©2014 MFMER | slide-1
-Medical Devices- Safe and Secure Procurement
Kevin McDonald, BSN, MEPD, CISSP, Director, Clinical Information Security, Mayo Clinic
American Hospital Association, April 11, 2017
Topics
• Today’s Environment
• Internet of Medical Things
• State of Security
• Common Security Issues
• Reducing Risk
• Medical Device Security Myths
• FDA Guidance
• Final Thoughts
Healthcare is Targeted
• "Computer Viruses Are 'Rampant' on Medical Devices in Hospitals": more than 40 viruses hit devices including X-ray machines and lab equipment made by companies such as General Electric Co., Philips N.V. and Siemens AG.
• FDA Safety Communication: Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System
• Cyberattack at Appalachian Regional Healthcare keeping EHR down after six days
• FBI investigating: Hollywood hospital pays $17,000 in bitcoin to hackers
• The product with the most vulnerabilities in the May-July period was healthcare software Philips Xper Connect, with 272 reported vulnerabilities
Healthcare is being targeted
Today's Hostile Environment
• Threat actors have multiple levels of skills
  • Insiders (current & ex)
  • Script kiddies
  • Hacktivists
  • Organized crime
  • Nation state
• An active adversary must be assumed, with unlimited time and resources
• The skill level needed to cause harm is going down
• Tools to compromise and harm systems are readily available and cheap (or free)
• Harm or disruption could be deliberate or collateral
• We are way past relying upon firewalls
Attack Motivations
• Revenge
• Personal gain
• Bragging rights / status
• Expression of political or social views
• Intellectual property theft
• $$$$$ (ransomware, theft, etc.)
• Identity theft, financial and medical
  - Health records sell for $50
  - Can be used for billing fraud by fake clinics
  - Used for prescription fraud to obtain, and then sell, narcotics
"Internet of Medical Devices"
• United States healthcare is technology rich and diverse
• $110 billion (and more) spent each year on medical devices
• 7,000 device manufacturers
• Between 1995 and 2010 there was a 62% increase in the number of devices per bed
• Mean number of devices per bed is 13
Medical Devices – Essential to Care Delivery
• Care is highly dependent upon technology
• Demand for connectivity is growing
  • The HITECH Act and increasing use of EHRs are driving device connectivity
  • 1 in 4 medical devices are network connected, with more every day
• Healthcare is no longer possible without technology
• Medical technology is used to:
  • Improve patient outcomes (diagnostic and treatment)
  • Offset rising costs and decrease resource needs
  • Decrease medical errors
  • Improve access to care
  • Deliver specialized knowledge
State of Healthcare Security
"Ripe for the picking": dollars are tight and resources are short
• Hospital demographics
  • ~5,800 hospitals in the US
  • "Average" US hospital: 160 beds, $10.7 million profit
• Medical devices
  • Have publicly known vulnerabilities
  • Impacted by malware
  • Warnings from FDA & ICS-CERT on vulnerable devices
  • FBI issued a public service announcement: isolate, patch/update, purchase from security-conscious vendors
• Cybersecurity preparations: low
  • The healthcare industry spends 4% to 6% of its IT budget on security; the financial industry spends 12% to 15%
  • 94% of medical institutions say they have been victims of a cyber attack
  • A security expert shared that cybercrime is now more lucrative than the illicit drug trade (CBS News, Sept. 2016)
State of Medical Device Vendor Security
• Security is often an "afterthought" (or not considered)
  • Little security "by design"
  • Massive legacy device problems
• Most vendors are trying to catch up
  • Struggling to change internal culture and build security awareness
  • Transitioning from device manufacturers to software companies
  • Unable to find staff with proper skills and knowledge
  • Struggling with diversity in their products and long lead times
• Security has not been seen as a competitive advantage
• Engineers and product designers really "love" their devices and are proud of them
  • They don't take well to someone calling their "baby ugly"
• Interactions with sales, legal and product managers tend to be unproductive
• Vendors are trying to build security on top of immature development processes
Vendors are naive about risks and the security of their products
The Status Quo Continues...
• Despite cyber threat data and growing awareness, healthcare remains unprepared
  • 72% of healthcare providers have fewer than 200 beds and inadequate funds or resources
  • 80% of device vendors have fewer than 50 employees and lack knowledge and experience
• The industry continues to be an "easy" target for cyber attack
  • Medical devices are still sold with Windows XP, unsupported since 2014
  • Healthcare providers cannot manage medical devices like other technology
  • Risks are managed through "guidance", collaboration, hand-crafted solutions and wishful thinking
• There are currently little to no incentives to sell secure devices, and no consequences for selling poorly secured ones
Common Security Issues & Concerns
• Operational security gaps
• Authentication vulnerabilities
• Application vulnerabilities
• Configuration vulnerabilities
• Unpatched software
• Lack of encryption
Operational Security Gaps
• Customer support web sites
  • Poor identity proofing and authentication
  • "Helpful" documentation & software
• Publicly available:
  • Technical documentation
  • Hardcoded and default passwords
  • Source code
  • Exploits
• Devices available for purchase
  • Allows for reverse engineering
  • Testing platform for exploits
• Customer service social engineering
• Internal intranet sites with information
• Poor management of support accounts
(Online auction listing shown on the slide: "Up for auction is this used Hospira Abbott PLUM A+ IV Infusion Pump. This powers up and initiates. It passed the self test.")
Authentication Vulnerabilities & Issues
• Poor or no authentication
• No passwords, or trivial and easily guessed passwords
• Unable to use multi-factor authentication
• Inability to use AD or LDAP
• Multiple uses for single accounts
  • Software installation
  • Patching
  • Work & service accounts
• Use of a single support account and password for ALL customers
• Use of hardcoded passwords
  • Available publicly, in configuration files, manuals and source code
• Local storage of accounts and passwords
• Insecure remote support methods
Application Vulnerabilities & Issues
• Generally "fragile applications"
• Susceptible to denial of service attacks (small & large scale)
• Required to run with elevated privileges
• Unable to run anti-virus or whitelisting, or application folders must be excluded
• Application impacts when using local security agents
• Inability to scan devices with commercial vulnerability scanners
• Vulnerable to a large number of known exploits
• Open source and third-party software vulnerabilities
• Use of consumer grade technology
Configuration Vulnerabilities & Issues
• Unneeded high-risk functionality left operational
  • FTP, Telnet, TFTP, etc.
• Unneeded files and applications left on systems
  • Install instructions
  • Tools
  • Etc.
• Default users and passwords not removed or changed
• Security software disabled
• Default settings on software, hardware and security features
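Two of the issues above (hardcoded passwords sitting in configuration files, from the Authentication slide, and default credentials and legacy services left enabled, from this slide) can be checked mechanically once you have the files from a device image or a walk-through. The script below is an added example for this page, not Mayo Clinic or vendor code. The file contents, the paths and the list of vendor-documented default credentials are all constructed for the demonstration; in a real evaluation substitute the files from the device under review and the defaults printed in its manuals.

```python
"""Pre-purchase configuration review: find hardcoded or vendor-default
credentials and unneeded legacy services in files pulled from a device.

Added example for this page, not Mayo Clinic or vendor code. The file
contents, paths and the list of vendor-documented defaults below are all
constructed for the demonstration; replace them with the files from the
device under evaluation and the defaults printed in its manuals."""
import re

# Constructed snapshot of two files from a hypothetical device image.
SAMPLE_FILES = {
    "etc/inetd.conf": (
        "ftp    stream tcp nowait root /usr/sbin/in.ftpd    in.ftpd\n"
        "telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n"
        "#tftp  dgram  udp wait   root /usr/sbin/in.tftpd   in.tftpd /tftpboot\n"
        "ssh    stream tcp nowait root /usr/sbin/sshd       sshd -i\n"
    ),
    "opt/monitor/app.ini": (
        "[database]\n"
        "user = sa\n"
        "password = Passw0rd!\n"
        "[support]\n"
        "svc_user = service\n"
        "svc_password = service\n"
        "api_token = c2VjcmV0\n"
    ),
}

# Constructed: (user, password) pairs published in the vendor's install guide.
KNOWN_DEFAULTS = {("sa", "Passw0rd!"), ("service", "service"), ("admin", "admin")}

# The "unneeded high-risk functionality" called out on the slide.
LEGACY_SERVICES = {"ftp", "telnet", "tftp", "rsh", "rlogin", "rexec"}

# key = value / key: value lines whose key looks like a secret or a user name.
SECRET_RE = re.compile(r"^\s*([\w.]*(?:pass(?:word|wd)?|pwd|secret|token)[\w.]*)\s*[=:]\s*(\S+)", re.I)
USER_RE = re.compile(r"^\s*([\w.]*user(?:name)?)\s*[=:]\s*(\S+)", re.I)


def find_credentials(text):
    """Return [(line_no, key, value)] for every plaintext secret-like setting."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SECRET_RE.match(line)
        if m:
            found.append((n, m.group(1), m.group(2)))
    return found


def find_default_pairs(text):
    """Return vendor-default (user, password) pairs still present in the file."""
    users = {m.group(2) for m in map(USER_RE.match, text.splitlines()) if m}
    passwords = {v for _, k, v in find_credentials(text)
                 if "pass" in k.lower() or "pwd" in k.lower()}
    return sorted(p for p in KNOWN_DEFAULTS if p[0] in users and p[1] in passwords)


def find_legacy_services(text):
    """Return enabled (uncommented) inetd-style services that are in LEGACY_SERVICES."""
    enabled = []
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and fields[0].lower() in LEGACY_SERVICES:
            enabled.append(fields[0].lower())
    return enabled


def review_device(files):
    """Run all three checks over a {path: contents} mapping."""
    return {
        path: {
            "credentials": find_credentials(text),
            "default_pairs": find_default_pairs(text),
            "legacy_services": find_legacy_services(text),
        }
        for path, text in files.items()
    }


def below_bar(report):
    """Minimum-requirements test: any default/hardcoded password or legacy service fails."""
    return any(r["default_pairs"] or r["legacy_services"] for r in report.values())


if __name__ == "__main__":
    report = review_device(SAMPLE_FILES)
    for path, findings in report.items():
        print(path, findings)
    print("below bar:", below_bar(report))
```

On the constructed sample the review flags FTP and Telnet as enabled (the commented-out TFTP line is ignored), three plaintext secrets in the INI file, and two credential pairs that match the vendor's published defaults, so the device lands below the "bar of goodness" and goes back to the vendor before purchase. The patterns are deliberately simple; extend SECRET_RE and KNOWN_DEFAULTS with what the vendor's own documentation reveals.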
Unpatched Software Issues
• Running on older operating systems with no upgrade paths
  • Various versions of Windows (and DOS)
  • Multiple versions of Linux
  • Old proprietary systems
• Unpatched software: commercial applications and open source with published exploits
• No, or resource intensive, process for updates and patching
• "Sneaker-net" upgrade processes
• Immature patching processes
  • "Patch and pray"
  • Partial patching
Lack of Encryption
• PHI & PII stored unencrypted or with weak protection
  • Ability to read and change patient data
  • DES (obsolete cipher), MD5 (a hash, not encryption), Base64 (an encoding, not encryption)
• Source code not obfuscated
  • Easily reverse engineered
• Communication is unencrypted
  • "Man-in-the-middle" attacks
  • Emulation of monitoring devices
  • Able to capture traffic and emulate devices
• Weak wireless encryption
  • WEP
  • Pre-shared keys
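The following is an added example for this page (not from the deck or any device vendor) showing what the storage and transit bullets above mean to an attacker who has a copy of the device's files or a capture of its traffic, and the stronger form of each control. Every value is constructed: the Base64 "protected" credential, the unsalted MD5 hash, the small word list, the per-device key and the vitals message; the message format is an assumption, not any real device protocol.

```python
"""What the "weak encryption" bullets look like to an attacker who has a copy
of the device's files or a capture of its traffic, and the stronger form
of each control.

Added example for this page, not from the deck or any device vendor. The
stored credential, the password hash, the word list, the device key and the
vitals message are all constructed for the demonstration."""
import base64
import hashlib
import hmac
import os

# --- Data at rest -----------------------------------------------------------

# Constructed: a "protected" credential as found in a config file. Base64 is
# an encoding, so anyone who can read the file can read the credential.
STORED_CREDENTIAL = "c3ZjOlBhc3N3MHJkIQ=="
# Constructed: an unsalted MD5 password hash from a local account store.
STORED_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"
# Constructed word list; real attacks use millions of entries or rainbow tables.
WORDLIST = ["123456", "admin", "service", "password", "welcome1"]


def decode_base64_secret(stored):
    """Base64 'encryption' reverses with one library call."""
    return base64.b64decode(stored).decode()


def crack_unsalted_md5(digest_hex, wordlist):
    """Unsalted MD5 is fast and unkeyed: try candidates until one matches."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest_hex:
            return word
    return None


def hash_password(password, salt=None):
    """Stronger form: salted, slow PBKDF2-HMAC-SHA256 (stdlib, always available)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of the recomputed digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


# --- Data in transit --------------------------------------------------------

# Constructed: one plaintext vitals message from a monitor to a central station.
VITALS = b"PID=000123;HR=72;SPO2=98"
# Constructed: a per-device key provisioned at install time (assumption).
DEVICE_KEY = b"per-device-key-provisioned-at-install"


def parse_vitals(msg):
    """The central station's view of the message: no way to tell it was changed."""
    return dict(field.split("=", 1) for field in msg.decode().split(";"))


def mitm_rewrite(msg, old, new):
    """What a man-in-the-middle does to an unauthenticated message."""
    return msg.replace(old, new)


def sign_message(key, msg):
    """Integrity tag the monitor would append if the link were protected."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_message(key, msg, tag):
    """Central-station check: a rewritten message no longer matches its tag."""
    return hmac.compare_digest(sign_message(key, msg), tag)


if __name__ == "__main__":
    print("base64 credential ->", decode_base64_secret(STORED_CREDENTIAL))
    print("md5 hash ->", crack_unsalted_md5(STORED_MD5, WORDLIST))
    salt, digest = hash_password("Passw0rd!")
    print("pbkdf2 verify:", verify_password("Passw0rd!", salt, digest))
    tag = sign_message(DEVICE_KEY, VITALS)
    forged = mitm_rewrite(VITALS, b"HR=72", b"HR=40")
    print("station reads:", parse_vitals(forged))
    print("tag still valid:", verify_message(DEVICE_KEY, forged, tag))
```

The HMAC tag only demonstrates integrity; on a real link the traffic should also be confidential (TLS or an equivalent authenticated-encryption transport), and the key must be per device rather than shared across the fleet, or one compromised device can emulate every other one, which is exactly the emulation risk the slide describes.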
Proactive Actions to Reduce the Risk
• Set standards
• Set minimum requirements
• Evaluate new purchases
• Procurement and contracting requirements
• Require remediation and mitigations
• Comprehensive internal security program
• Governance of risk
Push security to the front of the device decision making process
Security Standards
• Use an industry standard that is applicable
  • IEC 80001-1, "Application of Risk Management for IT Networks Incorporating Medical Devices"
• The standard should:
  • Have a capabilities description
  • Be concise and risk based
  • Be usable as a template for reviews, vendor questions and risk determination
  • Come from a standards body vendors are familiar with
Set Minimum Requirements
• Minimum requirements, the "bar of goodness"
  • Runs a supported OS
  • Receives routine OS patches
  • Has AV applied and updated
  • Receives routine 3rd-party software patches
  • Contains no default or hardcoded passwords
  • Complies with work account standards
• Below the bar: work with the vendor and the practice
  • 1st: mitigate or remediate prior to purchase
  • 2nd: commitment from the vendor to address, with a set timeline
  • 3rd: exception from the governance group (centralized risk acceptance)
New Purchase Evaluations
• Evaluate BEFORE the purchase is made
  • Engage with clinical areas during their budgeting process
  • Include the evaluation as part of the purchase request
  • Goal is to plan the evaluations a year before an anticipated purchase
• Develop processes, questions, templates and checklists to make the evaluations a consistent, repeatable process
• Tailor your evaluations to the risks involved
  • Do I care?
  • How much do I care?
• A significant amount of information can be found by asking the right questions, doing a walk-through and looking at documentation
• Assign dedicated staff to review documentation and do follow-up
New Purchase Evaluations
• Focus on high priority devices
  • Greatest potential to cause patient harm
  • Greatest potential to widely disrupt patient care processes
  • Impact to the network
• Engage all stakeholders
  • Clinical users, biomed, IT, facilities
  • Vendor
• Assess the whole "device family"
  • Follow the data flow to include points of testing: workstations, servers and endpoints
  • Document demographic information, establish rules of engagement
• Consistent, repeatable, efficient, high quality process
  • Documentation of workflow
  • Standard processes, documentation, templates and checklists
  • Testing standards
Procurement & Contracting
• Integrate into the budgeting and funding processes
• Develop a medical device information security schedule
  • Software security requirements
  • Behavior expectations
  • Timelines, penalties
  • Right to require full testing
• Split contracts into general security language and product-specific requirements
• Customize with commitments for future improvements
• Incorporate an exception process for critical devices not meeting standards
• Require a level of security from vendors to prevent supply chain compromises
Procurement & Contracting
• Information security schedule contents
  • Meet FDA guidelines (e.g. fail-safe features)
  • Testing and scanning requirements
    • Include the SANS/CWE Top 25 and/or OWASP Top 10
    • Performed at Mayo's request, by a tester Mayo agrees to, or by Mayo staff
    • Meet Mayo testing methodology
  • Installation standards (e.g. document needed ports/services, remove unneeded ports/services)
  • Development standards
  • Users and passwords (e.g. unique, no hardcoded, no persistent admin privilege)
  • Security issues and response (e.g. communicate a Known Vulnerability or Exploit (KVE) within 20 days, identify a timeline and plan to remediate/mitigate, warrant that all open source software is actively maintained)
  • Penalty for failure to fix a KVE
  • Indemnification for cyber-security incidents caused by the device
Remediation & Mitigations
• Pre-purchase
  • Require testing of simple remediations and mitigations
    • Many times the use of AV, the impact of not using admin privileges, etc. has never been tested by the vendor
  • Implement process changes (e.g. only plug into the network for upgrades)
  • Partial "fix" (e.g. require changes of default passwords to at least be unique for your institution)
  • Require product changes for known vulnerabilities before use or in the near future
  • Disable unused or unneeded parts of a product
  • General system updates & clean up
    • Update to current versions of software
    • Remove unneeded files, close ports, etc.
80% of issues we have found are vendor related and require a vendor fix
Governance of Risk
• Need to make sure that risk decisions are made at the right level
• Physician and leadership involvement is critical
• Governance may take the form of:
  • Security or safety committee
  • "Office" organization to evaluate risk
  • Escalation to a practice committee
  • Etc.
• Decisions might have to be made on clinical value vs. risk to the institution
• Sometimes, for good reasons, "bad devices" must be bought
  • Your job is to minimize risk
FDA Guidance
"While this is guidance on how, cybersecurity for medical devices is not optional" – Dr. Suzanne Schwartz, FDA
• Guidance for Industry – Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software
• Content of Premarket Submission for Management of Cybersecurity in Medical Devices
• Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication
• Postmarket Management of Cybersecurity in Medical Devices – Draft Guidance for Industry and Food and Drug Administration Staff
• FDA Fact Sheet: The FDA's Role in Medical Device Cybersecurity. Dispelling Myths and Understanding Facts
FDA Guidance
• Hold the vendor accountable to the FDA guidance
• The vendor is responsible for ensuring the safety and effectiveness of their devices
• Cybersecurity patches usually do not need another FDA review
• A vendor should:
  • Maintain a robust software lifecycle process
  • Have a process for intake and communication of vulnerabilities
  • Deploy mitigations early and before exploitation
  • Use a method to determine the severity of vulnerabilities
  • Validate all changes
  • Implement compensating controls
  • Provide a fix within 60 days for uncontrolled risk
Read and know the guidance!
Dispelling Urban Myths
• "FDA needs to approve a cybersecurity patch or fix"
• "Cybersecurity is not regulated by the FDA"
• "Customers need to place devices on a 'secure' network"
• "It is the customer's responsibility to verify patches"
• "No one else has EVER asked for this before"
Final Thoughts
• The technology and knowledge exist to fix the problem, but it's not always a technology problem
• While vendors have a responsibility to fix equipment, we both have a responsibility to protect patients
• This is a journey: immediate attention is needed now, with on-going, steady progress
References
• Content of Premarket Submission for Management of Cybersecurity in Medical Devices: http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf
• Guidance for Industry – Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software: http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm
• Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication: www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm
• Postmarket Management of Cybersecurity in Medical Devices – Draft Guidance for Industry and Food and Drug Administration Staff: http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf
• FDA Fact Sheet: The FDA's Role in Medical Device Cybersecurity. Dispelling Myths and Understanding Facts: https://www.fda.gov/downloads/MedicalDevices/DigitalHealth/UCM544684.pdf