Securing_Medical_Devices_v3
-
Upload
steve-markey -
Category
Documents
-
view
11 -
download
1
Transcript of Securing_Medical_Devices_v3
Securing IoT Medical Devices
Steven C. Markey, MSIS, PMP, CISSP, CIPP/US , CISM, CISA, STS-EV, CCSK, CCSP, Cloud +
Principal, nControl, LLCAdjunct Professor
Source: NECCRSource: Fitbit
Source: HealthInfoSec
Securing IoT Medical Devices
• Presentation Overview– IoT? Huh….– Vulnerabilities & Exploits– Hacking Examples– Security / Privacy by Design– Where Do We Go From Here?
Securing IoT Medical Devices
• IoT? Huh....– IoT = Internet of Things
• Ubiquitous Connectivity (e.g., 802.11x, 802.15, 3G / 4G, WMTS)• Data Portability / Interoperable Data Synching
– EDI = Electronic Data Interchange
• Redundant Technologies & Methods– Java, Linux, Open-source APIs, etc.– Cocoa Touch Layer, etc.
– Medical / Healthcare Esoteric Language & Nuances• WMTS = Wireless Medical Telemetry Services• Regulatory Requirements: HIPAA / HITECH, FDA• Healthcare Digitization: PPACA (i.e., Obamacare)
– ICD-9 / 10 for US = EDI
Securing IoT Medical Devices
• Vulnerabilities & Exploits– Data in Motion (DIM) Challenges
• (Distributed) Denial of Service = DoS / DDoS– Disable the Device via Signal – Dick Cheney’s Heart, No Wireless
• Man in the Middle (MITM) – Sniff / Alter Packets– Economic DoS (EDoS)
– Data in Use (DIU) Challenges• DLP
– Is sandboxing that effective?
– Data at Rest (DAR) Challenges• Jailbreak• Crack Weak Cryptography
Securing IoT Medical Devices
• Hacking Examples
Securing IoT Medical Devices
Source: Flickr
• Security / Privacy By Design– Security / Privacy Requirements– Threat Modelling– Misuse Cases– Compensating Controls
Securing IoT Medical Devices
• Security / Privacy By Design– Security / Privacy Requirements
• Access Controls– Mobile Medical Applications (MMAs)
» Sandboxed w/ Strong Password Protections– Wearable Medical Devices (WMDs)
» Self-contained with DLP Protections– Embedded Medical Devices (EMDs)
» Secure, Configurable, Intuitive GUIs – Like a Wireless Router
• Cryptography– Strong Encryption / Hashing for DAR / DIM / DIU– Transparent Data Encryption (TDE)
» Follow the Apple Model– Homomorphic Encryption (HE)
Securing IoT Medical Devices
• Security / Privacy By Design– Threat Modelling
• Performance / DDoS / Quality of Service (QoS)• Nonrepudiation – Data, Patches• False Positives – Alerts, Data Transfer• Data Retention
– Misuse Cases• EDoS
– Insurance– Clinical Visits
• Physiological, Psychological Stress• Device Misconfiguration – Data Loss, Transaction Integrity• GPS
Securing IoT Medical Devices
• Security / Privacy By Design– Compensating Controls
• SIEM Operational Awareness• Tokenization• DLP• IAM• MDM / MAM• Physical Access Controls
Securing IoT Medical Devices
Securing IoT Medical Devices
• Where Do We Go From Here?– National / Industry / Workgroup Standards
• FDA• HIMSS• HITRUST• NIST
– Thought Leadership• OWASP• ISC2• ISSA
– Device Certification / Attestation• FDA• HITRUST
Securing IoT Medical Devices
Securing IoT Medical Devices
Source: HealthInfoSec
• Questions?• Contact
– Email: [email protected]– Twitter: @markes1– LI: http://www.linkedin.com/in/smarkey