Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
1
Incoming! Medical Device Cybersecurity Alerts on the Rise
Session 291, February 14, 2019
Juuso Leinonen, Senior Project Engineer, ECRI Institute
Chad Waters, Senior Cybersecurity Engineer, ECRI Institute
2
Juuso Leinonen
Has no real or apparent conflicts of interest to report.
Chad Waters
Has no real or apparent conflicts of interest to report.
Conflict of Interest
3
• ECRI Institute – Medical device cybersecurity overview
• Rising number of medical device security alerts
• Challenges in responding to security alerts
• Methods to prioritize medical device alerts
• Recommendations
Agenda
4
1. Identify measurable changes in vendor reporting
of software and cybersecurity recalls and field
correction notices
2. Define key challenges faced by healthcare IT
and clinical engineering departments in
responding to cybersecurity recalls and notices
3. Formulate practical approaches to enable
facilities to effectively address threats and
vulnerabilities with medical devices
Learning Objectives
5
• Independent, not-for-
profit research institute
• Mission:
– Improve patient safety,
cost effectiveness, and
quality of healthcare
ECRI Institute
7
ECRI’s Top Ten Health Technology Hazards
8
2019 - #1. Hackers Can Exploit, Remote Access to Systems, Disrupting
Healthcare delivery
2018 - #1. Ransomware and Other Cybersecurity Threats
2017 - #6. Software Management Gaps Put Patients, and Patient
Data, at Risk
2016 - #10. Misuse of USB Ports Can Cause Medical Devices to
Malfunction
2015 - #9. Cybersecurity: Insufficient Protections for Medical Devices
and Systems
9
#1 Ransomware and Other Cybersecurity Threats to Healthcare Delivery Can Endanger Patients
10
Top 10 Health Technology Hazards 2019
10
11
ECRI – Medical Device Cybersecurity
• Increased member interest in cybersecurity
• Increase in problem reports related to cybersecurity
• Increase in vendor notifications about cybersecurity
12
Alerts Tracker - Recall Management System
13
050
100150200250300350400450
Medical Device IT Alerts
ECRI AlertsTracker Database
14
0
10
20
30
40
2014 2015 2016 2017 2018
Medical Device Cybersecurity Alerts
ECRI AlertsTracker Database
15
Cybersecurity Alerts Process
• Triage incoming security notifications
– ICS-CERT
– Vendor Security Bulletins
– ECRI member hospitals
– Security researchers
• ECRI Medical Device Security Team determines whether additional clarification or guidance is needed
– No- Publish as it is through ECRI Alerts Tracker
– Yes- Initiate problem report investigation to determine additional useful context or practical recommendations
• Distribute security notifications through ECRI Alerts Tracker
16
Challenges in responding to security alerts
• Difficult to identify medical devices that are impacted
– Incomplete inventory is common
• Insufficient details recorded in the asset management system about software versions, operating systems, and networking
• Inventory may be lacking standardized product and manufacturer names
– One alert can impact entire product lines of medical devices
17
• Who is responsible for implementing the remediation?
– Medical device vendor
– Clinical Engineering (CE)
– IT
• CE and IT collaboration continues to be a challenge
Challenges in responding to security alerts
18
• Is update / patch available to address the security concern?
– Yes, available
• Is vendor assistance required to apply the mitigation?
– Assistance from vendor field service technician often required
• What is the clinical workflow impact?
– Equipment downtime estimate
– Alternative device availability can reduce impact
Challenges in responding to security alerts
19
• Is update available to address the security concern?
– Not available
• What is the vendor timeline for remediation?
– Sometimes included in the security notice
– Can be several months
• Is a temporary mitigation / compensating controls required?
– Scalability is an issue with custom compensating controls
Challenges in responding to security alerts
20
Challenges in responding to security alerts
• How to effectively categorize the impact and likelihood associated with an alert?
– Standard framework can aid in the assessment
21
How to prioritize medical device security alerts?
22
Common Vulnerability Scoring System (v3.0)• CVSS scores indicate the severity of a potential vulnerability
• Range from 0-10 in increasing severity, scored based on the following attributes
Rating CVSS Score
Low 0.1 - 3.9
Medium 4.0 - 6.9
High 7.0 - 8.9
Critical 9.0 - 10.0
23
• 2018 analysis
– 30 medical device related advisories
– 14 different medical device vendors
– 130 different CVEs
• Some vulnerabilities with only CVSS 2.0 score
– 34 CVEs in a single advisory
– Some advisories contained groups of devices / product lines
ICS–CERT Analysis
24
0
10
20
30
40
50
Low Medium High Critical
Vulnerability Severity (CVSS)
25
0
20
40
60
80
100
Adjacent Local Network Physical
Attack Vector
26
0
20
40
60
80
100
120
Confidentiality Integrity Availability
Classification of Vulnerabilities
High Low None
27
47
81
Attack Complexity
High Low
28
Assess the Risk - Likelihood
• Very high— Threat is almost certain, or more than 100 events occur per year
• High— Threat is highly likely, or 10 to 100 events occur per year
• Moderate— Threat is somewhat likely, or 1 to 10 events occur per year
• Low— Threat is unlikely, or an event occurs once every 1-10 years
• Very low— Threat is highly unlikely, or an event occurs less than once every 10 years
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
29
Assess the Risk - Impact
• Very high — Multiple severe or catastrophic effects
• High — Severe or catastrophic:
– severe degradation of organization mission capability, loss of ability to perform a core function, major damage to assets, major financial loss, significant harm to individuals involving death or threat to life
• Moderate — Serious adverse effect:
– significant degradation in mission capability, without loss of ability to perform core functions; significant damage to assets; significant financial loss; significant but non-life-threatening harm to individuals
• Low — Limited adverse effect:
– degradation in mission capability such that the organization can perform core functions, but the effectiveness of those functions is reduced; minor damage; financial loss; minor harm to individuals
• Very low — Negligible
30
Healthcare Specific Impacts
• Patient safety risks
– Delay to patient care, can result in patient harm
• PHI / sensitive information breaches
• Financial risks
• Risks to reputation
Impact Environment of Use
Device
Criticality
Available Alternative
Devices
Amount of PHI
on Device (no.
of records)
High
High risk, including OR,
ICU, trauma Life-sustaining
No clinically viable
alternative 5,000+
Moderate
Medical/surgical floors, ED,
labor and delivery,
radiotherapy , oncology Therapeutic
Available alternative
devices have significant
drawbacks 500-4,999
Low Physical therapy, radiology Diagnostic
Available alternative
devices are largely
equivalent 1-499
Very low
Physician office, long-term
care Elective Readily available 0
Impact Factors for Medical Devices
Overall Likelihood Impact
Very Low Low Moderate High Very High
Very high Very low risk Low risk Moderate risk High risk Very high risk
High Very low risk Low risk Moderate risk High risk Very high risk
Moderate Very low risk Low risk Moderate risk Moderate risk High risk
Low Very low risk Low risk Low risk Low risk Moderate risk
Very low Very low risk Very low risk Very low risk Low risk Low risk
Source: National Institute of Standards and Technology (NIST). Guide for conducting risk assessments. NIST
Special Publication 800-30, Rev 1. 2012 Sep. Available from:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.
Risk Matrix
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
33
Recommendations
• Ensure complete inventory of medical devices and related systems
– Leverage a standard acceptance inspection for medical devices for the initial record
– Conduct review of records during periodic preventive maintenance
– Review accurate records during any repair
34
• Software/firmware versions
• Operating system
• IP address
• MAC address
• Network configuration such as DHCP (Dynamic Host Configuration Protocol)/static wireless configuration
• Nature of data stored or transmitted (and magnitude of that data)
• Authentication, authorization, and auditing methods
• System owner
• Criticality of care (life supporting, therapy delivery, diagnostic)
• Age (product life cycle)
Recommended Inventory Data Points
35
Recommendations
• Designate a project owner/champion for medical device security alerts
– May be in Clinical Engineering and/or IT
– Emerging role of Medical Device Security Specialist
• Establish a process to review and respond to medical device security alerts
– Where to get the alerts?
• ICS-CERT, Vendor, ISAOs, ECRI
– Who to contact with the manufacturer?
• Establish a list of medical device security contacts
36
• Assess impact and likelihood to aid in prioritization of security alerts
• Characterize downtime impact to clinical workflow
• Establish standardized scalable compensating controls when e.g., update is not available
• Consider running table-top and hands-on training exercises with scenarios that include unavailable network-connected medical devices or systems
Recommendations
37
Summary
• Medical device cybersecurity was ranked as #1 Health Technology Hazard by ECRI for 2019
• Medical device cybersecurity alerts are on the rise
• Paramount to allocate sufficient resources and establish processes to manage the rising medical device security alerts
38
Questions?
Chad WatersSenior Cybersecurity Engineer / Senior Project OfficerECRI Institute [email protected]
Juuso LeinonenSenior Project EngineerECRI Institute [email protected]
mailto:[email protected]:[email protected]