Addressing New Threats: Medical Device and IoT Risk …...Aug 29, 2019 · The Challenges of Medical Devices • August 5, 2019 -Microsoft catches Russian state hackers using IoT

© Clearwater Compliance LLC | All Rights Reserved© Clearwater Compliance LLC | All Rights Reserved

August 29, 2019

CISO Virtual Cybersecurity SymposiumSession 5 | Module 9

Addressing New Threats: Medical Device and IoT Risk Management

Mark Sexton, MPA, CISSP, HCISPP, CISA, CCSKPrincipal Consultant

© Clearwater Compliance LLC | All Rights Reserved

2

1. Understanding the challenges of updating medical device software.

2. Identify medical devices which fall under the purview of a HIPAA Risk Analysis.

3. Establish practical compensating controls to protect against new threats or legacy devices.

4. Ensure that appropriate monitoring of both controls and medical devices is being conducted.

5. Describe new technologies to assist healthcare in medical device discovery and risk management.

Addressing New Threats: Medical Devices and IoT Risk Management

Module Duration = 50 Minutes

Learning Objectives Addressed in This Module:

Module 9 Overview


3

Today’s Module 9 Presenter

Mark SextonMPA, CISSP, HCISPP, CCSK, CISA

Principal Consultant, Clearwater

• 20+ years in Information Technology and Information Security• 11+ years with the University of Nevada School of Medicine• Information Security specialist, entrepreneur, and trainer• MPA, University of Idaho• Expertise in HIPAA, HITECH, FERPA, PCI-DSS, SOX, GLBA, policy, management,

training, risk management and implementation• Founding member and former Southwest chapter secretary, Cloud Security

Alliance (CSA)• Member: ISC2, CSA, ISSA, ISACA and InfraGard


4

The Challenges of Medical Devices

• August 5, 2019 - Microsoft catches Russian state hackers using IoT devices to breach networks. Fancy Bear servers are communicating with compromised devices inside corporate networks.https://arstechnica.com/information-technology/2019/08/microsoft-catches-russian-state-hackers-using-iot-devices-to-breach-networks/

• January 30, 2019 - DHS Alerts to Vulnerabilities in Stryker and BD Medical Devices – Smart medical beds subject to wireless attacks that can lead to compromise of administrator accounts

https://healthitsecurity.com/news/dhs-alerts-to-vulnerabilities-in-stryker-and-bd-medical-devices

• August 31, 2018 - Nine cybersecurity vulnerabilities have been found in the Philips e-Alert Unit, a tool that monitors MRI system performance, according to an Aug. 30 ICS-CERT advisory.

https://healthitsecurity.com/news/9-cybersecurity-vulnerabilities-found-in-philips-e-alert-tool

• October 15, 2018 - The FDA issued a medical device safety alert about cybersecurity vulnerabilities in Medtronic’s CareLink, programmers that could enable an attacker to change the functionality of the programmer or the implanted pacemaker it controls.

https://healthitsecurity.com/news/fda-warns-of-cybersecurity-vulnerabilities-in-carelink-programmers

• November 7, 2018 - ICS-CERT is warning about cybersecurity vulnerabilities in Roche point-of-care handheld medical devices. https://healthitsecurity.com/tag/medical-device-security

• About 18% of provider organizations surveyed by KLAS experienced malware attacks on medical devices in the past 18 months. https://www.modernhealthcare.com/article/20181005/NEWS/181009942

WHY IS PROTECTING MEDICAL DEVICES IMPORTANT?


5


https://www.forbes.com/sites/thomasbrewster/2017/05/17/wannacry-ransomware-hit-real-medical-devices/#727f3ccc425c

This is real


6


“The Internet of Things (IoT) Healthcare Market size was evaluated worth $60 billion in 2014, and is estimated to reach net worth $136 billion by 2021. The market growth is expected to register a CAGR of 12.5% over the forecast period.

Internet of things (IoT), comprising of intermediary components, such as devices, network connectivity, electronics system, and software, is basically the networking of smart electronic devices or things to transmit data signals between them in the absence of human intervention.

In the healthcare segment, this technology can be implemented to manage and scrutinize available patient data as well as resources with great ease.”

https://www.alliedmarketresearch.com/iot-healthcare-market

Just How Big is this Problem?

https://www.alliedmarketresearch.com/press-release/internet-of-things-iot-healthcare-market.html


7


Just How Big is this Problem?


8


• They tend to have dated, unpatched operating systems, making them the “low hanging” fruit on the network.

• The devices themselves are usually not monitored directly since modifying FDA certified systems is generally frowned upon.

• Many devices tend to have minimal account management capability, if at all.• They seldom integrate into Active Directory or LDAP services.• Some have no user interface such as a keyboard.• They are easy pivot points to more lucrative targets on the network.

Why Attack Medical Devices?


9

The Challenges of Medical DevicesThe growth of IoMT (Internet of Medical Things) has increased both the types and volumes of data that can be compromised.

This includes: • Drug types and dosages • Control information for devices – anesthesia or drug delivery • Diagnostic images • Lab results • Vital signs of all types • Continuous output from EKG and EEG and similar systems• Data from implanted, connected medical devices • Data from medical and consumer wearables


10


The growth of IoMT (Internet of Medical Things), bad actors and data integrity.

• The end result is that patient safety can be affected.

• Clinicians can be led to an inaccurate diagnosis due to incorrect

data from a compromised device.

• Even if the external actors have no malicious intent, modifying a

medical device by installing malware, they may cause harm.


11

What is a Medical Device?


12


• The IoMT has changed what constitutes a medical device.• The FDA has not kept up in that regard, with IoMT devices appearing everywhere.• You must look at the device “ecosystem” to ensure you address all the risks and vulnerabilities

that these devices and associated elements present.


13


A medical device is defined within the Food Drug & Cosmetic Act as "...an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is: recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them, intended for use in the diagnosis ofdisease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of it's primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes."

Medical devices distributed in the United Sates are subject to General Controls, pre-marketing and post marketing regulatory controls.

General Controls include:• Establishment Registration by manufacturers, distributors, repackages and re-labelers,• Medical Device Listing with FDA of devices to be marketed,• Manufacturing the devices in accordance with Good Manufacturing Practices,• Labeling medical devices in accordance with the labeling regulations, 21 CFR 801 or 21 CFR 809,• Medical Device Reporting of adverse events as identified by the user, manufacturer and/or distributor of the medical

device.• Pre-marketing controls are device and device classification specific. Pre-marketing controls for a medical device may

include: clearance to market by 510(k) or approval to market by Pre-Market Approval (PMA). • Post marketing controls include Device Listing, Medical Device Reporting (MDR), Establishment Registration and Quality

System Compliance Inspection.

FDA Definition of a Medical Device


14


Device Classification

There are 3 FDA regulatory classifications of medical devices: Class I, Class II and Class III. The classifications are assigned by the risk the medical device presents to the patient and the level of regulatory control the FDA determines is needed to legally market the device. As the classification level increases, the risk to the patient and FDA regulatory control increase. Accessories to medical devices, devices used with a medical device to support use of the device, are considered the same classification as the medical device.

The FDA classification of medical devices is based upon classifications for devices currently legally marketed in the United States. The FDA determines the device classification by the device intended use and risk the device presents to the patient. New medical devices are compared to legally marketed medical device classifications with the same intended use and technological characteristics to determine the device classification.

Class I medical devices have the least amount of regulatory control. Class I devices present minimal potential harm to the user. Class I devices are typically simple in design, manufacture and have a history of safe use. Examples of Class I devices include tongue depressors, arm slings, and hand-held surgical instruments. Most Class I devices are exempt from the premarket notification and may be exempt from compliance with the good manufacturing practices regulation.

Class II medical devices are devices where General Controls are not sufficient to assure safety and effectiveness and existing methods/standards/guidance documents are available to provide assurances of safety and effectiveness. In addition to compliance with General Controls, Class II devices are required to comply with Special Controls. Special Controls include:

• Special labeling requirements,• Mandatory performance standards, both International and United States• Postmarket surveillance• FDA medical device specific guidance

Class III medical devices have the most stringent regulatory controls. For Class III medical devices, sufficient information is not available to assure safety and effectiveness through the application of General Controls and Special Controls. Class III devices usually support or sustain human life, are of substantial importance in preventing impairment of human health or present a potential unreasonable risk of illness or injury to the patient.

FDA Definition of a Medical Device cont…


15


Why is this definition problematic?

In the broadest terms, anything not a drug is a device. Thus medical “devices” can be:

• Software• Hardware• Algorithms• Biologics• And…?

From compliance, safety and device management perspectives, the scope of this definition is so broad as to be almost meaningless. Particularly for Class 1 medical devices.


16


There are 4 categories of networked medical devices recognized by the FDA:

• Consumer products (Apple Watch, FitBit etc…)

• Wearable, external devices (insulin pumps etc…)

• Internally embedded medical devices (pacemakers

etc…)

• Stationary medical devices (Monitoring, imaging,

chemotherapy etc…)


17


Device Components• Device software• Firmware• Removeable media• Device hardware• Network access/firewall• Operating system• Ports/interface• Remote support/maintenance• Physical access• Database and/or storage• Clinical applications• Mobile devices


18

What is a Medical Device?Medical devices can also be viewed as an ecosystem of interconnectivity. That is defined as the Internet of Medical Things (IoMT).

• Sensors

• Healthcare Information Technology

• Capital equipment

• Diagnostic devices

• Cloud

• Implantable devices

• Remote monitoring

• Medical/mobile applications

• Wearables


19


Common Attack Vectors• Targeted attacks – Seeking specific devices, platforms, applications

or people• Malware infections - Ransomware• Physical theft of devices• User or Administrator account vulnerabilities• IT network infrastructure vulnerabilities• Improper third-party vendor connections• Vulnerabilities in systems, networks or devices that are connected

to the smart medical device


20


What is the FDA’s Guidance?Security for Networked Medical Devices Containing Off-the-Shelf Software

• Includes recommendations for medical device manufacturers that incorporate off-the-shelf

software and that can be intranet or internet connected

• The device manufacturer bear responsibility for the continued safe performance of the

medical device

• FDA recommends users of medical devices potentially subject to vulnerability contact the

OEM

• FDA recognizes medical device security is shared responsibility between stakeholders


21


Consumer devices:• They gather data – steps, heart rate, blood pressure, sleep and weight etc…);• Who owns the data (Fitbit, Patient or Medical provider)?• Devices are not under any health system control;• Everything from detailed records of dietary intake to spreadsheets of multiple activity tracker

variables;• Who is wearing the device?• How will it integrate with EHR?• Where are they stored?• Who is responsible (who owns the device)?• How is it and its data secured?


22

9.1 How many FDA classifications are there for medical devices?

One ThreeTwoDoesn’t Apply

Pause and Quick Poll


23

Securing Medical Devices


24

Securing Medical DevicesDevelop and implement a medical device lifecycle approach that incorporates the following elements:

You can’t manage and protect what you don’t know!


25

Securing Medical DevicesStep 1Discovery - Identifying and obtaining an accurate inventory of medical devices and their locations – creating an accurate inventory and risk register


26


Approaches to medical device discovery


27

Securing Medical DevicesStep 2Device Groupings - Once device discovery and inventory is complete, grouping devices by a comprehensive model allows risks to be managed by device category or grouping rather than by individual devices.

• In a typical hospital there can easily be over 10,000 “network medical devices” as defined by the

FDA.

• Those networked devices that can affect patient safety and outcomes run the gamut from

wireless blood pressure cuffs to CT Scanners to infusion pumps.

• There will be thousands of devices that are network enabled and at risk.

• Assessing risks for each of these devices would be a monumental task, so placing devices into

groups where the risks, functionality and controls are similar allows you to manage risk at an

aggregate level instead of the individual level.


28


Classification/grouping systems for medical devices that are widely used.

• Controls Based – Grouping devices based upon shared controls needed to secure the devices

• Patient Safety Based – Groups are established by impact to patient safety and care rather than controls.


29


Controls based approach:o Allows for flexibility by identifying and grouping devices by different control sets

needed to secure them.o Makes individual device configuration less critical than the controls needed to

secure them.o Able to address device security broadly across the network due to applied control

sets.

Developing a Classification Scheme for Medical Devices

Risk v. Controls v. Patient Safety

How to classify and manage medical devices


30


Patient safety approach:o Security level is based upon the outcome of a compromise in terms of patient safety.o Devices are organized into safety tiers to indicate potential severity of outcomeso Consolidates the massive device list in to 4 categories or tiers that indicate patient safety

impact if the device were compromised.

Tier 1 Patient death

Tier 2 Patient or Operator injury

Tier 3 Inappropriate therapy, misdiagnosis or loss of critical materials

Tier 4 Other clinical devices that pose risks and are networked

Developing a Classification Scheme for Medical DevicesRisk v. Controls

v. Patient SafetyHow to classify and manage

medical devices


31


Step 3 Conduct a comprehensive risk analysis of the medical devices and their environment.

• NIST SP 800-30 provides a methodology for conducting a bona fide risk analysis.• NIST SP 800-53 identifies the security controls that should be reflected in the risk analysis.

Using NIST, the Risk Analysis workflow looks like this:1. The analysis should conduct a discovery process to identify every device and place them into a

category or grouping of medical devices.2. The controls present in the environment protecting those medial devices should be assessed.


32

Securing Medical DevicesStep 3Conduct a comprehensive risk analysis of the medical devices and their environment cont…

Using NIST SP 800-30, the Risk Analysis workflow looks like this:

3. Based upon various threat scenarios and controls currently in place, assess the likelihood of a threat event occurring (e.g. ransomware)

4. Once likelihood has been determined, the impact of such a threat event should then be assessed.5. Once likelihood and impact have been determined, you will then have a risk rating for each category or

group of devices.


33


01 Risk AcceptanceRisk acceptance is the appropriate risk response when the identified risk is within the organizational risk tolerance. NIST SP 800-39, pg. 42

04 Risk AvoidanceRisk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk … to avoid the potential for unacceptable risk. NIST SP 800-39, pg. 42

02 Risk MitigationRisk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred. [Adding or enhancing controls or safeguards] NIST SP 800-39, pg. 42

03 Risk TransferRisk transfer shifts the risk liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance companies). NIST SP 800-39, pg. 43

Understanding Risk: Risk Treatment


34

NIST SP 800-39, pg. 43

NIST SP 800-39, pg. 42

NIST SP 800-39, pg. 43

NIST SP 800-39, pg. 44


Risk Response Identification

Risk Response Implementation

Risk Response Decision

Evaluate Alternatives

The NIST Risk Process - NIST SP 800-39 pg. 2

01

02

03

04


35

Securing Medical DevicesStep 4Risk Response and Remediation:

• Once the discovery, grouping and risk analysis of the medical devices have been conducted, the next step is risk response/remediation.

• From the risk analysis there should be a top tier of device categories that have identified vulnerabilities.

• Identify what controls, either direct or compensating, that can be applied to the device groupings that would mitigate the known risks/vulnerabilities.

• Once the controls have been updated, calculate the residual risk for each category that reflects the changes in the environment.

• Lather, rinse, repeat….


36

How to Manage Medical Devices

Question to consider when conducting a risk analysis:• Does the device(s) need to be on the network?

• Can it be isolated on the network?

• Can the device be accessed remotely?

• How are user accounts provisioned and managed if not integrated into Active Directory (and most devices do not integrate)?• Are there policies and procedures that address user management?

• Assess the criticality of device in terms of patient safety or control groups

• Ensure that the appropriate people/groups are involved

• Monitor, monitor, monitor…..

Step 4Risk Response and Remediation (Continued):


37


• Know your environment – what known vulnerabilities are present?• Have you previously done a complete and thorough Risk Analysis?• Have you remediated any findings from the Risk Analysis?

• Assess the criticality of devices in terms of patient safety or device controls.

• What administrative, technical and physical controls are in place to protect networked and non-networked medical devices?• Are these controls documented and represented in the Risk Analysis?

• Are additional controls, policies or procedures necessary to document compliance?



38


Risk Analysis and Remediation Questions:

Q: How often should you conduct a risk analysis once the initial analysis has been conducted and responded to?

A: HHS doesn’t specify a timeframe, rather the decision point is when there has been a material change to operations. For larger organizations this should be done annually.

Q: Is it a requirement to remediate all known risks?

A: No, an organization can accept any risk. However, what you should have in place is a roadmap for remediating the highest rated risks. Have a plan, establish metrics and stick to it.



39


Medical Device Patching and other Medical Device Misnomers:

• Can medical devices be patched?Yes, the patches must be vendor supplied and approved. There is a widespread belief that these devices can’t be patched. If there is a vendor provided security patch, you should install it.

• Stationary Medical Devices (MRI, CT etc…) are more secure than other types of networked medical devices.

Not true. These systems are just as exposed on a network as any other device.


40

How to Manage Medical DevicesWhat type of controls need to be implemented to protect medical devices?


41

How to Manage Medical DevicesStep 5Monitoring and Managing the Medical Device Lifecycle

• Is there adequate monitoring of user and device activity?• Are network logs reviewed?• If using a SIEM, are access and device logs ingested in to the SIEM?

• Are there formal procedures for retiring or returning devices?• Is network configuration data scrubbed from devices?• Is ePHI scrubbed?

• How is the medical device lifecycle documented?

• Who is the responsible party for managing this process?

• Monitor, monitor, monitor….. Document, document, document


42

How to Manage Medical DevicesHave a complete medical devices lifecycle management program:

• Security & Compliance should be involved in the pre-purchase, due diligence phase;

• Current vulnerabilities to medical devices should be known;

• Responsibility for managing the medical device lifecycle should be established;

• Policies and procedure for purchasing, managing and disposing of medical devices should be formulated;

• A thorough Risk Analysis should be conducted;

• Risk mitigation should be conducted on the Risk Analysis findings;

• Do not overlook technical testing and vulnerability scans of your network (and to remediate any findings);

• Document, document, document

• Lather, rinse repeat….All of these activities will contribute to both patient safety and compliance


43

Summary

The Future:

• There are now vendors like CyberMDX and ZingBox that can conduct network scans to identify and categorize medical devices.

• The number of IoMT devices will continue to grow, providing ongoing challenges to secure patient data and ensure patient safety as well.

• The risk analysis and risk response process are ongoing, this is not a one and done process!

• Device vendors are coming around to the notion that they must also manage the security of the devices they produce.

• One certainty is that change will happen, so plan for it!


44

SummaryAs an FBI agent once told me, don’t be the low hanging fruit:


45

Module 9 Supplemental Resources

• AAMI TIR57, Principles for medical device security – risk management• Guidance on Risk Analysis Requirements under the HIPAA Security Rule• IEC 80001-1:2010 Application of risk management for IT-networks incorporating medical devices - Part 1:

Roles, responsibilities and activities• ISO 14971 Medical devices — Application of risk management to medical devices • FDA Content of Premarket Submissions for Management of Cybersecurity in Medical Devices Guidance• FDA Postmarket Management of Cybersecurity in Medical Devices• Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework)• FDA – Medical Devices• THE FDA’S ROLE IN MEDICAL DEVICE CYBERSECURITY• NIST SP1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations - DRAFT• NIST SP 800-30 Rev 1, Guide for Conducting Risk Assessments• NIST SP 800-37 Rev1, Guide for Applying the Risk Management Framework to Federal Information

Systems: A Security Life Cycle Approach • NIST SP 800-39, Managing Information Security Risk Organization, Mission, and Information System

View 2018_A

https://clearwatercompliance.com/wp-content/uploads/OCR_Risk-Analysis_Final_guidance.pdf

https://infostore.saiglobal.com/en-us/Standards/-245257/

https://www.fda.gov/downloads/medicaldevices/deviceregula-tionandguidance/guidancedocuments/ucm356190.pdf

https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022.pdf

http://www.nist.gov/cyberframework

https://www.fda.gov/Medical-Devices

https://www.fda.gov/downloads/MedicalDevices/DigitalHealth/UCM544684.pdf

https://nccoe.nist.gov/sites/default/files/library/sp1800/hit-infusion-pump-nist-sp1800-8-draft.pdf

http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf

http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf


46

Thank You & Questions

Mark Sexton, MPA, CISSP, HCISPP, CISA, [email protected]

mailto:[email protected]

© Clearwater Compliance | All Rights Reserved

Legal Disclaimer

Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

22018-1

Documents

Addressing New Threats: Medical Device and IoT Risk …...Aug 29, 2019 · The Challenges of Medical Devices • August 5, 2019 -Microsoft catches Russian state hackers using IoT