The FDA - Mobile, and Fixed Medical Devices Cybersecurity Guidance
THE FDA and Medical Device Cybersecurity Guidance
Valdez Ladd, MBA, CISSP, CISA
Pam Gilmore, ISSA Raleigh, NC
THE FDA and Medical Device Cybersecurity
FDA’s scope is beyond HIPAA (Privacy & Security Rule)
Health Informatics-Provisions for Health Applications on Mobile/Smart Devices.
Application of risk management for IT-networks incorporating medical devices.
FDA and Wireless Frequency Devices
* Complements HIPAA’s security risk analysis
Vulnerability discovery
January 2013
Cylance cybersecurity researchers Billy Rios and Terry McCorkle
identified 300 pieces of medical equipment vulnerable to cyber attacks
* firmware, embedded passwords and weak authentication.
June 13, 2013 FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks.
Assure that appropriate safeguards are in place to reduce the risk of failure due to cyber attacks for medical devices
Design security into the manufacturing process, document it and communicate it to hospitals, etc.
Risk Analysis
Beyond C-I-A to Medical PAINS
CIA:
Confidentiality, Integrity, & Availability
PAINS
Privacy, Availability, Authentication, Integrity, Non-repudiation and Safety
Risk and Compliance
Security Capabilities
Access controls best practices
Remove “hardcoded” passwords
Limit access to trusted users
Role based access with time limitations
Physical locks on devices
Incident Response
Use of Fail-Safe and Recovery
- Security features are recognized, logged and acted upon
- Logging: Devices will need capacity for logging diagnostic data. Capabilities vary depending on device design
- Forensics: Data captured in Hazard report
Ensure trusted Content with strong authentication and encryption.
Customer notification process.
CyberSecurity Design Document
FDA 510(k) Premarket Approval submissions by manufacturers now require a cybersecurity risk analysis and protections in the design of their medical devices:
1. Hazard analysis, mitigations and design
2. Traceability Mix
3. Antivirus
Manufacturer Disclosure Statement for Medical Device Security (MDS2) v2
Developed by HIMSS and the National Electrical Manufacturers Association (NEMA)
Since 2013, medical device manufacturers have to disclose the cybersecurity features of the medical devices they sell to healthcare providers.
A hospital risk assessment tool to assess the vulnerabilities and risks of medical devices. Allows easy comparison of security features across different devices and different manufacturers.
Intrusion Detection is defined as:
"...the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource." More specifically, the goal of intrusion detection is to identify entities attempting to subvert in-place security controls.
Intrusion Detection and Mobile Devices
What are the risks with health information and mobile devices?
Assets: What is valuable in the system and how could it be lost?
Attackers and their motivations: Who would want to do something bad and why?
What role do compliance, regulations and guidelines play in securing data?
Mobile Devices and health information
Defenses: What more could be done to prevent or mitigate attacks?
How can an attacker change the authentication data? What is the impact if an attacker can read the user profile data?
What happens if access is denied to the user profile database?
STRIDE MODEL
*Spoofing vs. authentication
*Tampering vs. integrity
*Repudiation vs. non-repudiation
*Information disclosure vs. confidentiality
*Denial of service vs. availability
*Elevation of privilege vs. authorization
Types of Attacks
Carrier Based Methods
Man in the middle (MiTM) attacks which can steal data
Hijack wireless transmission
Endpoints based methods
Inject code to tamper with web application or web services
Stealing user sensitive phone contents using malware
Wireless interfaces based methods
Stealing data when it is in transit using the wireless channel
Exploit access and authentication access
An adversary steals sensitive data by reading SD card based stored content
An adversary exploits OS level functionalities to steal data from the device
Rooting or jailbreaking the phone to access sensitive data from memory
APTs: Advanced Persistent Threats
Detecting APTs
To aid in detecting Advanced Persistent Threats (APTs):
*The Splunk platform alerts IT on attempts to remotely access the hospital’s infrastructure from foreign countries such as Russia. Russia has become well known for infecting sites with malware.
*Many attack vectors start with a phishing email used to infiltrate malware; analysts can correlate Exchange, antimalware server and firewall logs for evidence of questionable downloads.
*“Splunk allows cross-reference of any data, identifying attack patterns and unauthorized actions that would otherwise go undetected. Search for particular virus signatures to determine which devices are infected.”
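The cross-source correlation described in these bullets, sketched as an added example (not part of the original slides and not Splunk code). The log records, field names, asset inventory and the 10-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real logs; every field name is an assumption.
ASSETS = {"nurse1@example.org": "ws-17", "clerk2@example.org": "ws-22"}
MAIL = [  # mail server: message with an attachment delivered
    {"ts": "2014-03-02T09:01:10", "recipient": "nurse1@example.org", "attachment": "invoice.zip"},
    {"ts": "2014-03-02T09:05:00", "recipient": "clerk2@example.org", "attachment": "rota.pdf"},
]
FIREWALL = [  # firewall: transfer between an internal host and a remote address
    {"ts": "2014-03-02T09:03:40", "host": "ws-17", "remote": "198.51.100.7"},
    {"ts": "2014-03-02T13:40:00", "host": "ws-22", "remote": "203.0.113.9"},
]
ANTIMALWARE = [  # antimalware server: signature hit on a host
    {"ts": "2014-03-02T09:04:05", "host": "ws-17", "signature": "EXAMPLE.Dropper"},
]


def _when(event):
    return datetime.fromisoformat(event["ts"])


def _near(events, host, start, window):
    """Events for `host` that fall in [start, start + window]."""
    return [e for e in events if e["host"] == host and start <= _when(e) <= start + window]


def correlate(mail, firewall, antimalware, assets, window=timedelta(minutes=10)):
    """Flag hosts where an attachment delivery is followed, inside `window`,
    by both a firewall-logged transfer and an antimalware detection."""
    findings = []
    for msg in mail:
        host = assets.get(msg["recipient"])
        if host is None:
            continue  # recipient not in the asset inventory: nothing to pivot on
        start = _when(msg)
        transfers = _near(firewall, host, start, window)
        detections = _near(antimalware, host, start, window)
        if transfers and detections:  # require corroboration from both sources
            findings.append({
                "host": host,
                "attachment": msg["attachment"],
                "remotes": sorted({t["remote"] for t in transfers}),
                "signatures": sorted({d["signature"] for d in detections}),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(MAIL, FIREWALL, ANTIMALWARE, ASSETS):
        print(finding)
```

Requiring agreement from all three sources keeps a single noisy log from raising an alert on its own; the window is the tuning knob that trades missed slow infections against false matches.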
Wearable Medical Devices
1.) Pacemaker
2.) Insulin pumps
3.) Smart glasses (Google, Vuzix)
4.) Smart watches (Google, Apple)
5.) Smart clothing (RFID tags)
Wearables- Risks & Possible Solutions
Middlesex hospital video
Splunk and security (intrusion detection)
Success Stories from Healthcare corporations
iRhythm
Challenges: iRhythm is a rapidly growing medical device and service company. iRhythm required an efficient and effective way to monitor business processes, establish baseline performance across their entire operation and continue to track that performance as the business evolved.
BUSINESS IMPACT
*Operational intelligence and long-term planning
*Business process monitoring through every stage of the business model
*Operational intelligence without investing in a data warehouse
*Secure data management for HIPAA
Success Stories—ING--Financial
Ensuring Regulatory Compliance
Financial services companies are subject to an ever increasing set of regulatory requirements that include Sarbanes-Oxley, PCI and Basel II, among others.
*Splunk indexes data generated by the technologies that need to be monitored for regulatory compliance.
*It enables rapid retrieval of log data requested by IT auditors.
“With Splunk we achieved ROI within 60 days, and we’re able to better meet compliance mandates and improve auditing and reporting best practices, despite reducing our compliance staff.” (Legg Mason)
Splunk and Compliance
• Splunk demonstrates compliance with HIPAA requirements related to unauthorized access of ePHI records. Splunk software is able to take proactive measures to pinpoint any security breaches related to ePHI records.
Security Regulations:
• FISMA – For government agencies, Splunk securely collects, indexes and stores all your log and machine data along with audit trails to meet NIST requirements. The continuous monitoring process steps in NIST 800-137 (draft) are listed as: Define, Establish, Implement, Analyze/Report, Respond and Review/Update.
• HIPAA - Splunk instantly assesses reports of EPHI leakage and meets HIPAA’s explicit log requirements. HIPAA and EPHI security and privacy rules include explicit requirements for audit trail collection, review, automated monitoring and incident investigation.
• PCI - Rapid compliance with explicit PCI requirements for log retention/review and change monitoring, comprehensive reporting on all PCI controls such as passwords and firewall policy.
• SOX - Splunk search makes compliance-mandated routine log review easy and straightforward. For IT controls based on ITIL, COBiT, COSO, ISO 17799, BS-7799 audit and reporting.
Conclusion
Since 2014, future devices will have a device cybersecurity product life-cycle from design to operation to disposal.
The result will be a strengthening of the HIPAA Privacy and Security Rule in areas of Risk Analysis for medical device purchases.
About the Authors
Valdez Ladd – MBA, CISSP, CISA, COBIT 4.1; ISO/TC 215 - Health informatics, WG 4, Privacy and Security (2011-2013); WEDI.org; Cloud Security Alliance; ISACA.org; ISC2.org
contact: www.linkedin.com/in/valdezladd
Pam Gilmore - BS Business Administration Management concentration. Member of ISSA Raleigh, NC chapter. She has been a key leader for editing of Dex One company security policy documentation and review. Technical focus is in Incident Handling, Information Security and Architecture.