Dreaded Embedded sec360 5-17-16 | PPTX
The Dreaded Embedded
Barry Caplin
VP & CISO
Fairview Health Services
bcaplin1@fairview.org
bc@bjb.org
@bcaplin
securityandcoffee.blogspot.com
Secure 360
Tues. May 17, 2016
Tweet along: #Sec360
@bcaplin
http://about.me/barrycaplin
securityandcoffee.blogspot.com
Who is Fairview?
o Not-for-profit established in 1906
o Academic Health System since 1997 – partnership with University of Minnesota
o >22K employees
o >3,300 aligned physicians
o Employed, faculty, independent
o 7 hospitals/medical centers (>2,500 staffed beds)
o 40-plus primary care clinics
o 55-plus specialty clinics
o 47 senior housing locations
o 30-plus retail pharmacies
2014 volumes
o 6.39M outpatient encounters
o 1.4M clinic visits
o 71,049 inpatient admissions
o 76,595 surgeries
o 9,298 births
o 282 blood and marrow transplants
o 340 organ transplants
o >$4 billion total revenue
A partnership of North Memorial and Fairview
Agenda
• For Reals?
• What’s a “Thing” and why is it on the Internet?
• Put a Chip In It
• Are Medical Devices “Things”?
• You’re doing what with my data?
• Security Concerns
• Solutions?
What’s Real?
CSI:Cyber 11/1/15 s2/ep5 “hack E.R.”
• “Hacker group” takes over hospital
• Kills via infusion pump
• Ransom
• Weak/no auth and encryption in med devices
• Smart TV
• Hardware Poisoning
• Flat Network
• Medical Record Integrity
• Physical Access to Network
• Financial v Hacktivism
“I asked you not to tell me that!”
Who’s got?...
Apr. 3, 2010: 300K iPads, 1M apps, 250K ebooks … day 1!
2011 – tablet/smartphone sales exceeded PCs
Apr. 24, 2015: 1M orders, 2500 apps available … day 1!
2016 – IoT sales exceed smartphone + tablet
http://weputachipinit.tumblr.com/
Medical Devices
http://get-fun-here.blogspot.com/2014/04/22-strange-medical-instruments-from.html
Medical Devices
1997
2013
“Embedded”
• Quantified Self
• Insulin pumps, pacemakers, ICD, etc.
– FDA requirements
– Device manufacturers
– Ease of connection
• Jay Radcliffe, BlackHat 2011; Barnaby Jack, HackerHalted 2012
• Homeland attack (Broken Hearts, s2/ep10 12/2/12)
– Wireless attack via pacemaker id/sn
– Dick Cheney ICD, 2007
• MITM or snooping
• Integrity
• Availability
Security Challenges
• Exposure/Leakage of data – including repairs
• Poor Design/Protocols
• Ownership
• Malware
• Direct Attack
• Integrity
• Availability
But don’t we have all this now???
Security
• Primary mechanism is… Obscurity
• Focus is on
– Function
– Aesthetics
– Communication
– Cost
– Speed to Market
• Testing?
• Patching?
• Design?
Attack Vectors
• Sneakernet
– USB updates or data movement
• Data Exfiltration
– aka Breach!
• Integrity
– Alter Capability
– Alter Data/Reporting
• Availability
• Medjacking
– Attack
– Infiltrate
– Pivot
https://securityledger.com/wp-content/uploads/2015/06/AOA_MEDJACK_LAYOUT_6-0_6-3-2015-1.pdf
FDA Reality
• FDA certification process
– Complex, painful, long, expensive
• Patching and FDA advice
– Manufacturers responsible for patches
– Premarket review not required for security patch
http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm
We Are Not Alone
• Retail
• Manufacturing
• Energy
Solutions
Frameworks
• FDA, NIST and others in progress
• NCCoE/NIST/UMN TLI infusion pump security study
https://nccoe.nist.gov/sites/default/files/nccoe/NCCOE_HIT-Medical-Device-Use-Case.pdf
https://nccoe.nist.gov/projects/use_cases/medical_devices
• Medical Device Innovation, Safety and Security Consortium (MDISS), International Society of Automation (ISA), HITRUST Alliance, NIST and others working with:
• FDA, HHS, DOD, NHISAC, CIS (Center for Internet Security), AAMI (Association for Advancement of Medical Instrumentation), ACCE (American College of Clinical Engineering), SANS, and others
• IHE/MDISS – Medical Device Software Patching white paper
https://ihe.net/uploadedFiles/Documents/PCD/IHE_PCD_WP_Patching_Rev1.0_PC_2015-07-01.pdf
• MDS2 (Manufacturer Disclosure Statement for Medical Device Security) http://www.nema.org/Standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx
• Archimedes http://www.secure-medicine.org/
• NIST SP-1800 Securing Electronic Health Records on Mobile Devices https://nccoe.nist.gov/projects/use_cases/health_it/ehr_on_mobile_devices
Solutions?
• LifeCycle and Risk Management approach
– CyberSecurity Insurance?
• SLM – Security Lifecycle Management
• Existing?:
– NAC
– Scanning
– Communications
– Threat/Vuln Intell
– Patching?
– Segmentation?
– Segregation?
(Lifecycle diagram) Intake → Analysis → Requirements → Design → Test → Deploy → Maintain
Final Thoughts
• It will get worse before it gets better
• Mandatory NIST CyberSecurity Framework?
• FDA pre-market security accreditation?
• Help Vendors
– Ask
– Assess
– Push back
• Help Universities
– Connect
– Advise
• The First Rule of Security… We Talk About Security!
– HSPIG
http://mnc3.org
Tweet along: #Sec360 www.Secure360.org
Barry Caplin
Fairview Health Services
bcaplin1@fairview.org
bc@bjb.org
@bcaplin
securityandcoffee.blogspot.com

Editor's Notes

  • #10 June 29, 2007 the first iPhone was released – tied to AT&T
  • #14 http://weputachipinit.tumblr.com/
  • #15 http://get-fun-here.blogspot.com/2014/04/22-strange-medical-instruments-from.html http://www.surgicaltechnologists.net/blog/20-scary-old-school-surgical-tools/ - arrow extractor, trephine drill
  • #16 https://www.washingtonpost.com/news/the-switch/wp/2015/08/03/connected-medical-devices-the-internet-of-things-that-could-kill-you/
  • #17 http://thedatamap.org/
  • #18 http://thedatamap.org/
  • #26 http://www.medicaldesignbriefs.com/component/content/article/mdb/features/22579 http://www.fda.gov/AboutFDA/PartnershipsCollaborations/MemorandaofUnderstandingMOUs/OtherMOUs/ucm412565.htm http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf https://ihe.net/uploadedFiles/Documents/PCD/IHE_PCD_WP_Patching_Rev1.0_PC_2015-07-01.pdf http://www.insidemedicaldevices.com/2015/08/11/cybersecurity-risks-with-connected-devices/