313 – Security Challenges in Healthcare IoT - ME
Marco Ermini, CISSP, CISA, CISM – Senior IT Security Analyst – ResMed
© ISACA 2016.
All Rights Reserved.
#EUROCACS
Agenda
• Context: CPS, Industry 4.0, IoT, Security Challenges
• Threat Model for Medical IoT Devices
• Regulatory background for Cybersecurity on Medical Devices
• Suggestions for improvements

CPS, Industry 4.0, IoT, Security Challenges

Context for IoT
• Marc Andreessen’s “Software is eating the world” (2011)
  – Software companies take over the economy
  – Industries are disrupted by software
  – The technology required to transform an industry via software is available on a global scale
  – Software eats up the value chain of “physical” industries
  – In every industry, companies need to assume that a software revolution is coming
• Agile management practices
  – Agile, Scrum, Continuous Delivery
  – Transition from software into other sectors

Cyber-Physical Systems (CPS)
• Must satisfy these characteristics:
  – Link between a computational and a physical element
  – “Smart”
  – Must talk together – are “networked”

Industry 4.0 and CPS ecosystem
• Interoperability
• Virtualization
• Decentralization
• Real-Time Capability
• Service Orientation
• Modularity
• Often connected with machine learning (AI)

Definition of IoT
• Link between a computational and a physical element – “CPS”
• “Smart”
• Must talk together – are “networked”

Definition of IoT
• Classification
  – Industrial/Manufacturing applications
  – Energy
  – Military
  – Robotics
  – Infrastructure
  – Insurance
  – Health Care
  – Consumer Products
    • Wearables
    • Media
    • Home Automation
    • Smart Appliances

IoT Security Challenges
• Complex attack surface
  – Device itself
  – Apps
  – Backend
• Specificities:
  – Interaction
  – Patching
  – Physical
  – Market acceleration
  – No standardisation

Threat Model for Medical IoT Devices

Risks for Medical IoT Devices
• E2E data lifecycle protection risks
  – Physical security
  – Orchestration issues
  – Lack of standardisation
  – Platform(s) security
• Disruption from Cybersecurity attacks
  – Denial of Cybersecurity issues by device manufacturers
  – “Security is always secondary after safety”
  – Security bolted on, rather than built in by design
• Lack of Visible and Usable Security & Privacy
  – “Internet of someone else’s Thing”

Attack Vectors for Medical IoT Devices
• Network Security
• Direct PCB Attacks
• Interfaces
• Applications
• Backend
• Software Updates

Network Connectivity
• Wi-Fi
• Bluetooth/Bluetooth LE
• Home Automation (ZigBee / Z-Wave / X10)
• Cellular (2/3/4/5G, M2M)
• “Low Power” networking (LoRa, LTE-M, Sigfox, NarrowBand)
• Ethernet / Serial over Ethernet
• “Industrial” protocols
  – DeviceNet (CAN)
  – ControlNet
  – Profibus (PROFINET)
  – Modbus
  – …

Network Connectivity Attacks
• Wi-Fi attacks
• Bluetooth attacks
• ZigBee attacks
• Z-Wave “security by obscurity”
• X10 intrinsic limitations
• Cellular Network attacks
  – 3/4G attacks
  – M2M attacks
  – Configuration mistakes
• Industrial Protocols’ limitations
• “Internet of S*it”, “Internet of Stupid Things”, “Internet of Junk”

Internet of Junk

Direct PCB Attacks
• At least two attacks are generally possible on the PCB
  – Serial port
  – JTAG port
• Internal Communication Modules can be attacked

Interfaces’ Attacks
• Tendency of moving care from facilities to the home
• USB attacks
  – “BadUSB” attacks on the host OS
  – Serial Ports on medical devices
• Indirectly, what is the status of the healthcare facility’s network?
  – Serial-to-Ethernet or Serial-to-Wi-Fi converters
  – SANS Healthcare Cyber Threat Report
  – Forced evolution over IPv6
  – 81% of healthcare facilities in the US had a security incident

Applications’ Security
• Everything has an “App”
• Disconnection between perception and reality
• Analysis of 126 popular mobile health and mobile finance apps from the US, UK, Germany, Japan (71 health)
  – 87% of executives feel their Apps are secure enough
  – 90% (86% health) had critical security vulnerabilities
  – 98% (97% health) lacked software integrity protection
  – 83% (79% health) had data leakage / broken data transport
  – All were approved by FDA and NHS

Backend Security
• HIPAA Security Rule/HITECH/NIST Cybersecurity Framework
• European Network and Information Security (NIS) directive
• Authentication can depend on the kind of transport network used
• Sniffing of traffic can reveal attack vectors to be used against the backend
• The healthcare industry is a popular – and growing – target
  – Credit cards can be replaced – PHI/PII data cannot
  – Cost of notifications
  – Post-breach costs

Software Updates
• “OWASP Top 10 for IoT”
• Susceptible to MITM
  – Relatively easy to address in centralized scenarios, but difficult to deploy in standalone apps
• Updating embedded devices is trickier
  – Unconventional constraints and threats
  – New risks
• Signed updates require a PKI / an always-on system
• Unsigned updates are the norm

Regulatory background

Medical Devices’ Cybersecurity Req’s (USA)
• FDA CFR Title 21, Part 11 – Electronic Records; Electronic Signatures
• FDA CFR Title 21, Part 820 – Quality System Regulation/MD GMP
• FDA “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”
• FDA “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”
• FDA “Postmarket Management of Cybersecurity in Medical Devices” (DRAFT)
  – Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework)
  – ISO 14971:2007 “Application of risk management to medical devices”
• ANSI/AAMI/IEC 80001-1 “Application of Risk Management for IT-Networks Incorporating Medical Devices”

FDA CFR Title 21, Part 11 – ERES
• 2003, 2014, 2016
• Manufacturers must implement controls, including
  – Validations
  – Audit Trails, documentation for software and systems
  – Method to retain legacy systems
  – Record Retention
  – Electronic Signatures
• Practically speaking: use PGP for FDA submissions
  – 15 reasons not to use PGP: http://secushare.org/PGP
  – No good Authority, no forward secrecy (FS), old crypto, incompatibilities, relies on email (in)security, bad key usage, etc.

FDA CFR Title 21, Part 820 – QSR MD CGMP
• 1978, 1996
• FDA CFR 21 Part 820
  – Subpart C 820.30 “Design Controls”
  – Subpart J 820.100 “Corrective and Preventive Action”
• Compliance management issues
  – Patient’s consent
  – Need to disconnect/tokenize EU users
  – Healthcare provider: data processors

FDA – Premarket Submissions for Management of Cybersecurity in Medical Devices
• 2014
• Not compulsory
• Recognises additional risks for “connecting” devices
• Manufacturers should
  – “address cybersecurity during design and development phase”
  – “establish design inputs for their device related to cybersecurity”
  – “establish a cybersecurity vulnerability and management approach”
  – provide the specific Cybersecurity documentation it requires
    • Hazard analysis, traceability matrix, secure updates, software integrity, additional Cybersecurity controls
  – employ the NIST Cybersecurity Framework

FDA – Premarket Submissions – issues
• Risk assessment is focused on the patient’s health, not Cybersecurity risks
• Besides patients’ risk, hospitals’ networks are in scope
• FDA does not necessarily question the content
• No verification/test of effectiveness is required

FDA “Cybersecurity for Devices Containing Off-the-Shelf Software”
• 2015
• Not compulsory – “current thinking” of FDA
• Focus on OTS software which connects to the Internet
  – also “useful” for network administrators and IT vendors
• The medical device vendor is responsible for Cybersecurity
• Clarifies that CFR 820.100 also includes Cybersecurity

FDA “Postmarket Management of Cybersecurity in Medical Devices” (DRAFT)
• 2016
• Recommends the NIST Cybersecurity Framework
  – “Identify, Protect, Detect, Respond and Recover”
  – Recommends ISO 14971 for risk assessment
• Monitor Cybersecurity information sources
• Assess the impact of vulnerabilities (using CVSS)
• Establishes the need for a process for handling vulnerabilities
• Deploy early mitigations

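The draft postmarket guidance asks manufacturers to rate each vulnerability's impact with CVSS. The following Go program is an added example, not code from the original deck, from FDA or from any vendor: a CVSS v3.1 base-score calculator that parses a vector string, applies the public v3.1 weights and rounding rule, and maps the score to the qualitative severity band used for triage. It goes beyond the slide in handling the general case (Scope: Changed, malformed vectors); the vector in main is constructed for illustration and is not taken from any real advisory.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strings"
)

var ErrVector = errors.New("cvss: invalid base vector") // wraps every parse failure

// Base-metric weights from the CVSS v3.1 specification (PR values for Scope: Unchanged).
var weights = map[string]map[string]float64{
	"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
	"AC": {"L": 0.77, "H": 0.44},
	"PR": {"N": 0.85, "L": 0.62, "H": 0.27},
	"UI": {"N": 0.85, "R": 0.62},
	"S":  {"U": 0, "C": 1}, // not a weight: 1 flags Scope: Changed
	"C":  {"H": 0.56, "L": 0.22, "N": 0},
	"I":  {"H": 0.56, "L": 0.22, "N": 0},
	"A":  {"H": 0.56, "L": 0.22, "N": 0},
}

// Privileges Required weighs more when Scope is Changed.
var prChanged = map[string]float64{"N": 0.85, "L": 0.68, "H": 0.5}

// roundUp is the v3.1 Roundup: smallest one-decimal value >= x, via a scaled integer.
func roundUp(x float64) float64 {
	i := int64(math.Round(x * 100000))
	if i%10000 == 0 {
		return float64(i) / 100000
	}
	return (math.Floor(float64(i)/10000) + 1) / 10
}

// BaseScore computes the CVSS v3.1 base score (0.0 to 10.0) of a vector string.
func BaseScore(vector string) (float64, error) {
	parts := strings.Split(vector, "/")
	if !strings.HasPrefix(parts[0], "CVSS:3.") {
		return 0, fmt.Errorf("%w: prefix %q", ErrVector, parts[0])
	}
	m := make(map[string]string)
	for _, p := range parts[1:] {
		kv := strings.SplitN(p, ":", 2)
		if len(kv) != 2 {
			return 0, fmt.Errorf("%w: component %q", ErrVector, p)
		}
		m[kv[0]] = kv[1]
	}
	v := make(map[string]float64)
	for metric, table := range weights { // a missing metric shows up as "" here
		w, ok := table[m[metric]]
		if !ok {
			return 0, fmt.Errorf("%w: %s=%q", ErrVector, metric, m[metric])
		}
		v[metric] = w
	}
	changed := v["S"] == 1
	if changed {
		v["PR"] = prChanged[m["PR"]]
	}
	iss := 1 - (1-v["C"])*(1-v["I"])*(1-v["A"])
	impact := 6.42 * iss
	if changed {
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	}
	exploitability := 8.22 * v["AV"] * v["AC"] * v["PR"] * v["UI"]
	if impact <= 0 {
		return 0, nil
	}
	if changed {
		return roundUp(math.Min(1.08*(impact+exploitability), 10)), nil
	}
	return roundUp(math.Min(impact+exploitability, 10)), nil
}

// Severity maps a base score to the v3.1 qualitative rating scale.
func Severity(score float64) string {
	switch {
	case score == 0:
		return "None"
	case score < 4:
		return "Low"
	case score < 7:
		return "Medium"
	case score < 9:
		return "High"
	}
	return "Critical"
}

func main() {
	// Constructed vector for illustration, not taken from any real advisory.
	vec := "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" // full compromise, but only with physical access
	if s, err := BaseScore(vec); err == nil {
		fmt.Printf("%s -> %.1f (%s)\n", vec, s, Severity(s))
	}
}
```

The same full-compromise impact scores 9.8 (Critical) over the network but 6.8 (Medium) when it needs physical access, which is the kind of distinction a postmarket process needs in order to decide what to mitigate first; the base score still has to be read together with the patient-safety hazard analysis the deck discusses, since CVSS measures technical impact, not clinical harm.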
FDA “Postmarket Management of Cybersecurity” (DRAFT) – issues
• Only a “guidance”, with few compulsory sections
• Not binding for device compliance
• Risk context is Quality, not Security
• No differentiation between levels of risk – threat modelling is very simple
• Does not encourage an efficient way of building an ISMS
• Simplistic mitigation procedures
  – Who ensures mitigation procedures are followed?
  – What is the boundary that triggers the need for re-approval?
  – A “security patch” is not a panacea

ANSI/AAMI/IEC 80001-1
• 2010 – started in 2005
• Matches the IEC 14971 standard at the network level
• Intended for healthcare providers (hospitals)
• MDDSs require FDA registration/Responsibility Agreement
• Safety, Effectiveness, Data and System Security

Medical Devices’ Cybersecurity Req’s (EU)
• European Network and Information Security (NIS) directive
• “The Alliance for Internet of Things Innovation (AIOTI)”
• IEC 80001-1 “Application of Risk Management for IT-Networks Incorporating Medical Devices”
• ISO/IEC 270xx standards

NIST Resources
• SP 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
• SP 800-61: Computer Security Incident Handling Guide
• DRAFT SP 800-53: Recommended Security Controls for Federal Information Systems
• SP 800-55: Security Metrics Guide for Information Technology Systems
• SP 800-50: Building an Information Technology Security Awareness and Training Program
• SP 800-42: Guideline on Network Security Testing
• SP 800-35: Guide to Information Technology Security Services
• SP 800-34: Contingency Planning Guide for Information Technology Systems
• SP 800-30: Risk Management Guide for Information Technology Systems
• SP 800-27 Rev. A: Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
• SP 800-26: Security Self-Assessment Guide for Information Technology Systems

Other Resources
• ECRI publications
  – “Security Guide for Biomedical Technology”
  – “How FDA Sees Cybersecurity”
• ISO/IEC 60601-1 (2005)
• HIMSS/NEMA HN 1-2008 Manufacturer’s Disclosure Statement for Medical Device Security (MDS2)
• MIL-STD-882E DOD’s Standard Practice for System Safety
• ACCE ECRI Security Guide for Biomedical Technology
• The Joint Commission Sentinel Event Alert #42: Safely implementing health information and converging technologies, December 11, 2008
• Systems Engineering Guide for Systems of Systems, Version 1.0 (ODUSD), 2008

Suggestions for improvements

Suggestions for improvements
• Network Communication Standardisation
  – Including security interfaces
• Regulation step-up
  – Making cybersecurity prescriptive / revise 510(k)
  – Simplify the normative jungle
• Change the thinking paradigms of Medical Device manufacturers
  – Collaboration between P&D and InfoSec/Risk Management
  – “Security should be evaluated according to its impact on safety”
  – Less simplistic approach for FDA Cybersecurity Risk Assessments
• Cybersecurity!
  – Security by design (as required by the new EU GDPR)
  – Re-use existing frameworks as much as possible
  – Implement advanced OS security (e.g. signed updates, fail safely)
  – Harness technological advances

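Two slides make the same point from opposite ends: "Software Updates" notes that unsigned updates are the norm, and the suggestion above is to implement signed updates that fail safely. The Go program below is an added example, not code from the original deck or from any device vendor, showing what that looks like on the device side. The package layout, the "MDFW" magic value and the field names are constructed for the example; the signature is Ed25519 from Go's standard library. The key pair generated in main stands in for the manufacturer's signing key, which in practice never leaves the signing infrastructure. The verifier rejects unsigned, tampered, truncated and replayed (older) images, and on any error the caller keeps the image it is already running.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Package layout, constructed for this example (not any vendor's format):
//   magic[4] | version uint32 BE | payloadLen uint32 BE | payload | sig[64]
// sig is an Ed25519 signature over SHA-256 of everything before it, so the
// version the device acts on is covered by the signature, not only the code.
const (
	magic     = "MDFW"
	headerLen = 4 + 4 + 4
)

var (
	ErrMalformed    = errors.New("update: malformed package")
	ErrUnsigned     = errors.New("update: package carries no signature")
	ErrBadSignature = errors.New("update: signature does not verify")
	ErrRollback     = errors.New("update: version is not newer than the installed one")
)

// GenerateKeys makes a signing key pair; in production the private key never
// leaves the manufacturer's signing infrastructure, only the public key ships.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Build is the manufacturer side; priv == nil yields the unsigned package a
// device must refuse.
func Build(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	pkg := make([]byte, headerLen, headerLen+len(payload)+ed25519.SignatureSize)
	copy(pkg[0:4], magic)
	binary.BigEndian.PutUint32(pkg[4:8], version)
	binary.BigEndian.PutUint32(pkg[8:12], uint32(len(payload)))
	pkg = append(pkg, payload...)
	if priv == nil {
		return pkg
	}
	digest := sha256.Sum256(pkg)
	return append(pkg, ed25519.Sign(priv, digest[:])...)
}

// Verify is the device side: parse defensively, check the signature before
// trusting any field, then enforce anti-rollback. Any error means "keep the
// current image"; on success it returns the new version and payload.
func Verify(pub ed25519.PublicKey, installed uint32, pkg []byte) (uint32, []byte, error) {
	if len(pkg) < headerLen || string(pkg[0:4]) != magic {
		return 0, nil, ErrMalformed
	}
	version := binary.BigEndian.Uint32(pkg[4:8])
	bodyLen := uint64(headerLen) + uint64(binary.BigEndian.Uint32(pkg[8:12]))
	switch {
	case bodyLen > uint64(len(pkg)):
		return 0, nil, ErrMalformed
	case bodyLen == uint64(len(pkg)):
		return 0, nil, ErrUnsigned
	case bodyLen+ed25519.SignatureSize != uint64(len(pkg)):
		return 0, nil, ErrMalformed
	}
	body, sig := pkg[:bodyLen], pkg[bodyLen:]
	digest := sha256.Sum256(body)
	if !ed25519.Verify(pub, digest[:], sig) {
		return 0, nil, ErrBadSignature
	}
	if version <= installed { // validly signed but older: a replayed image
		return 0, nil, ErrRollback
	}
	return version, append([]byte(nil), body[headerLen:]...), nil
}

func main() {
	pub, priv, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	installed := uint32(1) // constructed device state: running v1
	tampered := Build(priv, 3, []byte("firmware v3"))
	tampered[headerLen] ^= 0x01 // flip one payload bit after signing
	for _, pkg := range [][]byte{
		Build(priv, 2, []byte("firmware v2")), // accepted: signed and newer
		tampered,                              // rejected: signature fails
		Build(nil, 3, []byte("firmware v3")),  // rejected: unsigned
		Build(priv, 2, []byte("firmware v2")), // rejected: replay of an old version
	} {
		if v, _, err := Verify(pub, installed, pkg); err != nil {
			fmt.Printf("rejected (%v); still running v%d\n", err, installed) // fail safely
		} else {
			installed = v
			fmt.Printf("installed v%d\n", installed)
		}
	}
}
```

The slide's caveat that signed updates need a PKI or an always-on system is sidestepped here by pinning a single public key in the device, which verifies offline but means key rotation and revocation need their own planned mechanism; the anti-rollback check is what stops an attacker from "updating" a device to an older, validly signed build with a known weakness.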
“I Am The Cavalry” Hippocratic Oath
• Cyber Safety by Design: I respect domain expertise from those that came before. I will inform design with security lifecycle, adversarial resilience, and secure supply chain practices.
• Third-Party Collaboration: I acknowledge that vulnerabilities will persist, despite best efforts. I will invite disclosure of potential safety or security issues, reported in good faith.
• Evidence Capture: I foresee unexpected outcomes. I will facilitate evidence capture, preservation, and analysis to learn from safety investigations.
• Resilience and Containment: I recognize failures in components and in the environment are inevitable. I will safeguard critical elements of care delivery in adverse conditions, and maintain a safe state with clear indicators when failure is unavoidable.
• Cyber Safety Updates: I understand that cyber safety will always change. I will support prompt, agile, and secure updates.

Questions?

Thank you
