Addressing New Threats: Medical Device and IoT Risk … (Aug 29, 2019)
• 20+ years in Information Technology and Information Security
• 11+ years with the University of Nevada School of Medicine
• Information Security specialist, entrepreneur, and trainer
• MPA, University of Idaho
• Expertise in HIPAA, HITECH, FERPA, PCI-DSS, SOX, GLBA, policy, management, training, risk management and implementation
• Founding member and former Southwest chapter secretary, Cloud Security Alliance (CSA)
• Member: ISC2, CSA, ISSA, ISACA and InfraGard
• August 5, 2019 - Microsoft catches Russian state hackers using IoT devices to breach networks. Fancy Bear servers are communicating with compromised devices inside corporate networks. https://arstechnica.com/information-technology/2019/08/microsoft-catches-russian-state-hackers-using-iot-devices-to-breach-networks/
• January 30, 2019 - DHS Alerts to Vulnerabilities in Stryker and BD Medical Devices – Smart medical beds subject to wireless attacks that can lead to compromise of administrator accounts
• August 31, 2018 - Nine cybersecurity vulnerabilities have been found in the Philips e-Alert Unit, a tool that monitors MRI system performance, according to an Aug. 30 ICS-CERT advisory.
• October 15, 2018 - The FDA issued a medical device safety alert about cybersecurity vulnerabilities in Medtronic’s CareLink programmers that could enable an attacker to change the functionality of the programmer or of the implanted pacemaker it controls.
• November 7, 2018 - ICS-CERT is warning about cybersecurity vulnerabilities in Roche point-of-care handheld medical devices. https://healthitsecurity.com/tag/medical-device-security
• About 18% of provider organizations surveyed by KLAS experienced malware attacks on medical devices in the past 18 months. https://www.modernhealthcare.com/article/20181005/NEWS/181009942
“The Internet of Things (IoT) Healthcare Market size was evaluated worth $60 billion in 2014, and is estimated to reach net worth $136 billion by 2021. The market growth is expected to register a CAGR of 12.5% over the forecast period.
Internet of things (IoT), comprising of intermediary components, such as devices, network connectivity, electronics system, and software, is basically the networking of smart electronic devices or things to transmit data signals between them in the absence of human intervention.
In the healthcare segment, this technology can be implemented to manage and scrutinize available patient data as well as resources with great ease.”
• They tend to have dated, unpatched operating systems, making them the “low hanging” fruit on the network.
• The devices themselves are usually not monitored directly since modifying FDA certified systems is generally frowned upon.
• Many devices tend to have minimal account management capability, if any.
• They seldom integrate into Active Directory or LDAP services.
• Some have no user interface, such as a keyboard.
• They are easy pivot points to more lucrative targets on the network.
The Challenges of Medical Devices
The growth of IoMT (Internet of Medical Things) has increased both the types and volumes of data that can be compromised. This includes:
• Drug types and dosages
• Control information for devices – anesthesia or drug delivery
• Diagnostic images
• Lab results
• Vital signs of all types
• Continuous output from EKG and EEG and similar systems
• Data from implanted, connected medical devices
• Data from medical and consumer wearables
• The IoMT has changed what constitutes a medical device.
• The FDA has not kept up in that regard, with IoMT devices appearing everywhere.
• You must look at the device “ecosystem” to ensure you address all the risks and vulnerabilities that these devices and associated elements present.
A medical device is defined within the Food, Drug & Cosmetic Act as "...an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is: recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them, intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes."
Medical devices distributed in the United States are subject to General Controls, pre-market regulatory controls and post-market regulatory controls.
General Controls include:
• Establishment Registration by manufacturers, distributors, repackagers and re-labelers,
• Medical Device Listing with FDA of devices to be marketed,
• Manufacturing the devices in accordance with Good Manufacturing Practices,
• Labeling medical devices in accordance with the labeling regulations, 21 CFR 801 or 21 CFR 809,
• Medical Device Reporting of adverse events as identified by the user, manufacturer and/or distributor of the medical device.
• Pre-marketing controls are device and device classification specific. Pre-marketing controls for a medical device may include: clearance to market by 510(k) or approval to market by Pre-Market Approval (PMA).
• Post-marketing controls include Device Listing, Medical Device Reporting (MDR), Establishment Registration and Quality
There are 3 FDA regulatory classifications of medical devices: Class I, Class II and Class III. The classifications are assigned by the risk the medical device presents to the patient and the level of regulatory control the FDA determines is needed to legally market the device. As the classification level increases, the risk to the patient and FDA regulatory control increase. Accessories to medical devices, devices used with a medical device to support use of the device, are considered the same classification as the medical device.
The FDA classification of medical devices is based upon classifications for devices currently legally marketed in the United States. The FDA determines the device classification by the device intended use and risk the device presents to the patient. New medical devices are compared to legally marketed medical device classifications with the same intended use and technological characteristics to determine the device classification.
Class I medical devices have the least amount of regulatory control. Class I devices present minimal potential harm to the user. They are typically simple in design and manufacture and have a history of safe use. Examples of Class I devices include tongue depressors, arm slings, and hand-held surgical instruments. Most Class I devices are exempt from the premarket notification and may be exempt from compliance with the good manufacturing practices regulation.
Class II medical devices are devices where General Controls are not sufficient to assure safety and effectiveness and existing methods/standards/guidance documents are available to provide assurances of safety and effectiveness. In addition to compliance with General Controls, Class II devices are required to comply with Special Controls. Special Controls include:
• Special labeling requirements,
• Mandatory performance standards, both International and United States,
• Postmarket surveillance,
• FDA medical device specific guidance.
Class III medical devices have the most stringent regulatory controls. For Class III medical devices, sufficient information is not available to assure safety and effectiveness through the application of General Controls and Special Controls. Class III devices usually support or sustain human life, are of substantial importance in preventing impairment of human health or present a potential unreasonable risk of illness or injury to the patient.
From compliance, safety and device management perspectives, the scope of this definition is so broad as to be almost meaningless, particularly for Class I medical devices.
What is a Medical Device?
Medical devices can also be viewed as an ecosystem of interconnectivity. That is defined as the Internet of Medical Things (IoMT).
Common Attack Vectors
• Targeted attacks – seeking specific devices, platforms, applications or people
• Malware infections - ransomware
• Physical theft of devices
• User or administrator account vulnerabilities
• IT network infrastructure vulnerabilities
• Improper third-party vendor connections
• Vulnerabilities in systems, networks or devices that are connected
Consumer devices:
• They gather data (steps, heart rate, blood pressure, sleep, weight, etc.);
• Who owns the data (Fitbit, patient or medical provider)?
• Devices are not under any health system control;
• Everything from detailed records of dietary intake to spreadsheets of multiple activity tracker variables;
• Who is wearing the device?
• How will it integrate with the EHR?
• Where are the data stored?
• Who is responsible (who owns the device)?
• How are the device and its data secured?
Securing Medical Devices: Step 1
Discovery - Identifying and obtaining an accurate inventory of medical devices and their locations – creating an accurate inventory and risk register
Securing Medical Devices: Step 2
Device Groupings - Once device discovery and inventory is complete, grouping devices by a comprehensive model allows risks to be managed by device category or grouping rather than by individual devices.
• In a typical hospital there can easily be over 10,000 “network medical devices” as defined by the FDA.
• Those networked devices that can affect patient safety and outcomes run the gamut from wireless blood pressure cuffs to CT scanners to infusion pumps.
• There will be thousands of devices that are network enabled and at risk.
• Assessing risks for each of these devices would be a monumental task, so placing devices into groups where the risks, functionality and controls are similar allows you to manage risk at an
Patient safety approach:
  o Security level is based upon the outcome of a compromise in terms of patient safety.
  o Devices are organized into safety tiers to indicate the potential severity of outcomes.
  o Consolidates the massive device list into 4 categories or tiers that indicate patient safety impact if the device were compromised.
Tier 1 Patient death
Tier 2 Patient or Operator injury
Tier 3 Inappropriate therapy, misdiagnosis or loss of critical materials
Tier 4 Other clinical devices that pose risks and are networked
Developing a Classification Scheme for Medical Devices
Risk v. Controls
Step 3 Conduct a comprehensive risk analysis of the medical devices and their environment.
• NIST SP 800-30 provides a methodology for conducting a bona fide risk analysis.
• NIST SP 800-53 identifies the security controls that should be reflected in the risk analysis.
Using NIST, the Risk Analysis workflow looks like this:
1. The analysis should conduct a discovery process to identify every device and place them into a category or grouping of medical devices.
2. The controls present in the environment protecting those medical devices should be assessed.
Securing Medical Devices: Step 3
Conduct a comprehensive risk analysis of the medical devices and their environment (cont…)
Using NIST SP 800-30, the Risk Analysis workflow looks like this:
3. Based upon various threat scenarios and controls currently in place, assess the likelihood of a threat event occurring (e.g. ransomware)
4. Once likelihood has been determined, the impact of such a threat event should then be assessed.
5. Once likelihood and impact have been determined, you will then have a risk rating for each category or
01 Risk Acceptance
Risk acceptance is the appropriate risk response when the identified risk is within the organizational risk tolerance. NIST SP 800-39, pg. 42
02 Risk Mitigation
Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred. [Adding or enhancing controls or safeguards] NIST SP 800-39, pg. 42
03 Risk Transfer
Risk transfer shifts the risk liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance companies). NIST SP 800-39, pg. 43
04 Risk Avoidance
Risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk … to avoid the potential for unacceptable risk. NIST SP 800-39, pg. 42
Securing Medical Devices: Step 4
Risk Response and Remediation:
• Once the discovery, grouping and risk analysis of the medical devices have been conducted, the next step is risk response/remediation.
• From the risk analysis there should be a top tier of device categories that have identified vulnerabilities.
• Identify what controls, either direct or compensating, can be applied to the device groupings to mitigate the known risks/vulnerabilities.
• Once the controls have been updated, calculate the residual risk for each category that reflects the changes in the environment.
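The Step 1 to Step 4 workflow above, as an added example that is not part of the original deck: a small Python risk register that groups a constructed inventory into the deck's four patient-safety tiers, rates each tier by likelihood and impact, and recomputes the residual risk after the Step 4 controls are applied. The category-to-tier mapping, the 1-5 likelihood and impact scale, the rating thresholds and the sample devices are all assumptions made for illustration.

```python
# Step 2: the deck's four patient-safety tiers (outcome if a device in the tier is compromised).
TIER_OUTCOME = {1: "Patient death", 2: "Patient or operator injury", 3: "Inappropriate therapy, "
                "misdiagnosis or loss of critical materials", 4: "Other networked clinical device"}
# Assumed category-to-tier mapping; a real one is agreed with clinical engineering.
CATEGORY_TIER = {"infusion pump": 1, "anesthesia machine": 1, "smart bed": 2,
                 "ct scanner": 3, "lab analyzer": 3, "bp cuff": 4}
# Constructed Step 1 inventory (names are made up). "patched" = vendor-approved security
# patches installed; "isolated" = on a segmented network rather than the general LAN.
SAMPLE_DEVICES = [
    {"name": "Infusion pump 3W-12", "category": "infusion pump", "patched": False, "isolated": False},
    {"name": "Anesthesia workstation OR-2", "category": "anesthesia machine", "patched": True, "isolated": False},
    {"name": "Smart bed 4E-07", "category": "smart bed", "patched": False, "isolated": False},
    {"name": "CT scanner RAD-1", "category": "ct scanner", "patched": True, "isolated": True},
    {"name": "Wireless BP cuff ED-3", "category": "bp cuff", "patched": False, "isolated": False},
]

def tier_of(category):
    # Unknown categories default to Tier 4 so nothing silently drops out of the register.
    return CATEGORY_TIER.get(category.lower(), 4)

def group_by_tier(devices):
    groups = {}
    for d in devices:
        groups.setdefault(tier_of(d["category"]), []).append(d)
    return groups

def likelihood(group):
    # Step 3, assumed heuristic on a 1-5 scale: one unpatched or un-isolated member
    # raises the whole tier, since a group is only as strong as its weakest device.
    score = 2                                              # baseline: low
    score += 2 if any(not d["patched"] for d in group) else 0
    score += 1 if any(not d["isolated"] for d in group) else 0
    return min(score, 5)

def impact(tier):
    # Step 4, assumed: impact follows the safety tier, not the controls in place.
    return {1: 5, 2: 4, 3: 3, 4: 2}[tier]

def rating(like, imp):
    # Assumed qualitative matrix in the style of NIST SP 800-30's likelihood x impact table.
    return "High" if like * imp >= 15 else "Moderate" if like * imp >= 8 else "Low"

def risk_register(devices):
    """Return {tier: (likelihood, impact, rating)} for every tier present."""
    register = {}
    for tier, group in sorted(group_by_tier(devices).items()):
        like, imp = likelihood(group), impact(tier)
        register[tier] = (like, imp, rating(like, imp))
    return register

def apply_controls(devices, tiers=(1, 2)):
    # Model the Step 4 remediation for the top tiers: vendor patches installed and the
    # devices moved to an isolated segment. Returns new records; the input is untouched.
    return [{**d, "patched": True, "isolated": True}
            if tier_of(d["category"]) in tiers else d for d in devices]
```

Note that the controls lower likelihood only: the Tier 1 residual rating drops from High to Moderate, but its impact stays at the maximum because a compromise of an infusion pump still ends in Tier 1 harm.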
Questions to consider when conducting a risk analysis:
• Does the device(s) need to be on the network?
• Can it be isolated on the network?
• Can the device be accessed remotely?
• How are user accounts provisioned and managed if not integrated into Active Directory (and most devices do not integrate)?
• Are there policies and procedures that address user management?
• Assess the criticality of device in terms of patient safety or control groups
• Ensure that the appropriate people/groups are involved
• Know your environment – what known vulnerabilities are present?
• Have you previously done a complete and thorough Risk Analysis?
• Have you remediated any findings from the Risk Analysis?
• Assess the criticality of devices in terms of patient safety or device controls.
• What administrative, technical and physical controls are in place to protect networked and non-networked medical devices?
• Are these controls documented and represented in the Risk Analysis?
• Are additional controls, policies or procedures necessary to document compliance?
Q: How often should you conduct a risk analysis once the initial analysis has been conducted and responded to?
A: HHS doesn’t specify a timeframe; rather, the decision point is when there has been a material change to operations. For larger organizations this should be done annually.
Q: Is it a requirement to remediate all known risks?
A: No, an organization can accept any risk. However, what you should have in place is a roadmap for remediating the highest rated risks. Have a plan, establish metrics and stick to it.
Medical Device Patching and Other Medical Device Misconceptions:
• Can medical devices be patched?
Yes, but the patches must be vendor supplied and approved. There is a widespread belief that these devices can’t be patched. If there is a vendor provided security patch, you should install it.
• Stationary medical devices (MRI, CT, etc…) are more secure than other types of networked medical devices.
Not true. These systems are just as exposed on a network as any other device.
How to Manage Medical Devices: Step 5
Monitoring and Managing the Medical Device Lifecycle
• Is there adequate monitoring of user and device activity?
• Are network logs reviewed?
• If using a SIEM, are access and device logs ingested into the SIEM?
• Are there formal procedures for retiring or returning devices?
• Is network configuration data scrubbed from devices?
• Is ePHI scrubbed?
• How is the medical device lifecycle documented?
• Who is the responsible party for managing this process?
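The Step 5 monitoring questions above, as an added example that is not part of the original deck: a Python check that runs constructed firewall log lines against the device inventory and safety tiers from Steps 1 and 2, and flags devices that connect to anything other than their expected servers (the pattern behind the Microsoft/IoT item on the first slide) or that receive remote-access sessions from anywhere but a designated jump host. The log format, all addresses, the jump host, the port list and the 10.0.0.0/8 internal range are assumptions.

```python
import ipaddress
import re

# Constructed inventory excerpt from Steps 1-2: device IP -> (name, safety tier,
# the servers it legitimately talks to). All addresses are made up.
INVENTORY = {
    "10.20.1.15": ("Infusion pump 3W-12", 1, {"10.20.0.5"}),    # pump server
    "10.20.1.40": ("Smart bed 4E-07", 2, {"10.20.0.9"}),        # bed management server
    "10.20.2.80": ("CT scanner RAD-1", 3, {"10.20.0.20"}),      # PACS
}
JUMP_HOSTS = {"10.20.0.100"}            # assumption: only this host may open remote sessions
REMOTE_ACCESS_PORTS = {22, 3389, 5900}  # SSH, RDP, VNC
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: the hospital's address space
LOG_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")

# Constructed firewall log lines in an assumed key=value format (not real traffic).
SAMPLE_LOG = """\
2019-08-05T10:01:02 src=10.20.1.15 dst=10.20.0.5 dport=443 action=allow
2019-08-05T10:01:09 src=10.20.1.15 dst=203.0.113.7 dport=443 action=allow
2019-08-05T10:02:31 src=10.20.0.100 dst=10.20.1.40 dport=3389 action=allow
2019-08-05T10:03:12 src=10.20.5.23 dst=10.20.1.40 dport=3389 action=allow
2019-08-05T10:04:40 src=10.20.2.80 dst=10.20.0.20 dport=104 action=allow
2019-08-05T10:05:00 src=10.20.2.80 dst=10.20.0.21 dport=445 action=allow
"""

def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, dst, dport, action = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}

def findings(log_text):
    """Return (tier, device, description) tuples for suspicious allowed flows, worst tier first."""
    out = []
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or ev["action"] != "allow":   # blocked flows were already handled
            continue
        if ev["src"] in INVENTORY:               # a device initiating a connection
            name, tier, peers = INVENTORY[ev["src"]]
            if ev["dst"] not in peers:
                where = "internal" if ipaddress.ip_address(ev["dst"]) in INTERNAL_NET else "external"
                out.append((tier, name, f"unexpected {where} destination {ev['dst']}:{ev['dport']}"))
        if (ev["dst"] in INVENTORY and ev["dport"] in REMOTE_ACCESS_PORTS
                and ev["src"] not in JUMP_HOSTS):  # remote access from anywhere but the jump host
            name, tier, _ = INVENTORY[ev["dst"]]
            out.append((tier, name, f"remote access on port {ev['dport']} from {ev['src']}"))
    return sorted(out)
```

The same check can be expressed as a SIEM correlation rule once the inventory export carries the tier and expected-peer fields; sorting by tier puts the Tier 1 finding at the top of the review queue.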
• AAMI TIR57, Principles for medical device security – risk management
• Guidance on Risk Analysis Requirements under the HIPAA Security Rule
• IEC 80001-1:2010, Application of risk management for IT-networks incorporating medical devices - Part 1: Roles, responsibilities and activities
• ISO 14971, Medical devices — Application of risk management to medical devices
• FDA, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (Guidance)
• FDA, Postmarket Management of Cybersecurity in Medical Devices
• Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework)
• FDA – Medical Devices
• The FDA’s Role in Medical Device Cybersecurity
• NIST SP 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations (Draft)
• NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments
• NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System
Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.