October 25, 2017
Medical Devices at Risk? The Current Cybersecurity Landscape in Healthcare
Fall Meeting of the New England Society for Healthcare Materials Management
John Hayes – Cambridge Health Alliance/NESHMM
Rob Maliff – ECRI Institute
Overview
We face a number of threats to our I.T. system security. HHS reported 106 hacking incidents in 2016, more than double the number for
Hackers seek information such as addresses, Social Security numbers and credit card numbers, because this allows them to steal an identity for fraud purposes.
Breach Barometer Report: Year in Review: 2016 averaged at least one health data breach per day, affecting more than 27M patient records. Insiders were responsible for 192 health data breach incidents. It took an average of 233 days for a healthcare organization to discover it had a health data breach. (Protenus, Inc. in collaboration with DataBreaches.net)
Top 2016 Hacking Incidents (Source: HHS)
In one of the 2016 incidents, hospital employees were potentially accessing patients' medical information for years because the technology to prevent this was not in place.
Breached entity – Individuals affected
  Banner Health – 3.6 million
  Newkirk Products – 3.5 million
  21st Century Oncology – 2.2 million
  Valley Anesthesiology Consultants – 883,000
  Peachtree Orthopaedic Clinic – 531,000
Top 5 Concerns of CIOs – recent survey
1. Vulnerabilities from aging applications and technologies
2. Human error
3. Malware
4. Phishing campaigns
5. Internet-facing attacks, such as distributed denial-of-service attacks
Ransomware
Ransomware is malware deployed to prevent organizations from accessing applications such as the EHR or other targeted systems. It will either refuse access or encrypt the organization's data. Even if the organization pays the ransom demand, this does not guarantee restored access.
Recent legal attempts to deal with this issue: both California and Connecticut have passed legislation that makes ransomware illegal and outlines how these crimes will be prosecuted.
  California legislation calls for detention of up to four years and a fine of up to $10,000.
  Connecticut penalties are a $3,500 fine and up to 3 years in prison.
How secure is your organization?
FDA 510(k) clearance
In October 2017, Smiths Medical received FDA 510(k) clearance for the CADD®-Solis Ambulatory Infusion Pump v4.1 with wireless communication.
What does that mean? What is the role of the FDA?
U.S. Cybersecurity response – agencies and organizations
Agencies/organizations involved in cybersecurity issues:
  National Telecommunications and Information Administration (Department of Commerce)
  FDA
  Department of Health and Human Services (HHS)
  Department of Homeland Security (DHS)
  NIST and NCCoE
Cyber: some recent history…
Feb. 2016: NIST (National Institute of Standards and Technology): NCCoE (National Cybersecurity Center of Excellence) start-up launched in February 2016.
July 2016: Baldrige performance cybersecurity framework adopted by NCCoE.
Dec. 2016: FDA publishes Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff.
Dec. 2016: President-elect promised to release an anti-hacking plan in his first 90 days in office.
Apr. 2017: Erie County Medical Center computer shutdown affected surgeries.
Apr. 2017: Congress worked on the Main Street Cybersecurity Act; 60% of businesses close after an attack (bipartisan support in the Senate).
Apr. 2017: FDA fact sheet on its role in medical device cybersecurity.
May 2017: NCCoE released a publication titled Securing Wireless Infusion Pumps, seeking feedback.
May 2017: FDA held a public workshop on cybersecurity of medical devices.
May 2017: FBI: James Comey: "hospitals should join forces with the bureau for better cybersecurity."
June 2017: Health Care Industry Cybersecurity Task Force reports to Congress.
July 2017: Health and Human Services issued guidelines on whether ransomware incidents should be treated as breaches under HIPAA.
Aug. 2017: NIST crafts Next-Generation Safeguards for Information Systems and the Internet of Things.
Sept. 2017: NIST/NCCoE releases new guide "Data Integrity: Recovering from Ransomware and Other Destructive Events".
Sept. 2017: Blockchain prototype tested (Pfizer and ABC) to verify the authenticity of their drugs.
Oct. 2017: House bill "The Internet of Medical Things Resilience Partnership Act".
The Internet of Medical Devices
  > 20,000 medical device manufacturers/resellers/distributors
  Average number of devices per bed is around 17
  1 in 4 of these bedside devices are networked, and the share is increasing
  Healthcare industry spends about 5% of its IT budget on security; financial institutions average 15%
Medical Device Hacking – What Do We Know?
Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System
FDA Safety Communication (July 31, 2015): remote ability to control an infusion pump.
"We strongly encourage that health care facilities transition to alternative infusion systems, and discontinue use of these pumps." – FDA
Medical Device Hacking – What Do We Know?
Cybersecurity Vulnerabilities from a Short Seller?
A security research group, MedSec, and Muddy Waters Research (an investment firm) released a report detailing vulnerabilities in the St. Jude pacemaker in August 2016. This is potentially the first case where public disclosure of a medical device cyber-vulnerability pushed a manufacturer to develop a solution rapidly. St. Jude initially denied that any vulnerabilities were present in its system.
FDA Safety Communication (1/9/2017): Cybersecurity Vulnerabilities Identified in St. Jude Medical's Implantable Cardiac Devices and Transmitter
Medical Device Hacking – What Do We Know? Ransomware – The New Normal
Low risk, high reward: WannaCry/Petya/KRACK attacks
WannaCry ransomware – Low Risk, High Reward
Motivations for ransomware:
  Revenge
  Personal gain
  Bragging
  Theft of: a) identity – $500; b) medical record – $50; c) clinical research; or d) formulations/procedures
Patch Management – Challenges in Updating Medical Devices
How to ensure that medical devices are up to date with the latest security patches? Develop a policy for updating your medical devices.
MYTH – "FDA needs to approve a cybersecurity patch."
MYTH – "Customers need to place devices on a secure network."
Challenges:
  Lagging security patches – at best 2–3 months behind
  Often a hands-on update is required
  Equipment downtime -> impact on patient care
  Disconnect between FDA and the manufacturer
  Security patches do not need a new 510(k)
What if a device was compromised…
Disabled communication to other information systems
  Impacts normal workflow, e.g., data does not flow to the patient's EHR
Disabled the device
  Availability of the device to perform its intended function may be limited
  Possibly mitigated by a backup unit
As a vector to attack the organization's network
  Compromised wireless network credentials
  Compromised enterprise network
What if a device was compromised…
Alter the intended operation of the device
  Change device configuration or settings
  Difficult, extended device access required – there are easier ways to hurt people
Steal PHI
  Confidential patient information lost
  Loss of trust in the organization
  Financial impacts, fines
Healthcare Facility Action Plan – A Significant Resource Commitment
  Equipment management
  Patch management
  Staff security training
  Vulnerability scanning
  Risk management
  Sourcing – language to include security features
  Device integration test lab
Equipment Management – Start with Documentation!
Identify
  Which devices are connected to the network?
Document
  Software versions
  Network configuration settings
  IP addresses
  MAC addresses
Prioritize
  Does the device hold PHI?
  Life-critical functionality – what happens if you cannot use the device?
Patch Management – Challenges in Updating Medical Devices
How to ensure that medical devices are up to date with the latest security patches? Develop a policy for updating your medical devices.
Challenges:
  Lagging security patches – at best 2–3 months behind
  Often a hands-on update is required
  Equipment downtime -> impact on patient care
  Disconnect between FDA and the manufacturer
  Security patches do not need a new 510(k)
Patch Management – Ransomware/WannaCry
Do's
  Identify networked medical devices/servers/workstations that are operating on a Windows OS.
  Identify whether connected medical devices/device servers have received the relevant Microsoft Windows OS security patch.
  Consider running a vulnerability scan on your medical device networks to identify affected medical devices.
  Prioritize response on any connected Windows-OS-based medical device systems.
Patch Management – Ransomware/WannaCry
Do's
  If a malware infection is identified or suspected in a medical device:
    If clinically acceptable, disconnect the medical device from the network and work with your internal IT and Clinical Engineering departments and the device manufacturer to contain the infection and to restore the system.
    If any unencrypted patient data was involved, have risk management coordinate the response regarding the data breach, as per its obligation under HIPAA.
Don'ts
  Don't overreact.
  Don't install unvalidated patches.
  Don't simply turn off or disconnect all networked medical devices that have a Windows OS.
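An added example, not part of the presentation, that carries out the Identify / Document / Prioritize steps from the Equipment Management slide and the WannaCry Do's and Don'ts above over a small device inventory: Windows devices that have not received the relevant Microsoft patch are ranked ahead by life-critical function and PHI, and each gets a candidate action that follows the Don'ts (no blanket disconnects, no unvalidated patches). Device names, addresses, versions and patch status are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    ip: str
    mac: str
    os: str              # Windows hosts are the WannaCry concern
    sw_version: str
    holds_phi: bool      # does the device hold PHI?
    life_critical: bool  # what happens if the device cannot be used?
    patched: bool        # has it received the relevant Microsoft OS security patch?

# Constructed sample inventory: names, addresses and patch state are made up.
INVENTORY = [
    Device("Infusion pump server", "10.0.5.10", "00:11:22:33:44:01", "Windows Server 2008", "4.1", True, True, False),
    Device("Telemetry workstation", "10.0.5.21", "00:11:22:33:44:02", "Windows XP", "2.3", True, True, False),
    Device("Lab analyser", "10.0.5.30", "00:11:22:33:44:03", "Windows 7", "7.0", True, False, True),
    Device("Imaging viewer", "10.0.5.44", "00:11:22:33:44:04", "Windows 7", "5.2", True, False, False),
    Device("Patient monitor", "10.0.5.50", "00:11:22:33:44:05", "Linux", "1.8", False, True, False),
]

def exposed(d: Device) -> bool:
    """Windows-based device that has not received the relevant MS patch."""
    return d.os.startswith("Windows") and not d.patched

def priority(d: Device) -> tuple:
    # Respond first to exposed devices, then life-critical ones, then PHI holders.
    return (exposed(d), d.life_critical, d.holds_phi)

def prioritise(inventory: list) -> list:
    """Exposed devices, highest priority first; the stable sort keeps inventory order on ties."""
    return sorted((d for d in inventory if exposed(d)), key=priority, reverse=True)

def recommended_action(d: Device) -> str:
    # Candidate actions following the Do's and Don'ts: no blanket disconnects,
    # no unvalidated patches, isolate only where clinically acceptable.
    if not exposed(d):
        return "no action: patched or not Windows-based"
    if d.life_critical:
        return "keep in service; compensating controls; schedule validated patch with Clinical Engineering and vendor"
    return "isolate from network if clinically acceptable; apply validated patch"

def response_plan(inventory: list) -> list:
    return [(d.name, d.ip, recommended_action(d)) for d in prioritise(inventory)]

if __name__ == "__main__":
    for name, ip, action in response_plan(INVENTORY):
        print(f"{name} ({ip}): {action}")
```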
Staff Security Training
Ensure appropriate security training is in place
  Phishing scams: identify suspect e-mails; do not click on every link
  USBs can spread viruses and cause device malfunction (ECRI Top 10 Hazard 2015); USB use policy – block USB use if merited
  Passwords do matter! Promote the importance of strong passwords; password sharing; passwords do not belong on a post-it note by the nurses' station
  BYOD – Bring your own device: establish a policy on how to deal with BYOD
Vulnerability Scanning
  Standard network tool to identify known vulnerabilities
  Commonplace for IT assets
  Limited to known vulnerabilities
  Medical devices – can I scan it? Not always: network scanning took out a facility's telemetry system
  Scanning for medical devices may be best done during the day shift, so that if something does go wrong there is sufficient staffing to address it
Risk Management – What to do with my networked medical devices?
  Identify existing vulnerabilities
  Develop compensating controls to minimize risk, e.g., block commonly used communication ports
  Human resources to address network security needs, e.g., CISO
  Consider the adoption of ANSI/AAMI/IEC :2010
RFP language to include security features
  Include language about common security features
  Buying a system based on Windows XP with a lot of known vulnerabilities is not necessarily the best idea!
  MDS2 – Manufacturer Disclosure Statement for Medical Device Security: require it!
  VA Directive 6550 for pre-procurement assessment
The Ultimate Questions for Medical Device Cybersecurity
After conducting a model-specific risk assessment for cybersecurity, does the hospital:
  Upgrade the device? If an upgrade is even available.
  Replace the device? If capital is available.
  Accept the risk of continued use? If all options are exhausted and safeguards implemented.
For more ECRI assistance with medical device cybersecurity
  Medical Device Cybersecurity Gap Analysis
  Medical Device Inventory Cyber Risk Analysis
  Rob Maliff (610) , ext. 5130