-Medical Devices- Safe and Secure Procurement

Kevin McDonald, BSN, MEPD, CISSP
Director, Clinical Information Security
Mayo Clinic
American Hospital Association, April 11 2017

©2014 MFMER



Topics

•  Today’s Environment

•  Internet of Medical Things

•  State of Security

•  Common Security Issues

•  Reducing Risk

•  Medical Device Security Myths

•  FDA Guidance

•  Final Thoughts


Healthcare is Targeted

Computer Viruses Are "Rampant" on Medical Devices in Hospitals

More than 40 viruses hit devices including X-ray machines and lab equipment made by companies such as General Electric Co., Philips N.V. and Siemens AG.

FDA Safety Communication: Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System

Cyberattack at Appalachian Regional Healthcare keeping EHR down after six days

FBI Investigating: Hollywood hospital pays $17,000 in bitcoin to hackers

the product with the most vulnerabilities in the May-July period was healthcare software Philips Xper Connect, with 272 reported vulnerabilities.

Healthcare is being targeted


Today’s Hostile Environment

•  Threat actors have multiple levels of skills
    •  Insiders (Current & Ex)
    •  Script Kiddies
    •  Hacktivists
    •  Organized Crime
    •  Nation State

•  Active adversary must be assumed
    •  Unlimited time and resources

•  Skill level to cause harm is going down

•  Tools to compromise and harm systems are readily available and cheap (free)

•  Harm or disruption could be deliberate or collateral

•  We are way past relying upon firewalls


Attack Motivations

•  Revenge

•  Personal Gains

•  Bragging Rights / Status

•  Expression of Political or Social Views

•  Intellectual Property Theft

•  $$$$$ (ransomware, theft, etc.)

•  Identity Theft – Financial / Medical

    -Health records sell for $50
    -Can be used for billing fraud by fake clinics
    -Used for prescription fraud to get and then sell narcotics


“Internet of Medical Devices”

•  United States healthcare is technology rich and diverse
    •  $110 billion (++) spent each year on medical devices
    •  7,000 device manufacturers
    •  Between 1995 and 2010 there has been a 62% increase in the number of devices per bed
    •  Mean number of devices per bed is 13


Medical Devices – Essential to Care Delivery

•  Care is highly dependent upon technology

•  Demand for connectivity is growing
    •  HITECH Act and increasing use of EHRs are driving device connectivity
    •  1 in 4 medical devices are network connected, with more every day

•  Healthcare is no longer possible without technology

•  Medical technology is used to:
    •  Improve patient outcomes
        •  Diagnostic
        •  Treatment
    •  Offset rising costs & decrease resource needs
    •  Decrease medical errors
    •  Improve access to care
    •  Deliver specialized knowledge


State of Healthcare Security

•  Hospital Demographics
    •  ~ 5,800 hospitals in the US
    •  “Average” US hospital
        •  160 beds
        •  $10.7 million profit

•  Medical Devices
    •  Have publicly known vulnerabilities
    •  Impacted by malware
    •  Warnings from FDA & ICS-CERT on vulnerable devices
    •  FBI issued public service announcement: isolate, patch/update, purchase from security conscious vendors

•  Cybersecurity Preparations - Low
    •  Healthcare industry spends 4% to 6% of IT budget on security; financial industry spends 12% to 15%
    •  94% of medical institutions say they have been victims of a cyber attack
    •  Security expert shared that cybercrime is now more lucrative than the illicit drug trade (CBS News, Sept. 2016)

“Ripe for the picking”

$$’s are tight & resources are short


State of the Medical Device Vendor Security

•  Security is often an “afterthought” (or not considered)
    •  Little security “by design”
    •  Massive legacy device problems

•  Most vendors are trying to catch up
    •  Struggling to change internal culture and build security awareness
    •  Transitioning from device manufacturers to software companies
    •  Unable to find staff with proper skills and knowledge
    •  Struggling with diversity in their products and long lead times

•  Security has not been seen as a competitive advantage

•  Engineers & product designers really “love” their devices and are proud of them
    •  They don’t take well to calling their “baby ugly”

•  Interactions with sales, legal and product managers tend to be unproductive

•  Vendors are trying to build security on top of immature development processes

Vendors Naïve About Risks and the Security of Their Products


The Status Quo Continues….

•  Despite cyber threat data and growing awareness, healthcare remains unprepared
    •  72% of healthcare providers have less than 200 beds and inadequate funds or resources
    •  80% of device vendors have less than 50 employees and lack knowledge and experience

•  Industry continues to be an “easy” target for cyber attack
    •  Medical devices still sold with Windows XP - unsupported since 2014
    •  Healthcare providers cannot manage medical devices like other technology

•  Risks are attempted to be managed through “guidance”, collaboration, hand-crafted solutions and wishful thinking

•  There are currently little to no incentives to sell secure devices or consequences to selling poorly secured


Common Security Issues & Concerns

•  Operational Security Gaps

•  Authentication Vulnerabilities

•  Application Vulnerabilities

•  Configuration Vulnerabilities

•  Unpatched Software

•  Lack of Encryption


Operational Security Gaps

•  Customer support web sites
    •  Poor identity proofing and authentication
    •  “Helpful” documentation & software

•  Publicly available:
    •  Technical documentation
    •  Hardcoded and default passwords
    •  Source code
    •  Exploits

•  Devices available for purchase
    •  Allows for reverse engineering
    •  Testing platform for exploits

•  Customer service social engineering

•  Internal intranet sites with information

•  Poor management of support accounts

“Up for auction is this used Hospira Abbott PLUM A+ IV Infusion Pump. This powers up and initiates. It passed the self test.”


Authentication Vulnerabilities & Issues

•  Poor or no authentication

•  No passwords or trivial and easily guessed passwords

•  Unable to use multi-factor authentication

•  Inability to use AD or LDAP

•  Multiple uses for single accounts
    •  Software installation
    •  Patching
    •  Work & service accounts

•  Use of single support account & password for ALL customers

•  Use of hardcoded passwords
    •  Available publicly, in configuration files, manuals, source code

•  Local storage of accounts and passwords

•  Insecure remote support methods


Application Vulnerabilities & Issues

•  Generally “fragile applications”

•  Susceptible to denial of service attacks (small & large scale)

•  Required to run with elevated privileges

•  Unable to run anti-virus or white listing
    •  Or folders excluded

•  Application impacts when using local security agents

•  Inability to scan devices with commercial vulnerability scanners

•  Vulnerable to a large number of known exploits

•  Open source and third party software vulnerabilities

•  Use of consumer grade technology


Configuration Vulnerabilities & Issues

•  Unneeded high risk functionality left operational
    •  FTP, Telnet, TFTP, etc.

•  Unneeded files and applications left on systems
    •  Install instructions
    •  Tools
    •  Etc.

•  Default users and passwords not removed or changed

•  Security software disabled

•  Default settings on software, hardware and security features


Unpatched Software Issues

•  Running on older operating systems with no upgrade paths
    •  Various versions of Windows (and DOS)
    •  Multiple versions of Linux
    •  Old proprietary systems

•  Unpatched software, commercial applications, open source with published exploits

•  No or resource intensive process for updates and patching

•  “Sneaker-net” upgrade processes

•  Immature patching processes
    •  “Patch and pray”
    •  Partial patching


Lack of Encryption

•  PHI & PII stored unencrypted or with weak encryption
    •  Ability to read and change patient data
    •  DES, MD5, Base 64

•  Source code not obfuscated
    •  Easily reverse engineered

•  Communication is unencrypted
    •  “Man-In-The-Middle” attacks
    •  Emulation of monitoring devices
    •  Able to capture traffic and emulate devices

•  Weak wireless encryption
    •  WEP
    •  Pre-shared keys


Proactive Actions to Reduce the Risk

•  Set standards

•  Set minimum requirements

•  Evaluate new purchases

•  Procurement and contracting requirements

•  Require remediation and mitigations

•  Comprehensive internal security program

•  Governance of risk

Push security to the front of the device decision making process


Security Standards

•  Use an industry standard that is applicable
    •  IEC 80001 – “Application of Risk Management for IT Networks Incorporating Medical Devices”

•  The standard should:
    •  Have a capabilities description
    •  Be concise and risk based
    •  Be able to be used as a template for reviews, vendor questions and risk determination
    •  Come from a standards body vendors are familiar with


Set Minimum Requirement

•  Minimum requirements – “bar of goodness”
    •  Runs supported OS
    •  Receives routine OS patches
    •  Has AV applied and updated
    •  Receives routine 3rd-party software patches
    •  Contains no default hardcoded passwords
    •  Complies with work Account standards

•  Below the bar - work with vendor & practice
    •  1st - Mitigate or remediate prior to purchase
    •  2nd - Commitment from vendor to address with set timeline
    •  3rd - Exception from Governance group (centralized risk acceptance)
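
One way to turn the “bar of goodness” and the three-step path for devices below it into a repeatable pre-purchase check, as an added example that is not from the original slides. The `DeviceProfile` record, its field names, the finding ids and the sample device are assumptions; the advisory check goes beyond the bar by flagging the services and algorithms named on the configuration and encryption slides.

```python
from dataclasses import dataclass, field
from datetime import date

HIGH_RISK_SERVICES = {"ftp", "telnet", "tftp"}   # from the configuration slide
WEAK_CRYPTO = {"des", "md5", "base64", "wep"}    # from the encryption slide
STEPS = ["meets bar", "remediated", "vendor commitment", "governance exception"]

@dataclass
class DeviceProfile:  # hypothetical intake record, not a standard format
    os_support_ends: date
    os_patched: bool
    av_current: bool
    third_party_patched: bool
    default_or_hardcoded_passwords: bool
    meets_account_standard: bool
    services: set = field(default_factory=set)
    crypto: set = field(default_factory=set)
    vendor_response: dict = field(default_factory=dict)  # id -> (kind, due date)

def bar_findings(p, purchase_date):
    """Ids of every minimum requirement the device fails."""
    checks = {
        "unsupported-os": p.os_support_ends <= purchase_date,
        "no-os-patches": not p.os_patched,
        "no-av": not p.av_current,
        "no-3rd-party-patches": not p.third_party_patched,
        "default-passwords": p.default_or_hardcoded_passwords,
        "account-standard": not p.meets_account_standard,
    }
    return [fid for fid, failed in checks.items() if failed]

def advisory_findings(p):
    """Review items beyond the bar: risky services and weak crypto in use."""
    svc = sorted(s for s in p.services if s.lower() in HIGH_RISK_SERVICES)
    alg = sorted(a for a in p.crypto if a.lower() in WEAK_CRYPTO)
    return [f"service:{s}" for s in svc] + [f"crypto:{a}" for a in alg]

def step_for(answer, purchase_date):
    """Map one vendor answer onto the 1st/2nd/3rd path for a failed item."""
    kind, due = answer
    if kind == "remediated":
        return "remediated"
    if kind == "commitment" and due and due > purchase_date:
        return "vendor commitment"  # only counts with a dated, future timeline
    return "governance exception"

def disposition(p, purchase_date):
    """Worst step across all failed requirements decides the outcome."""
    steps = [step_for(p.vendor_response.get(f, ("none", None)), purchase_date)
             for f in bar_findings(p, purchase_date)]
    return max(steps, key=STEPS.index, default="meets bar")

SAMPLE = DeviceProfile(  # constructed: workstation on Windows XP (EOL 2014)
    date(2014, 4, 8), os_patched=False, av_current=True,
    third_party_patched=True, default_or_hardcoded_passwords=True,
    meets_account_standard=True, services={"DICOM", "Telnet", "TFTP"},
    crypto={"AES", "MD5"}, vendor_response={
        "default-passwords": ("remediated", None),
        "unsupported-os": ("commitment", date(2018, 6, 30))})
```

For the sample device, the unanswered OS patching gap is what forces the governance exception; once the vendor remediates it, the outcome drops to a tracked vendor commitment.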


New Purchase Evaluations

•  Evaluate BEFORE the purchase is made
    •  Engage with clinical areas during their budgeting process
    •  Include the evaluation as part of the purchase request
    •  Goal is to plan the evaluations a year before an anticipated purchase

•  Develop processes, questions, templates and checklists to make the evaluations a consistent repeatable process

•  Tailor your evaluations to the risks involved
    •  Do I care?
    •  How much do I care?

•  A significant amount of information can be found by asking the right questions, doing a walk through and looking at documentation

•  Assign dedicated staff to review documentation and do follow up


New Purchase Evaluations

•  Focus on high priority devices
    •  Greatest potential to cause patient harm
    •  Greatest potential to widely disrupt patient care processes
    •  Impact to network

•  Engage all stakeholders
    •  Clinical Users, biomed, IT, Facilities
    •  Vendor

•  Assess the whole “device family”
    •  Follow the data flow to include points of testing
    •  Workstations, servers, & endpoint
    •  Document demographic information, establish rules of engagement

•  Consistent, repeatable, efficient, high quality process
    •  Documentation of workflow
    •  Standard processes, documentation, templates and checklists
    •  Testing standards


Procurement & Contracting

•  Integrate into the budgeting and funding processes

•  Develop a medical device information security schedule
    •  Software security requirements
    •  Behavior expectations
    •  Timelines, penalties
    •  Right to require full testing

•  Split contracts into general security language and product specific requirements

•  Customize with commitments for future improvements

•  Incorporate an exception process for critical devices not meeting standards

•  Require a level of security for vendors to prevent supply chain compromises


Procurement & Contracting

•  Information Security Schedule Contents
    •  Meet FDA guidelines (i.e. fail safe features)
    •  Testing and scanning requirements
        •  Include SANS CWE Top 25 and/or OWASP Top 10
        •  Perform at Mayo request, by tester Mayo agrees to, or Mayo staff
        •  Meet Mayo testing methodology
    •  Installation standards (i.e. document needed ports/service, remove unneeded ports/services)
    •  Development standards
    •  Users and passwords (i.e. unique, no hardcoded, no persistent admin privilege)
    •  Security issues and response (i.e. communicate Known Vulnerability or Exploit (KVE) within 20-days, identify timeline and plan to remediate/mitigate, warrant all open source software is actively maintained)
    •  Penalty for failure to fix KVE
    •  Indemnification for cyber-security incidents caused by device


Remediation & Mitigations

•  Pre-Purchase
    •  Require testing of simple remediations and mitigations
        •  Many times the use of AV, the impact of not using admin privileges, etc. has never been tested by the vendor
    •  Implement process changes (e.g. only plug into network for upgrades)
    •  Partial “fix” (i.e. Require changes of default passwords to at least be unique for your institution)
    •  Require product changes for known vulnerabilities before use or in near future
    •  Disable unused or unneeded parts of a product
    •  General system updates & clean up
        •  Update to current versions of software
        •  Remove un-needed files, close ports, etc.

80% of issues we have found are vendor related and require a vendor fix


Governance of Risk

•  Need to make sure that risk decisions are made at the right level

•  Physician and leadership involvement is critical

•  Governance may take the form of:
    •  Security or safety committee
    •  “Office” organization to evaluate risk
    •  Escalation to a practice committee
    •  Etc.

•  Decisions might have to be made on clinical value vs. risk to the institution

•  Sometimes for good reasons, “bad devices” must be bought
    •  Your job is to minimize risk


FDA Guidance

“While this is guidance on how, cybersecurity for medical devices is not optional” – Dr. Suzanne Schwartz, FDA

•  Guidance for Industry – Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software

•  Content of Premarket Submission for Management of Cybersecurity in Medical Devices

•  Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication

•  Postmarket Management of Cybersecurity in Medical Devices – Draft Guidance for Industry and Food and Drug Administration Staff

•  FDA Fact Sheet: The FDA’s Role in Medical Device Cybersecurity. Dispelling Myths and Understanding Facts


FDA Guidance

•  Hold the vendor accountable to the FDA guidance

•  The vendor is responsible for ensuring the safety and effectiveness of their devices
    •  Cybersecurity patches usually do not need another FDA review
    •  A vendor should maintain a robust software lifecycle process
    •  Have a process for intake and communicating vulnerabilities
    •  Deploy mitigations early and before exploitation
    •  Use a method to determine severity of vulnerabilities
    •  Vendors are responsible for validating all changes
    •  Implement compensating controls
    •  Provide a fix within 60 days for uncontrolled risk

Read and know the guidance!


Dispelling Urban Myths

•  FDA needs to approve a cybersecurity patch or fix

•  Cybersecurity is not regulated by the FDA

•  Customers need to place devices on a “secure” network

•  It is the customer’s responsibility to verify patches

•  “No one else has EVER asked for this before”


Final Thoughts

•  The technology and knowledge exist to fix the problem, but it’s not always a technology problem

• While vendors have a responsibility to fix equipment, we both have a responsibility to protect patients

• This is a journey ……… immediate attention is needed now with on-going, steady progress


References

•  Content of Premarket Submission for Management of Cybersecurity in Medical Devices - http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf

•  Guidance for Industry – Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software - http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm

•  Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication - www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm

•  Postmarket Management of Cybersecurity in Medical Devices – Draft Guidance for Industry and Food and Drug Administration Staff - http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf

•  FDA Fact Sheet: The FDA’s Role in Medical Device Cybersecurity. Dispelling Myths and Understanding Facts - https://www.fda.gov/downloads/MedicalDevices/DigitalHealth/UCM544684.pdf