313 – Security Challenges in Healthcare IoT - ME
Marco Ermini, CISSP, CISA, CISM – Senior IT Security Analyst – ResMed
© ISACA 2016. All Rights Reserved. #EUROCACS

Agenda
• Context: CPS, Industry 4.0, IoT, Security Challenges
• Threat Model for Medical IoT Devices
• Regulatory background for Cybersecurity on Medical Devices
• Suggestions for improvements

CPS, Industry 4.0, IoT, Security Challenges

Context for IoT
• Marc Andreessen’s “Software is eating the world” (2011)
  – Software companies take over the economy
  – Industries are disrupted by software
  – The technology required to transform an industry via software is available on a global scale
  – Software eats up the value chain of “physical” industries
  – In every industry, companies need to assume that a software revolution is coming
• Agile management practices
  – Agile, Scrum, Continuous Delivery
  – Transition from software into other sectors

Cyber-Physical Systems (CPS)
• Must satisfy these characteristics:
  – Link between computational and physical elements
  – “Smart”
  – Must talk together – are “networked”

Industry 4.0 and CPS ecosystem
• Interoperability
• Virtualization
• Decentralization
• Real-Time Capability
• Service Orientation
• Modularity
• Often connected with machine learning (AI)

Definition of IoT
• Link between computational and physical elements – “CPS”
• “Smart”
• Must talk together – are “networked”

Definition of IoT
• Classification
  – Industrial/Manufacturing applications
  – Energy
  – Military
  – Robotics
  – Infrastructure
  – Insurance
  – Health Care
  – Consumer Products
    • Wearables
    • Media
    • Home Automation
    • Smart Appliances

IoT Security Challenges
• Complex attack surface
  – Device itself
  – Apps
  – Backend
• Specificities:
  – Interaction
  – Patching
  – Physical
  – Market acceleration
  – No standardisation

Threat Model for Medical IoT Devices

Risks for Medical IoT Devices
• E2E data lifecycle protection risks
  – Physical security
  – Orchestration issues
  – Lack of standardisation
  – Platform(s) security
• Disruption from Cybersecurity attacks
  – Denial of Cybersecurity issues by device manufacturers
  – “Security is always secondary after safety”
  – Security bolted on, rather than coming by design
• Lack of Visible and Usable Security & Privacy
  – “Internet of someone else’s Thing”

Attack Vectors for Medical IoT Devices
• Network Security
• Direct PCB Attacks
• Interfaces
• Applications
• Backend
• Software Updates

Network Connectivity
• Wi-Fi
• Bluetooth / Bluetooth LE
• Home Automation (ZigBee / Z-Wave / X10)
• Cellular (2/3/4/5G, M2M)
• “Low Power” networking (LoRa, LTE-M, Sigfox, NarrowBand)
• Ethernet / Serial over Ethernet
• “Industrial” protocols
  – DeviceNet (CAN)
  – ControlNet
  – Profibus (PROFINET)
  – Modbus
  – …

Network Connectivity Attacks
• Wi-Fi attacks
• Bluetooth attacks
• ZigBee attacks
• Z-Wave “security by obscurity”
• X10 intrinsic limitations
• Cellular Network attacks
  – 3/4G attacks
  – M2M attacks
  – Configuration mistakes
• Industrial Protocols’ limitations
• “Internet of S*it”, “Internet of Stupid Things”, “Internet of Junk”

Internet of Junk

Direct PCB Attacks
• At least two attacks are generally possible on the PCB
  – Serial port
  – JTAG port
• Internal communication modules can be attacked

Interfaces’ Attacks
• Trend of moving care from facilities to the home
• USB attacks
  – “BadUSB” attacks on the host OS
  – Serial ports on medical devices
• Indirectly, what is the status of the healthcare facility’s network?
  – Serial-to-Ethernet or Serial-to-Wi-Fi converters
  – SANS Healthcare Cyberthreat Report
  – Forced evolution over IPv6
  – 81% of healthcare facilities in the US had a security incident

Applications’ Security
• Everything has an “App”
• Disconnection between perception and reality
• Analysis of 126 popular mobile health and mobile finance apps from the US, UK, Germany and Japan (71 health)
  – 87% of executives feel their apps are secure enough
  – 90% (86% health) had critical security vulnerabilities
  – 98% (97% health) lacked software integrity protection
  – 83% (79% health) had data leakage / broken data transport
  – All were approved by the FDA and the NHS

Backend Security
• HIPAA Security Rule / HITECH / NIST Cybersecurity Framework
• European Network and Information Security (NIS) directive
• Authentication can depend on the kind of transport network used
• Sniffing of traffic can reveal attack vectors to be used against the backend
• The healthcare industry is a popular – and growing – target
  – A credit card can be replaced – PHI/PII data cannot
  – Cost of notifications
  – Post-breach costs

Software Updates
• “OWASP Top 10 for IoT”
• Susceptible to MITM
  – Relatively easy to address in centralized scenarios, but difficult to deploy in standalone apps
• Updating embedded devices is trickier
  – Unconventional constraints and threats
  – New risks
• Signed updates require a PKI / always-on system
• Unsigned updates are the norm

Regulatory background

Medical Devices’ Cybersecurity Req’s (USA)
• FDA CFR Title 21, Part 11 – Electronic Records; Electronic Signatures
• FDA CFR Title 21, Part 820 – Quality System Regulation / MD GMP
• FDA “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”
• FDA “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”
• FDA “Postmarket Management of Cybersecurity in Medical Devices” (DRAFT)
  – Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework)
  – ISO 14971:2007 “Application of risk management to medical devices”
• ANSI/AAMI/IEC 80001-1 “Application of Risk Management for IT-Networks Incorporating Medical Devices”

FDA CFR Title 21, Part 11 – ERES
• 2003, 2014, 2016
• Manufacturers must implement controls, including
  – Validations
  – Audit trails, documentation for software and systems
  – Method to retain legacy systems
  – Record retention
  – Electronic signatures
• Practically speaking: use PGP for FDA submissions
  – 15 reasons not to use PGP: http://secushare.org/PGP
  – No good authority, no forward secrecy (FS), old crypto, incompatibilities, relies on email (in)security, bad key usage, etc.

FDA CFR Title 21, Part 820 – QSR MD CGMP
• 1978, 1996
• FDA CFR 21 Part 820
  – Subpart C 820.30 “Design Controls”
  – Subpart J 820.100 “Corrective and Preventive Action”
• Compliance management issues
  – Patient’s consent
  – Need to disconnect/tokenize EU users
  – Healthcare provider: data processors

FDA – Premarket Submissions for Management of Cybersecurity in Medical Devices
• 2014
• Not compulsory
• Recognises additional risks for “connecting” devices
• Manufacturers should
  – “address cybersecurity during design and development phase”
  – “establish design inputs for their device related to cybersecurity”
  – “establish a cybersecurity vulnerability and management approach”
  – provide specific Cybersecurity documentation
    • Hazard analysis, traceability matrix, secure updates, software integrity, additional Cybersecurity controls
  – employ the NIST Cybersecurity Framework

FDA – Premarket Submissions – issues
• Risk assessment is focused on the patient’s health, not on Cybersecurity risks
• Besides patients’ risk, hospitals’ networks are in scope
• The FDA does not necessarily question the content
• No verification/test of effectiveness is required

FDA “Cybersecurity for Devices Containing Off-the-Shelf Software”
• 2015
• Not compulsory – “current thinking” of the FDA
• Focus on OTS software which connects to the Internet
  – also “useful” for network administrators and IT vendors
• The medical device vendor is responsible for Cybersecurity
• Clarifies that CFR 820.100 also covers Cybersecurity

FDA “Postmarket Management of Cybersecurity in Medical Devices” (DRAFT)
• 2016
• Recommends the NIST Cybersecurity Framework
  – “Identify, Protect, Detect, Respond and Recover”
  – Recommends ISO 14971 for risk assessment
• Monitor Cybersecurity information sources
• Assess the impact of vulnerabilities (using CVSS)
• Establish the need for a process for handling vulnerabilities
• Deploy early mitigations

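The postmarket guidance above asks manufacturers to assess the impact of vulnerabilities using CVSS. As an added example that is not part of the deck, the Go program below implements the CVSS v3.0 base score calculation (the version current at the time of this talk): the metric weights and equations are the ones published in the CVSS v3.0 specification, while the vector parser, function names and the sample vectors in main() are my own constructions for illustration and are not scores of any real device.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strings"
)

// Metric weights as published in the CVSS v3.0 specification.
var (
	attackVector     = map[string]float64{"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
	attackComplexity = map[string]float64{"L": 0.77, "H": 0.44}
	userInteraction  = map[string]float64{"N": 0.85, "R": 0.62}
	ciaImpact        = map[string]float64{"H": 0.56, "L": 0.22, "N": 0.0}
	// Privileges Required is weighted higher when Scope is Changed.
	privilegesUnchanged = map[string]float64{"N": 0.85, "L": 0.62, "H": 0.27}
	privilegesChanged   = map[string]float64{"N": 0.85, "L": 0.68, "H": 0.50}
)

// roundUp is the v3.0 "Roundup" function: the smallest value with one decimal place >= x.
func roundUp(x float64) float64 { return math.Ceil(x*10) / 10 }

func weight(table map[string]float64, metric, value string) (float64, error) {
	w, ok := table[value]
	if !ok {
		return 0, fmt.Errorf("metric %s: unknown value %q", metric, value)
	}
	return w, nil
}

// BaseScore parses a CVSS v3.0 base vector such as
// "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" and returns its base score.
func BaseScore(vector string) (float64, error) {
	parts := strings.Split(vector, "/")
	if len(parts) != 9 || parts[0] != "CVSS:3.0" {
		return 0, errors.New("expected the CVSS:3.0 prefix followed by the eight base metrics")
	}
	m := make(map[string]string, 8)
	for _, p := range parts[1:] {
		kv := strings.SplitN(p, ":", 2)
		if len(kv) != 2 {
			return 0, fmt.Errorf("malformed metric %q", p)
		}
		m[kv[0]] = kv[1]
	}
	var scopeChanged bool
	switch m["S"] {
	case "C":
		scopeChanged = true
	case "U":
	default:
		return 0, fmt.Errorf("metric S: unknown value %q", m["S"])
	}
	privileges := privilegesUnchanged
	if scopeChanged {
		privileges = privilegesChanged
	}
	tables := []struct {
		name  string
		table map[string]float64
	}{
		{"AV", attackVector}, {"AC", attackComplexity}, {"PR", privileges},
		{"UI", userInteraction}, {"C", ciaImpact}, {"I", ciaImpact}, {"A", ciaImpact},
	}
	w := make(map[string]float64, len(tables))
	for _, t := range tables {
		v, err := weight(t.table, t.name, m[t.name]) // a missing metric fails here too
		if err != nil {
			return 0, err
		}
		w[t.name] = v
	}

	// Impact Sub-Score (ISS), Impact and Exploitability per the v3.0 base equations.
	iss := 1 - (1-w["C"])*(1-w["I"])*(1-w["A"])
	var impact float64
	if scopeChanged {
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	} else {
		impact = 6.42 * iss
	}
	exploitability := 8.22 * w["AV"] * w["AC"] * w["PR"] * w["UI"]

	if impact <= 0 {
		return 0, nil
	}
	if scopeChanged {
		return roundUp(math.Min(1.08*(impact+exploitability), 10)), nil
	}
	return roundUp(math.Min(impact+exploitability, 10)), nil
}

func main() {
	// Constructed example vectors for illustration only.
	examples := [][2]string{
		{"remote, unauthenticated, full compromise of a backend API", "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
		{"adjacent-network data read over a short-range radio link", "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},
		{"physical access via a debug port, partial disclosure", "CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},
	}
	for _, e := range examples {
		score, err := BaseScore(e[1])
		if err != nil {
			fmt.Println(e[0], "error:", err)
			continue
		}
		fmt.Printf("%-60s %s -> %.1f\n", e[0], e[1], score)
	}
}
```

The base score expresses technical severity only. It says nothing about patient safety, which is why the deck keeps pointing at ISO 14971 for the hazard analysis: in a medical context the CVSS number is an input to that analysis, not a replacement for it.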
FDA “Postmarket Management of Cybersecurity” (DRAFT) – issues
• Only a “guidance”, with few compulsory sections
• Not binding for device compliance
• Risk context is Quality, not Security
• No distinction between different levels of risk – threat modelling is very simple
• Does not encourage an efficient way of elaborating an ISMS
• Simplistic mitigation procedures
  – Who ensures mitigation procedures are followed?
  – What is the boundary that triggers the need for re-approval?
  – A “security patch” is not a panacea

ANSI/AAMI/IEC 80001-1
• 2010 – started in 2005
• Matches the ISO 14971 standard at the network level
• Intended for healthcare providers (hospitals)
• MDDSs (Medical Device Data Systems) require FDA registration / Responsibility Agreement
• Safety, Effectiveness, Data and System Security

Medical Devices’ Cybersecurity Req’s (EU)
• European Network and Information Security (NIS) directive
• “The Alliance for Internet of Things Innovation (AIOTI)”
• IEC 80001-1 “Application of Risk Management for IT-Networks Incorporating Medical Devices”
• ISO/IEC 270xx standards

NIST Resources
• SP 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
• SP 800-61: Computer Security Incident Handling Guide
• DRAFT SP 800-53: Recommended Security Controls for Federal Information Systems
• SP 800-55: Security Metrics Guide for Information Technology Systems
• SP 800-50: Building an Information Technology Security Awareness and Training Program
• SP 800-42: Guideline on Network Security Testing
• SP 800-35: Guide to Information Technology Security Services
• SP 800-34: Contingency Planning Guide for Information Technology Systems
• SP 800-30: Risk Management Guide for Information Technology Systems
• SP 800-27 Rev. A: Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
• SP 800-26: Security Self-Assessment Guide for Information Technology Systems

Other Resources
• ECRI publications
  – “Security Guide for Biomedical Technology”
  – “How FDA Sees Cybersecurity”
• ISO/IEC 60601-1 (2005)
• HIMSS/NEMA HN 1-2008 Manufacturer’s Disclosure Statement for Medical Device Security (MDS2)
• MIL-STD-882E DOD’s Standard Practice for System Safety
• ACCE ECRI Security Guide for Biomedical Technology
• The Joint Commission Sentinel Event Alert #42: Safely implementing health information and converging technologies, December 11, 2008
• Systems Engineering Guide for Systems of Systems, Version 1.0 (ODUSD), 2008

Suggestions for improvements

Suggestions for improvements
• Network Communication Standardisation
  – Including security interfaces
• Regulation step-up
  – Making cybersecurity prescriptive / revise 510(k)
  – Simplify the normative jungle
• Change the thinking paradigms of Medical Device manufacturers
  – Collaboration between P&D and InfoSec/Risk Management
  – “Security should be evaluated according to its impact on safety”
  – Less simplistic approach to FDA Cybersecurity Risk Assessments
• Cybersecurity!
  – Security by design (as required by the new EU GDPR)
  – Re-use existing frameworks as much as possible
  – Implement advanced OS security (e.g. signed updates, fail safely)
  – Build on technological advances

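The Software Updates slide earlier in the deck observes that unsigned updates are the norm and that signed updates "require PKI / always-on system"; the suggestions above ask for signed updates and for failing safely. As an added example serving both slides, and not code from the deck or from any vendor's update mechanism, the Go program below shows the device-side checks that make an update "signed": an Ed25519 signature over a small manifest, verified against a vendor public key pinned into the device at manufacture, followed by an anti-rollback version check and a digest check on the received image. The manifest layout, the function names and the sample firmware bytes are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a constructed, minimal update manifest (an assumption for this
// example, not a real vendor format): a monotonic version counter, the digest of
// the image it describes, and a signature over both.
type Manifest struct {
	Version   uint32   // monotonic counter used for anti-rollback
	ImageHash [32]byte // SHA-256 of the firmware image
	Signature []byte   // Ed25519 signature over Version || ImageHash
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrRollback     = errors.New("manifest version is not newer than the installed firmware")
	ErrHashMismatch = errors.New("image digest does not match the signed manifest")
)

// signedBytes is the exact byte string the vendor signs and the device verifies:
// the version as 4 big-endian bytes followed by the 32-byte image digest.
func signedBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4, 4+len(hash))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, hash[:]...)
}

// GenerateVendorKey stands in for the vendor's key ceremony. The public half is
// what gets pinned into the device; the private half stays on the signing system.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is unrecoverable for this example
	}
	return pub, priv
}

// SignImage runs on the vendor side and produces the manifest shipped with the image.
func SignImage(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{Version: version, ImageHash: h, Signature: ed25519.Sign(priv, signedBytes(version, h))}
}

// VerifyUpdate runs on the device before anything is written to flash. pub is the
// pinned vendor key and installed is the running firmware's version counter.
// Verification is entirely offline: no certificate lookup or network round trip.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	// 1. Authenticate the manifest first; nothing in it is trusted until this passes.
	if !ed25519.Verify(pub, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	// 2. Anti-rollback: a genuine but older (and possibly vulnerable) image is refused.
	if m.Version <= installed {
		return ErrRollback
	}
	// 3. Bind the bytes actually received to the authenticated digest.
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	pub, priv := GenerateVendorKey()
	installed := uint32(6)
	image := []byte("constructed firmware image, version 7") // sample input, not real firmware

	m := SignImage(priv, 7, image)
	fmt.Println("genuine update:", VerifyUpdate(pub, installed, m, image))

	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff // a single corrupted byte in transit
	fmt.Println("tampered image:", VerifyUpdate(pub, installed, m, tampered))

	fmt.Println("replayed old image:", VerifyUpdate(pub, 7, m, image))
}
```

Two points a practitioner should take from this. First, the device needs no online PKI to verify: one pinned public key is enough, which suits a device that is off the network most of the time; what does need connectivity is key rotation or revocation, so the pinned key should be a long-lived root whose private half is kept offline. Second, every check fails closed: the update is rejected before a byte is written, which is the "fail safely" behaviour the suggestions slide asks for.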
“I am the Cavalry” Hippocratic Oath
• Cyber Safety by Design: I respect domain expertise from those that came before. I will inform design with security lifecycle, adversarial resilience, and secure supply chain practices.
• Third-Party Collaboration: I acknowledge that vulnerabilities will persist, despite best efforts. I will invite disclosure of potential safety or security issues, reported in good faith.
• Evidence Capture: I foresee unexpected outcomes. I will facilitate evidence capture, preservation, and analysis to learn from safety investigations.
• Resilience and Containment: I recognize failures in components and in the environment are inevitable. I will safeguard critical elements of care delivery in adverse conditions, and maintain a safe state with clear indicators when failure is unavoidable.
• Cyber Safety Updates: I understand that cyber safety will always change. I will support prompt, agile, and secure updates.

Questions?

Thank you
Más contenido relacionado

La actualidad más candente

HOW AI CAN HELP IN CYBERSECURITY
HOW AI CAN HELP IN CYBERSECURITYHOW AI CAN HELP IN CYBERSECURITY
HOW AI CAN HELP IN CYBERSECURITY
Priyanshu Ratnakar
 
IoT in Healthcare.pptx
IoT in Healthcare.pptxIoT in Healthcare.pptx
IoT in Healthcare.pptx
Hachmdhmdzad
 
Iot Security, Internet of Things
Iot Security, Internet of ThingsIot Security, Internet of Things
Iot Security, Internet of Things
Bryan Len
 

La actualidad más candente (20)

ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How To
 
Artificial Intelligence and Cybersecurity
Artificial Intelligence and CybersecurityArtificial Intelligence and Cybersecurity
Artificial Intelligence and Cybersecurity
 
Overview of Artificial Intelligence in Cybersecurity
Overview of Artificial Intelligence in CybersecurityOverview of Artificial Intelligence in Cybersecurity
Overview of Artificial Intelligence in Cybersecurity
 
Neuroweb: Enacting Transhumanist Vision
Neuroweb: Enacting Transhumanist VisionNeuroweb: Enacting Transhumanist Vision
Neuroweb: Enacting Transhumanist Vision
 
HOW AI CAN HELP IN CYBERSECURITY
HOW AI CAN HELP IN CYBERSECURITYHOW AI CAN HELP IN CYBERSECURITY
HOW AI CAN HELP IN CYBERSECURITY
 
John kingsley OT ICS SCADA Cyber security consultant
John kingsley OT ICS SCADA Cyber security consultantJohn kingsley OT ICS SCADA Cyber security consultant
John kingsley OT ICS SCADA Cyber security consultant
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025
 
10 min IoT ppt
10 min IoT ppt10 min IoT ppt
10 min IoT ppt
 
IoT Introduction Architecture and Applications
IoT Introduction Architecture and ApplicationsIoT Introduction Architecture and Applications
IoT Introduction Architecture and Applications
 
Iot forensics
Iot forensicsIot forensics
Iot forensics
 
Cyber security standards
Cyber security standardsCyber security standards
Cyber security standards
 
IoT in Healthcare.pptx
IoT in Healthcare.pptxIoT in Healthcare.pptx
IoT in Healthcare.pptx
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
 
IoT for Healthcare
IoT for HealthcareIoT for Healthcare
IoT for Healthcare
 
Iot Security, Internet of Things
Iot Security, Internet of ThingsIot Security, Internet of Things
Iot Security, Internet of Things
 
Impact of Zero Trust Cyber Security on Healthcare 4.0
Impact of Zero Trust Cyber Security on Healthcare 4.0 Impact of Zero Trust Cyber Security on Healthcare 4.0
Impact of Zero Trust Cyber Security on Healthcare 4.0
 
Fundamentals of IoT Security
Fundamentals of IoT SecurityFundamentals of IoT Security
Fundamentals of IoT Security
 
vCIO vCISO - Information Technology and Security Strategy.pptx
vCIO vCISO - Information Technology and Security Strategy.pptxvCIO vCISO - Information Technology and Security Strategy.pptx
vCIO vCISO - Information Technology and Security Strategy.pptx
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptx
 

Similar a 313 – Security Challenges in Healthcare IoT - ME

SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
Patricia M Watson
 
Get to zero stealth natural gas_executive_overview_ch
Get to zero stealth natural gas_executive_overview_chGet to zero stealth natural gas_executive_overview_ch
Get to zero stealth natural gas_executive_overview_ch
Sherid444
 

Similar a 313 – Security Challenges in Healthcare IoT - ME (20)

[Webinar] Why Security Certification is Crucial for IoT Success
[Webinar] Why Security Certification is Crucial for IoT Success[Webinar] Why Security Certification is Crucial for IoT Success
[Webinar] Why Security Certification is Crucial for IoT Success
 
Cybersecurity Presentation at WVONGA spring meeting 2018
Cybersecurity Presentation at WVONGA spring meeting 2018Cybersecurity Presentation at WVONGA spring meeting 2018
Cybersecurity Presentation at WVONGA spring meeting 2018
 
Cybersecurity in Medical Devices
Cybersecurity in Medical DevicesCybersecurity in Medical Devices
Cybersecurity in Medical Devices
 
Achieving Software Safety, Security, and Reliability Part 1: Common Industry ...
Achieving Software Safety, Security, and Reliability Part 1: Common Industry ...Achieving Software Safety, Security, and Reliability Part 1: Common Industry ...
Achieving Software Safety, Security, and Reliability Part 1: Common Industry ...
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
 
How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...
How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...
How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...
 
Iot cyber security
Iot cyber securityIot cyber security
Iot cyber security
 
EuroCACS 2016 There are giants in the sky
EuroCACS 2016 There are giants in the skyEuroCACS 2016 There are giants in the sky
EuroCACS 2016 There are giants in the sky
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security Presentation
 
Get to zero stealth natural gas_executive_overview_ch
Get to zero stealth natural gas_executive_overview_chGet to zero stealth natural gas_executive_overview_ch
Get to zero stealth natural gas_executive_overview_ch
 
chile-2015 (2)
chile-2015 (2)chile-2015 (2)
chile-2015 (2)
 
Grid Analytics Europe 2016: "Defend the Grid", April 2016
Grid Analytics Europe 2016: "Defend the Grid", April 2016Grid Analytics Europe 2016: "Defend the Grid", April 2016
Grid Analytics Europe 2016: "Defend the Grid", April 2016
 
Patient Centric Cyber Monitoring with DocBox and Evolver
Patient Centric Cyber Monitoring with DocBox and EvolverPatient Centric Cyber Monitoring with DocBox and Evolver
Patient Centric Cyber Monitoring with DocBox and Evolver
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA
 
Securing SCADA
Securing SCADASecuring SCADA
Securing SCADA
 
Overview of IoT and Security issues
Overview of IoT and Security issuesOverview of IoT and Security issues
Overview of IoT and Security issues
 
Cybersecurity isaca
Cybersecurity isacaCybersecurity isaca
Cybersecurity isaca
 
Understanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and ApplicationsUnderstanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and Applications
 
Cyber risks in supply chains
Cyber risks in supply chains Cyber risks in supply chains
Cyber risks in supply chains
 
CyberSecurity Medical Devices
CyberSecurity Medical DevicesCyberSecurity Medical Devices
CyberSecurity Medical Devices
 

Más de EQS Group

Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHMergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
EQS Group
 
Architecting Security across global networks
Architecting Security across global networksArchitecting Security across global networks
Architecting Security across global networks
EQS Group
 

Más de EQS Group (9)

Blockchain: everyone wants to sell me that - but is that really right for my ...
Blockchain: everyone wants to sell me that - but is that really right for my ...Blockchain: everyone wants to sell me that - but is that really right for my ...
Blockchain: everyone wants to sell me that - but is that really right for my ...
 
Impact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityImpact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A Security
 
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHMergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
 
M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017
 
Architecting Security across global networks
Architecting Security across global networksArchitecting Security across global networks
Architecting Security across global networks
 
Achieving PCI-DSS compliance with network security implementations - April 2011
Achieving PCI-DSS compliance with network security implementations - April 2011Achieving PCI-DSS compliance with network security implementations - April 2011
Achieving PCI-DSS compliance with network security implementations - April 2011
 
Top risks in using NIPS - Brighttalk - July 2010
Top risks in using NIPS - Brighttalk - July 2010Top risks in using NIPS - Brighttalk - July 2010
Top risks in using NIPS - Brighttalk - July 2010
 
Best practices in NIPS - IDC Sofia - March 2010
Best practices in NIPS - IDC Sofia - March 2010Best practices in NIPS - IDC Sofia - March 2010
Best practices in NIPS - IDC Sofia - March 2010
 
Best practices in NIPS - Brighttalk - January 2010
Best practices in NIPS - Brighttalk - January 2010Best practices in NIPS - Brighttalk - January 2010
Best practices in NIPS - Brighttalk - January 2010
 

313 – Security Challenges in Healthcare IoT - ME

  • 1. Marco Ermini, CISSP, CISA, CISM – Senior IT Security Analyst – ResMed
  • 2. © ISACA 2016. All Rights Reserved. #EUROCACS u Context: CPS, Industry 4.0, IoT, Security Challenges u Threat Model for Medical IoT Devices u Regulatory background for Cybersecurity on Medical Devices u Suggestions for improvements Agenda
  • 3. © ISACA 2016. All Rights Reserved. #EUROCACS CPS, Industry 4.0, IoT, Security Challenges
  • 4. © ISACA 2016. All Rights Reserved. #EUROCACS u Marc Andreessen’s “Software is eating the world” (2011) – Software companies take over the economy – Industries are disrupted by software – Technology required to transformed industry via software is available on a global scale – Software eats up chain value of “physical” industries – In every industry, companies need to assume that a software revolution is coming u Agile management practices – Agile, Scrum, Continuous Delivery – Transition from software into other sectors Context for IoT
  • 5. © ISACA 2016. All Rights Reserved. #EUROCACS
  • 6. © ISACA 2016. All Rights Reserved. #EUROCACS u Must satisfy those characteristics – Link between computational and physical element – “Smart” – Must talk together – are “networked” Cyber-Physical Systems (CPS)
  • 7. © ISACA 2016. All Rights Reserved. #EUROCACS - Interoperability - Virtualization - Decentralization - Real-Time Capability - Service Orientation - Modularity - Often connected with machine learning (AI) Industry 4.0 and CPS ecosystem
  • 8. © ISACA 2016. All Rights Reserved. #EUROCACS
  • 9. © ISACA 2016. All Rights Reserved. #EUROCACS u Link between computational and physical element – “CPS” u “Smart” u Must talk together – are “networked” Definition of IoT
  • 10. © ISACA 2016. All Rights Reserved. #EUROCACS u Classification – Industrial/Manufacturing applications – Energy – Military – Robotics – Infrastructure – Insurance – Health Care – Consumer Products • Wearables • Media • Home Automation • Smart Appliances Definition of IoT
  • 11. © ISACA 2016. All Rights Reserved. #EUROCACS u Complex attack surface – Device itself – Apps – Backend u Specificities: – Interaction – Patching – Physical – Market acceleration – No standardisation IoT Security Challenges
  • 12. © ISACA 2016. All Rights Reserved. #EUROCACS Threat Model for Medical IoT Devices
  • 13. © ISACA 2016. All Rights Reserved. #EUROCACS u E2E data lifecycle protection risks – Physical security – Orchestration issues – Lack of standardisation – Platform(s) security u Disruption from Cybersecurity attacks – Denial of Cybersecurity issues from device manufacturers – “Security is always secondary after safety” – Security bolted-in, rather than coming by design u Lack of Visible and Usable Security & Privacy – “Internet of someone else’s Thing” Risks for Medical IoT Devices
  • 14. © ISACA 2016. All Rights Reserved. #EUROCACS u Network Security u Direct PCB Attacks u Interfaces u Applications u Backend u Software Updates Attack Vectors for Medical IoT Devices
  • 15. © ISACA 2016. All Rights Reserved. #EUROCACS u Wi-Fi u Bluetooth/Bluetooth LE u Home Automation (ZigBee / Z-Wave / X10) u Cellular (2/3/4/5G, M2M) u “Low Power” networking (LoRa, LTE-M, Sigfox, NarrowBand) u Ethernet / Serial over Ethernet u “Industrial” protocols – DeviceNet (CAN) – ControlNet – Profibus (PROFINET) – Modbus – … Network Connectivity
  • 16. © ISACA 2016. All Rights Reserved. #EUROCACS u Wi-Fi attacks u Bluetooth attacks u ZigBee attacks u Z-Wave “security by obscurity” u X10 intrinsic limitations u Cellular Network attacks – 3/4G attacks – M2M attacks – Configuration mistakes u Industrial Protocols’ limitations u “Internet of S*it”, ”Internet of Stupid Things”, “Internet of Junk” Network Connectivity Attacks
  • 17. © ISACA 2016. All Rights Reserved. #EUROCACS Internet of Junk
  • 18. © ISACA 2016. All Rights Reserved. #EUROCACS u At least two attacks are generally possible on the PCB – Serial port – JTAG port u Internal Communication Modules can be attacked Direct PCB Attacks
  • 19. © ISACA 2016. All Rights Reserved. #EUROCACS u Tendency of moving care from facilities to home u USB attacks – “BadUSB” attacks on the host OS – Serial Ports on medical devices u Indirectly, what is the status of the healthcare facility’s network? – Serial-to-Ethernet or Serial-to-Wi-Fi converter – SANS Healthcare Cyber threat Report – Forced evolution over IPv6 – 81% of healthcare facilities in the US had a security incident Interfaces’ Attacks
  • 20. © ISACA 2016. All Rights Reserved. #EUROCACS u Everything has an “App” u Disconnection between perception and reality u Analysis of 126 popular mobile health and mobile finance apps from US, UK, Germany, Japan (71 health) – 87% executives feel their Apps are secure enough – 90% (86% health) had critical security vulnerabilities – 98% (97% health) lacked software integrity protection – 83% (79% health) had data leakage / data transport broken – All were approved by FDAand NHS Applications’ Security
  • 21. © ISACA 2016. All Rights Reserved. #EUROCACS u HIPAA Security Rule/HITECH/NIST Cybersecurity Framework u European Network and Information Security (NIS) directive u Authentication can depend on the kind of transport network used u Sniffing of traffic can reveal attack vectors to be used against the backend u Healthcare industry is a popular – and growing – target – Credit card can be replaced – PHI/PII data cannot – Cost of notifications – Post breach costs Backend Security
  • 22. © ISACA 2016. All Rights Reserved. #EUROCACS
  • 23. © ISACA 2016. All Rights Reserved. #EUROCACS
  • 24. © ISACA 2016. All Rights Reserved. #EUROCACS u “OWASP Top 10 for IoT” u Susceptible to MITM – Relatively easy to address in centralized scenarios, but difficult to deploy in standalone apps u Updating embedded devices is trickier – Unconventional constraints and threats – New risks u Signed updates require PKI/always on system u Unsigned updates is the norm Software Updates
  • 25. © ISACA 2016. All Rights Reserved. #EUROCACS
  • 26. © ISACA 2016. All Rights Reserved. #EUROCACS
  • 27. © ISACA 2016. All Rights Reserved. #EUROCACS
  • 28. © ISACA 2016. All Rights Reserved. #EUROCACS
  • 29. © ISACA 2016. All Rights Reserved. #EUROCACS
  • 30. © ISACA 2016. All Rights Reserved. #EUROCACS
  • 31. © ISACA 2016. All Rights Reserved. #EUROCACS
  • 32. © ISACA 2016. All Rights Reserved. #EUROCACS
  • 33. © ISACA 2016. All Rights Reserved. #EUROCACS
  • 34. © ISACA 2016. All Rights Reserved. #EUROCACS Regulatory background
  • 35. © ISACA 2016. All Rights Reserved. #EUROCACS u FDACFR Title 21, Part 11 – Electronic Records; Electronic Signatures u FDACFR Title 21, Part 820 – Quality System Regulation/MD GMP u FDA“Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” u FDA“Cybersecurity for Networked Medical Devices Containing Off-the- Shelf (OTS) Software” u FDA“Postmarket Management of Cybersecurity in Medical Devices” (DRAFT) – Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) – ISO14971:2007 “Application of risk management to medical devices” u ANSI/AAMI/IEC 80001-1 “Application of Risk Management for IT-Networks Incorporating Medical Devices” Medical Devices’ Cybersecurity Req’s (USA)
  • 36. © ISACA 2016. All Rights Reserved. #EUROCACS u 2003, 2014, 2016 u Manufacturers must implement controls, including – Validations – Audit Trails, documentation for software and systems – Method to retain legacy systems – Record Retention – Electronic Signatures u Practically speaking: use PGP for FDA submissions – 15 reasons not to use PGP: http://secushare.org/PGP – No good Authority, no FS, old crypto, incompatibilities, relies on email (in)security, bad key usage, etc. FDA CFR Title 21, Part 11 – ERES
  • 37. FDA CFR Title 21, Part 820 – QSR MD CGMP
    – 1978, 1996
    – FDA CFR 21 Part 820
      • Subpart C 820.30 “Design Controls”
      • Subpart J 820.100 “Corrective and Preventive Action”
    – Compliance management issues
      • Patient’s consent
      • Need to disconnect/tokenize EU users
      • Healthcare provider: data processors
  • 38. FDA – Premarket Submissions for Management of Cybersecurity in Medical Devices
    – 2014
    – Not compulsory
    – Recognises additional risks for “connecting” devices
    – Manufacturers should
      • “address cybersecurity during design and development phase”
      • “establish design inputs for their device related to cybersecurity”
      • “establish a cybersecurity vulnerability and management approach”
      • provide specific cybersecurity documentation: hazard analysis, traceability matrix, secure updates, software integrity, additional cybersecurity controls
      • employ the NIST Cybersecurity Framework
  • 39. FDA – Premarket Submissions – issues
    – Risk assessment is focused on patient’s health, not cybersecurity risks
    – Besides patients’ risk, hospital networks are in scope
    – FDA does not necessarily question the content
    – No verification/test of effectiveness is required
  • 40. FDA “Cybersecurity for Devices Containing Off-the-Shelf Software”
    – 2015
    – Not compulsory – “current thinking” of FDA
    – Focus on OTS software which connects to the Internet
      • also “useful” for network administrators and IT vendors
    – Medical device vendor is responsible for cybersecurity
    – Clarifies that CFR 820.100 also includes cybersecurity
  • 41. FDA “Postmarket Management of Cybersecurity in Medical Devices” (DRAFT)
    – 2016
    – Recommends the NIST Cybersecurity Framework
      • “Identify, Protect, Detect, Respond and Recover”
      • Recommends ISO 14971 for risk assessment
    – Monitor cybersecurity information sources
    – Assess the impact of vulnerabilities (using CVSS)
    – Establish a process for handling vulnerabilities
    – Deploy early mitigations
  • 42. FDA “Postmarket Management of Cybersecurity” (DRAFT) – issues
    – Only a “guidance”, with few compulsory sections
    – Not binding for device compliance
    – Risk context is Quality, not Security
    – No difference for what concerns different levels of risk – threat modelling is very simple
    – Does not encourage an efficient way of elaborating an ISMS
    – Simplistic mitigation procedures
      • Who ensures mitigation procedures are followed?
      • What is the boundary that triggers the need for re-approval?
      • A “security patch” is not a panacea
  • 43. ANSI/AAMI/IEC 80001-1
    – 2010 – started in 2005
    – Matches the IEC 14971 standard at the network level
    – Aimed at healthcare providers (hospitals)
    – MDDSs require FDA registration / Responsibility Agreement
    – Safety, Effectiveness, Data and System Security
  • 44. Medical Devices’ Cybersecurity Req’s (EU)
    – European Network and Information Security (NIS) directive
    – “The Alliance for Internet of Things Innovation (AIOTI)”
    – IEC 80001-1 “Application of Risk Management for IT-Networks Incorporating Medical Devices”
    – ISO/IEC 270xx standards
  • 45. NIST Resources
    – SP 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
    – SP 800-61: Computer Security Incident Handling Guide
    – DRAFT SP 800-53: Recommended Security Controls for Federal Information Systems
    – SP 800-55: Security Metrics Guide for Information Technology Systems
    – SP 800-50: Building an Information Technology Security Awareness and Training Program
    – SP 800-42: Guideline on Network Security Testing
    – SP 800-35: Guide to Information Technology Security Services
    – SP 800-34: Contingency Planning Guide for Information Technology Systems
    – SP 800-30: Risk Management Guide for Information Technology Systems
    – SP 800-27 Rev. A: Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
    – SP 800-26: Security Self-Assessment Guide for Information Technology Systems
  • 46. Other Resources
    – ECRI publications
      • “Security Guide for Biomedical Technology”
      • “How FDA Sees Cybersecurity”
    – ISO/IEC 60601-1 (2005)
    – HIMSS/NEMA HN 1-2008 Manufacturer’s Disclosure Statement for Medical Device Security (MDS2)
    – MIL-STD-882E DOD’s Standard Practice for System Safety
    – ACCE ECRI Security Guide for Biomedical Technology
    – The Joint Commission Sentinel Event Alert #42: Safely implementing health information and converging technologies, December 11, 2008
    – Systems Engineering Guide for Systems of Systems, Version 1.0 (ODUSD), 2008
  • 47. Suggestions for improvements
  • 48. Suggestions for improvements
    – Network communication standardisation
      • Including security interfaces
    – Regulation step-up
      • Making cybersecurity prescriptive / revise 510(k)
      • Simplify the normative jungle
    – Change the thinking paradigms of medical device manufacturers
      • Collaboration between P&D and InfoSec/Risk Management
      • “Security should be evaluated according to impact on safety”
      • Less simplistic approach for FDA cybersecurity risk assessments
    – Cybersecurity!
      • Security by design (as required by the new EU GDPR)
      • Re-use existing frameworks as much as possible
      • Implement advanced OS security (e.g. signed updates, fail safely)
      • Build on technological advances
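Slides 24 and 48 both point at signed updates as the fix for unsigned-update and MITM exposure, and slide 24 notes that signing is usually assumed to need a PKI and an always-on system. The following is an added example, not code from the talk or from ResMed: a constructed update-package layout with hypothetical `BuildUpdate`/`VerifyUpdate` functions, where a public key pinned at manufacturing stands in for an online PKI, so the device can verify offline, and an anti-rollback check makes it fail safely on a validly signed but older image.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed layout: [4-byte BE version][SHA-256 of payload][payload][Ed25519 signature].
// The signature covers everything before it, so a MITM altering any part breaks verification.
const hdrLen, sigLen = 4 + sha256.Size, ed25519.SignatureSize

// BuildUpdate is the vendor-side packaging step (hypothetical name).
func BuildUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := make([]byte, hdrLen, hdrLen+len(payload)+sigLen)
	binary.BigEndian.PutUint32(buf[:4], version)
	digest := sha256.Sum256(payload)
	copy(buf[4:], digest[:])
	buf = append(buf, payload...)
	return append(buf, ed25519.Sign(priv, buf)...)
}

// VerifyUpdate is the device-side check; it needs only the pinned public key and the installed version, no online PKI.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, pkg []byte) (uint32, []byte, error) {
	if len(pkg) < hdrLen+sigLen {
		return 0, nil, errors.New("package too short")
	}
	body, sig := pkg[:len(pkg)-sigLen], pkg[len(pkg)-sigLen:]
	if !ed25519.Verify(pub, body, sig) { // nothing below is trusted until this passes
		return 0, nil, errors.New("bad signature: reject update")
	}
	version, payload := binary.BigEndian.Uint32(body[:4]), body[hdrLen:]
	if digest := sha256.Sum256(payload); !bytes.Equal(digest[:], body[4:hdrLen]) {
		return 0, nil, errors.New("payload digest mismatch")
	}
	if version <= installed { // anti-rollback: a validly signed older image is still refused
		return 0, nil, fmt.Errorf("version %d not newer than installed %d", version, installed)
	}
	return version, payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair; a real device pins pub at manufacturing
	_, _, err := VerifyUpdate(pub, 1, BuildUpdate(priv, 2, []byte("fw v2")))
	fmt.Println("valid update accepted:", err == nil)
}
```

The signing key never leaves the vendor, so the device side needs no network access at update time; revocation or key rotation is the remaining operational problem a real deployment still has to plan for.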
  • 49. “I Am The Cavalry” Hippocratic Oath
    – Cyber Safety by Design: I respect domain expertise from those that came before. I will inform design with security lifecycle, adversarial resilience, and secure supply chain practices.
    – Third-Party Collaboration: I acknowledge that vulnerabilities will persist, despite best efforts. I will invite disclosure of potential safety or security issues, reported in good faith.
    – Evidence Capture: I foresee unexpected outcomes. I will facilitate evidence capture, preservation, and analysis to learn from safety investigations.
    – Resilience and Containment: I recognize failures in components and in the environment are inevitable. I will safeguard critical elements of care delivery in adverse conditions, and maintain a safe state with clear indicators when failure is unavoidable.
    – Cyber Safety Updates: I understand that cyber safety will always change. I will support prompt, agile, and secure updates.
  • 50. Questions?
  • 51. Thank you