Transcript
2021 CE-IT Symposium
“Data Availability and Security
in the Clinical Environment”
2021 ACCE CE-IT Symposium, 08/09/2021
ACCE – 2021 CE-IT Symposium
Opening remarks from Ilir Kullolli, ACCE President
Welcome to the 2021 ACCE CE-IT Symposium
ACCE would like to thank its co-sponsors
Today’s Program
• ACCE President’s Message
• Keynote
• Discovering and Disclosing Vulnerabilities
• Aligning NIST CSF with CE Operations
• Balancing Priorities During and Following Cyber Attack
• Overview of Medical Device Cybersecurity Resources
• Getting Ahead of Cybersecurity Risks with Contract Language
• Closing
Keynote: “The importance of BCDR and operational support, data impact on clinical with Data availability”
Bill Hudson, Senior Vice President & CIO
John Muir Health
About the speaker
Bill Hudson is the SVP and CIO for John Muir Health, a community health system in the East Bay, San Francisco. He is responsible for partnering with hospital and physician network operations to drive digital transformation and the digital consumer experience – aligning JMH’s digital assets and enabling clinicians to support their community where they are in their individual care journeys.
Bill.Hudson@JohnMuirHealth.com
Agenda
• Introduction
• The Evolving Risk Landscape
• Managing Risk
• Preparing for the Worst
• The Work Ahead of Us
If the Story of IT was a Children’s Book: Lessons Learned
• Cookies are awesome!
• More technology and integration increases failure points and risk.
• There is always an insatiable demand for more technology and integration
If the Story of IT was a Children’s Book Part 2
You are going to have a bad day.
You know that disaster planning is a team sport. HEICS
Is it disaster - fire or earthquake? Is it flood?
Is it significantly more nefarious?
Ransomware slides
Coordination.
Here’s a fable…
Deleting a drive, unplugging a server….
How it was dealt with. Communicated.
The aftermath…
Ugh
RCA process
Fair and Just Culture
Lessons learned
What this means for you.
You are going to have a bad day.
You are going to have a no good very bad horrible day
And there’s nothing that you can do to prevent that. Nothing.
Not all the planning in the world will forestall the inevitable.
What happens next is dependent on two things.
1. How you’ve prepared for it.
2. How you’ve prepared the org.
Communication buys grace.
This is not a presentation about how you should categorize and prioritize your systems and applications into tiers 0 through 4, or how to establish your RPO and RTO and balance them against your RTA.
You know that.
The Evolving Risk Landscape
Security News Themes

Federal Engagement and Action
• Removing malware from infected systems.
• Increased alerts, guidance and information.

Significantly Increased Cyber Criminal Activity
• Direct attacks on internet-facing services.
• Phishing to gain credentials or install malware.
• Targeted attacks by human operators.

3rd Party Risk and Audit
• Multiple audits from payors.
• Vendor/Partner privacy and security events.
Changing Threat Landscape

Global Pandemic
• Revealed Supply Chain Risks
  • Delays as vendors struggled to implement COVID-19 protocols and work from home.
  • Changes led to breaches/compromise at vendors.
• New Work From Home and Staff Under Incredible Stress
  • The emergency response to COVID-19 has dramatically changed the way staff works. We need to support people working long shifts under very stressful conditions by giving them ways to work securely, as well as other staff adjusting to working from home.
  • JMH implemented measures to protect JMH staff working from home using temporary extensions of existing controls.

Increased Aggressive Hacking Activity
• US Cybersecurity and Infrastructure Security Agency alert on healthcare hacking attacks
  • Between March and November, >560 healthcare provider organizations were targeted or compromised by ransomware.
  • JMH InfoSec acted to implement a coordinated set of changes across the security toolset to block these attacks.
  • In late 2020 we performed the most difficult phishing test to date, and JMH staff rose to the challenge. We are leveraging existing tools to take a more industry-standard educational approach to phishing.
• Supply chain attacks like SolarWinds and Microsoft Exchange
  • Parts of the Pentagon, Department of Homeland Security, State Department, Department of Energy, National Nuclear Security Administration and the Treasury, as well as major corporations such as Microsoft, Cisco, Intel and Deloitte, were impacted by software-related hacking.
  • There are no indicators of compromise in JMH systems, and the coordinated set of changes would allow us to block and detect this activity.
• Microsoft, March 2021: “This is the eighth time in the past 12 months that Microsoft has publicly disclosed nation-state groups targeting institutions critical to civil society; other activity we disclosed has targeted healthcare organizations fighting Covid-19, political campaigns and others involved in the 2020 elections, and high-profile attendees of major policymaking conferences.”

• 2020 was a transformative year as we think about how we work and where we work.
• JMH was well-positioned for the 2020 Covid-19 pandemic response due to our long-standing use of virtual desktop technology, integrated security tools and change management practices.
Information Security Trends
• >1MM minutes of screen sharing: the shift from in-person meetings to virtual meetings was enabled by our collaboration tools.
• >151K tele-health video visits: video visits became a core part of our care delivery model over the last 12 months.
• Zoom: >14K meetings and >6MM minutes: working and meeting virtually became best practice to maintain operations and to support the delivery of patient care.
• >462K remote desktop sessions: the shift to support administrative work from home and remote tele-work became the norm.
• >678K phishing emails received/blocked: phishing continues to be the primary threat to JMH systems and data.
Who is Knocking on our Front Door? (chart: scans by country)
Security monitors internal traffic as well. *RDP blocks
*TB – Terabyte, 84MM pages of printed text. *PB – Petabyte, 500 billion pages of printed text.
The demand for skills in DR is on the rise.
Managing Risk
Risk Landscape in 2021

Common Data Breach Sources / Causes* | Inherent Likelihood | Inherent Impact | Existing Controls | Residual Risk
Insider Threat (Malicious / Well-Intentioned but Careless Insiders) | High | High | Strong | Medium
Third-party / Business Associate Errors | Medium | High | Very Strong | Low
Malware / Ransomware | Very High | Very High | Strong | Medium
Vulnerabilities / Misconfigurations | Medium | Very High | Strong | Medium
Disaster Recovery | Medium | Very High | Strong | Medium
User Access / Excessive Permissions | Medium | Very High | Strong | Medium
Theft or Loss of Assets | High | High | Very Strong | Low
Regulatory Non-Compliance | Medium | High | Strong | Low
Social Engineering / Phishing | Very High | High | Strong | Medium
Weak / Shared / Stolen Credentials | High | High | Strong | Medium

*In determining the risk, consider the likelihood and impact of a threat occurring or a vulnerability being exploited, as well as the strength of the existing preventative and detective controls implemented.
(Legend on the slide: increase from prior year (2019); decrease from prior year (2019). The per-row arrow markings were not preserved in the transcript.)
Preparing for the Worst
Service Availability Details

Tier 0: Systems to enable secure access to JMH systems
  o Physical Infrastructure
  o Security Tools
Tier 1: Systems to provide patient care, including
  o EHR
  o PACS
  o Integration
Services shown on the slide: PACS Images; Finance; HR; Service Desk; Project Management; Email; Intranet; File Storage; Teams

Details
• Primary Data Center
• Secondary Data Center
• Disaster Recovery Site
• Patient data replication and backup
• Images/studies are archived in real-time

Best Practice: Data Protection
• Limited physical access
• Highly Available (2 on-line copies)
• Local Backups
• Off-site DR
• Daily Disconnected Cloud Backup

Cloud Platforms: What is the Future?
  o Leverage cloud services over physical location
Change and Release Management

• Change Management Team reviews all software and hardware changes and ensures that every update is properly managed and tested.
  • Applications Coordinator
  • Infrastructure Coordinator
  • Testing Coordinator
• During targeted attacks against healthcare, like SolarWinds and Microsoft Exchange, a rapid but comprehensive series of emergency changes was approved for immediate deployment to ensure our systems remained secure.
• Vulnerability Management process to identify and address these environmental risks, including those resulting from our core software vendors not keeping their software stacks current.

Change: Synergistically conducts change risk and business impact assessments across the entire clinical/business application portfolio and technical landscape.
Testing: Conducts rigorous review of end-to-end and integrated testing for all applications and technical changes, incorporating HRO/Team Checking principles during the testing and validation process.
Release: Enforcement of a standard release cycle for all changes to drive quality assurance and better communication/coordination, and to ensure a protected and stable environment.
The Work Ahead of Us
Fair & Just Process Decision Tree
Adapted from James Reason’s Decision Tree for Determining the Culpability of Unsafe Acts and the Incident Decision Tree of the National Patient Safety Agency (United Kingdom National Health Service). The flowchart’s Yes/No branches were not preserved in the transcript; the questions and outcomes it contained follow, grouped under the four tests shown across the top of the slide.

INTENTION
• Did the individual intend the act?
• Did the individual act with malicious intent (i.e., to cause physical/mental harm or other damage)?
CAPACITY
• Is there any suspicion of ill health, a medical condition, or substance abuse?
• (If ill health or a medical condition): Was the individual aware of the ill health or medical condition?
COMPLIANCE
• Did the individual depart from policies, procedures, protocols, or generally accepted performance expectations?
• Were the policies, procedures, protocols, or performance expectations available, understandable, workable, and in routine use?
• Were there significant mitigating circumstances that justify the act in this case?
SUBSTITUTION
• Would individuals in the same profession, with comparable knowledge, skills, and experience act the same under similar circumstances?
• Were there any deficiencies in related training, experience, or supervision?
• Is there evidence that the individual chose to take an unacceptable risk OR has a trend in poor performance or decision making?

Outcomes: Malevolent or Willful Misconduct / Substance Abuse; Suspected Medical Condition or Ill Health (HR Business Partner Consult); Possible Reckless or Negligent Behavior; Possible Unintended Human Error; Possible System-Induced Error.
Dispositions: Reckless Behavior – Consequences; Reckless Behavior/At Risk – Consequences/Coaching; At Risk – Coaching; Human Error – Console/Coaching; Human Error – Console.
Define Your Key Initiatives

Framework and Controls Library Update
Update the controls library with lessons learned over the COVID-19 pandemic and align with standards: NIST CSF*, CIS Top 20*, etc.

Data Release Form and Technical Risk Evaluation
Define a process to assess the risk of individual initiatives, and continue to update these processes to align with the updated Security Policies and the controls library, NIST CSF*, CIS Top 20*, etc.

Vulnerability Management
Deploy software with the assumption that systems have vulnerabilities, no matter how you protect them. Develop a robust Vulnerability Management Program.

Supporting Remote Work & Next Generation Endpoint Controls
Develop and deploy controls based on a common platform to allow and support a more permanent work-from-home environment and greater mobility, Bring Your Own Device and Telemedicine. This may include Self-Service Password Reset and expanding Advanced Threat Detection for lateral movement and identity-based attacks inside the network and cloud.

Privileged Access Management
Manage privileged access (administrator accounts) with a limited implementation of appropriate software to track account use and prevent misuse.

*National Institute of Standards and Technology Cybersecurity Framework and The Center for Internet Security (CIS) Top 20 Critical Security Controls
You are going to have a bad day… and that’s OK.

Questions & Discussion
Discovering and Disclosing Vulnerabilities
Mike Powers, MBA, CHTM, CDP, CMDA; Director, Clinical Engineering; Intermountain Healthcare
Nader Hammoud, MBA; Biomedical Engineering Manager; John Muir Health; ACCE Education Committee Co-Chair
About the speaker
Mike Powers is a CE Director at Intermountain Healthcare, headquartered in Salt Lake City, Utah. Intermountain is a health network including 23 hospitals, a medical group, ambulatory surgery centers, instacare clinics, and imaging centers. He co-leads a task group for the Health Sector Coordinating Council on Legacy Medical Device Cybersecurity. He is a member of the AAMI Healthcare Technology Leadership Committee. Prior to Intermountain, he was the Clinical Engineering Quality Manager at Christiana Care Health System. He has an MBA in Healthcare Administration from Wilmington University and is a Certified Healthcare Technology Manager, Diversity Professional and Medical Device Auditor.
About the speaker
Nader Hammoud is currently the Biomedical Engineering Manager at John Muir Health.
• Biomedical Engineer with 3 degrees in Biomedical Engineering and an MBA
• International Experience
• Active member of the HTM community
• Member of the Technology Management Council at AAMI
• ACCE Education Committee Co-Chair
• California HTM of the year for 2018
• Recognized by ECRI and FDA for efforts in the domain
Session Description
1. Inventory
2. CMDB vs CMMS
3. Discuss Mapping Device information
4. Discuss Passive Network Detection
5. Talk about CVE
6. MDS2
7. Talk about SBoM
8. VEX
Importance of Inventory
Having a comprehensive inventory is the key to timely discovery of vulnerable devices
Record Keeping Comparison
CMDB: Configuration Management Database – an Information Technology database that Medical Equipment Managers may not use and that usually does not interface with a CMMS.
CMMS: Computerized Maintenance Management System – a Healthcare Technology Management database that IT Managers may not use and that usually does not interface with a CMDB.
Mapping Device Information
At installation, or as part of a discovery process, devices should have their relevant information captured and recorded. This may include but is not limited to:
• IP address
• MAC address
• Unique software entity information – OS / other software packages
• Anti-malware
• Ports needed for communication
Passive Network Detection – Mapping the Device
• Systems that analyze traffic passively on a network to assist in the security management of medical devices
  • Identification/inventory of devices
  • Alerting to vulnerabilities and anomalies
  • Recommending risk mitigations
  • Managing policies
• ECRI nomenclature: IoMT Security Solutions

Passive Network Detection – Cont’d
• ECRI nomenclature: IoMT Security Solutions
• IoMT security solutions are software or hardware IT systems that aim to help providers improve the security posture of their medical device assets.
• Most products achieve this goal by monitoring network traffic within the healthcare provider’s system and using the collected data to
  • infer the nature and identity of the device, and
  • establish baseline behaviors and detect unexpected actions, which may be malicious.
• Many of the solutions employ machine learning to aid in these functions.
National Vulnerability Database
• CVE – The Common Vulnerabilities and Exposures system provides a reference method for publicly known information-security vulnerabilities and exposures.
• CVSS – Common Vulnerability Scoring System, the severity scoring system for vulnerabilities. For example, CVE-2017-0143.
• NVD – Home (nist.gov)
• Example of WannaCry (NVD entry shown on the slide)
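The mapping, passive-detection and CVE steps above, as an added example that is not part of the presentation: a small Python reconciliation of a CMMS export against passive-discovery observations, flagging devices on the wire that the CMMS does not know, inventory drift (moved IPs, unexpected open ports), assets never seen, and CMMS records whose recorded OS matches a CVE. The CMMS records, discovery observations and the CVE table are constructed; the OS/port mapping for CVE-2017-0143 is a simplification for the example.

```python
"""Reconcile a CMMS device inventory with passive network discovery records,
then flag devices whose recorded software matches a known CVE.

Added example (not from the presentation). The CMMS export, the discovery
observations and the CVE table are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Device:
    """One CMMS record holding the fields the slide says to capture."""
    asset_tag: str
    name: str
    ip: str
    mac: str
    os: str                 # unique software entity information
    ports: tuple = ()       # ports needed for communication
    anti_malware: bool = False


# Constructed CMMS export (Clinical Engineering's system of record).
CMMS = [
    Device("BME-1001", "Infusion pump", "10.20.1.15", "00:1a:2b:3c:4d:01",
           "Embedded Linux 4.9", (443,), False),
    Device("BME-1002", "Ultrasound cart", "10.20.1.22", "00:1a:2b:3c:4d:02",
           "Windows 7 SP1", (104, 445), True),
    Device("BME-1003", "Patient monitor", "10.20.1.31", "00:1a:2b:3c:4d:03",
           "Windows XP SP3", (2575,), False),
]

# Constructed passive-discovery observations. Keyed by MAC because DHCP moves IPs.
DISCOVERED = [
    {"mac": "00:1a:2b:3c:4d:01", "ip": "10.20.1.15", "os": "Embedded Linux 4.9", "ports_seen": [443]},
    {"mac": "00:1a:2b:3c:4d:02", "ip": "10.20.1.40", "os": "Windows 7 SP1", "ports_seen": [104, 445, 3389]},
    {"mac": "00:1a:2b:3c:4d:09", "ip": "10.20.1.77", "os": "Windows 7 SP1", "ports_seen": [445]},
]

# Constructed CVE table: (CVE id, affected OS name prefixes, ports that expose it).
# CVE-2017-0143 is the SMBv1 flaw cited on the slide (WannaCry); the OS/port
# mapping here is a simplification for the example.
CVES = [
    ("CVE-2017-0143", ("Windows XP", "Windows 7", "Windows Server 2008"), {445}),
]


def reconcile(cmms, discovered):
    """Compare the CMMS against what the network actually shows.

    Returns unknown MACs (on the wire but not in the CMMS), drift for known
    devices (changed IP, ports open that the record does not list) and
    assets the CMMS lists but discovery never saw.
    """
    by_mac = {d.mac: d for d in cmms}
    seen = set()
    result = {"unknown": [], "drift": [], "not_seen": []}
    for obs in discovered:
        dev = by_mac.get(obs["mac"])
        if dev is None:
            result["unknown"].append(obs["mac"])
            continue
        seen.add(dev.asset_tag)
        changes = {}
        if obs["ip"] != dev.ip:
            changes["ip"] = (dev.ip, obs["ip"])
        extra = sorted(set(obs["ports_seen"]) - set(dev.ports))
        if extra:
            changes["unexpected_ports"] = extra
        if changes:
            result["drift"].append((dev.asset_tag, changes))
    result["not_seen"] = [d.asset_tag for d in cmms if d.asset_tag not in seen]
    return result


def match_cves(cmms, discovered, cves):
    """Match each CMMS record's OS against the CVE table.

    'reachable' is True only when a port the CVE needs was actually observed
    open by passive detection (falling back to the CMMS port list when the
    device was never observed); that is what turns a CVE into a priority.
    """
    ports_seen = {o["mac"]: set(o["ports_seen"]) for o in discovered}
    findings = []
    for dev in cmms:
        for cve_id, os_prefixes, ports in cves:
            if not dev.os.startswith(os_prefixes):
                continue
            open_ports = ports_seen.get(dev.mac, set(dev.ports))
            findings.append((dev.asset_tag, cve_id, bool(ports & open_ports)))
    return findings


if __name__ == "__main__":
    print(reconcile(CMMS, DISCOVERED))
    print(match_cves(CMMS, DISCOVERED, CVES))
```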
Clinical Considerations & Vulnerabilities
• Device use (diagnostic, life sustaining)
• Clinical impact (is this used in emergency situations?)
• Environment of use (ER, outpatient, etc.)
• Available alternatives (what do you do when this device is impacted?)
• Device portability/access (handheld vs MRI room)
• Amount of PHI/sensitive information
Tools available: Pre-Purchase
• MDS2 2019
  • Manufacturer Disclosure Statement for Medical Device Security (nema.org)
• SBOM
  • Software Bill of Materials: https://ntia.gov/sbom
  • Additional information about SBOMs, why they are useful and how they are used.
The land of Tomorrow…
• Looking forward, what is on the horizon to help with these tasks?
• VEX!
VEX summary
• VEX stands for “Vulnerability Exploitability eXchange”. It was developed by the Software Component Transparency Initiative, which is sponsored by the National Telecommunications and Information Administration (NTIA) of the US Department of Commerce. While the VEX concept was developed to fill a particular need regarding use of software bills of materials (SBOMs), it isn’t limited to use with SBOMs.
• The primary use cases for VEX are to help the consumer (e.g. operators, developers, and third-party service providers) understand whether a product is impacted by a specific vulnerability in a particular component and, if it is affected, whether there are actions to be taken. In fact, in a large percentage of cases, a vulnerability listed for a component will not be “exploitable” in the final product, for various reasons (e.g., the affected code is not loaded by the compiler, or some inline protections exist elsewhere in the software).
• To prevent software-using organizations from spending valuable time fruitlessly searching for non-exploitable vulnerabilities in software products they operate, the supplier can issue a VEX. This can attest to the following status types:
  • Not affected – No remediation is required regarding this vulnerability.
  • Affected – Actions are recommended to remediate or address this vulnerability.
  • Fixed – These versions contain a fix for the vulnerability.
  • Under investigation – It is not known yet whether these versions are affected by the vulnerability; the result will be provided in a later release of the document.
Sample VEX (fragment of a CSAF VEX document as shown on the slide, reassembled from the two interleaved slide columns)

"vulnerabilities": [
  {
    "cve": "CVE-2018-8304",
    "discovery_date": "2019-10-01T17:00:00.000Z",
    "product_status": { "known_affected": [ "CSAFPID-0002" ] },
    "scores": [
      {
        "products": [ "MDM Product XYZ" ],
        "cvss_v3": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "availabilityImpact": "HIGH"
        }
      }
    ]
  },
  {
    "cve": "CVE-2015-1637",
    "discovery_date": "2018-08-02T17:00:00.000Z",
    "product_status": { "known_affected": [ "MDM Product XYZ" ] },
    "scores": [ { "products": [ "CSAFPID-0002" ] } ],
    "cwe": {
      "id": "CWE-1320",
      "name": "Improper Protection for Out of Bounds Signal Level Alerts"
    }
  }
]
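The VEX status types from the summary, applied to a CSAF-style document: an added example, not code from the presentation or from the NTIA/CSAF projects. It parses the `product_status` lists for one product ID, maps each status to the operator action the summary describes, attaches the CSAF justification flag and CVSS score where the document carries them, and refuses a document that lists the same product under two statuses. The VEX document is constructed (CVE-2018-8304 and CVE-2015-1637 are the identifiers on the slide; the CVE-0000-EXAMPLE* identifiers are placeholders); the `product_status` keys and the `flags` label are CSAF 2.0 names, the action strings are this example's own.

```python
"""Triage a CSAF-style VEX document for one product ID.

Added example (not from the presentation). The VEX document below is
constructed; CVE-2018-8304 and CVE-2015-1637 are the identifiers shown on the
slide, the CVE-0000-EXAMPLE* identifiers are placeholders. The product_status
keys (known_affected, known_not_affected, fixed, under_investigation) and the
flags label are CSAF 2.0 names; the action strings are this example's own.
"""
import json

VEX_JSON = """
{
  "document": {"title": "Constructed VEX for MDM Product XYZ", "csaf_version": "2.0"},
  "product_tree": {"full_product_names": [
    {"product_id": "CSAFPID-0001", "name": "MDM Product XYZ 1.0"},
    {"product_id": "CSAFPID-0002", "name": "MDM Product XYZ 1.1"}]},
  "vulnerabilities": [
    {"cve": "CVE-2018-8304",
     "product_status": {"known_affected": ["CSAFPID-0002"]},
     "scores": [{"products": ["CSAFPID-0002"],
                 "cvss_v3": {"version": "3.1", "baseScore": 5.9, "baseSeverity": "MEDIUM"}}]},
    {"cve": "CVE-2015-1637",
     "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]}},
    {"cve": "CVE-0000-EXAMPLE1",
     "product_status": {"known_not_affected": ["CSAFPID-0001", "CSAFPID-0002"]},
     "flags": [{"label": "vulnerable_code_not_in_execute_path",
                "product_ids": ["CSAFPID-0001", "CSAFPID-0002"]}]},
    {"cve": "CVE-0000-EXAMPLE2",
     "product_status": {"under_investigation": ["CSAFPID-0002"]}}
  ]
}
"""

# What each VEX status means for the operator (mirrors the four status types
# in the VEX summary).
ACTION = {
    "known_affected": "remediate or apply the supplier's mitigation",
    "fixed": "no action; confirm the installed version is the fixed one",
    "known_not_affected": "no action",
    "under_investigation": "track; re-check the next release of the VEX",
}


def triage(vex, product_id):
    """Return one entry per vulnerability: status for this product, the
    resulting action, and the CSAF justification flag / CVSS score if present.

    Raises ValueError if the document lists the product under two statuses,
    which is an inconsistent VEX and must not be silently trusted."""
    doc = json.loads(vex) if isinstance(vex, str) else vex
    results = []
    for vuln in doc.get("vulnerabilities", []):
        statuses = [s for s, ids in vuln.get("product_status", {}).items()
                    if product_id in ids]
        if len(statuses) > 1:
            raise ValueError(f"{vuln['cve']}: conflicting statuses {statuses}")
        status = statuses[0] if statuses else "not_listed"
        entry = {"cve": vuln["cve"], "status": status,
                 "action": ACTION.get(status, "not covered by this VEX; check SBOM and NVD")}
        for flag in vuln.get("flags", []):
            if product_id in flag.get("product_ids", []):
                entry["justification"] = flag["label"]
        for score in vuln.get("scores", []):
            if product_id in score.get("products", []) and "cvss_v3" in score:
                entry["cvss"] = score["cvss_v3"]["baseScore"]
        results.append(entry)
    return results


def needs_action(vex, product_id):
    """CVE ids that actually require remediation for this product."""
    return sorted(e["cve"] for e in triage(vex, product_id)
                  if e["status"] == "known_affected")


if __name__ == "__main__":
    for entry in triage(VEX_JSON, "CSAFPID-0002"):
        print(entry)
```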
Questions

Coffee Break: please be back by 10:50 am to join Matt Dimino for “Aligning NIST Cybersecurity Framework with Clinical Engineering Operations”.

Aligning NIST Cybersecurity Framework with Clinical Engineering Operations
Matt Dimino, CISM, CRISC, CEH, HCISPP, CySA+, Digital Asset Program Director
First Health Advisory
About the speaker
• Based out of Indianapolis, IN
• 15 years in Clinical Engineering, 6+ in IoMT Security
• Part of First Health’s Cyber Security Managed Services
• Specialized in risk management for IoMT devices
• Worked in the past for various consulting firms & HDOs
• Associate faculty for IUPUI
• CISM, CRISC, CEH, HCISPP, CySA+
Session Description
Aligning NIST Cybersecurity Framework with Clinical Engineering Operations:
• Background on the NIST CSF and the benefits of adoption
• Defining the components of NIST CSF
• Breaking down the Core, Profiles, and Tiers to CE operations
• Determining current state, defining desired state, and measuring NIST CSF maturity to CE operations
What is NIST Cybersecurity Framework (CSF)?
• The National Institute of Standards and Technology (NIST) published version 1.0 of its Cybersecurity Framework (CSF) in February 2014
• In response to Executive Order 13636, as an effort to improve the cybersecurity of critical infrastructure
• NIST released the most current version, 1.1, of the Framework in April 2018
Source: https://www.cisa.gov/publication/eo-13636-ppd-21-fact-sheet
NIST CSF
• Common language for addressing and understanding cybersecurity across all industries
• Establishes clear communication to upper management, incorporating cybersecurity into an organization’s overall mission
• Bridges the gap between technical and business-side stakeholders
• The ability to demonstrate due diligence and due care by adopting the framework
• Enables long-term cybersecurity and risk management
• Like GAAP is to Accounting, NIST is to Cybersecurity
Why NIST CSF?
• It’s a framework
  - Not a law or regulatory mandate
  - Voluntary, adaptable and flexible
  - Enables repeatable business processes
  - Applies security in layers
  - Helps maintain security strategies
• Leverages standards, methodologies, and processes
  - Not a compliance checklist or control
• Risk-based approach
  - Focused on top-down high impact risks
  - Connects executives, business, and operations
Source: https://www.risklens.com/cyber-risk-solutions/nist-csf-fair
Uses and Benefits of the Framework
• Provides a common language and systematic methodology for managing cybersecurity risk.
• The core identifies activities that should be incorporated into a cybersecurity program.
• The Framework is to complement, not replace, current practices.
• Evaluate an enterprise-wide cybersecurity posture and maturity by conducting an assessment against the CSF model.
• Evaluation of current and proposed products and services to meet security objectives aligned to CSF.
NIST CSF Components
• Core: The Core is a set of desired cybersecurity activities and outcomes organized into categories and aligned to informative references.
• Profiles: Profiles are an organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core.
• Tiers: Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework.
NIST CSF Core
Cybersecurity activities and desired outcomes that are best practices for securing assets.

IDENTIFY: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
PROTECT: ID and Access Control; Awareness and Training; Data Security; Information Protection and Procedures; Maintenance; Protective Technology
DETECT: Anomalies and Events; Security Continuous Monitoring; Detection Processes
RESPOND: Response Planning; Communications; Analysis; Mitigation; Improvements
RECOVER: Recovery Planning; Improvements; Communications

The Five Core Functions
• Highest level of abstraction is the core
• Represents five key pillars of a successful and holistic cybersecurity program
• Assists organizations in expressing their management of cybersecurity risk at a high level
Framework Core: The Identify Function
The Identify Function assists in developing an organizational understanding of managing cybersecurity risk to systems, people, assets, data, and capabilities.
Example Outcomes:
• Identifying physical assets and software of IoMT devices to establish an asset management program
• Identifying cybersecurity policies to define a governance program
• Conducting risk assessments on IoMT devices
• Identifying a risk management strategy for IoMT devices

Framework Core: The Protect Function
The Protect Function supports the ability to limit or contain the impact of potential cybersecurity events and outlines safeguards for delivery of critical services.
Example Outcomes:
• Establishing data security protection to protect the confidentiality, integrity, and availability of IoMT devices
• Managing protective technology to ensure the security and resilience of IoMT systems
• Empowering staff within the organization through awareness and training

Framework Core: The Detect Function
The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event in a timely manner.
Example Outcomes:
• Implementing security continuous monitoring capabilities to monitor cybersecurity events of IoMT devices
• Ensuring anomalies and events are detected, and their potential impact is understood
• Verifying the effectiveness of protective measures

Framework Core: The Respond Function
The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident to minimize impact.
Example Outcomes:
• Ensuring response planning processes include IoMT devices and are executed during and after an incident
• Managing communications during and after an event
• Analyzing effectiveness of response activities for IoMT devices

Framework Core: The Recover Function
The Recover Function identifies appropriate activities to maintain plans for resilience and to restore services impaired during cybersecurity incidents.
Example Outcomes:
• Ensuring the organization implements recovery planning processes and procedures that include IoMT devices
• Implementing improvements based on lessons learned
• Being active in communications during recovery activities that involve IoMT devices
NIST CSF Core
• Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
• Protect – Develop and implement the appropriate safeguards to ensure delivery of critical services.
• Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
• Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
• Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

5 Functions, 23 Categories, 108 Subcategories, 6 Informative References
NIST CSF Core: Identify – Asset Management (ID.AM) mapped to CE operations

ID.AM-1: Physical devices and systems within the organization are inventoried
  Informative References: NIST SP 800-53 Rev. 5 CM-8, PM-5
  CE Responsibilities: Medical devices are inventoried within the CMMS.
  CE Operations: Update CMMS via CMs & PMs. Utilize passive scanning tool and integration.

ID.AM-2: Software platforms and applications within the organization are inventoried
  Informative References: NIST SP 800-53 Rev. 5 CM-8
  CE Responsibilities: Medical device software and applications are inventoried.
  CE Operations: Update CMMS via CMs & PMs. Utilize passive scanning tool and integration.

ID.AM-3: Organizational communication and data flows are mapped
  Informative References: NIST SP 800-53 Rev. 5 AC-4, CA-3, CA-9, PL-8, SA-17
  CE Responsibilities: Medical device communication data flows are mapped.
  CE Operations: Evaluate network data flow of medical devices with the help of a passive scanning tool.

ID.AM-4: External information systems are catalogued
  Informative References: NIST SP 800-53 Rev. 5 AC-20, PM-5, SA-9
  CE Responsibilities: Medical devices that process PII or ePHI are identified. External providers of services and communications to devices are identified and monitored.
  CE Operations: Identify devices with PII and ePHI transmission and storage via CMMS. Utilize a passive scanning tool for better accountability and auditability.

ID.AM-5: Resources are prioritized based on their classification, criticality, and business value
  Informative References: NIST SP 800-53 Rev. 5 CP-2, RA-2, RA-9, SA-20, SC-6
  CE Responsibilities: Medical devices are categorized by performing a business impact analysis (BIA).
  CE Operations: Engage clinical units to perform a business impact analysis. Use passive scanning tool to identify utilization.

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and 3rd party stakeholders are established
  Informative References: NIST SP 800-53 Rev. 5 CP-2, PS-7, PM-2, PM-29
  CE Responsibilities: N/A
  CE Operations: N/A
Function / Category / ID
Identify
  Asset Management – ID.AM
  Business Environment – ID.BE
  Governance – ID.GV
  Risk Assessment – ID.RA
  Risk Management Strategy – ID.RM
  Supply Chain Risk Management – ID.SC
Protect
  Identity Management & Access Control – PR.AC
  Awareness and Training – PR.AT
  Data Security – PR.DS
  Information Protection Processes & Procedures – PR.IP
  Maintenance – PR.MA
  Protective Technology – PR.PT
Detect
  Anomalies and Events – DE.AE
  Security Continuous Monitoring – DE.CM
  Detection Processes – DE.DP
Respond
  Response Planning – RS.RP
  Communications – RS.CO
  Analysis – RS.AN
  Mitigation – RS.MI
  Improvements – RS.IM
Recover
  Recovery Planning – RC.RP
  Improvements – RC.IM
  Communications – RC.CO
Mapping the NIST CSF Data Security (PR.DS) subcategories to clinical engineering (CE) responsibilities and operations

PR.DS-1: Data-at-rest is protected
  Informative references: NIST SP 800-53 Rev. 5 MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8, SC-28
  CE responsibilities: Identify and document devices that have encryption mechanisms available, inherent or via a third party.
  CE operations: Enable encryption features on devices; test, verify, and document.

PR.DS-2: Data-in-transit is protected
  Informative references: NIST SP 800-53 Rev. 5 SC-8, SC-11
  CE responsibilities: Identify inherent device functions and features for data-in-transit protection.
  CE operations: Configure devices, when applicable, for data-in-transit protection.

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
  Informative references: NIST SP 800-53 Rev. 5 CM-8, MP-6, PE-16, PE-20
  CE responsibilities: Medical device lifecycle management policies and procedures.
  CE operations: Have formal decommissioning processes with media sanitization policies; document chain of custody.

PR.DS-4: Adequate capacity to ensure availability is maintained
  Informative references: NIST SP 800-53 Rev. 5 AU-4, CP-2, PE-11, SC-5
  CE responsibilities: Have contingency plans for high-utilization and high-impact devices.
  CE operations: Test and share contingency plans for systems that are essential to business operations.

PR.DS-5: Protections against data leaks are implemented
  Informative references: NIST SP 800-53 Rev. 5 AC-4, AC-5, AC-6, AU-13, PE-19, PS-6, SC-7, SI-4
  CE responsibilities: Identify and document devices that have data loss prevention (DLP) mechanisms.
  CE operations: If DLP agents can be installed, enable them. Use anti-virus and next-generation firewalls (NGFW) where applicable.

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
  Informative references: NIST SP 800-53 Rev. 5 SI-7, SI-10
  CE responsibilities: Identify inherent controls that verify the integrity of device software.
  CE operations: Use integrity checking mechanisms on devices where and when applicable.

PR.DS-7: The development and testing environments are separate from the production environment
  Informative references: NIST SP 800-53 Rev. 5 CM-2
  CE responsibilities: Identify applicable development instances and VM opportunities for testing patches or changes.
  CE operations: Ensure changes to major systems and applications are tested in a development instance first.
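The PR.DS-6 row asks CE to use integrity checking where a device or its update process offers it. The most common form an HDO can act on itself is a vendor-published digest list for update packages. The script below is an added example for this page (not vendor, ACCE or presenter code): it parses a manifest in the two-column `sha256sum` format, hashes each local image, and reports ok / MISMATCH / MISSING, refusing to deploy unless every entry verifies. The image names, bytes and manifest are constructed for the demonstration. One caveat the table leaves implicit: a digest only proves integrity if the manifest itself arrived through a channel the attacker could not also control (a vendor portal over TLS, or a signed manifest), not alongside the download on the same share.

```python
"""Verify device software/firmware update images against a vendor SHA-256 manifest (PR.DS-6).

Added example for this page, not vendor or ACCE code. The manifest uses the two-column
`sha256sum` format ("<hex digest>  <file name>"); the image names and bytes below are
constructed for the demonstration.
"""
import hashlib
import hmac
from typing import Callable, Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "images" standing in for downloaded update packages.
SAMPLE_IMAGES: Dict[str, bytes] = {
    "pump-fw-4.2.1.bin": b"IMAGE:pump:4.2.1:" + bytes(range(64)),
    "monitor-app-9.0.3.msi": b"IMAGE:monitor:9.0.3:" + bytes(range(64, 128)),
}

# Constructed manifest. The pump entry is correct; the monitor entry is deliberately
# wrong (a tampered or corrupted download); the ventilator image is not present locally.
SAMPLE_MANIFEST = "\n".join([
    "# vendor update manifest (constructed)",
    sha256_hex(SAMPLE_IMAGES["pump-fw-4.2.1.bin"]) + "  pump-fw-4.2.1.bin",
    "0" * 64 + "  monitor-app-9.0.3.msi",
    "1" * 64 + "  *ventilator-fw-2.0.0.bin",
])


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines into {file name: lower-case hex digest}.

    Blank lines and '#' comments are skipped; a leading '*' on the name (sha256sum's
    binary-mode marker) is dropped; anything else malformed is rejected outright.
    """
    hexdigits = set("0123456789abcdefABCDEF")
    expected: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        name = name.lstrip("*").strip()
        if not sep or len(digest) != 64 or set(digest) - hexdigits or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name] = digest.lower()
    return expected


def verify_images(manifest_text: str, read_image: Callable[[str], bytes]) -> Dict[str, str]:
    """Return {file name: "ok" | "MISMATCH" | "MISSING"} for every manifest entry.

    read_image(name) returns the bytes of a local file or raises FileNotFoundError.
    """
    results: Dict[str, str] = {}
    for name, expected in parse_manifest(manifest_text).items():
        try:
            actual = sha256_hex(read_image(name))
        except FileNotFoundError:
            results[name] = "MISSING"
            continue
        # compare_digest: constant-time comparison, a good habit for any digest check
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def all_verified(results: Dict[str, str]) -> bool:
    """Deployment gate: proceed only when the manifest is non-empty and every entry is ok."""
    return bool(results) and all(status == "ok" for status in results.values())


def read_sample(name: str) -> bytes:
    """Stand-in for open(name, 'rb').read() over the constructed images."""
    try:
        return SAMPLE_IMAGES[name]
    except KeyError:
        raise FileNotFoundError(name) from None


if __name__ == "__main__":
    report = verify_images(SAMPLE_MANIFEST, read_sample)
    for name, status in report.items():
        print(f"{status:9}{name}")
    print("safe to deploy:", all_verified(report))
```

For real update packages, pass `lambda n: open(n, "rb").read()` as `read_image` and the manifest text read from the vendor's file; the result dictionary is what you attach to the change record to satisfy the "test, verify, and document" step.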
CSF Implementation Tiers
• Allow entities to identify their priorities
• Based on the assumption that different entities face different cybersecurity risks
• Enterprises can read through the tier qualifications and identify which tier, and subsequent guidelines, best fit their businesses
• How you want to manage risk and how mature you want the processes to be
• How well integrated cyber activities are into business processes
NIST CSF Implementation Tiers

Maturity Level: Identify Implementation Tiers

Tier 1 (Partial)
• Incomplete inventory; manual processes
• Software and applications on devices are unknown or ad hoc
Tier 2 (Informed)
• Continuous updating of inventory and reconciliation
• Understand data flows between devices and clinical systems
Tier 3 (Repeatable)
• Inventory is accurate within the CMMS
• Software and applications are accounted for on devices
• Encryption on critical medical devices
Tier 4 (Adaptive)
• Inventory is updated in real time
• Software and application versions for devices are updated in real time
• Data flows are mapped and active

Maturity Level: Protect Implementation Tiers

Tier 1 (Partial)
• Some basic protections in place, such as firewall enabled and/or anti-virus installed
• Security awareness training
Tier 2 (Informed)
• Continuous vulnerability management for a majority of medical devices
• Continuous risk assessments and training
• Partial network segmentation and ACLs
Tier 3 (Repeatable)
• Encryption on critical medical devices
• Proactive vulnerability management (threat hunting)
Tier 4 (Adaptive)
• Zones and zero trust
• Penetration testing on network segments and controls
Framework Profiles
• Profiles guide entities through a self-assessment
• Optimizing the CSF to best serve the organization
• Alignment of organizational requirements and objectives, risk appetite, and resources against desired outcomes of the Framework Core
• Profiles are opportunities to improve cybersecurity posture by comparing a "Current" profile with a "Target" profile

NIST CSF Profiles

[Chart: Current vs. Target tier (1 to 4) for each function: Identify, Protect, Detect, Respond, Recover]

Target Profile

Subcategory  Priority  Gaps    Budget  Activities (year 1 / year 2)
1            High      Large   $$$     X
2            Low       Small   $$      X
3            Moderate  Medium  $$      X
...          ...       ...     ...     ...
108          Moderate  None    $$$     Reassess
Organizational Risk: Biomedical Device Mitigations
• January 5, 2021: the HITECH Act was amended (H.R. 7898) to provide what is commonly called a "safe harbor" in the event of a cyber incident. It mitigates rather than removes liability.
• Organizations that can show they had recognized security practices (for example the NIST CSF) in place across their systems for the 12 months before a breach must have that taken into account by HHS when it determines fines, audit scope and remedies, which in practice means shorter audits and reduced fines.
• Biomedical devices require specific mitigations to align with the NIST CSF.
Identify

ID.AM Asset Management
• All medical devices are inventoried
• Software and applications on medical devices are inventoried
• Medical device criticality and sensitivity to the organization is identified
ID.BE Business Environment
• Medical device critical business functions must be identified
• Medical device system dependencies need to be established
• Resilience requirements for medical devices supporting critical functions need to be established
ID.GV Governance
• Risk management processes need to be applied to medical devices
ID.RA Risk Assessment
• Medical device vulnerabilities must be identified and documented
• Threats to medical devices are identified and documented
• Business impacts and likelihoods are identified
ID.RM Risk Management Strategy
• Risk management processes are established, managed, and agreed to by stakeholders
• Risk tolerance for medical devices must be determined
Protect

PR.AC Access Control
• Access to medical devices is limited to authorized users and processes
• Remote access to medical devices must be managed
PR.AT Awareness & Training
• Privileged users of medical devices need to understand their roles and responsibilities
PR.DS Data Security
• Data on medical devices is protected
• Data transmitted by medical devices is protected
PR.IP Information Protection
• Medical device security baselines are established
• Media sanitization for medical devices is established
PR.MA Maintenance
PR.PT Protective Technology
• Removable media for medical devices is restricted
Detect

DE.AE Anomalies & Events
• Anomaly and event detection for medical devices must be established
DE.CM Continuous Monitoring
• Medical device network activity is monitored to detect cybersecurity events
• Monitoring for unauthorized devices and connections is performed
DE.DP Detection Processes
• Event detection processes are in place and tested for medical devices
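DE.CM asks for monitoring of unauthorized devices and connections, and the Identify tiers above set the prerequisite: an inventory that is accurate within the CMMS and, at Tier 4, mapped data flows. The two come together in a reconciliation check. The script below is an added example for this page, not a product or the presenter's tooling: it normalizes MAC addresses (CMMS exports and switch logs rarely agree on format), loads a small inventory with each device's mapped server connections, parses a flow log, and reports MACs that are not in the inventory as well as inventoried devices talking outside their mapped flows. The inventory rows, flows and log lines are constructed; in practice the inventory comes from the CMMS export and the flows from the network monitoring tool.

```python
"""Reconcile observed network activity against the medical device inventory (ID.AM / DE.CM).

Added example for this page, not a product or the presenter's tooling. The inventory rows,
mapped data flows and flow-log lines are constructed; a real run would export the inventory
from the CMMS and read flows from the network monitoring tool.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, int]                   # (destination IP, destination port)
FlowRecord = Tuple[str, str, str, Flow]  # (timestamp, source MAC, source IP, flow)


@dataclass
class Asset:
    asset_id: str
    model: str
    mac: str
    allowed_flows: Set[Flow] = field(default_factory=set)  # mapped data flows for this device


def norm_mac(mac: str) -> str:
    """Normalize '00-1A-2B-3C-4D-5E', '001a.2b3c.4d5e' and '00:1a:...' to 'xx:xx:xx:xx:xx:xx'."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed CMMS export: two devices and the server connections mapped for each.
INVENTORY: List[Asset] = [
    Asset("CE-10234", "Infusion pump", "00:1A:2B:3C:4D:5E", {("10.10.5.20", 443)}),
    Asset("CE-10877", "Patient monitor", "00-1A-2B-3C-4D-9F",
          {("10.10.5.30", 2575), ("10.10.5.31", 443)}),
]

# Constructed flow log, one record per line: "<timestamp> <src MAC> <src IP> <dst IP> <dst port>"
FLOW_LOG = """\
2021-08-09T10:01:00Z 00:1a:2b:3c:4d:5e 10.10.20.15 10.10.5.20 443
2021-08-09T10:01:07Z 00:1a:2b:3c:4d:9f 10.10.20.16 10.10.5.30 2575
2021-08-09T10:02:13Z 00:1a:2b:3c:4d:5e 10.10.20.15 198.51.100.7 445
2021-08-09T10:03:40Z 54:ee:75:11:22:33 10.10.20.99 10.10.5.30 2575
2021-08-09T10:03:41Z 54:ee:75:11:22:33 10.10.20.99 10.10.5.30 22
this line is garbage and is skipped
"""


def parse_flows(text: str) -> List[FlowRecord]:
    """Parse the flow log; malformed lines are dropped rather than aborting the run."""
    records: List[FlowRecord] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, mac, src_ip, dst_ip, port = parts
        try:
            records.append((ts, norm_mac(mac), src_ip, (dst_ip, int(port))))
        except ValueError:
            continue
    return records


def reconcile(inventory: List[Asset], flows: List[FlowRecord]):
    """Return (unknown_devices, unmapped_flows).

    unknown_devices: {mac: [(timestamp, src IP, flow), ...]} for MACs absent from the CMMS
    unmapped_flows:  [(asset_id, timestamp, flow), ...] for inventoried devices talking
                     outside their mapped data flows
    """
    by_mac = {norm_mac(a.mac): a for a in inventory}
    unknown: Dict[str, list] = defaultdict(list)
    unmapped: List[Tuple[str, str, Flow]] = []
    for ts, mac, src_ip, flow in flows:
        asset = by_mac.get(mac)
        if asset is None:
            unknown[mac].append((ts, src_ip, flow))
        elif flow not in asset.allowed_flows:
            unmapped.append((asset.asset_id, ts, flow))
    return dict(unknown), unmapped


if __name__ == "__main__":
    unknown, unmapped = reconcile(INVENTORY, parse_flows(FLOW_LOG))
    for mac, seen in unknown.items():
        print(f"UNKNOWN DEVICE {mac}: {len(seen)} flow(s), first seen {seen[0][0]} from {seen[0][1]}")
    for asset_id, ts, (ip, port) in unmapped:
        print(f"UNMAPPED FLOW  {asset_id} -> {ip}:{port} at {ts}")
```

In the constructed data the pump's SMB connection to an address outside the mapped flows and the unlisted MAC talking to the monitor gateway are the two findings; the first is a DE.CM event to investigate, the second is either a CMMS gap (an ID.AM finding) or a rogue device. Keying on MAC alone is a known weakness (MACs can be spoofed and change on NIC replacement), which is why the inventory reconciliation should be paired with switch-port or 802.1X data where the network supports it.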
Respond

RS.RP Response Planning
• Medical devices are included in response planning
RS.CO Communication
RS.AN Analysis
RS.MI Mitigation
• Medical device incidents are contained and mitigated
RS.IM Improvement
• Medical device incident response strategies are updated
Recover

RC.RP Recovery Planning
• A recovery plan is executed during or after a cybersecurity incident involving a medical device
RC.IM Improvements
• Medical device response strategies must be updated with improvements
RC.CO Communications
• Recovery activities for medical devices are communicated to internal and external stakeholders as well as executive and management teams
Measuring NIST CSF Maturity

[Bar chart: NIST Cyber Security Framework maturity levels, target score vs. score for Overall and each CSF category (Asset Management through Communications (RC.CO)), on a 0 to 5 scale: 5 Optimal, 4 Managed, 3 Defined, 2 Acknowledged, 1 Initial, 0 Non-existent]

NIST CSF category                                              Target  Policy  Practice
Overall                                                        3.00    2.68    2.95
Identify (ID)
  Asset Management (ID.AM)                                     3.00    3.42    5.00
  Business Environment (ID.BE)                                 3.00    3.00    5.00
  Governance (ID.GV)                                           3.00    5.00    3.00
  Risk Assessment (ID.RA)                                      3.00    2.00    4.00
  Risk Management Strategy (ID.RM)                             3.00    4.00    2.00
  Supply Chain Risk Management (ID.SC)                         3.00    1.00    3.00
Protect (PR)
  Identity Management, Authentication and Access Control (PR.AC) 3.00  3.00    3.00
  Awareness and Training (PR.AT)                               3.00    5.00    3.00
  Data Security (PR.DS)                                        3.00    1.00    3.00
  Information Protection Processes and Procedures (PR.IP)      3.00    3.00    1.00
  Maintenance (PR.MA)                                          3.00    5.00    4.00
  Protective Technology (PR.PT)                                3.00    1.00    2.00
Detect (DE)
  Anomalies and Events (DE.AE)                                 3.00    3.00    5.00
  Security Continuous Monitoring (DE.CM)                       3.00    5.00    2.00
  Detection Processes (DE.DP)                                  3.00    2.00    5.00
Respond (RS)
  Response Planning (RS.RP)                                    3.00    2.00    2.10
  Communications (RS.CO)                                       3.00    2.20    2.90
  Analysis (RS.AN)                                             3.00    2.30    2.40
  Mitigation (RS.MI)                                           3.00    1.22    2.30
  Improvements (RS.IM)                                         3.00    not scored
Recover (RC)
  Recovery Planning (RC.RP)                                    3.00    1.20    1.90
  Improvements (RC.IM)                                         3.00    2.10    1.90
  Communications (RC.CO)                                       3.00    1.50    1.50
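The Framework Profiles slides describe the exercise (compare a "Current" profile with a "Target" profile, then rank gaps by priority, gap size and budget) and the maturity table gives a real set of numbers for it. The script below is an added example for this page, not ACCE tooling. It reuses the target, policy and practice scores from the table, reproduces the Overall row as the arithmetic mean over the scored categories, and turns the per-category gap to target into a ranked list of the kind the Target Profile table starts from. RS.IM, which has no score on the slide, is carried as None and left out of the average rather than silently counted as zero; the priority bands in `priority()` are an assumption for the demonstration, not a NIST or ACCE rule.

```python
"""Roll up NIST CSF category maturity scores and rank gaps against a target profile.

Added example for this page, not ACCE tooling. The target, policy and practice scores are
the ones in the maturity table above; RS.IM, which has no score on the slide, is recorded
as None and excluded from the average rather than silently counted as zero. The priority
thresholds in priority() are an assumption for the demonstration, not a NIST or ACCE rule.
"""
from statistics import mean
from typing import List, Optional, Tuple

# Maturity scale from the slide.
LEVELS = {0: "Non-existent", 1: "Initial", 2: "Acknowledged", 3: "Defined", 4: "Managed", 5: "Optimal"}

Row = Tuple[str, float, Optional[float], Optional[float]]  # (category, target, policy, practice)
SCORES: List[Row] = [
    ("ID.AM", 3.00, 3.42, 5.00), ("ID.BE", 3.00, 3.00, 5.00), ("ID.GV", 3.00, 5.00, 3.00),
    ("ID.RA", 3.00, 2.00, 4.00), ("ID.RM", 3.00, 4.00, 2.00), ("ID.SC", 3.00, 1.00, 3.00),
    ("PR.AC", 3.00, 3.00, 3.00), ("PR.AT", 3.00, 5.00, 3.00), ("PR.DS", 3.00, 1.00, 3.00),
    ("PR.IP", 3.00, 3.00, 1.00), ("PR.MA", 3.00, 5.00, 4.00), ("PR.PT", 3.00, 1.00, 2.00),
    ("DE.AE", 3.00, 3.00, 5.00), ("DE.CM", 3.00, 5.00, 2.00), ("DE.DP", 3.00, 2.00, 5.00),
    ("RS.RP", 3.00, 2.00, 2.10), ("RS.CO", 3.00, 2.20, 2.90), ("RS.AN", 3.00, 2.30, 2.40),
    ("RS.MI", 3.00, 1.22, 2.30), ("RS.IM", 3.00, None, None),
    ("RC.RP", 3.00, 1.20, 1.90), ("RC.IM", 3.00, 2.10, 1.90), ("RC.CO", 3.00, 1.50, 1.50),
]
COLUMN = {"target": 1, "policy": 2, "practice": 3}


def overall(scores: List[Row], column: str) -> float:
    """Arithmetic mean over the scored categories, rounded to two places.

    This reproduces the slide's Overall row (3.00 / 2.68 / 2.95) over the 22 scored categories.
    """
    idx = COLUMN[column]
    values = [row[idx] for row in scores if row[idx] is not None]
    return round(mean(values), 2)


def level_name(score: float) -> str:
    """Name of the level a score has fully reached (2.68 is still 'Acknowledged')."""
    return LEVELS[max(0, min(5, int(score)))]


def priority(gap: Optional[float]) -> str:
    """Assumed triage bands on the gap to target, in the spirit of the Target Profile table."""
    if gap is None:
        return "Unscored"
    if gap >= 1.5:
        return "High"
    if gap >= 0.5:
        return "Moderate"
    if gap > 0:
        return "Low"
    return "None"


def gap_report(scores: List[Row], column: str) -> List[Tuple[str, Optional[float], Optional[float], str]]:
    """(category, current, gap to target, priority), largest gap first, unscored last."""
    idx = COLUMN[column]
    rows = []
    for row in scores:
        cat, target, current = row[0], row[1], row[idx]
        gap = None if current is None else round(target - current, 2)
        rows.append((cat, current, gap, priority(gap)))
    # Stable sort keeps the slide's order among equal gaps; None sorts after every number.
    rows.sort(key=lambda r: (r[2] is None, -(r[2] or 0.0)))
    return rows


if __name__ == "__main__":
    for column in ("policy", "practice"):
        score = overall(SCORES, column)
        print(f"Overall {column}: {score} ({level_name(score)})")
        for cat, current, gap, prio in gap_report(SCORES, column)[:5]:
            print(f"  {cat}  current={current}  gap={gap}  priority={prio}")
```

Two things the numbers show once they are computed rather than read: the policy Overall of 2.68 hides three categories (ID.SC, PR.DS, PR.PT) sitting a full two levels below target while four others are two levels above it, and an unscored category changes the denominator, so a dashboard that defaults missing scores to 0 would report a lower Overall than the slide does. Ranking by gap is the input to the Target Profile table; budget and year assignments are a management decision the data cannot make.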
Questions

Lunch Break
Please move to the next room (Brahms 3) for the lunch buffet. The next session will start at 1:00 pm with David Finn, "Balancing Priorities During and Following Cyber Attack".
Balancing Priorities During and Following Cyber Attack
David S. Finn, CDPSE, CISM, CISA, CRISC
Executive VP, External Affairs, Information Systems & Security
CynergisTek

About the Speaker
• Almost 40 years of experience in the planning, management and control of information technology and business processes.
• CIO of one of the largest pediatric IDNs (integrated delivery networks) in the United States; also served as the Privacy and Security Officer.
• Health Information Technology Officer for Symantec.
• Co-authored The Journey Never Ends: Technology's Role in Perfecting Health Care Outcomes (Boca Raton: CRC Press for HIMSS Media), writing Chapter 10, "The Future of Information Security in Healthcare."
• Has published on topics ranging from IT management to security in publications such as Baseline and Reflections on Nursing Leadership.
• Has served on the boards of both HIMSS and CHIME.
• Two degrees in Theatre.
Session Description
• A little background on balancing priorities during/after a cyber attack.
• Understanding that you can both under- and over-react to any situation. Neither is good.
• Surviving a cyber attack is, ultimately, about preparation.
• Thinking about what can happen, without having it happen.
• Discussion
Agenda
• Balancing Priorities
• Strategy
• Tactics
• Plans vs. Exercises
• Closing Thoughts
• Q & A
Crisis Management 101
1. Get the cow out of the fence
2. Figure out how the cow got stuck in the fence
3. Create a plan to make sure the cow doesn't wind up back in the fence
Stages of Crisis Management
1. Pre-crisis: develop and practice various crisis scenarios
2. Crisis response: execute the plan
3. Post-crisis: review, adjust, and update the plan for the future
Balancing Priorities
You can't balance priorities if you don't have any.
If you don't have priorities, nothing will get done.
If you have too many priorities, nothing will get done.
"Everyone's" priorities cannot be the organization's priorities.
Strategy

Involve Leadership in Managing the Response Strategy

"The best executive is the one who has sense enough to pick good men to do what he wants done, and self-restraint enough to keep from meddling with them while they do it." (Theodore Roosevelt)

"Anyone can hold the helm when the sea is calm." (Publilius Syrus)
Business Continuity
1. Resiliency (1)
2. Recovery (1)
3. Contingency (1)

(1) This applies to people, processes and technology. It cannot be just a technology issue; if it is addressed that way, operations will still fail.
Supply Chain Business Continuity Framework
• Have a plan
• Maintain visibility
• Leverage decision support
• Back up routine operations
• Learn from prior experience
• Re-think supply chain risk
• Promote increased collaboration among supply chain and business stakeholders
What's never in the strategy (or it is, but no one does it)

Tactics
Address Post-Incident Responses Comprehensively
• We're already seeing this post COVID-19:
  • Users added
  • Machines unprotected (personal)
  • "Group" logons
  • Unmanaged WiFi networks
  • Remote/mobile work sites
• We get it, it had to be done fast! Now clean it up and bring it back to standards.
Tie Cyber Risk Management to Business Continuity Plans and Exercises. Or Vice Versa.
Cyber security risk management should be a catalyst for business continuity planning and exercising:
• Continuity during a cyber incident
• Coordination
• Communications
• Resource requirements (not traditional)
• Public information challenges
• Reporting challenges
• Investigation
• Private sector (insurance, Continuity of Operations plans within jurisdictions)
Crisis Communication Must Be for (Every)one
Business Impact Analysis as an Integral Part of the Cyber Risk Management Process
• Business continuity planners and cyber teams should work together in the BIA process, from planning to execution
• Identify third parties engaged and the impact of third-party disruption
• A "One Team, One Dream" approach allows faster:
  • Response to disruptions
  • Response to cyber incidents
  • Recovery
Plan vs. Exercises

Closing Thoughts

Q & A
David Finn
David.Finn@cynergistek.com
832.816.2206
linkedin.com/in/davidfinn
@DavidSFinn
Overview of Cybersecurity Resources
Mike Powers, MBA, CHTM, CDP, CMDA
Director, Clinical Engineering
Intermountain Healthcare

About the speaker
Mike Powers is a CE Director at Intermountain Healthcare, headquartered in Salt Lake City, Utah. Intermountain is a health network including 23 hospitals, a medical group, ambulatory surgery centers, InstaCare clinics, and imaging centers. He co-leads a task group for the Health Sector Coordinating Council on Legacy Medical Device Cybersecurity. He is a member of the AAMI Healthcare Technology Leadership Committee. Prior to Intermountain, he was the Clinical Engineering Quality Manager at Christiana Care Health System. He has an MBA in Healthcare Administration from Wilmington University and is a Certified Healthcare Technology Manager, Diversity Professional and Medical Device Auditor.

Session Description
Medical Device Cybersecurity Resources
A brief list of some of the best, and when you might use them

AAMI Medical Device Cybersecurity
• Medical Device Cybersecurity (PDF), AAMI Community: a tome from Stephen Grimes and Axel Wirth, with chapters on cybersecurity fundamentals, the regulatory and standards environment, and inventory and configuration management from over 15 healthcare industry experts. It provides templates of purchase agreements and vendor contracts, risk assessment and management practices, and cybersecurity guidance from leading healthcare industry experts.
Healthcare and Public Health Sector Coordinating Council
• The HSCC, and the responsibility of all Sector Coordinating Councils (SCCs), is captured in three iterations of presidential directives dating to 1998 (PDD-63), the most recent being Presidential Policy Directive 21 in 2013, which calls on 16 critical infrastructure sectors to self-organize, in partnership with the government, around the mission to protect essential assets and services from existential threats, both physical/operational and cyber. Every critical industry sector, including healthcare, has been stepping up to this mission. The health sector does this with the day-to-day operational protection, threat analysis and incident response of the Health Information Sharing and Analysis Center (H-ISAC) and related information sharing and analysis organizations, and the longer-term strategic and policy-oriented mission of the HSCC. Under the directive, the HSCC is recognized as the private industry partner to the Department of Health and Human Services, which looks to the HSCC, in a non-regulatory, partnership posture, to help develop policy and operational improvements that enable the sector to better protect against and respond to threats, vulnerabilities and incidents.
HSCC Products
• Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), from the Cybersecurity Act of 2015, Section 405(d) program: the HICP aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the most pertinent current cybersecurity threats to the healthcare industry. It seeks to aid healthcare and public health organizations in developing meaningful cybersecurity objectives and outcomes that enhance patient care. The document focuses on five threats: email phishing attacks; ransomware attacks; loss or theft of equipment or data; insider, accidental or intentional data loss; and attacks against connected medical devices that may affect patient safety. The publication includes a main document, two technical volumes, and resources and templates.
HSCC Products
• Health Care Industry Cybersecurity Task Force, Report on Improving Cybersecurity in the Health Care Industry: the Task Force was convened in 2016 under the Cybersecurity Act of 2015 and published its report in 2017. The report discusses its recommendations and six imperatives along with cascading action items.
HSCC Products
• The Joint Security Plan (JSP), Health Sector Council: the JSP is a total product lifecycle reference guide to developing, deploying and supporting cyber secure technology solutions in the healthcare environment, specifically:
  • Cybersecurity practices in design and development of medical technology products
  • Handling product complaints relating to cybersecurity incidents and vulnerabilities
  • Managing security risk throughout the lifecycle of medical technology
  • Assessing the maturity of a product cybersecurity program
HSCC Products on the Horizon
• Cybersecurity of Legacy Medical Equipment
• Model Contract Language for the implementation of cybersecure partnerships in purchases
Medical Device Cybersecurity Lifecycle Management (h-isac.org)
• This document provides an overview of a lifecycle-based approach to managing medical device cybersecurity from the perspective of Medical Device Manufacturers and Healthcare Delivery Organizations. It provides a high-level overview of the four main lifecycle phases and the relationship between them. Further, it provides references to key regulations and standards as well as other leading practices provided in the literature.
IMDRF Guidance
• IMDRF Principles and Practices for Medical Device Cybersecurity
• The purpose of this IMDRF guidance document is to provide fundamental concepts and considerations on the general principles and best practices to facilitate international regulatory convergence on medical device cybersecurity. The document is structured as follows:
  • The scope of the document is defined in Section 2, followed by defined terms in Section 3.
  • Section 4 provides an overview of the general principles of medical device cybersecurity.
  • Sections 5 and 6 provide a number of recommendations for stakeholders regarding best practices in the pre-market (focus is on medical device manufacturers) and post-market (includes numerous stakeholders) management of medical device cybersecurity.
ASPR TRACIE Readiness & Response Considerations
• Healthcare System Cybersecurity: Readiness & Response Considerations (hhs.gov)
• ASPR TRACIE designed this resource to help healthcare facilities, and the systems they may be a part of, understand the roles and responsibilities of stakeholders before, during, and after a cyber incident. Information within this document is specifically related to the effects of a cyber incident on the healthcare operational environment, specifically the ability to effectively care for patients and maintain business practices and readiness during such an event. While the focus of this document is on disruptions associated with a large-scale cyberattack, many strategies and principles outlined are relevant to a range of cybersecurity incidents and healthcare facilities.
Cyber Resource Hub | CISA
• Free vulnerability assessments from CISA, arranged through your region of the United States. CISA services can help you gain visibility into effective mitigations to implement for better protection of networks.
Wrap-Up
• These resources are just a few of the many out there. There are several reasons to become familiar with them and to leverage their information to the benefit of your organization and patients.

Coffee Break
Please be back by 3:20 pm to join Chris Falkner for "Getting Ahead of Cybersecurity Risk with Contract Language".
Getting Ahead of Cybersecurity Risk with Contract Language
Christopher Falkner, MS, CCE
Product Owner of Cybersecurity Governance & Standards
Kaiser Permanente

About the speaker
Mr. Falkner currently oversees a team of Healthcare Technology Managers leading Kaiser Permanente's Edge Cybersecurity Program. In his role as Product Owner & Principal Program Manager, he oversees all aspects of a comprehensive Integrated Risk Management (IRM) program and supports the technical development and implementation of cybersecurity solutions across 150k+ medical and IoT devices.
In his previous roles at Kaiser Permanente, Mr. Falkner led the National Clinical Systems Engineering program and directed the Technology Innovations Program at KP's Sidney Garfield Innovation Center. Prior to joining Kaiser Permanente, he was a Clinical Engineering leader at the Veterans Health Administration.
Mr. Falkner is currently an adjunct professor of Biomedical Engineering at the University of Connecticut. He holds Master's and Bachelor's degrees in Biomedical Engineering and is a Certified Clinical Engineer (CCE).

Thank you to: Michael Kushner, Patrick Townsend Wells, Michelle Bentley, Kevin Tambascio, Greg Garcia, and more…

Session Description
As cybersecurity threats to healthcare grow, so too does the availability of advanced tools and controls that enable Healthcare Delivery Organizations to protect their ecosystems. However, the cost of these controls can be high, and they often increase the complexity of the healthcare environment. Contract language for medical device cybersecurity provides a cost-effective way to ensure inherently more secure devices, improved support from suppliers, and better awareness of residual risks that may need to be managed. Leveraging a mature set of contract language is a great way to balance the costs of cybersecurity controls while still reducing cybersecurity risks to your organization.

Learning Objectives
By the end of this session, you should be able to:
• Articulate the value of cybersecurity contract language to your leadership.
• Find key frameworks and resources for improving your contract language.
• Build a robust process for leveraging contracts throughout the device lifecycle.
Session Agenda
1. Cybersecurity at Kaiser Permanente
2. Why we care about contracts
3. What makes a good cybersecurity contract
4. How to operationalize cybersecurity contracts
Cybersecurity at Kaiser Permanente (10 minutes)
Key take-aways:
• Think big: consider the expanding technology universe
• Be a bridge between IT and business
• Divide and conquer across specialized teams

Expanding Cybersecurity @ KP
The Edge Cybersecurity Program (Edge) is a business-led initiative to design, develop, and implement a framework and common solutions that allow Kaiser Permanente to consistently manage the safety and security of Edge devices.

Leading From the Middle
The Edge Cybersecurity Program will reduce both business and cyber risk for Edge devices, while increasing patient safety, improving business operations, and preventing member data theft and loss.

Comprehensive Risk Management
Why do we care about contracts? (15 minutes)
Key take-aways:
• Cybersecurity is founded in risk management
• Compensating controls have high cost and uncertainty; inherent controls are preferred
• Contract language is the front line of defense against cybersecurity risks
Risk Management & Cybersecurity
There are many definitions of risk management, most of them good, but here is my working definition:

"Risk management is the pro-active design and maintenance of an ecosystem to ensure stability and predictability under any stresses. This is achieved by implementing controls (people, process, technology) that mitigate the effects of stresses such that they are minimally realized by the business or its customers."

Let's see how cybersecurity in healthcare sizes up against this definition:
• Focused on implementing controls across a highly integrated ecosystem of devices that are network connected, contain PHI, and are dependencies for care delivery operations.
• Primary goal is to ensure stable and predictable outcomes when vulnerabilities threaten our ecosystem, i.e. business continuity and care delivery.
• Secondary goal is to reduce the effects of vulnerabilities, such as the financial, regulatory, and reputational burden on the organization, i.e. reduce Annualized Loss Expectancy.
• Cybersecurity controls come in the form of people (behaviors), process (policy/SOPs), and technology (agents/configurations/etc.).

[Figure: "Sea-sick sailor" risk model, two panels. Without controls a stress event leads straight to its consequence: lack of controls creates instability and disruption during an event. With controls placed between the stress event and the consequence, pro-active controls create stability, even during an event.]
Moving Controls Upstream

[Figure: cost ($) and risk (!) fall as controls move upstream, from "Nothing or Not Knowing" ($$$$ / !!!!) through Compensating Controls and Inherent Capabilities to Inherent Controls ($ / !).]
• Compensating Controls: business-owned and implemented controls that fill the risk "gaps" on a device.
• Inherent Capabilities: control capabilities that need to be "turned on" through configuration.
• Inherent Controls: controls that are enabled out of the box or "by default".

Most cybersecurity programs focus on Compensating Controls that can be implemented and managed by the business. This approach is OK, but Compensating Controls can be expensive to implement and manage, and they introduce uncertainty as to whether they are consistently and effectively implemented.

Good cybersecurity contract language drives the risk management discussion with MDMs before you commit to buying devices and services (aka maximum purchasing power!). It also provides a platform to influence "Inherent Controls", which will reduce uncertainty and costs for your cybersecurity program.
Setting Control Expectations

Control examples:
• Whitelisting or anti-malware; central authentication; physical security
• Perimeter control; logging and monitoring; network segmentation
• Security patching; end-point management; threat intelligence
• Data encryption at rest; vendor-supported remediation; good incident response

Good cybersecurity contract language is an opportunity to set clear expectations for a comprehensive portfolio of control requirements for devices or services provided by an MDM.
It also identifies controls that are not being met, which informs HDO costs and effort to manage residual risk by implementing compensating controls or accepting risk.
Example: Product Design (battery analogy)

Scenario: Your organization is evaluating new mobile digital x-ray solutions and is considering the costs to manage cybersecurity risks on the preferred product. The RFP has some "nice to have" features, but leadership is looking for a more certain commitment on risk posture and total cost of ownership.

Hospital A (limited contract language)
• Poor inherent controls; low awareness of the HDO cost to manage risk
• Compensating controls: high costs and effort for the HDO on top of device costs, due to inadequate design
• Residual risk: higher risk, more time spent on risk management and IR
• Result: uncertainty, higher risk management costs, and higher residual risk for the selected product

vs.

Hospital B (good contract language)
• Very good inherent controls; high awareness of the HDO cost to manage risk
• Compensating controls: a "trickle charge" to enable inherent capabilities and protect the HDO network
• Residual risk: lower risk, less time spent on risk management and IR
• Result: predictability and lower risk management costs for the selected product

Lessons learned:
• RFPs are not legally binding and may not always reflect what devices and services are delivered.
• Contract language can be used in the sourcing process to define "must haves" upstream.
• Compensating controls transfer cybersecurity costs to the HDO and often do not fully remediate risk.
Example: Vendor Remediation Support

Scenario – A new critical vulnerability is identified, and your organization’s policies indicate that an accelerated 20-day remediation timeline is needed to adequately manage the risk. However, you are dependent on your MDMs to validate the security patch before you can push to your medical devices.

Hospital A (limited cybersecurity contract language)
HDO: 20 Day HDO remediation SLA
MDM: ?? SLA for MDM impact assessment; ?? SLA for MDM patch validation
Limited cybersecurity contract language = Unclear MDM SLAs = Policy non-compliance
Policy Non-compliance!!

vs.

Hospital B (good cybersecurity contract language)
HDO: 20 Day HDO remediation SLA
MDM: 5 Day SLA for MDM impact assessment; 15 Day SLA for MDM patch validation
Good cybersecurity contract language = Clear MDM SLAs = Policy compliance
Policy compliance

Lessons Learned: HDOs are dependent on MDM partners to meet remediation timelines. Unclear expectations of MDM support SLAs can lead to non-compliance and greater risk exposure. Good contract language will establish the “must have” SLA requirements for MDM support.
Getting Ahead of Cybersecurity Risk

Cybersecurity Contract Language:
• Sets clear expectations for HDO cybersecurity requirements (not just “nice-to-haves”)
• Drives more inherent controls = lower cost, lower uncertainty for HDOs
• Proactively informs HDO costs & efforts to manage device risks
• Starts a conversation with MDMs about current & future capabilities

Good cybersecurity contract language is a very powerful tool that can be used to proactively ensure that adequate risk management controls are in place for all devices and services, and that any gaps in controls are known.
What makes a good cybersecurity contract? (10 minutes)

Key Take-Aways: Collaboration between HDOs and MDMs is key to improving cybersecurity practices. Cybersecurity contract language should focus on 14 core principles. HSCC is developing a modular framework for contract language that can be used by HDOs.
Prioritizing HDO & MDM Partnership

Starting in 2018, Kaiser Permanente partnered with Mayo Clinic, Cleveland Clinic, and Froedtert Health to compare medical device cybersecurity contract language.
We discovered that we had a lot to learn from each other by sharing lessons learned and best practices.
Together we developed the “Bar of Goodness”, a framework outlining 14 core principles that should be included in cybersecurity contract language for medical devices.
CC/FH/KP/MC Framework for HDO & MDM Data Security Partnership – The Bar of Goodness: 14 Core Principles

Supplier Maturity – HDOs & MDMs should consider these principles when setting expectations around capabilities and consistent practices.
• Universal Coverage
• Industry Standards Alignment
• Security Development Lifecycle
• Current OS Accountability
• Security Patch Program
• Responsible Data Handling
• Supplier Transparency

Product Design Maturity – HDOs & MDMs should consider these principles when setting expectations around the inherent capabilities of the product at the time of delivery.
• Secure by Default
• Standard Security Controls
• Remote Access Controls

Supplier Performance – HDOs & MDMs should consider these principles when setting expectations around timeliness and consistency of support.
• Vulnerability Management
• Incident Management
• Security Patch Validation
• Customer Support

CC/FH/KP/MC Framework for HDO & MDM Data Security Partnership – The Bar of Goodness: Supplier Maturity
Universal Coverage – Security requirements apply to all Customer locations, all Supplier infrastructure, and all Sub-contractors of the Supplier.
Industry Standards Alignment – Supplier demonstrates maximum adherence to industry regulations & standards, with timely adoption of new standards versions.
Security Development Lifecycle – Supplier will support a program for pre-market and post-market penetration and vulnerability testing, Supplier maintains awareness of the SANS Top 25 and OWASP, and Supplier infrastructure is monitored 24x7.
Current OS Accountability – Supplier demonstrates accountability for validating the product on supported Operating Systems.
Security Patch Program – Supplier demonstrates accountability for validating security patches for their software and any 3rd party software on their products.
Responsible Data Handling – Good practices for storage, availability, backup, and handling of data and logs, including at the time of product disposal. Controls that enable HIPAA & other privacy requirements.
Supplier Transparency – Known vulnerabilities should be disclosed, default accounts and settings are documented, strategic roadmaps for product/controls development are shared with the customer, and reference architectures are clearly documented.

Why are these principles important?
• Always: Industry Standards & Best Practice
• Indicate the values, culture, and ethos of an MDM
• Emphasize the importance of adaptability

How do HDOs & MDMs partner on this?
• Dialogue at the time of a new partnership between HDO & MDM
• Demonstrated through pre- and post-market audits & reporting from the MDM
• Ongoing dialogue about evolving standards (e.g. FDA Regulations)

Industry Alignment Examples:
• CIS Control #3: Continuous Vulnerability Management
• NIST SP 800-53 CA-7, RA-4, SI-2, CA-8
• Health Sector Council Joint Security Plan

Contract Example – Industry Standard Documentation: “Supplier shall provide a complete Manufacturer Disclosure Statement for Medical Device Security (MDS2) and a complete Software Bill of Material (SBOM) that outlines at a minimum: (i) All Open-Source Software (OSS), (ii) as-built version of all OSS, (iii) all default user accounts…”
CC/FH/KP/MC Framework for HDO & MDM Data Security Partnership – The Bar of Goodness: Product Design Maturity

Secure by Default – Product should by default have all security features enabled, attack surfaces reduced, and should be free of malware or unnecessary code and services.
Standard Security Controls – Product should have:
• Network Controls
• Physical Security
• Anti-Malware
• Audit & Logging
• Intrusion Detection
• Data Encryption
• Access Management
• Security Patching
• Protection against malicious code
• Privilege Escalation Controls
• Documented reference architecture
• Remote Access Controls

Why are these principles important?
• Always: Industry Standards & Best Practice
• Default security reduces error opportunities
• Clear guidance indicates where to invest in controls

How do HDOs & MDMs partner on this?
• Incorporated into product evaluations and ongoing audits
• Leverage industry standard surveys & shared intelligence – evaluate once, share many times

Industry Alignment Examples:
• CIS Top 20 Controls (all)
• ISO/IEC 27000
• FDA Pre- & Post-Market Cybersecurity Guidance

Contract Example – Secure By Default: “All Supplier Product cybersecurity features shall either be enabled by default or be clearly identified as requiring initial configuration. Product documentation shall specify how to enable, configure, and use all Product cybersecurity features.”
CC/FH/KP/MC Framework for HDO & MDM Data Security Partnership – The Bar of Goodness: Supplier Performance

Vulnerability Mgmt. – Supplier proactively discloses high risk vulnerabilities and action plans to remediate.
Incident Mgmt. – Supplier actively engages during an incident and provides all necessary support to remediate in a timely manner.
Security Patch Validation – Supplier consistently validates newly released security patches for their software as well as any 3rd party software on their products.
Customer Support – Supplier consistently demonstrates secure behavior in all onsite and remote access to Customer infrastructure.

Why are these principles important?
• Always: Industry Standards & Best Practice
• Threat landscape is constantly evolving
• Incidents are high risk, high visibility

How do HDOs & MDMs partner on this?
• Dialogue about Key Performance Indicators (KPIs), which could include: Service Level Agreements (SLAs); how success is defined and demonstrated; roles & responsibilities for both HDO and MDM; penalties or incentives for performance against KPIs
• Performance should be reviewed regularly

Industry Alignment Examples:
• NIST SP 800-53 IR-5, IR-8
• ISO 29147 & ISO 30111
• Health Sector Council Joint Security Plan

Contract Example – Communication Strategy: “Supplier shall coordinate with KP to define and document a communications strategy for urgent and non-urgent engagement related to Vulnerability management. The strategy must at a minimum outline …”
Practicing Partnership via HSCC Workgroup

Starting in 2019, the Health Sector Coordinating Council initiated the Model Contract Technical Working Group to adapt the Bar of Goodness into a set of industry standard medical device cybersecurity contract clauses.

Purpose: Provide a forum for HDO and MDM collaboration on the refinement of standard contract language that improves coordination on cybersecurity requirements for medical devices. Publish a set of modular contract clauses that can be easily leveraged by HDOs to accelerate partnerships between HDOs & MDMs.

Approach: Roll the sleeves up and get it done! Over 30 HDOs, MDMs, GPOs, and other stakeholders have reviewed and redlined each contract clause. Clauses are divided into one of the 3 Bar of Goodness Pillars, with each clause aligned to one of the 14 core principles. Background for each pillar and principle will be provided to help HDOs and MDMs understand the full intent of the contract language.

Next Steps: Following an approval vote from HSCC stakeholders, the framework will be published in late 2021. It’s in your hands! We encourage HDOs to leverage the framework and provide feedback & lessons learned. A period of stability (i.e. no changes to the framework) will allow time for HDOs and MDMs to adopt.

Roadmap for the Model Contract framework adoption & improvement.
How do we operationalize cybersecurity contracts? (15 minutes)
a.k.a. lessons learned the hard way for Kaiser Permanente

Key Take-Aways: Prioritize content that is most relevant to your organization. Make contract language a team sport. Find opportunities to use contracts throughout the equipment lifecycle. Consider piloting the process to reduce change management challenges.
Building our Cybersecurity Contract Language

Consider what pain-points or problems you want to solve.
Do not just grab every clause unless you have a valid need – longer contracts take longer to sign.
Be sure to understand any existing data security & privacy requirements in your master contract template. Align your medical device contract language to what exists to be sure it is complementary.
Look for content you might change to better meet your organization’s needs – such as SLAs. Don’t be afraid to ask for what you want; even if it gets redlined, it still starts a conversation about your expectations.

Kaiser Permanente cross-walk between IT and Edge cybersecurity requirements.
Plan for Reviews and Socialization

Building the right contract language for your organization takes time; plan accordingly!
Review industry guidance, such as other HDO contract language and the HSCC Model Contract framework.
Plan for time to weave improvements or additions into the flow of your current contract language – it must make sense to your sourcing team and to MDMs for it to be effective.
Get review & approval from your HDO sourcing leadership and legal departments.
Get review & approval from your Group Purchasing Organization (GPO), as needed.
Share the updated contract language with your strategic MDM partners – even if it’s not a renewal window.

Kaiser Permanente timeline for development of Edge Security Requirements v2.0.
Finding where to use Contract Language

RFP – Product Evaluations: Share contract language with Suppliers early so that you can evaluate their capabilities before you get to contracting.
Hardening Guide Development: Contract language can identify key gaps in Supplier capabilities that need to be accounted for in compensating controls & configurations.
Contracting: Agreed-on contract language will set the tone and expectations for the duration of the partnership.
Solution Design & Onboarding: When the rubber hits the road, contract language helps to hold Suppliers accountable for capabilities.
Lifecycle Mgmt.: Ongoing support from Suppliers can be monitored against the agreed-on SLAs and behaviors in the contract language.
Contract Renewal or Decom: Observed Supplier growth in maturity against contract requirements can inform renewal decisions.

Good cybersecurity contract language can be leveraged throughout the product lifecycle and helps HDOs get ahead of avoidable cybersecurity & operational risks.
Be Prepared to Support Contract Activities

Provide guidance on when to include your clauses – For KP: Target is all new contracts and renewal windows. A “cheat sheet” is provided to sourcing to help them recognize Edge device contracts. Our master contract supersedes any local service contracts.
Make your clauses easily accessible to your sourcing team – For KP: The Edge Security Requirements (ESR) is posted to an external supplier website so that it can be viewed by anyone.
Decide how best to include your clauses in the contract – For KP: The Edge Security Requirements (ESR) is included as an exhibit or addendum to Edge device contracts. This prevents unnecessary redlining for non-Edge contracts.
Identify resources to review contract negotiations – For KP: The Edge Program has 3 team members trained to review redlines. We can be contacted by a “group email” that makes it easy for Sourcing to engage our team. Our SLA for review of redlines is 3 days, not including follow-up meetings with Suppliers.
Consider approvals and escalations – For KP: All redlines are approved by the Governance & Standards Product Owner. Escalations or higher-level approvals go to the Edge Program Executive Director or VP. Supplier C-Suite is engaged on critical conflicts, as needed.

Easier said than done… Contract activities can be time consuming and involve many stakeholders.
Monitor Performance & Maturity

Supplier Maturity – All approved variance from Edge requirements (i.e. non-compliance) will be tracked by the Edge Program as a measure of % Requirements Compliance. Suppliers will be required to provide a roadmap for maturing their offerings to meet Edge requirements over the course of the contract term. Improvements in Supplier offerings will be tracked by the Edge Program as a measure of Delta % Requirements Compliance (i.e. growth in maturity).
Mean Time to Disclosure (MTTD) – Measures the amount of time between any knowledge (public or otherwise) of a cybersecurity vulnerability and the vendor’s disclosure of the impact to KP, including the vendor’s response plan.
Mean Time to Remediation (MTTR) – Measures the amount of time between any knowledge (public or otherwise) of a cybersecurity vulnerability and a vendor-provided remediation solution (e.g. validated security patch).

Consider how your organization will monitor Supplier performance against contract requirements & SLAs.

Kaiser Permanente model for Supplier Management Workgroup, which leads strategic engagement and monitoring of key suppliers.
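The metrics above (MTTD, MTTR, % Requirements Compliance and its delta) and the SLA checks from the Vendor Remediation Support example can be computed from a simple event log. The script below is an added illustration written for this page; it is not code from the symposium, from Kaiser Permanente's Edge Program, or from HSCC. It assumes the 5-day impact assessment, 15-day patch validation and 20-day HDO remediation SLAs of the Hospital B example, uses the 14 Bar of Goodness principles as the requirement set, and all vulnerability events, identifiers (VULN-A etc.) and variance lists are constructed sample data.

```python
"""Supplier performance tracking against contracted SLAs and requirements.

Added example; not code from the symposium slides, the Kaiser Permanente
Edge Program, or HSCC. It implements the metrics defined on the 'Monitor
Performance & Maturity' slide (MTTD, MTTR, % Requirements Compliance and
its delta) and checks each vulnerability event against the SLA values of
the 'Vendor Remediation Support' example. All event, identifier and
variance data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional, Set

# Contract SLAs in calendar days, taken from the slide example (Hospital B).
SLA_IMPACT_ASSESSMENT_DAYS = 5
SLA_PATCH_VALIDATION_DAYS = 15
SLA_HDO_REMEDIATION_DAYS = 20

# The 14 Bar of Goodness principles, used here as the requirement set to score.
BAR_OF_GOODNESS = [
    "Universal Coverage", "Industry Standards Alignment",
    "Security Development Lifecycle", "Current OS Accountability",
    "Security Patch Program", "Responsible Data Handling",
    "Supplier Transparency", "Secure by Default", "Standard Security Controls",
    "Remote Access Controls", "Vulnerability Management", "Incident Management",
    "Security Patch Validation", "Customer Support",
]


@dataclass
class VulnEvent:
    """One vulnerability affecting a supplier's product (constructed record)."""
    vuln_id: str                      # placeholder label, not a real CVE id
    known: date                       # first knowledge, public or otherwise
    disclosed: Optional[date]         # supplier disclosed impact + response plan
    patch_validated: Optional[date]   # supplier delivered a validated patch
    remediated: Optional[date]        # HDO pushed the fix to its devices


def days_between(start: date, end: Optional[date], today: date) -> int:
    """Elapsed calendar days; an item still open is measured up to 'today'."""
    return ((end or today) - start).days


def mttd(events: List[VulnEvent], today: date) -> float:
    """Mean Time to Disclosure: knowledge -> supplier disclosure to the HDO."""
    return mean(days_between(e.known, e.disclosed, today) for e in events)


def mttr(events: List[VulnEvent], today: date) -> float:
    """Mean Time to Remediation: knowledge -> supplier-provided validated patch."""
    return mean(days_between(e.known, e.patch_validated, today) for e in events)


def sla_breaches(event: VulnEvent, today: date) -> List[str]:
    """Names of the contract SLAs this event breaches. Open items are measured
    against today, so an overdue item is flagged before it is closed."""
    checks = [
        ("impact_assessment", event.disclosed, SLA_IMPACT_ASSESSMENT_DAYS),
        ("patch_validation", event.patch_validated, SLA_PATCH_VALIDATION_DAYS),
        ("hdo_remediation", event.remediated, SLA_HDO_REMEDIATION_DAYS),
    ]
    return [name for name, when, limit in checks
            if days_between(event.known, when, today) > limit]


def compliance_ratio(requirements: List[str], variances: Set[str]) -> float:
    """Fraction of requirements met; an approved variance counts as non-compliance."""
    met = [r for r in requirements if r not in variances]
    return len(met) / len(requirements)


def requirements_compliance(requirements: List[str], variances: Set[str]) -> float:
    """% Requirements Compliance, rounded to one decimal for reporting."""
    return round(100.0 * compliance_ratio(requirements, variances), 1)


def delta_compliance(requirements: List[str], before: Set[str], after: Set[str]) -> float:
    """Delta % Requirements Compliance between two review points (growth in maturity)."""
    growth = (compliance_ratio(requirements, after)
              - compliance_ratio(requirements, before))
    return round(100.0 * growth, 1)


# Constructed sample data for one supplier, evaluated as of the symposium date.
TODAY = date(2021, 8, 9)
SAMPLE_EVENTS = [
    VulnEvent("VULN-A", date(2021, 6, 1), date(2021, 6, 4), date(2021, 6, 14), date(2021, 6, 18)),
    VulnEvent("VULN-B", date(2021, 6, 10), date(2021, 6, 18), date(2021, 7, 1), date(2021, 7, 5)),
    VulnEvent("VULN-C", date(2021, 7, 20), date(2021, 7, 24), None, None),  # still open
]
VARIANCES_Q1 = {"Secure by Default", "Remote Access Controls", "Security Patch Validation"}
VARIANCES_Q3 = {"Remote Access Controls"}

if __name__ == "__main__":
    print(f"MTTD {mttd(SAMPLE_EVENTS, TODAY):.1f} days, MTTR {mttr(SAMPLE_EVENTS, TODAY):.1f} days")
    for e in SAMPLE_EVENTS:
        print(e.vuln_id, "SLA breaches:", sla_breaches(e, TODAY) or "none")
    print("Requirements compliance Q1:", requirements_compliance(BAR_OF_GOODNESS, VARIANCES_Q1))
    print("Delta Q1 -> Q3:", delta_compliance(BAR_OF_GOODNESS, VARIANCES_Q1, VARIANCES_Q3))
```

Two design points worth noting: open items are measured up to the reporting date rather than ignored, so a patch that is still unvalidated on day 20 already shows as an SLA breach in the report, and an approved variance is counted as non-compliance exactly as the slide describes, so the delta metric only moves when the supplier actually closes a gap.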
Thank You! Questions?

Let’s continue the discussion! Connect with me on LinkedIn: https://www.linkedin.com/in/christopher-falkner-b2049746/

Helpful Resources
Kaiser Permanente Sourcing website: https://supplier.kp.org/
Kaiser Permanente Data Security Requirements: https://supplier.kp.org/requirements-guidelines/privacy-security-technology/data-security-requirements/
Kaiser Permanente Edge Security Requirements: https://supplier.kp.org/requirements-guidelines/privacy-security-technology/edge-security-requirements/
Health Sector Coordinating Council website: https://healthsectorcouncil.org/
Resources referenced in Edge Security Requirements: FDA Post Market Management of Cybersecurity, NIST 800-53, NIST 800-88, NIST 800-63b, NIST 800-111, ISO 14971, ISO 29417, ISO 30111, OWASP, CWE/SANS, Section 889(a)(1)(B) of the FY19 National Defense Authorization Act (NDAA), NIA Common Vulnerability Scoring System (CVSS), US-CERT, HSCC HIC-MISO
Closing remarks
Thank you to our sponsors
Thank you to our task force team:
Nader Hammoud, Tony Cody, Juuso Leinonen, Priyanka Upendra, Suly Chi
You are invited!
Join us at the HTA/ACCE reception
Date: Tuesday, 8/10/21, 6:00-7:30pm
Location: Wynn/Encore – Palmer 2
RSVP to enter the evening drawing