October 25, 2017
Medical Devices at Risk? The Current Cybersecurity Landscape in Healthcare
Fall Meeting of the New England Society for Healthcare Materials Management
John Hayes - Cambridge Health Alliance/NESHMM
Rob Maliff - ECRI Institute
Overview
We face a number of threats to our I.T. system security. HHS reported 106 hacking incidents in 2016, more than double the number for 2015. Hackers seek information such as addresses, Social Security Numbers and credit card numbers, since this allows them to steal an identity for fraud purposes.

Breach Barometer Report: Year in Review (Protenus, Inc. in collaboration with DataBreaches.net)
- 2016 averaged at least one health data breach per day, affecting more than 27M patient records.
- Insiders were responsible for 192 health data breach incidents.
- It took an average of 233 days for a healthcare organization to discover it had a health data breach.
Top 2016 Hacking Incidents (Source: HHS)
In one of the 2016 incidents, hospital employees were potentially accessing patients' medical information for years because the organization lacked current technology to prevent it.

Breached Entity                    Individuals Affected
Banner Health                      3.6 million
Newkirk Products                   3.5 million
21st Century Oncology              2.2 million
Valley Anesthesiology Consultants  883,000
Peachtree Orthopaedic Clinic       531,000
Top 5 Concerns of CIOs (recent survey)
1. Vulnerabilities from aging applications and technologies
2. Human error
3. Malware
4. Phishing campaigns
5. Internet-facing attacks, such as distributed denial-of-service attacks
Ransomware
Ransomware is malware deployed to prevent an organization from accessing applications such as the EHR or other targeted systems. It either blocks access or encrypts the organization's data. Even if the organization pays the ransom demand, restored access is not guaranteed.
Recent legal attempts to deal with this issue: both California and Connecticut have passed legislation that makes ransomware illegal and outlines how these crimes will be prosecuted.
- California legislation calls for detention of up to four years and a fine of up to $10,000.
- Connecticut penalties are a $3,500 fine and up to 3 years in prison.
How secure is your organization?
FDA 510(k) clearance
In October 2017, Smiths Medical received FDA 510(k) clearance for the CADD®-Solis Ambulatory Infusion Pump v4.1 with wireless communication. What does that mean? What is the role of the FDA?
U.S. Cybersecurity response - agencies and organizations
Agencies/organizations involved in cybersecurity issues:
- National Telecommunications and Information Administration (Dept. of Commerce)
- FDA
- Department of Health and Human Services (HHS)
- Department of Homeland Security (DHS)
- NIST and NCCoE
Cyber: some recent history...
- Feb. 2016: National Institute of Standards and Technology: NCCoE (National Cybersecurity Center of Excellence) start-up launched in February 2016.
- July 2016: Baldrige performance cybersecurity framework adopted by NCCoE.
- Dec. 2016: FDA publishes "Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff".
- Dec. 2016: President-elect promised to release an anti-hacking plan in his first 90 days in office.
- Apr. 2017: Erie County Medical Center computer shutdown affected surgeries.
- Apr. 2017: Congress worked on the Main Street Cybersecurity Act; 60% of businesses close after an attack (bipartisan support in the Senate).
- Apr. 2017: FDA fact sheet on its role in medical device cybersecurity.
- May 2017: NCCoE released a publication titled "Securing Wireless Infusion Pumps", seeking feedback.
- May 2017: FDA held a public workshop on cybersecurity of medical devices.
- May 2017: FBI: James Comey: "hospitals should join forces with the bureau for better cybersecurity."
- June 2017: Health Care Industry Cybersecurity Task Force reports to Congress.
- July 2017: Health and Human Services issued guidelines on whether ransomware incidents should be reported as breaches under HIPAA.
- Aug. 2017: NIST crafts next-generation safeguards for information systems and the Internet of Things.
- Sept. 2017: NIST/NCCoE releases new guide "Data Integrity: Recovering from Ransomware and Other Destructive Events".
- Sept. 2017: Blockchain prototype tested (Pfizer and ABC) to verify the authenticity of their drugs.
- Oct. 2017: House bill "The Internet of Medical Things Resilience Partnership Act".
The Internet of Medical Devices
- More than 20,000 medical device manufacturers/resellers/distributors
- Average number of devices per bed is around 17
- 1 in 4 of these bedside devices are networked, and the share is increasing
- The healthcare industry spends about 5% of its IT budget on security; financial institutions average 15%.
Medical Device Hacking - What Do We Know?
Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System: FDA Safety Communication (July 31, 2015)
- Remote ability to control an infusion pump
- "We strongly encourage that health care facilities transition to alternative infusion systems, and discontinue use of these pumps." - FDA
Medical Device Hacking - What Do We Know?
Cybersecurity vulnerabilities from a short seller?
- Security research group MedSec and Muddy Waters Research (an investment firm) released a report detailing vulnerabilities in the St. Jude pacemaker in August 2016.
- Potentially the first case where public disclosure of a medical device cyber-vulnerability pushed a manufacturer to develop a solution rapidly.
- St. Jude initially denied that any vulnerabilities were present in its system.
- FDA Safety Communication (1/9/2017): Cybersecurity Vulnerabilities Identified in St. Jude Medical's Implantable Cardiac Devices and Merlin@home Transmitter
Medical Device Hacking - What Do We Know?
Ransomware - the new normal: low risk, high reward
- WannaCry/Petya/KRACK attacks
WannaCry ransomware: low risk, high reward
Motivations for ransomware:
- Revenge
- Personal gain
- Bragging
- Theft of: a) identity - $500; b) medical record - $50; c) clinical research; or d) formulations/procedures
Patch Management: Challenges in Updating Medical Devices
How do you ensure that medical devices are up to date with the latest security patches? Develop a policy for updating your medical devices.
MYTH - "FDA needs to approve a cybersecurity patch."
MYTH - "Customers need to place devices on a secure network."
Challenges:
- Lagging security patches - at best 2-3 months behind
- Often a hands-on update is required
- Equipment downtime -> impact on patient care
- Disconnect between FDA and the manufacturer
- Security patches do not need a new 510(k)
What if a device was compromised...
- Disabled communication to other information systems: impact on normal workflow, e.g., data does not flow to the patient's EHR
- Disabled the device: availability of the device to perform its intended function may be limited; possibly mitigated by a backup unit
- Used as a vector to attack the organization's network: compromised wireless network credentials; compromised enterprise network
What if a device was compromised...
- Altered the intended operation of the device: change device configuration or settings. Difficult, extended device access required - there are easier ways to hurt people.
- Stolen PHI: confidential patient information lost; loss of trust in the organization; financial impacts, fines
Healthcare Facility Action Plan: A Significant Resource Commitment
- Equipment management
- Patch management
- Staff security training
- Vulnerability scanning
- Risk management
- Sourcing - RFP language to include security features
- Device integration test lab
Equipment Management: Start with Documentation!
- Identify: Which devices are connected to the network?
- Document: software versions, network configuration settings, IP addresses, MAC addresses
- Prioritize: Does the device hold PHI? Life-critical functionality - what happens if you cannot use the device?
Patch Management: Ransomware/WannaCry Do's
- Identify networked medical devices/servers/workstations that are running a Windows OS.
- Identify whether connected medical devices/device servers have received the relevant Microsoft Windows OS MS17-010 security patch.
- Consider running a vulnerability scan on your medical device networks to identify affected medical devices.
- Prioritize response on any connected Windows-OS-based medical device systems.
Patch Management: Ransomware/WannaCry Do's (continued)
If a malware infection is identified or suspected in a medical device:
- If clinically acceptable, disconnect the medical device from the network and work with your internal IT and Clinical Engineering departments and the device manufacturer to contain the infection and restore the system.
- If any unencrypted patient data was involved, have risk management coordinate the response to the data breach, as per its obligation under HIPAA.
Don'ts
- Don't overreact.
- Don't install unvalidated patches.
- Don't simply turn off or disconnect all networked medical devices that have a Windows OS.
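As an added example (not from the deck or from ECRI), the Identify/Document/Prioritize inventory from the Equipment Management slide combined with the MS17-010 check from the WannaCry Do's, in Python. The device names, addresses and patch state are constructed sample data, and the priority weighting (life-critical before PHI) is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    """One row of the inventory the Equipment Management slide asks for."""
    name: str
    ip: str
    mac: str
    os: str
    sw_version: str
    networked: bool      # Identify: is it connected to the network?
    holds_phi: bool      # Prioritize: does it hold PHI?
    life_critical: bool  # Prioritize: what happens if you cannot use it?
    patches: set = field(default_factory=set)  # security bulletins applied

WANNACRY_BULLETIN = "MS17-010"  # the patch the WannaCry Do's slide refers to

# Constructed sample inventory (hypothetical devices and addresses, not from the deck).
INVENTORY = [
    Device("Infusion pump server", "10.10.1.5", "00:11:22:33:44:01", "Windows Server 2008 R2", "4.1", True, True, True, {"MS17-010"}),
    Device("Patient monitor", "10.10.2.20", "00:11:22:33:44:02", "Windows XP Embedded", "2.3", True, True, True),
    Device("Lab analyzer", "10.10.3.7", "00:11:22:33:44:03", "Windows 7", "5.0", True, True, False),
    Device("Portable ultrasound", "", "00:11:22:33:44:04", "Linux", "1.8", False, True, False),
    Device("Imaging workstation", "10.10.4.9", "00:11:22:33:44:05", "Windows 10", "3.2", True, True, False, {"MS17-010"}),
]

def is_windows(dev: Device) -> bool:
    return dev.os.lower().startswith("windows")

def exposed_to_wannacry(dev: Device) -> bool:
    """Networked, Windows-based and missing MS17-010: the devices the Do's tell you to find."""
    return dev.networked and is_windows(dev) and WANNACRY_BULLETIN not in dev.patches

def priority(dev: Device) -> int:
    """Higher is more urgent: life-critical devices first, then PHI holders (assumed weighting)."""
    return 2 * int(dev.life_critical) + int(dev.holds_phi)

def triage(inventory):
    """Exposed devices, most urgent first, with the documentation fields the slide lists.
    Responding per device is the alternative to the Don't of disconnecting everything."""
    exposed = sorted((d for d in inventory if exposed_to_wannacry(d)), key=priority, reverse=True)
    return [(d.name, d.ip, d.mac, d.os, d.sw_version, priority(d)) for d in exposed]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row)
```

Patched Windows hosts and the non-Windows, non-networked ultrasound drop out of the list, so the response effort lands on the unpatched, networked Windows devices in clinical-impact order.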
Staff Security Training
Ensure appropriate security training is in place:
- Phishing scams: identify suspect emails; do not click on every email link
- USB drives can spread viruses and cause device malfunction (ECRI Top 10 Hazard 2015). USB use policy - block USB use if merited.
- Passwords do matter! Promote the importance of strong passwords. Password sharing: passwords do not belong on a post-it note by the nurses' station.
- BYOD (bring your own device): establish a policy on how to deal with BYOD
Vulnerability Scanning
- Standard network tool to identify known vulnerabilities; commonplace for IT assets; limited to known vulnerabilities
- Medical devices - can I scan it? Not always: network scanning took out a facility's telemetry system.
- Scanning of medical devices may be best done during the day shift, so that if something does go wrong there is sufficient staffing to address it.
Risk Management: What to do with my networked medical devices?
- Identify existing vulnerabilities
- Develop compensating controls to minimize risk, e.g., block commonly used communication ports
- Human resources to address network security needs, e.g., a CISO
- Consider the adoption of ANSI/AAMI/IEC 80001-1:2010
RFP language to include security features
- Include language about common security features. Buying a system based on Windows XP with a lot of known vulnerabilities is not necessarily the best idea!
- MDS2 - Manufacturer Disclosure Statement for Medical Device Security: require it!
- VA Directive 6550 for pre-procurement assessment
The Ultimate Questions for Medical Device Cybersecurity
After conducting a model-specific risk assessment for cybersecurity, does the hospital:
- Upgrade the device? If an upgrade is even available.
- Replace the device? If capital is available.
- Accept the risk of continued use? If all options are exhausted and safeguards implemented.
For more ECRI assistance with medical device cybersecurity
- Medical Device Cybersecurity Gap Analysis
- Medical Device Inventory Cyber Risk Analysis
Rob Maliff, rmaliff@ecri.org, (610) 825-6000, ext. 5130