Securing IoT Medical Devices

Steven C. Markey, MSIS, PMP, CISSP, CIPP/US , CISM, CISA, STS-EV, CCSK, CCSP, Cloud +

Principal, nControl, LLCAdjunct Professor

Source: NECCRSource: Fitbit

Source: HealthInfoSec

Securing IoT Medical Devices

• Presentation Overview– IoT? Huh….– Vulnerabilities & Exploits– Hacking Examples– Security / Privacy by Design– Where Do We Go From Here?

Securing IoT Medical Devices

• IoT? Huh....– IoT = Internet of Things

• Ubiquitous Connectivity (e.g., 802.11x, 802.15, 3G / 4G, WMTS)• Data Portability / Interoperable Data Synching

– EDI = Electronic Data Interchange

• Redundant Technologies & Methods– Java, Linux, Open-source APIs, etc.– Cocoa Touch Layer, etc.

– Medical / Healthcare Esoteric Language & Nuances• WMTS = Wireless Medical Telemetry Services• Regulatory Requirements: HIPAA / HITECH, FDA• Healthcare Digitization: PPACA (i.e., Obamacare)

– ICD-9 / 10 for US = EDI

Securing IoT Medical Devices

• Vulnerabilities & Exploits– Data in Motion (DIM) Challenges

• (Distributed) Denial of Service = DoS / DDoS– Disable the Device via Signal – Dick Cheney’s Heart, No Wireless

• Man in the Middle (MITM) – Sniff / Alter Packets– Economic DoS (EDoS)

– Data in Use (DIU) Challenges• DLP

– Is sandboxing that effective?

– Data at Rest (DAR) Challenges• Jailbreak• Crack Weak Cryptography

Securing IoT Medical Devices

• Hacking Examples

Securing IoT Medical Devices

Source: Flickr

• Security / Privacy By Design– Security / Privacy Requirements– Threat Modelling– Misuse Cases– Compensating Controls

Securing IoT Medical Devices

• Security / Privacy By Design– Security / Privacy Requirements

• Access Controls– Mobile Medical Applications (MMAs)

» Sandboxed w/ Strong Password Protections– Wearable Medical Devices (WMDs)

» Self-contained with DLP Protections– Embedded Medical Devices (EMDs)

» Secure, Configurable, Intuitive GUIs – Like a Wireless Router

• Cryptography– Strong Encryption / Hashing for DAR / DIM / DIU– Transparent Data Encryption (TDE)

» Follow the Apple Model– Homomorphic Encryption (HE)

Securing IoT Medical Devices

• Security / Privacy By Design– Threat Modelling

• Performance / DDoS / Quality of Service (QoS)• Nonrepudiation – Data, Patches• False Positives – Alerts, Data Transfer• Data Retention

– Misuse Cases• EDoS

– Insurance– Clinical Visits

• Physiological, Psychological Stress• Device Misconfiguration – Data Loss, Transaction Integrity• GPS

Securing IoT Medical Devices

• Security / Privacy By Design– Compensating Controls

• SIEM Operational Awareness• Tokenization• DLP• IAM• MDM / MAM• Physical Access Controls

Securing IoT Medical Devices

Securing IoT Medical Devices

• Where Do We Go From Here?– National / Industry / Workgroup Standards

• FDA• HIMSS• HITRUST• NIST

– Thought Leadership• OWASP• ISC2• ISSA

– Device Certification / Attestation• FDA• HITRUST

Securing IoT Medical Devices

Securing IoT Medical Devices

Source: HealthInfoSec

• Questions?• Contact

– Email: smarkey@ncontrolsec.com– Twitter: @markes1– LI: http://www.linkedin.com/in/smarkey