index (VNI) (Cisco, 2016)
Network Connectivity
Data communications:
• Wireless connectivity options growing significantly
• IoT to human
• IoT devices exchanging information
• e.g. transmission of signals collected by sensors over networks
• Low-power wireless communication technologies are necessary and emerging.
• Power consumption is one of the challenges facing IoT sensors
• Smart devices, such as wearables, are powered from batteries
• Energy harvesting technologies are being used (self-powered devices)
Wireless PAN
• LoWPAN
• Uses low-power radio modules
• Communication software running needs to be low-power
• Microprocessor is low power
• Technologies are Bluetooth LE, ZigBee, 6LoWPAN and WirelessHART.
• Typical use is a fitness tracker
Wireless WAN
• Wireless WAN technologies are still developing
• Need to support a massive number of devices
• LTE-M and NB-IoT are WAN technologies based on cellular networks
• LoRa and SIGFOX are technologies based on non-cellular networks
• Focus is also on low power usage
Good, Fast, Cheap: IoT?
Development Questions
• What will the market reward?
• Ship it if it meets quality specs, or "if it works"?
IoT button example
• Rule: select * FROM (serial number of the button), a rule that is listening for button clicks
• Looking at the Lambda function: example that sends an SMS
• With a little JavaScript it is ready to roll quickly.
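As an added example (not code from the presentation, and not vendor code), here is a Lambda-style handler for that button rule written the way a defender would want it. The slide appears to describe the AWS IoT Button and rules engine; that is an assumption, since the deck does not name the platform. The button's documented payload carries serialNumber, clickType and batteryVoltage. The allow-list KNOWN_BUTTONS, the sample serial number and phone number, and the low-battery threshold are constructed, and the SNS publish call is injected so the code runs offline.

```javascript
// Added example, not code from the presentation or from AWS. A rule written as
// "SELECT * FROM <topic>" forwards every message published to that topic, so the
// handler validates the event before it pages anyone.

const KNOWN_BUTTONS = {
  // constructed serial number and phone number (hypothetical allow-list)
  'G030AA0000000001': { location: 'Nurse station 4B', notify: '+15555550100' },
};

const VALID_CLICKS = ['SINGLE', 'DOUBLE', 'LONG'];

// Synchronous validation, kept apart from the I/O so it can be tested directly.
function validateButtonEvent(event, knownButtons = KNOWN_BUTTONS) {
  if (!event || typeof event.serialNumber !== 'string') {
    return { ok: false, reason: 'missing serialNumber' };
  }
  const button = knownButtons[event.serialNumber];
  if (!button) return { ok: false, reason: 'unknown button' };
  if (!VALID_CLICKS.includes(event.clickType)) {
    return { ok: false, reason: 'unexpected clickType' };
  }
  // batteryVoltage arrives as a string such as "1632mV"; parseInt drops the unit
  const millivolts = parseInt(event.batteryVoltage, 10);
  const lowBattery = Number.isFinite(millivolts) && millivolts < 1000; // threshold is an assumption
  return { ok: true, button, clickType: event.clickType, lowBattery };
}

function buildMessage(validated) {
  return `${validated.button.location}: ${validated.clickType} press` +
    (validated.lowBattery ? ' (battery low)' : '');
}

// publish(params) takes the same params shape as an SNS publish: { Message, PhoneNumber }
function buildHandler(publish) {
  return async function handler(event) {
    const validated = validateButtonEvent(event);
    if (!validated.ok) {
      // Rejected events are worth logging; they are not worth an SMS.
      return { status: 'rejected', reason: validated.reason };
    }
    const params = { Message: buildMessage(validated), PhoneNumber: validated.button.notify };
    await publish(params);
    return { status: 'sent', ...params };
  };
}

// Offline stand-in for the real publish call; in AWS this would wrap SNS.
const outbox = [];
const handler = buildHandler(async (params) => { outbox.push(params); });
```

The handler refuses events whose serial number is not on the allow-list, which matters because a serial number is not a secret and a topic subscribed with a wildcard rule can carry messages from any publisher with access to it.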
Control Weaknesses
• Weak passwords, no lockout
• Backdoors
• Lack of encryption or weak ciphers
• Shared secrets (or keys) across all devices
• Rush to production issues, such as debugging interfaces still available
• Patches not released
• Insecure updates
Inventory
Determine what types of devices you are concerned about.
Per the example risk assessment, priority devices are:
• IP Cameras
• IoT related to Environmental controls
• Internet facing devices
• Devices directly connected to a patient
• Devices that are connected to the AMC network that are not on their own subnet
Determine the network subnets/segments to scan
• E&O may be a good place to start.
CMDB
• Expected growth could create many CIs (configuration items)
• Need to understand device roles
• CMDB is critical to security: if a vulnerability is discovered or a patch needs to be applied, Security needs to locate all of the devices.
Example Risk Analysis
IoT/CE Scenario | Loss Event | Threat Actor | Occurrence Likelihood | Metric | Potential Loss ("Inherent")
Remote patient monitoring: a sensor captures data such as glucose readings, heart rate, etc. Data isn't sent to the physician. Patient's condition worsens with resultant costs. | Patient may sue AMC and/or device manufacturer. AMC would hold device manufacturer accountable. | Vendor | Low | Number of Patients | Low
Data leakage: company making cardiac monitors could have data compromised in the cloud. | Breach at vendor creates breach notification expenses which may not be reimbursed. | Vendor | Low | Number of Records | Low
Information harvesting | Guests in hospital intercept what is going over airwaves. Contractors with data center access could install rogue devices and exfiltrate data. | Guests/Vendor | Very Low | Number of devices communicating via non-802.11 or wired. | Very Low
Compromise of Internet-exposed heat, cooling or badging systems | Physical destruction of assets or denial of service | Hacker | Very High | Number of Internet exposed devices | Potentially High
Compromise of Internet-exposed IP cameras | Patient may sue | Hacker or curious Insider | Very High | Number of Internet exposed devices | Potentially High
Compromise of IoT device leads your organization to be used to attack others. | Embarrassing, but no loss. | Hacker | High | Number of connected devices | Low
Compromise of IoT device leads to further network compromise. | Loss of data or records | Hacker or rogue employee | High | Data stored on devices within the same subnet | Potentially High
Compromise of IoT/CE device leads to direct patient harm. | Patient may sue | Hacker or rogue employee | Medium | Number of devices that are patient connected. | Potentially Very High
CE: unprotected USB port leads to record loss or direct patient harm (if connected). | Loss of data, patient may sue | Rogue employee or Guest | Low | Number of devices with USBs | Potentially High
Risk Assessment Conclusion
• Target remediation to:
• Internet-exposed devices
• Devices attached to patients
• Those in subnets with patient data
Device Discovery Tools
• Nmap, Tenable (Banner identification)
• Rapid7
• IoT seeker
• Yellow Jacket
• NAC
• Shodan
• Provides Patient Care, Education and Research
• 65,000 Employees
• 4,100 Employed physicians & scientists
• 3,500 Residents & students
• Large group practices in MN, AZ, FL, WI with 70 smaller sites
• Over 1.3 million unique patients per year
• Interconnected systems and devices
• ~230,000 active IP addresses
• Over 14,000 unique devices on network
• Unique attributes:
• High profile patients (In the press: Middle East leaders, U.S. presidents, foreign dignitaries, sports figures, etc.)
• Significant intellectual property assets
• Classified research
Device Variation
• Operating Systems
• Software Maintenance
• Software Maintenance Processes
• Software Maintenance Tools
• Configurations
• Network Connectivity
• Encryption
• External Access Needs and Methods
• Security
Assumptions We Need to Make
• All networks are inherently insecure
• Security requires multiple layers of defense, starting at the border and must include individual devices
• The greatest security impacts come from:
• Having an inventory of devices and software
• Patching operating systems and software
• Limiting the software that can be run on a system (whitelisting, anti-virus)
• Restricting administrative privileges
• Having no default, hardcoded or non-expiring passwords
Conduct Vulnerability Assessment
Common Issues
• Unpatched operating system & third party applications
• Publicly available account information, passwords, source code, manuals, diagrams for reverse engineering exploits
• Passwords are the same for every item sold
• Configuration vulnerabilities
• Unneeded ports & services left open
• Unneeded files left on system
Common Issues and Concerns
• Operational Security Gaps
• Authentication Vulnerabilities
• Application Vulnerabilities
• Configuration Vulnerabilities
• Unpatched Software
• Lack of Encryption
FDA Commissioner: “The threat of cyber attacks is no longer theoretical.”
Authentication Vulnerabilities and Issues
• Poor authentication practices
• Use of simple passwords
• Inadequate or no encryption
• Local storage of accounts & passwords
• Inability to use centralized institutional credential stores
• Multiple uses for single accounts
• Use of single support account and password for ALL customers
• Use of hard coded passwords
• Available publicly, in configuration files, manuals, source code, etc.
• Insecure remote support methods – no MFA
Partner with vendor to remediate issues
Track vulnerabilities (actions, owners, dates, comments, etc.)
Understand that vendors will remediate some risks and others will be accepted based on situation
• Many vendors are engaged and trying to catch up
• Struggling to change internal culture and build awareness
• Adding new skill sets
• Questioning whether security is a priority
• Lack of security processes for development and testing
• Coding standards with security tollgates
• Hardening configuration standards
• Conducting vulnerability, fuzz, & penetration testing
• Lack of adequate processes to apply updates & patches across install base
• Typical Vendor Responses
• Initial reaction is generally guarded
• Follow up meetings have been more productive
• Remediation timelines are prolonged
• Ensure you get connected to the right person at the vendor to address the issues
Application Vulnerabilities and Issues
• Generally “fragile applications”
• Susceptible to denial of service attacks (small and large scale)
• Required to run with elevated privileges
• Unable to run anti-virus or use white listing
• If able, folders may be excluded
• Application impacts when using local security agents
• Inability to scan devices with traditional tools
• Intermittently on the network
• Vulnerable to a large number of known exploits
• Open source and third-party software vulnerabilities
• Inability to upgrade
Configuration Vulnerabilities and Issues
• Unneeded high-risk functionality & ports left accessible or required
• FTP, TFTP, Telnet, etc.
• Unneeded files and applications left on systems
• Install instructions
• Tools
• Communication software
• Default users and passwords not removed or changed
• Security software disabled
• Default settings left on software, hardware and security features
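The discovery tools slide lists Nmap with banner identification, and this slide lists FTP, TFTP and Telnet as high-risk services that are often left accessible. As an added example (not from the presentation or from the Nmap project), the following parses Nmap's grepable (-oG) output, in which each port entry has the seven slash-separated fields port/state/protocol/owner/service/rpcinfo/version, and triages the hosts into those exposing a risky service plus the banners that help identify the device type. The scan text, the addresses, the banners and the RISKY_SERVICES table are constructed for the example.

```javascript
// Added example, not from the presentation: triage an nmap -oG scan of an IoT
// subnet into hosts that expose the high-risk services named on the slide.
// The scan output below is constructed; it is not a real scan of any network.

const RISKY_SERVICES = {
  ftp: 'cleartext file transfer',
  tftp: 'unauthenticated file transfer',
  telnet: 'cleartext remote shell',
};

// Constructed sample of nmap grepable output (fields are tab-separated, port
// entries are "port/state/protocol/owner/service/rpcinfo/version").
const SAMPLE_SCAN = `
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.20.1.15 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 23/open/tcp//telnet///, 80/open/tcp//http//lighttpd 1.4.35/\tIgnored State: closed (997)
Host: 10.20.1.16 ()\tPorts: 80/open/tcp//http//Boa HTTPd 0.94/, 554/open/tcp//rtsp///\tIgnored State: closed (998)
Host: 10.20.1.17 ()\tPorts: 69/open/udp//tftp///, 161/open/udp//snmp///\tIgnored State: closed (998)
Host: 10.20.1.18 ()\tStatus: Up
# Nmap done (constructed sample)
`;

// Parse "Host:" lines into { ip, ports: [{ port, state, proto, service, version }] }.
function parseGrepable(text) {
  const hosts = [];
  for (const line of text.split('\n')) {
    if (!line.startsWith('Host:')) continue;          // comments and blank lines
    const fields = line.split('\t');
    const ip = fields[0].split(/\s+/)[1];              // "Host: 10.20.1.15 ()" -> 10.20.1.15
    const portsField = fields.find((f) => f.startsWith('Ports:'));
    const ports = [];
    if (portsField) {
      for (const entry of portsField.slice('Ports:'.length).split(',')) {
        const p = entry.trim().split('/');
        if (p.length < 7) continue;                    // malformed entry, skip rather than guess
        ports.push({ port: Number(p[0]), state: p[1], proto: p[2], service: p[4], version: p[6] });
      }
    }
    hosts.push({ ip, ports });
  }
  return hosts;
}

// For each host: the open risky services and any version banners seen.
function triage(hosts) {
  return hosts.map((h) => ({
    ip: h.ip,
    riskyServices: h.ports
      .filter((p) => p.state === 'open' && RISKY_SERVICES[p.service])
      .map((p) => `${p.port}/${p.proto} ${p.service}: ${RISKY_SERVICES[p.service]}`),
    banners: h.ports.filter((p) => p.version).map((p) => p.version),
  }));
}

// Hosts that need a remediation ticket (port/service disabled or device segmented).
function riskyHosts(text) {
  return triage(parseGrepable(text)).filter((h) => h.riskyServices.length > 0);
}
```

Extending RISKY_SERVICES is how the "etc." on the slide gets filled in for a given environment; the banners collected alongside are what feed the CMDB device-role question from the inventory slides.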
Fixing Facilities Systems: Everyone Has a Role
Vendors
• Design in security for living in a hostile environment
• Make devices easily and efficiently upgradable
• Include security in testing
• Follow security best practices
• Review operational security
• Have a prescriptive baseline for security
• Provide a framework for best practice
• Make cyber-security issues a mandatory reportable event
• Revise issue submission and reporting to facilitate the entry and reporting of security issues
• Regulatory actions for cyber-security issues
• Exclusions in DMCA for cyber-security testing
Government Security Agencies (e.g. ICS-CERT)
• Database of reported vulnerabilities
• Provide intelligence for medical device issues and attacks
• Investigations of issues and events
• Security research
Healthcare Providers
• Develop network mitigation strategies
• Implement any appropriate endpoint strategies
• Targeted monitoring
• Implement "defense in depth"
• Include contract language that requires security, testing and liability
• Review or test new equipment
• Manage your vendors
Unpatched Software Issues
• Running on older operating systems with no upgrade paths
• Various versions of Windows (and DOS)
• Various versions of Linux / Unix
• Old proprietary systems
• Unpatched software, commercial applications, and open source software with published exploits
• Resource intensive process for updates and patching
• “Sneaker-net” upgrade processes
• Frequent failures of upgrades
• Immature vendor patching processes
• Device impacts
• Partial patching
Risk Prioritization
• Prioritize by high-risk attributes
1. Supported operating system
2. Ability to upgrade operating systems
3. Ability to upgrade 3rd party / open source / application
4. Able to use AV or, preferably, whitelisting
5. No hard coded or default passwords
6. Meets account use best practices
• No non-expiring passwords
• No accounts with elevated admin privileges
• Least privilege
These 6 high risks are a good place to start
Understand what's important. Consider:
• Volume
• Sensitivity
• Targetability
Save comprehensive testing for high risk / high value / unusual devices
Assessments and Testing
• Focus on new high-priority devices
• Greatest potential to cause patient harm
• Greatest potential to widely disrupt operations
• Impact to network
• Engage all stakeholders
• Clinical Users, Biomed, IT, Facilities, Supply Chain, Vendor
• Assess the whole "device family"
• Follow the data flow to determine what to include in the assessments
• Consistent, repeatable, efficient, high quality process
• Documentation of workflow
• Standard processes, documentation, templates and checklists
• Testing standards
• Reuse previous assessments & documentation to fast track repeat purchases
Lots of levers to pull to be able to match your resources & abilities to assessments
Pen testing is time consuming and expensive – push testing to vendors as part of their process
Inherent Risk
Severity Finding Name
H Non Compliance with Mayo Clinic Account Standards
H Runs an unsupported operating system (OS)/firmware
H Operating system (OS)/firmware not routinely patched
H Anti-virus software not applied and/or routinely updated
H Default hardcoded passwords in device software
H Unpatched 3rd party software and/or lack of routine patching process
H Remote access for vendor support does not comply with Mayo Clinic Remote Access policy
M Lacks user authentication
M Contains unnecessary active media and network ports & services
M Uses a local database and/or unencrypted hard drive to store data (PHI)
M Minimally Configured and Unpatched Terminal Server
L Operating System (OS)/firmware support ending within two years
R Vendor did not provide requested Vulnerability Assessment
R Vendor has not signed the required Information Security Schedule (ISS) covering the purchase of this product
R Device is located in an unsecure location
R Vendor provided firewall is disabled
Compensating controls
• Account password will be changed to be unique to Mayo Clinic
• Password length and complexity (at least 15 characters with special characters, upper and lower case letters, etc.)
• Set up account with least privileged access
• Whitelist the devices that are accessed
• Whitelist the applications that are accessed
• Multifactor authentication
• Transparent screen lock in place with timeout functionality enabled in accordance with Mayo standards
• Physical firewall
• Software firewall
• Physical network segmentation
• Virtual isolation (VLAN)
• Device is located in a restricted area with badge access required
• Security patches are assessed on a routine basis (min of monthly and max of semi-annual)
• Security patches are assessed on an ad-hoc basis
• Disabled unnecessary ports/services
• Write filter image manager (i.e. Deep Freeze w/reboot process)
• The OS is locked down to prevent the installation of software, email access and internet/web browsing capabilities
• Volume of PHI records being processed is low
• Number of PHI fields being captured on the device is low
• PHI is purged on a regular basis (min of quarterly update or record count of 100K)
• Account can be enabled and disabled as needed, or rights elevated only for the time needed
• Port can be enabled and disabled as needed
• Lower privileges of the account
• Password is encrypted with Mayo's approved algorithms
• There are no known vulnerabilities with (specific software) and it has a limited purpose of use
• Mayo can initiate/accept remote connection and terminate connection at any time
• Proprietary OS/firmware (non-Windows)
• Non-Mayo IT managed Anti-virus
• Mayo IT managed Anti-virus
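The Risk Prioritization slide gives six high-risk attributes, the Inherent Risk table rates each as a High finding, and the sample finding later in the deck notes that a finding "was reduced a risk rating based on compensating controls". As an added example (not from the presentation and not Mayo Clinic's tooling), the following turns those three pieces into one rating routine: each failed attribute becomes a High finding, a finding backed by at least one compensating control drops one level (H to M, M to L), and devices are ranked by their worst residual rating. The attribute keys, the one-level rule and the three inventory records are assumptions for this example.

```javascript
// Added example, not from the presentation: inherent and residual ratings for
// IoT/CE devices from the deck's six high-risk attributes and its
// compensating-control treatment. Inventory records below are constructed.

const LEVELS = ['L', 'M', 'H'];

// The six attributes in the deck's order, phrased as checks that are true when the
// device meets the bar. A false value becomes a finding.
const HIGH_RISK_CHECKS = [
  ['supportedOs', 'Runs an unsupported operating system (OS)/firmware'],
  ['osUpgradable', 'Operating system (OS)/firmware cannot be upgraded'],
  ['appsUpgradable', 'Cannot upgrade 3rd party / open source / application software'],
  ['avOrWhitelisting', 'Cannot use anti-virus or application whitelisting'],
  ['noDefaultPasswords', 'Hard coded or default passwords in device software'],
  ['accountBestPractices', 'Does not meet account use best practices'],
];

// One-level reduction, as the sample finding's report note describes (assumed rule).
function reduceOneLevel(severity) {
  return LEVELS[Math.max(0, LEVELS.indexOf(severity) - 1)];
}

// device = { name, checks: { attribute: boolean },
//            compensatingControls: { attribute: [control, ...] } }
function assessDevice(device) {
  const findings = [];
  for (const [attr, name] of HIGH_RISK_CHECKS) {
    if (device.checks[attr]) continue;                 // bar met, no finding
    const controls = (device.compensatingControls || {})[attr] || [];
    const inherent = 'H';                               // every failed attribute starts as High
    const residual = controls.length > 0 ? reduceOneLevel(inherent) : inherent;
    findings.push({ attr, name, inherent, residual, controls });
  }
  return { name: device.name, findings };
}

// Rank by worst residual rating, then by number of open findings, so the
// assessment queue starts with the devices the deck says to target first.
function prioritize(devices) {
  const score = (assessed) => {
    const worst = Math.max(-1, ...assessed.findings.map((f) => LEVELS.indexOf(f.residual)));
    return worst * 10 + assessed.findings.length;
  };
  return devices.map(assessDevice).sort((a, b) => score(b) - score(a));
}

// Constructed inventory records
const INVENTORY = [
  {
    name: 'Infusion pump (constructed)',
    checks: { supportedOs: false, osUpgradable: false, appsUpgradable: true,
              avOrWhitelisting: false, noDefaultPasswords: false, accountBestPractices: false },
    compensatingControls: {
      noDefaultPasswords: ['Physical network segmentation', 'Whitelist the devices that are accessed'],
    },
  },
  {
    name: 'IP camera (constructed)',
    checks: { supportedOs: true, osUpgradable: true, appsUpgradable: true,
              avOrWhitelisting: true, noDefaultPasswords: false, accountBestPractices: true },
    compensatingControls: {},
  },
  {
    name: 'Lab analyzer (constructed)',
    checks: { supportedOs: true, osUpgradable: true, appsUpgradable: true,
              avOrWhitelisting: true, noDefaultPasswords: true, accountBestPractices: true },
    compensatingControls: {},
  },
];
```

Keeping the inherent rating on each finding next to the residual one is deliberate: the compensating control is a promise about the environment, and if it lapses (the VLAN is flattened, the whitelist is widened) the finding should fall back to its inherent rating rather than stay quietly at Medium.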
Vulnerability assessment
Severity | Description | Affected Components (Controller / Widget) | *Owner
H | Hardcoded and default credentials in Controller (9.8) | X X | V
H | Insecure Erlang Distributed Protocol Communications (8.8) | X X | V
H | Insecure OpenFlow Communications (8.1) | X X | V
H | Cleartext Storage of Admin Credentials in Local Storage (7.0) | X | V
M | Lack of secure-boot / Lack of storage encryption and integrity check (6.8) | X X | V
M | Lack of Rules Persistency (5.9) | X | V
M | Lack of Brute Force Mitigation Techniques (5.3) | X | V
M | Weak Password Policy (5.3) | X | V
M | Use of HTTP Basic Authentication (5.3) | X | V
L | Debug Data Found in HTTP Response (2.5) | X | V
L | Cacheable HTTPS Responses (2.5) | X | V
Security assessment: sample finding
Severity: Moderate
Finding: Non-Compliance with Mayo Clinic Account Standards
Service Line: Clinical Information Security (CIS)
DPS Number: N/A
Finding Description: The local account Snoopy runs as a service and is used for 24/7 monitoring. The password is set to a manufacturer default combination that is the same for every device produced. Located in Mayo Hospital on floors 1, 2, 4 & 5 on the Jacksonville, FL campus.
Impact: Account can be misused to modify device functionality. Account can be misused to place the overarching Mayo Clinic network at risk; the device can be used as a pivot point.
Remediation Proposal: Comply with Mayo policy and standards for Work Accounts, which use:
• Expiring passwords
• Non-persistent local administrative rights
• Unique passwords
• Non-interactive login
Affected System(s): Widget Management Console
Exploitability: Not Assessed
Policy Reference(s):
• Information Access Controls - Role Based and Incremental Access Policy (8.4)* http://mayocontent.mayo.edu/infosecurity/DOCMAN-0000189996
• Server Security Management Policy http://mayocontent.mayo.edu/infosecurity/DOCMAN-0000167858
Finding Owner: Mayo Clinic
Previous Report(s): N/A
Report Note: Finding was reduced by one risk rating based on compensating controls. HTM
Vendor: Red Baron
Model: Fokker D-7
Remediation Plan: Change the default account password for Snoopy to a combination unique to Mayo Clinic.
Compensating controls:
• Whitelist the applications that are accessed
• Whitelist the devices that are accessed
Link to request Work Account and IAM standards: http://intranet.mayo.edu/charlie/office-information-security/toolsresources/work-accounts/
Exception Request Link: http://intranet.mayo.edu/charlie/office-information-security/toolsresources/work-accounts/deviation-request/
Remediation Accountability: Mayo Clinic
Evidence of Remediation: Default Snoopy password is changed to a combination unique to Mayo Clinic.
Original Planned Remediation Date: 5/9/2019
Remediation Owner: Charlie Brown
Network Mitigation Strategies
• Remove from the network
• Attach to the network only when updates needed
• Network segmentation and isolation
• Access Control Lists
• Firewalls / IPS / IDS
• Air gap
• Dual network interface cards (NICs) that are unbridged
Endpoint and System Mitigation Strategies
• Remove unneeded applications
• IE, MS Office, etc.
• Change default passwords
• Patch and update if possible
• Remove unneeded or generic accounts
• Limit privileged accounts
• Review configurations of databases and third party software
• Close open ports
• Install advanced end point protection
• AV
• Virtual patching
• Host IPS
Targeted Monitoring Strategies
• Determine high risk / high impact devices
• Send system logs to a SIEM or a log manager
• Install agents (as able) to monitor for activity and file integrity
• Monitor net flows for unusual traffic
• Custom rules
• High priority
• Immediate alerts
• Develop analytic capabilities
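As an added example of the "monitor net flows for unusual traffic" and "custom rules" bullets (not from the presentation and not any SIEM product's rule language), the following reviews a batch of flow records for profiled high-risk devices. Each device carries the peers it is expected to talk to and an hourly byte baseline; a flow to an unlisted internal peer is a high-priority alert, a flow to an unlisted external destination is an immediate alert, and crossing the byte baseline raises one volume alert per device. The internal address ranges, device profiles and flow records are constructed.

```javascript
// Added example, not from the presentation: a net-flow review for profiled
// IoT/CE devices, producing the two alert levels the slide names. All
// addresses, profiles and flow records below are constructed.

const ORG_PREFIXES = ['10.', '172.16.'];   // assumption: the organisation's internal ranges

const DEVICE_PROFILES = {
  '10.20.1.15': { name: 'Patient monitor (constructed)',
                  allowedPeers: ['10.50.0.10:443', '10.50.0.20:514'], maxBytesPerHour: 5e6 },
  '10.20.1.16': { name: 'IP camera (constructed)',
                  allowedPeers: ['10.50.0.30:554'], maxBytesPerHour: 2e9 },
};

// Constructed flow records for one hour: source device, destination, port, bytes sent
const FLOWS = [
  { src: '10.20.1.15', dst: '10.50.0.10', dport: 443, bytes: 120000 },      // expected
  { src: '10.20.1.15', dst: '10.50.0.20', dport: 514, bytes: 8000 },        // expected (syslog)
  { src: '10.20.1.15', dst: '10.20.1.40', dport: 445, bytes: 3000 },        // unexpected internal peer
  { src: '10.20.1.16', dst: '10.50.0.30', dport: 554, bytes: 900000000 },   // expected video stream
  { src: '10.20.1.16', dst: '203.0.113.7', dport: 6667, bytes: 4000 },      // unexpected external peer
  { src: '10.20.1.16', dst: '10.50.0.30', dport: 554, bytes: 1500000000 },  // pushes the hour over baseline
  { src: '10.99.9.9',  dst: '203.0.113.8', dport: 443, bytes: 500 },        // not a profiled device, ignored
];

function isInternal(ip) {
  return ORG_PREFIXES.some((prefix) => ip.startsWith(prefix));
}

function reviewFlows(flows, profiles) {
  const alerts = [];
  const bytesBySrc = {};
  const volumeAlerted = new Set();
  for (const flow of flows) {
    const profile = profiles[flow.src];
    if (!profile) continue;                          // only profiled high-risk devices are in scope
    const peer = `${flow.dst}:${flow.dport}`;
    if (!profile.allowedPeers.includes(peer)) {
      const internal = isInternal(flow.dst);
      alerts.push({
        // A medical device reaching outside the organisation is worth paging on.
        priority: internal ? 'high' : 'immediate',
        device: profile.name,
        src: flow.src,
        peer,
        reason: internal ? 'unexpected internal peer (possible pivot)' : 'unexpected external destination',
      });
    }
    bytesBySrc[flow.src] = (bytesBySrc[flow.src] || 0) + flow.bytes;
    if (bytesBySrc[flow.src] > profile.maxBytesPerHour && !volumeAlerted.has(flow.src)) {
      volumeAlerted.add(flow.src);                   // one volume alert per device per window
      alerts.push({ priority: 'high', device: profile.name, src: flow.src, peer, reason: 'volume above baseline' });
    }
  }
  return alerts;
}
```

The peer allow-list is the same information the segmentation and ACL work on the network mitigation slide needs, so building one feeds the other; the volume baseline is the simplest of the "analytic capabilities" bullet and is usually learned from a few weeks of normal flows before it is enforced.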
Defense In Depth Strategies
• Enterprise "culture of security"
• Security
• IT
• Compliance & Privacy
• Users
• Multiple layers of security designed to slow down and increase likelihood of discovering intrusions
• Defenses start at the perimeter and work down to data
• Must include user behavior
Final Thoughts
While vendors have a responsibility to fix equipment, we both have a responsibility to protect patients.
The technology and knowledge exist to fix the problem, but it’s not always a technology problem.
There is no “killer app” (segmentation strategy, firewall, anti-virus, etc.) that will fix the problem.
Even if we wanted to (and could afford to), there are not a lot of secure by design devices to purchase.
Some vendors are now selling security as an add-on option.
There is a need for market pressure to produce change.