Cyber Security for your Connected Health Device
Agenda
• Cyber Security Emerging Threats
• Implications to Healthcare
• Healthcare Response
OpenSky’s timeline… (2008 to 2014)
• Formal Launch 1/2008
• Service Evolution: Launch Application Security; Launch Vulnerability Assessment; Launch Governance, Risk & Compliance; Launch Enterprise Mobility; Launch IT Optimization 2014
• Geographic Expansion: Launch South Central Region; Launch Southwest Region; Launch Mid-Atlantic Region; Launch West Region
• Merge with TUV Rheinland
GLOBAL ORIGINS & BACKGROUND 140 YRS OF INNOVATION
Key Drivers for Cyber Security in Healthcare...
• FDA issued cyber security warning in June 2013 to address the risks
• FDA published draft guideline on cyber security for medical devices (June 2013)
• Device manufacturers have confirmed the FDA is asking for documentation related to cybersecurity (FDA guidelines) during the approval process (510k, PMA)
• Most hospitals now require device manufacturers to provide evidence that the devices they are buying are secure and not susceptible to cyber security risks
• Increasing publicity surrounding cyber security of medical devices
• Actual related risks and hazards exist ...
http://www.wired.com/2014/04/hospital-equipment-vulnerable/
Cyber Security Emerging Threats
The Cyber Security Landscape…
Source: www.mandiant.com
Twelve-Month Timeline of Data Breaches Source: Symantec
Cyber Security by the numbers…
Source: Symantec
• $$$ is the Biggest motivator;
• Targets are changing;
• Medical PII is becoming more valuable than PCI data ($20 vs $2).
Cyber Security Top Industry Targets…
Source: Mandiant M-Trends® Beyond the Breach
Cybersecurity Attack Scenario – Retail…
1. Cybercriminals leveraged minor misconfigurations in the infrastructure to identify systems with direct access to the POS systems.
2. A domain controller, which provided authentication for corporate offices and retail stores, provided the vulnerable pivot point.
3. The card-harvesting malware deployed on each register searched the process memory of the POS application for magnetic stripe data stored in the POS system.
Source: Mandiant M-Trends® Beyond the Breach
Cybersecurity Attack Scenario – Hospital…
[Diagram: Internet, Medical Information Server, Nurses, Inpatients, Lab Equipment, Medical Devices, Administration User]
1. Cybercriminals create a phishing email to lure an unsuspecting user into clicking a link that points to malware.
2. The unsuspecting user receives the phishing email and clicks the link.
3. The infected Administration PC searches for other unpatched or vulnerable devices. Finding a vulnerable application on lab equipment, it attacks that equipment to gain access to the Medical Devices.
Cyber Security Implications to Healthcare
“Internet of Things” is here….
Top four medical device threats…
• The security leaders interviewed listed among their top perceived threats to networked medical devices:
  • Hacktivists wishing to cause service interruption
  • Thieves desiring to sell or monetize personal health information (PHI)
  • Malicious groups or individuals seeking to cause harm to patients (possibly targeting VIP patients)
  • Malware that evades existing antivirus engines and rules but is not specifically targeted at medical devices
Networked medical device cybersecurity and patient safety Source: Deloitte SANS Healthcare Cyber Security Report
Cyber Security Spending/ Costs…
Cyber Security Malware by Vertical
Locations and Types of Compromised Organizations Source: SANS Healthcare Cyber Security Report
Legend:
• Dark states show highest population
• Orange circle shows the number of organizations compromised
Note: states with the most stringent privacy laws were also the states most affected.
Highest medical fraud by compromised organizations…
Type of devices emitting malicious traffic…
Source: SANS Healthcare Cyber Security Report
Healthcare’s response to Cyber Security threats
Cyber Security Mitigation lifecycle…
Governance
Risk Identification
Risk Management
Risk Assessment Methodology…
• Identify: All possible threats, objectives, and methods
• Filter & Prioritize: Highest risk threats, objectives, and methods
• Scan for Vulnerabilities: Identify which vulnerabilities have controls. Those without controls are likely exposures
[Diagram labels: Threat Agents, Attacker Objectives, Attacker Methods, Controls, Exposures]
[Figure: Medical Product Development lifecycle. Stages: Device Scope, Design, Validation, Market Certification, Product Market. Labels: Annual Cost; Provide regulatory budget for global markets; Provide data testing based on regulatory requirements; TÜV Rheinland Core Business; TÜV Rheinland helps reduce these costs; OpenSky Risk Assessments and Secure Coding]
Thank-you!
Jesus “Laz” Montano, CSO & VP of Security Services, OpenSky Corporation, a TÜV Rheinland Company
Rayshon L. Payne, Medical Account Manager, TÜV Rheinland