Cyber Security for your Connected Health Device


Page 1: Cyber Security for your Connected Health DeviceIT Optimization 2014 2013 2011 2008 2012 2010 2009 Formal Launch 1/2008 Launch Application Security Launch Vulnerability Assmt Launch

Cyber Security for your Connected Health Device

Page 2:

Agenda

• Cyber Security Emerging Threats

• Implications to Healthcare

• Healthcare Response

Page 3:

OpenSky’s timeline…

[Timeline figure, 2008 to 2014, with two tracks: Geographic Expansion and Service Evolution. Milestones shown: Formal Launch 1/2008; Launch IT Optimization; Launch Application Security; Launch Vulnerability Assmt; Launch Governance, Risk & Compliance; Launch Enterprise Mobility; Launch South Central Region; Launch Southwest Region; Launch Mid-Atlantic Region; Launch West Region; Merge with TUV Rheinland.]

Page 4:

GLOBAL ORIGINS & BACKGROUND 140 YRS OF INNOVATION

Page 5:

• FDA issued cyber security warning in June 2013 to address the risks

• FDA published draft guideline on Cyber security for medical devices (June 2013)

• Device manufacturers have confirmed the FDA is asking for documentation related to cybersecurity (FDA guidelines) during the approval process (510k, PMA)

• Most hospitals now require device manufacturers to provide evidence that the devices they are buying are secure and not susceptible to cyber security risks

• Increasing publicity surrounding cyber security of medical devices

• Actual related risks and hazards exist ...

http://www.wired.com/2014/04/hospital-equipment-vulnerable/


Key Drivers for Cyber Security in Healthcare...

Page 6:

Cyber Security Emerging Threats

Page 7:

The Cyber Security Landscape…

Source: www.mandiant.com

Page 8:

Cyber Security by the numbers…

[Figures, including "Twelve-Month Timeline of Data Breaches". Source: Symantec]

Page 9:

• $$$ is the Biggest motivator;

• Targets are changing;

• Medical PII is becoming more valuable than PCI data ($20 vs $2).

Cyber Security Top Industry Targets…

Source: Mandiant M-Trends® Beyond the Breach

Page 10:

Cybersecurity Attack Scenario – Retail…

1. Cybercriminals leveraged minor misconfigurations in the infrastructure to identify systems with direct access to the POS systems.

2. A domain controller, which provided authentication for corporate offices and retail stores, provided the vulnerable pivot point.

3. The card-harvesting malware deployed on each register searched the process memory of the POS application for magnetic stripe data stored in the POS system.

Source: Mandiant M-Trends® Beyond the Breach

Page 11:

[Network diagram labels: Internet; Medical Information Server; Nurses; Inpatients; Lab Equipment; Medical Devices; Administration User]

Cybersecurity Attack Scenario – Hospital…

1. Cybercriminals create a phishing email to lure an unsuspecting user into clicking a link that points to malware.

2. The unsuspecting user receives the phishing email and clicks on the link.

3. The infected Administration PC searches for other unpatched or vulnerable devices. Finding a vulnerable application on lab equipment, it attacks that equipment to gain access to the Medical Devices.

Page 12:

Cyber Security Implications to Healthcare

Page 13:

“Internet of Things” is here….

Page 14:

Top four medical device threats…

The security leaders interviewed listed among their top perceived threats to networked medical devices:

• Hacktivists wishing to cause service interruption.

• Thieves desiring to sell or monetize personal health information (PHI).

• Malicious groups or individuals seeking to cause harm to patients (possibly targeting VIP patients).

• Malware that evades existing antivirus engines and rules but is not specifically targeted at medical devices.

Networked medical device cybersecurity and patient safety Source: Deloitte SANS Healthcare Cyber Security Report

Page 15:

Cyber Security Spending/ Costs…

Page 16:

Cyber Security Malware by Vertical

Page 17:

Locations and Types of Compromised Organizations Source: SANS Healthcare Cyber Security Report

Legend:

• Dark states show highest population

• Orange circle shows the number of organizations compromised

Note: the states with the most stringent privacy laws were also the states most affected.

Highest medical fraud by compromised organizations…

Page 18:

Type of devices emitting malicious traffic…

Source: SANS Healthcare Cyber Security Report

Page 19:

Healthcare’s response to Cyber Security threats

Page 20:

Cyber Security Mitigation lifecycle…

Governance

Risk Identification

Risk Management

Page 21:

Risk Assessment Methodology…

• Identify: All possible threats, objectives, and methods

• Filter & Prioritize: Highest risk threats, objectives, and methods

• Scan for Vulnerabilities: Identify which vulnerabilities have controls. Those without controls are likely exposures.

[Diagram labels: Threat Agents; Attacker Objectives; Attacker Methods; Controls; Exposures]

Page 22:

[Diagram: MEDICAL Product Development lifecycle. Stages: Device Scope; Design; Validation; Market Certification; Product Market. Also labelled: Annual Cost. Callouts: "Provide regulatory budget for global markets"; "Provide data testing based on regulatory requirements"; "TÜV Rheinland Core Business"; "TÜV Rheinland helps reduce these costs"; "OpenSky Risk Assessments and Secure Coding".]

Page 23:

Thank-you!

Jesus “Laz” Montano, CSO & VP of Security Services, OpenSky Corporation, a TÜV Rheinland Company

Rayshon L. Payne, Medical Account Manager, TÜV Rheinland