Secure Medical Device Procurement
Session 223, February 14, 2019
Nick Sikorski, Manager, Deloitte & Touche LLP
Conflict of Interest
Nick Sikorski, CISSP CSSLP
Manager
Cyber Risk Services
Deloitte & Touche LLP
• Has no real or apparent conflicts of interest to report.
Copyright © 2019 Deloitte Development LLC. All rights reserved.
Release for answers to polling questions
I understand that any data or information provided by me as part of this poll may be used by Deloitte in connection with this poll, other studies, or analyses performed by Deloitte or in connection with services provided by Deloitte or otherwise.
I understand that any such data or information may be disclosed by Deloitte to related entities or other third parties, including, without limitation, in publications, in connection with this poll or such studies, analyses, or services, provided that such data or information does not contain any information that identifies me or associates me with the responses I have provided to this survey.
I understand disclosure of such data or information may be required by law, in which case, Deloitte will endeavor to notify me.
I understand that this poll and the poll results are the proprietary property of Deloitte, and I will keep the poll results confidential, except as may be required by law.
Deloitte is not responsible for any loss sustained by any person who relies on the poll results.
I am permitted to respond to the polling questions pertaining to my company, including, without limitation, in accordance with the policies of my company and its board of directors (or similar governing body).
Agenda
• Industry landscape
• Foundational concepts to understand
• Secure connected medical device procurement
• Use case
• Key takeaways
• Q&A
Learning objectives
• Analyze the connected medical device cybersecurity landscape and trends
• Discuss the lack of security practices built into connected medical device procurement
• Discuss the steps involved in procuring a connected medical device
• Define an approach to consider for reducing risk to patient safety and information security
Industry Landscape
Medical device ecosystem
A connected medical device, as defined by the FDA, communicates via a private network, public Internet, or point-to-point connection, or can be accessed in standalone mode via a user or machine interface. Today, connected medical devices can be viewed as an ecosystem of interconnectivity.
The rise of cyber risk in medical devices
A combination of environmental and industry factors that reflect the changes seen in the industry, and factors leading to security weakness that reflect the changes seen in organizations today, contribute to increased cyber risk.
Medical device manufacturer update
Device manufacturers have collectively come a long way over the past decade to secure devices prior to fielding.
Maturation
• Understanding the need to secure devices prior to fielding (e.g., technical security testing, security risk assessment, etc.)
• Exploring or implementing coordinated vulnerability disclosure programs as a result of working with security researchers
• Establishing relationships with customers and providing information in a standardized format (i.e., Manufacturer Disclosure Statement for Medical Device Security - MDS2)
Areas for opportunity
• Lacking postmarket security risk management to identify and treat the risks of fielded and legacy devices
• Insufficient monitoring and responding to security events proactively
• Insufficient product security awareness and training for product engineers and architects designing medical devices
Healthcare delivery organization update
Healthcare delivery organizations (HDOs) understand the risk around medical devices and many are starting down the road to securing the devices they procure.
Maturation
• Holding manufacturers accountable for medical device security prior to procurement
• Including and/or requesting security questionnaires to be completed by device manufacturers during procurement
– While this is positive for each individual hospital, device manufacturers have the task of populating each of these unique questionnaires versus sending a standardized questionnaire such as the MDS2 form
Areas for opportunity
• Lacking postmarket security risk management to identify and treat risks
• Insufficient monitoring and responding to security events
• Insufficient product security awareness and training for security and clinical engineers
• Inadequate headcount to address the scope of the organization’s medical device portfolio
• Lacking ownership of the security of connected medical devices from acquisition through disposition
Polling question #1
Q1. Who is accountable for securing medical devices in your organization?
A. Clinical Engineering
B. Information Security
C. Nobody
D. Do not know
Source: https://healthitsecurity.com/news/4.4m-records-exposed-in-117-health-data-breaches-in-q3-2018
Polling Results: https://live.eventbase.com/polls?event=himss19&polls=5151
Foundational concepts to understand
Security and safety risk management relationship
A bi-directional relationship exists between security and safety risk, and a process should be in place detailing the procedure for separating but linking the two processes.
Source: The above figure and text have been extracted from AAMI TIR57: Principles for Medical Device Security—Risk Management
• When a risk control measure is introduced to a design, the design must be reassessed to determine if the control measure introduces a new form of risk.
• It should be recognized that there is a coupling between safety and security risk assessment processes, so when control measures are introduced for one type of risk (e.g., safety), the manufacturer needs to assess the impact on the other type of risk (e.g., security) and vice versa:
– For example, the decision to add risk control measures for authentication might introduce risks that the device cannot be accessed in an emergency.
• The overall risk management process should identify those points of coupling and facilitate the assessment of any newly identified source of risk in both domains.
Pre-market medical device risk management
Security-by-design and privacy-by-design are fundamental to a mature Product Security and Privacy Program™, as it is within these operational areas that security and privacy are incorporated by default into device design and acquisition.
• Integrate product security and privacy requirements into device design (e.g., security-by-design, privacy-by-design)
• Conduct product security risk assessments and privacy impact assessments to identify and treat risks
• Perform robust product technical security testing
• Apply product security and privacy processes to third-party products, components, and services during procurement
• Perform security and privacy threat modeling (and data flow diagramming) to understand risk within the larger device ecosystem
Post-market medical device risk management
Security and privacy event handling is critically important to securely maintaining fielded IoT products. Since cybersecurity and privacy are continuously evolving, new threats, vulnerabilities, and knowledge should be collected and detected from a number of sources.
• Conduct active product security threat intelligence
• Effectively perform ongoing, proactive product patch management
• Consistently handle product security and privacy incidents
• Proactively monitor for product vulnerabilities and manage risks accordingly
External communications in the device lifecycle
Consistently and efficiently delivering and handling external medical device security and privacy communications, including being actively engaged within the industry, is essential to establishing and operating a mature Product Security and Privacy Program™.
• Document and communicate product security and privacy attributes such as a cybersecurity bill of materials
• Consistently intake and respond to security and privacy inquiries
• Establish a mechanism for coordinated vulnerability disclosure
• Adhere to security and privacy package requirements for regulatory bodies and customers
• Actively participate in information sharing
Medical Device Manufacturer: Product Security and Privacy Program™
Polling question #2
Q2. How often does your organization include a medical device cybersecurity evaluation during the selection decision phase of the procurement process?
A. < 25% of the time
B. 25% to 50% of the time
C. 50% to 75% of the time
D. 75% to 100% of the time
Source: https://healthitsecurity.com/news/4.4m-records-exposed-in-117-health-data-breaches-in-q3-2018
Polling Results: https://live.eventbase.com/polls?event=himss19&polls=5152
Secure connected medical device procurement
Understanding the issues
Increasingly sophisticated connected medical devices can have major security, privacy, and safety implications, which may result in significant impact to patients.
What proactive steps can HDOs take to secure the connected medical devices they procure?
Why is security commonly overlooked when procuring medical devices?
• Clinical requirements often precede and outweigh security considerations
• A complex procurement lifecycle involving multiple stakeholders and departments, both internally and externally, thwarts coordination and challenges timelines
• Lack of awareness of medical device security practices as compared to traditional information technology (IT) security
• Increased level of effort required due to inconsistent traditional security controls
• Shadow IT across the HDO, with devices not funneled through procurement
Polling question #3
Q3. Do you think the FDA pre-market and post-market guidance will result in more secure medical devices?
A. No - It will take more than guidelines
B. Maybe – but will need buyers to demand compliance
C. Yes – the guidelines are the right approach
D. Do not know
Source: Deloitte: Preparing for the inevitable: Bringing tools and process improvements to data breach notification
Polling Results: https://live.eventbase.com/polls?event=himss19&polls=5153
Understanding the procurement process
Below is an example of how vendor medical device safety and security are managed across typical stakeholders.
Typical involved stakeholders: Supply Chain, Legal, Information Security, Clinical Engineering
Phase 01: Conduct vendor-level assessment
Key activities:
• Vendor security questionnaire
• Review and interviews
Phase 02: Conduct device-level assessment
Key activities:
• Device security questionnaire
• Review and interviews
• Security risk assessment
• Security testing
Phase 03: Integrate device security into contracting
Key activities:
• Contractual language (e.g., Terms & Conditions)
Phase 1: Vendor security questionnaire
Leveraging a vendor questionnaire is critical to understanding how the vendor views medical device security and the processes in place to keep devices secure once fielded.
Importance
• Gain a deeper understanding of the following:
– How the vendor views medical device security (e.g., program vs. product)
– How prepared the vendor is to keep their medical device secure once fielded
– The maturity of security processes applied to secure the vendor’s medical devices throughout their lifecycle
Sample high-level questions
• First and foremost, identify if the vendor has an established medical device security organization
• If so, assess the organization against a leading practice product security framework
• Sample medical device security questions:
– Does a product security policy exist?
– Are product security design requirements established and integrated into product design?
– Are product security risk assessments and technical security testing completed on products prior to fielding?
– Are patch and vulnerability monitoring and management processes in place to keep products secure once fielded?
– Are formalized processes in place to intake inquiries from external parties and respond accordingly?
– Do product engineers receive in-depth training to develop secure products (e.g., secure coding)?
Phase 1: Review and interviews
The remaining activities involved in the vendor-level assessment include conducting reviews of the questionnaire responses and interviews with stakeholders.
Review the responses of the vendor security questionnaire
• Identify gaps against the identified security framework and the associated level of risk
• As appropriate, escalate risk to leadership for approval
Conduct vendor interviews
• Gain greater insight and understanding into questionnaire responses through follow-up discussions with the vendor as appropriate (requesting evidence as needed)
Other activities
If the HDO concludes they would like to proceed with procurement, proceed to Procurement Phase 2: Device Level Assessment
Phase 2: Device security questionnaire (Tier 1)
A vendor questionnaire should be used to understand the security features built into the device design and configured upon fielding.
Importance
• Gain a deeper understanding of the following:
– The security features and deficiencies of the connected devices and services being procured
Publicly-available questionnaire
Source: https://www.himss.org/resourcelibrary/MDS2
Phase 2: Security risk assessment (Tier 2)
For devices deemed greater than (>) low risk, a security risk assessment should be considered to better understand the risk posed by the medical device to the HDO environment and patients.
High-level overview of steps
01. Review the provided product security questionnaire and use the provided information as intake to the device security risk assessment
02. HDO requests vendor to provide device documentation including, but not limited to:
– Overview of the system
– Hardware components
– Architectural, network, and data flow diagrams
– Network information
– Software components
– Data assets and usage
03. Conduct follow-up interviews with the product development team (and product security team) to answer any open questions following review of the device security questionnaire and provided device documentation
04. Based on information obtained from the vendor, document device security vulnerabilities and conduct risk rating accordingly
Phase 2: Security testing (Tier 3)
The below graphic illustrates a methodology for conducting technical security testing of connected medical devices as part of Phase 2. For devices deemed high risk, testing should be considered.
Phase 2: Security testing (Tier 3) (cont’d)
Underwriters Laboratories (UL) Cybersecurity Assurance Program (CAP) Certification Readiness Program
About UL
Overview
• The UL 2900 series of standards under the Cybersecurity Assurance Program (CAP) provide a minimum set of security requirements that developers of network-connectable products can adopt to establish a baseline of protection.
• Many companies are now seeking CAP certification of their products to demonstrate that they have consistently implemented the minimum set of security controls required.
Solving Industry Challenges
• As part of the CAP certification process, UL performs both a product-level and an organizational assessment for cybersecurity controls.
• Often, companies find that their existing processes do not meet the leading practice standards set by UL, causing unforeseen delays in the certification process.
Source: Underwriters Laboratories (UL)
Phase 3: Contract and on-board
Develop contract language with security incorporated, with input from the appropriate stakeholders, and include vendor remediation plans for known vulnerabilities.
Contract language to consider
Vendor hereby acknowledges that the product being procured
• conforms to product security and privacy regulatory requirements and industry leading practices; and
• is up-to-date on the latest available security patches and free from malware.
Vendor hereby acknowledges that they will
• manage product security and privacy risk of the product being procured to identify and detect cyber security threats and vulnerabilities, protect users from risk (e.g., harm), and respond to and recover from security and privacy events and incidents as they arise;
• monitor the procured product through the performance of post-market surveillance in alignment with regulatory requirements and industry leading practices; and
• perform good cyber hygiene of the procured product to keep it up-to-date on the latest available security patches.
Polling question #4
Q4. Would you be open to adopting the Manufacturer Disclosure Statement for Medical Device Security (MDS2) as your product level procurement questionnaire?
A. No - It does not meet the needs we have as an organization
B. Maybe – It could solve the problem but is not mature enough yet
C. Yes – a completed MDS2 form would provide us with the information we need to make an informed decision
Source: Deloitte: Preparing for the inevitable: Bringing tools and process improvements to data breach notification
Polling Results: https://live.eventbase.com/polls?event=himss19&polls=5154
Key takeaways
Key takeaways and lessons learned
Ensure the right people are engaged and have ownership of the process
The relevant medical device subject matter experts from the vendor’s product teams need to
be engaged to provide the requested information.
Leverage the procurement team to open dialogue with the vendor
Medical device manufacturers are more likely to fully engage in assessment collaboration
when procurement is involved in initiating the conversation.
Establish medical device secure procurement practices
Establish a process to integrate medical device security into the device procurement process,
including cooperation between key stakeholders across the organization.
Leverage industry available resources
Rather than developing and providing unique questionnaires to your device vendors, use
publicly-available industry resources (e.g., Manufacturer Disclosure Statement for Medical
Device Security – MDS2).
Questions & Answers (Q&A)
Nick Sikorski, CISSP CSSLP
Manager
Cyber Risk Services
Deloitte & Touche LLP
• Reminder to please complete online session evaluation!
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering
accounting, business, financial, investment, legal, tax, or other professional advice or services. This
presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any
decision or action that may affect your business. Before making any decision or taking any action that may
affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see
www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be
available to attest clients under the rules and regulations of public accounting.