Secure Medical Device Procurement - HIMSS365 · Secure Medical Device Procurement Session 223, February 14, 2019 Nick Sikorski, Manager, Deloitte & Touche LLP . 2 Nick Sikorski, CISSP

1

Secure Medical Device ProcurementSession 223, February 14, 2019

Nick Sikorski, Manager, Deloitte & Touche LLP

2

Nick Sikorski, CISSP CSSLP

Manager

Cyber Risk Services

Deloitte & Touche LLP

• Has no real or apparent conflicts of interest to report.

Conflict of Interest

Copyright © 2019 Deloitte Development LLC. All rights reserved.

3

I understand that any data or information provided by me as part of this poll may be used by Deloitte in

connection with this poll, other studies, or analyses performed by Deloitte or in connection with

services provided by Deloitte or otherwise.

I understand that any such data or information may be disclosed by Deloitte to related entities or other

third parties, including, without limitation, in publications, in connection with this poll or such studies,

analyses, or services, provided that such data or information does not contain any information that

identifies me or associates me with the responses I have provided to this survey.

I understand disclosure of such data or information may be required by law, in which case, Deloitte will

endeavor to notify me.

I understand that this poll and the poll results are the proprietary property of Deloitte, and I will keep

the poll results confidential, except as may be required by law.

Deloitte is not responsible for any loss sustained by any person who relies on the poll results.

I am permitted to respond to the polling questions pertaining to my company, including, without

limitation, in accordance with the policies of my company and its board of directors (or similar

governing body).

Release for answers to polling questions


4

• Industry landscape

• Foundational concepts to understand

• Secure connected medical device procurement

• Use case

• Key takeaways

• Q&A

Agenda


5

• Analyze the connected medical device cybersecurity landscape and trends

• Discuss the lack of security practices built into connected medical device

procurement

• Discuss the steps involved in procuring a connected medical device

• Define an approach to consider for reducing risk to patient safety and information

security

Learning objectives


6

Industry Landscape


7

Medical device ecosystem A connected medical device, as defined by the FDA, communicates via a private network, public Internet, or point-to-point connection or can be accessed in standalone mode via a user or machine interface. Today, connected medical devices can be viewed as an ecosystem of interconnectivity.


8

The rise of cyber risk in medical devicesA combination of environmental and industry factors reflect the changes seen in the industry and factors that lead to security weakness reflect the changes seen in organizations today contribute to increased cyber risk.


9

Medical device manufacturer update

Maturation

• Understanding the need to secure devices

prior to fielding (e.g., technical security

testing, security risk assessment, etc.)

• Exploring or implementing coordinated

vulnerability disclosure programs as a

result of working with security researchers

• Establishing relationships with customers

and providing information in a standardized

format (i.e., Manufacturer Disclosure

Statement for Medical Device Security -

MDS2)

Areas for opportunity

• Lacking postmarket security risk

management to identify and treat the risks of

fielded and legacy devices

• Insufficient monitoring and responding to

security events proactively

• Insufficient product security awareness and

training for product engineers and architects

designing medical devices

Device manufacturers have collectively come a long way over the past decade

to secure devices prior to fielding.


10

Healthcare delivery organization update

Maturation

• Holding manufacturers accountable for

medical device security prior to procurement

• Including and/or requesting security

questionnaires to be completed by device

manufacturers during procurement

• While this is positive for each

individual hospital, device

manufacturers have the task of

populating each of these unique

questionnaires versus sending a

standardized questionnaire such as

the MDS2 form

Areas for opportunity

• Lacking postmarket security risk management to

identify and treat risks

• Insufficient monitoring and responding to security

events

• Insufficient product security awareness and training

for security and clinical engineers

• Inadequate headcount to address the scope of the

organization’s medical device portfolio

• Lacking ownership of the security of connected

medical devices from acquisition through disposition

Healthcare delivery organizations (HDOs) understand the risk around medical

devices and many are starting down the road to secure devices procured.


11

Polling question #1

Q1. Who is accountable for securing of medical devices in your organization?

A. Clinical Engineering

B. Information Security

C. Nobody

D. Do not know

Source: https://healthitsecurity.com/news/4.4m-records-exposed-in-117-health-data-breaches-in-q3-2018


Polling Results: https://live.eventbase.com/polls?event=himss19&polls=5151

https://live.eventbase.com/polls?event=himss19&polls=5151

12

Foundational concepts to understand


13

Security and safety risk management relationshipA bi-directional relationship exists between security and safety risk and a process should be in place detailing the procedure for separating but linking the two processes.

Source: The above figure and text have been extracted from AAMI TIR57: Principles for Medical Device Security—Risk Management

• When a risk control measure is introduced to a design, the design must be reassessed to determine if the control measure introduces a new form of risk.

• It should be recognized that there is a coupling between safety and security risk assessment processes, so when control measures are introduced for one type of risk (e.g., safety), the manufacturer needs to assess the impact on the other type of risk (e.g., security) and vice versa:

– For example, the decision to add risk control measures for authentication might introduce risks that the device cannot be accessed in an emergency.

• The overall risk management process should identify those points of coupling and facilitate the assessment of any newly identified source of risk is performed in both domains.


14

Pre-market medical device risk managementSecurity-by-design and privacy-by-design are fundamental to a mature Product Security and Privacy Program™ as it is within these operational areas that security and privacy are incorporated by default into device design and acquisition.

02

01

03

04

Integrate product security and privacy requirements

into device design (e.g., security-by-design, privacy-by-

design)

Conduct product security risk assessments and

privacy impact assessments to identify and treat risks

Perform robust product technical security testing

Apply product security and privacy processes to third-

party products, components, and service during

procurement

Perform security and privacy threat modeling (and

data flow diagraming) to understand risk within the larger

device ecosystem

05


15

Post-market medical device risk managementSecurity and privacy event handling is critically important to securely maintaining fielded IoT products. Since cybersecurity and privacy are continuously evolving, new threats, vulnerabilities, and knowledge should be collected and detected from a number of sources.

02

01

03

04

Conduct active product security threat intelligence

Effectively perform ongoing, proactive product patch

management

Consistently handle product security and

privacy incidents

Proactively monitor for product vulnerabilities and manage

risks accordingly


16

External communications in the device lifecycleConsistently and efficiently delivering and handling external medical device security and privacy communications, including being actively engaged within the industry, is essential to establishing and operating a mature Product Security and Privacy Program™.

02

01

03

04

Document and communicate product security

and privacy attributes such as cybersecurity bill

of materials

Consistently intake and respond to security and

privacy inquiries

Establish a mechanism for coordinated

vulnerability disclosure

Adhere to security and privacy package

requirements for regulatory bodies and

customers

Actively participate in information sharing

05


17

Medical Device Manufacturer: Product Security and Privacy Program™


18

Polling question #2

Q1. How often does your organization include a medical device cybersecurity evaluation during the selection decision phase of the procurement process?

A. < 25% of the time

B. 25% to 50% of the time

C. 50% to 75% of the time

D. 75% to 100% of the time

Source: https://healthitsecurity.com/news/4.4m-records-exposed-in-117-health-data-breaches-in-q3-2018



https://secure-web.cisco.com/1nANn8TRljdsWaItXf-CYwXGXpCxkjsV8Y-JHJ_Agf2XfwuXuDBYp_aA6laH93mly22d2FelrwQfNiCCJvZvmmkm-zdf6a6DGnzYqZOqIDo1r-LycnTk4ZE5hD8jtzmog2iGNaVdzDsmAcBeF1qCDcWtvR-t7RGykKAtrkwyG4hHSYXbXnmF9nNV0uG70LtUYQIACbYsbJ-ZqmpobUbHFfu2CtQlhV8A-x1Yre45mRnxo-aculjTGCEam9zhZzzuF59_LJAodzMH1LFn05SSAnKoe7Mv8ewt8bjvntnp0DW3mUoMGsdDZIGo9Lo9_FEZhNS3SPE-rke7P_4qngcoj0jGAhUXmA4AlCQ6oNHvx5Vw7PAiUlo6u7KvT19YzxPufE2PIvJ59vbhoLHsfm8aa1-M8GSevpssWT4F4OdDLHS-unkFjhQFh3RTo46VAIklXwW0pt8DjWvaFqYVgTDaabigM9Hwqhu-nzJi5ruB9NNJ3Hipug7KOSBIcWjOhviks/https:/live.eventbase.com/polls?event=himss19&polls=5152

19

Secure connected medical device procurement


20

Understanding the issuesIncreasingly sophisticated connected medical devices can have major security, privacy, and safety implications, which may result in significant impact to patients.

What proactive steps can HDOs take to secure the connected medical

devices they procure?

Why is security commonly overlooked when procuring medical devices?

• Clinical requirements often precede and out weight security considerations

• Complex procurement lifecycle involving multiple stakeholders and departments,

both internally and externally, thwart coordination and challenge timelines

• Lack of awareness of medical device security practices as compared to traditional

information technology (IT) security

• Increased level of effort required due to inconsistent traditional security controls

• Shadow IT across the HDO with devices not funneled through procurement

?


21

Polling question #3

Q3. Do you think the FDA pre-market and post-market guidance will result in more secure medical devices?

A. No - It will take more than guidelines

B. Maybe – but will need buyers to demand compliance

C. Yes – the guidelines are the right approach

D. Do not know

Source: Deloitte: Preparing for the inevitable: Bringing tools and process improvements to data breach notification



https://live.eventbase.com/polls?event=himss19&polls=5153

22

Understanding the procurement process Below is an example of the management process of vendor medical device safety and security across typical stakeholders.

Typical involved stakeholders:

Supply Chain, Legal, Information Security, Clinical Engineering

Conduct vendor-level

assessment

Phase 01 02

Conduct device-level

assessment

Phase 02 02

Integrate device security into

contracting

Phase 03

Key activities• Vendor security

questionnaire

• Review and interviews

Key activities• Device security

questionnaire

• Review and interviews

• Security risk assessment

• Security testing

Key activities• Contractual language

(e.g., Terms & Conditions)


23

Phase 1: Vendor security questionnaire Leveraging a vendor questionnaire is critical to understand how the vendor views medical device security and the processes in place to keep devices secure once fielded.

• Gain a deeper understanding

of the following:

• How the vendor views

medical device security (e.g.,

program vs. product)

• How prepared the vendor is

to keep their medical device

secure once fielded

• The maturity of security

processes applied to secure

the vendor’s medical devices

throughout their lifecycle

Importance

• First and foremost, identify if vendor has an established

medical device security organization

• If so, assess the organization against a leading practice

product security framework

• Sample medical device security questions:

• Does a product security policy exist?

• Are product security design requirements established and integrated

into product design?

• Are product security risk assessments and technical security testing

completed on products prior to fielding?

• Are patch and vulnerability monitoring and management processes in

place to keep products secure once fielded?

• Are formalized processes in place to intake inquires from external

parties and respond accordingly?

• Do product engineers receive in-depth training to develop secure

products (e.g., secure coding)?

Sample high-level questions


24

Phase 1: Review and interviews The remaining activities involved in the vendor-level assessment includes conducting reviews of the questionnaire responses and interviews with stakeholders.

Review the responses of the vendor security questionnaire

• Identify gaps against the identified security framework and the

associated level of risk

• As appropriate, escalate risk to leadership for approval

Conduct vendor interviews

• Gain greater insight and understanding into questionnaire responses

through follow-up discussions with the vendor as appropriate

(requesting evidence as needed)

Other activities

!

02

01

If the HDO concludes they would like to proceed with procurement, proceed

to Procurement Phase 2: Device Level Assessment


25

Phase 2: Device security questionnaire (Tier 1) A vendor questionnaire should be used understand the security features included into the device design and configured upon fielding.

• Gain a deeper

understanding of the

following:

• The security features and

deficiencies of the

connected devices and

services being procured

Importance Publicly-available questionnaire

Source: https://www.himss.org/resourcelibrary/MDS2


26

Phase 2: Security risk assessment (Tier 2) For devices deemed greater than (>) low risk, a security risk assessment should be considered to better under the risk posed by the medical device to the HDO environment and patients.

High-level overview of steps

Review the provided product security questionnaire and use the provided information as intake

to the device security risk assessment01

HDO requests vendor to provide device documentation including, but not limited to: 02

Overview of the system

Hardware components

Architectural, network,

and data flow diagrams

Network information

Software components

Data assets and usage

Conduct follow-up interviews with the product development team (and product security team)

to answer any open questions following review of the device security questionnaire and

provided device documentation03

Based off of information obtained from the vendor, document device security vulnerabilties and

conduct risk rating accordingly04


27

Phase 2: Security testing (Tier 3) The below graphic illustrates a methodology for conducting technical security testing of connected medical devices as part of Phase 2. For devices deemed high risk, testing should be considered.


28

Overview

• The UL 2900 series of standards under the Cybersecurity

Assurance Program (CAP) provide a minimum set of security

requirements that developers of network connectable products

can adopt to establish a baseline of protection.

• Many companies are now seeking CAP certification of their

products to demonstrate that they have consistently

implemented the minimum set of security controls required

Solving Industry Challenges

• As part of the CAP certification process, UL performs both a

product level and organizational assessment for cybersecurity

controls.

• Often times, companies find that their existing processes do

not meet the leading practice standards set by UL, causing

unforeseen delays in the certification process.

About UL

01

02

Phase 2: Security testing (Tier 3) (cont’d)Underwriters Laboratories (UL) Cybersecurity Assurance Program (CAP) Certification Readiness Program

Source: Underwriters Laboratories (UL)

29

Phase 3: Contract and on-board

Vendor hereby acknowledges that the product being procured

• conforms to product security and privacy regulatory

requirements and industry leading practices; and

• is up-to-date on the latest available security patches and

free from malware.

Vendor hereby acknowledges that they will

• manage product security and privacy risk of the product

being procured to identify and detect cyber security

threats and vulnerabilities, protect users from risk (e.g.,

harm), and respond and recover from security and privacy

events and incidents as they arise;

• monitor the procured product through the performance of

post-market surveillance in alignment with regulatory

requirements and industry leading practices; and

• perform good cyber hygiene of the procured product to

keep it up-to-date on the latest available security patches.

Contract language to consider

01

02

Develop contract language with security incorporated with input from various appropriate stakeholders and include vendor remediation plans for known vulnerabilities.


30

Polling question #4

Q4. Would you be open to adopting the Manufacturer Disclosure Statement for Medical Device Security (MDS2) as your product level procurement questionnaire?

A. No - It does not meet the needs we have as an organization

B. Maybe – It could solve the problem but is not mature enough yet

C. Yes – a completed MDS2 form would provide us with the information we need to make an informed decision

Source: Deloitte: Preparing for the inevitable: Bringing tools and process improvements to data breach notification



https://secure-web.cisco.com/1me1qqvGS028G1eZ11PDL0u62tkcja5aIcY1ri7b7VR6wyTpdduM7Mtzgv4gyuHAUPeRJX2CNhwL-8qh4AHhTiGFGiTY64Wtt3alvfraMM-cAU6hY5MERxvqJj-QcpYydj5symSoJixxQyIo6E9PD-Odn412vVEUCp4IKMSa7GdD4ln3P-k2jv0mPth3A_VjpFZxmamkStUxL3sY2MANt_nGhPjM4CFBfogL43sUdj82nYIK853A9bPZhzpRZCEtngLZDB9qkeE0eC6EmN2G4JNdYtMlISSWFMyWlRhfiCj9MmKxyNeG_WCq2-zA2v_99dAtmVkgjRT9euiYUlgxyTQ0cf3cWvDD7SbKxlOUukytcICM1RZLoXdeGm2s4L5pmT_TBiEo5K7gDzQSQwBYwZS0LsFWLJiJUWfoztsx6aFoZUe7DXfSI8Ak4qLUA3gRJznyo8_dWAkJtRNvW558nXyvgOUYwHI9KcE3AXWZ_kXz2ImCh14R6PLBDdpfhx7tJ/https:/live.eventbase.com/polls?event=himss19&polls=5154

31

Key takeaways


32

Key takeaways and lessons learned

Ensure the right people are engaged and have ownership of the process

The relevant medical device subject matter experts from the vendor’s product teams need to

be engaged to provide the requested information.

Leverage the procurement team to open dialogue with the vendor

Medical device manufacturers are more likely to fully engage in assessment collaboration

when procurement is involved in initiating the conversation.

Establish medical device secure procurement practices

Establish a process to integrate medical device security into the device procurement process,

including cooperation between key stakeholders across the organization.

Leverage industry available resources

Rather than developing and providing unique questionnaires to your device vendors, use

publicly-available industry resources (e.g., Manufacturer Disclosure Statement for Medical

Device Security – MDS2).


33

Questions & Answers (Q&A)

Nick Sikorski, CISSP CSSLP

Manager

Cyber Risk Services

Deloitte & Touche LLP

• Reminder to please complete online session evaluation!


34

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering

accounting, business, financial, investment, legal, tax, or other professional advice or services. This

presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any

decision or action that may affect your business. Before making any decision or taking any action that may

affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see

www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be

available to attest clients under the rules and regulations of public accounting


Documents

Secure Medical Device Procurement - HIMSS365 · Secure Medical Device Procurement Session 223, February 14, 2019 Nick Sikorski, Manager, Deloitte & Touche LLP . 2 Nick Sikorski, CISSP