THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero© 2013.
A Security Risk Management Framework for Networked Medical Devices
Anita Finnegan, Fergal Mc Caffery, Gerry Coleman
Regulated Software Research Centre & Lero, Dundalk Institute of Technology, Dundalk
Overview
• Problem Background
• New / Proposed Guidance
• Overview of Solution: Security Risk Management Life Cycle; IEC/TR 80001-2-2; Security Assurance Cases; Summary of Solution
• Conclusion
Problem Background
• Advancements in medical devices: increased use of software; device communication abilities
• Controlled hacking demonstrations of devices: Black Hat Security Conference, Las Vegas; Breakpoint Conference, Melbourne; ICS-ALERT on medical devices with hard-coded passwords
• Medical device security inquiry (US): 2012 Government Accountability Office (GAO) report
• Challenge: balancing security with safety & effectiveness
Guidance & Standards
Issued:
• FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks
• Content of Premarket Submissions for Management of Cybersecurity in Medical Devices - Draft Guidance for Industry and Food and Drug Administration Staff
• IEC/TR 80001-2-2 - Guidance for the communication of medical device security needs, risks and controls
Proposed:
• IEC/TR 80001-2-8 - Guidance on standards for establishing the security capabilities identified in IEC/TR 80001-2-2
Solution Framework (diagram; labels grouped by the framework's product and process strands)
• Product strand: HDO User Needs → Security Capabilities (IEC/TR 80001-2-2) → Security Controls (NIST SP 800-53, ISO/IEC 27k, IEC 62443, ISO/IEC 15408, IEC/TR 80001-2-2); Product Risk Analysis via Threat Modeling + Threat Identification, supported by a Security Requirements Management Tool
• Process strand: Process Reference Model (ISO/IEC 15026-4, 15288) provides a description of processes; ISO/IEC 15026-4 Assurance in the Life Cycle provides additional processes to extend the PRM; processes are assessed by a Process Assessment Model (ISO/IEC 15026-4, 15504-6)
• Output: Security Assurance Case, delivered to the HDO
Security Risk Management Life Cycle (diagram)
• SDLC phases: Requirements, Design, Coding, Testing, Operations, Retirement
• HDO Requirements feed the Security Requirements
• MDM side: Security Risk Management & SDLC Assurance Case Development, with Test Results feeding the assurance case
• HDO side: Security Risk Management and HDO Assurance Case Maintenance during Operations, with a Feedback loop
IEC/TR 80001-2-2
• A framework for the disclosure of security-related capabilities necessary for managing the risk of connecting medical devices to IT networks.
• This technical report presents an informative set of common, high-level security-related capabilities useful in understanding the user needs, the type of security controls to be considered and the risks that lead to the controls.
• The capability descriptions in the report are intended to supply healthcare delivery organizations (HDOs) and medical device manufacturers (MDMs) with a basis for discussing risk and their respective roles and responsibilities for the management of this risk.
IEC/TR 80001-2-2 Security Capabilities
• Automatic Logoff
• Audit Controls
• Authorization
• Configuration of Security Features
• Cyber Security Product Upgrades
• Data Backup and Disaster Recovery
• Emergency Access
• Health Data De-identification
• Health Data Integrity and Authenticity
• Health Data Storage Confidentiality
• Malware Protection/Detection
• Node Authentication
• Person Authentication
• Physical Locks on Devices
• Security Guides
• System & Application Hardening
• Third Party Components in Product Lifecycle Roadmaps
• Transmission Confidentiality
• Transmission Integrity
Security Mapping
IEC/TR 80001-2-2 Security Capabilities are mapped to the Security Controls required for the implementation of each Security Capability, drawn from:
• ISO/IEC 27002
• ISO 27799
• IEC 62443
• NIST SP 800-53
• ISO/IEC 15408
Security Mapping: Automatic Logoff (ALOF)

IEC/TR 80001-2-2 Capability | Security Control | Source
Automatic Logoff (ALOF) | SR 1.4 Authenticator Management | IEC 62443-3-3
Automatic Logoff (ALOF) | SR 1.5 Strength of Password Based Authentication | IEC 62443-3-3
Automatic Logoff (ALOF) | SR 2.5 Remote Session Termination | IEC 62443-3-3
Automatic Logoff (ALOF) | 11.1.1 Access Control Policy | ISO/IEC 27002
Automatic Logoff (ALOF) | 11.3.1 Password Use | ISO/IEC 27002
Automatic Logoff (ALOF) | 11.3.2 Unattended User Equipment | ISO/IEC 27002
Automatic Logoff (ALOF) | 11.3.3 Clear Desk & Clear Screen Policy | ISO/IEC 27002
Automatic Logoff (ALOF) | 11.5.5 Session Time-out | ISO/IEC 27002
Automatic Logoff (ALOF) | 11.5.6 Limitation of Connection Time | ISO/IEC 27002
Automatic Logoff (ALOF) | 7.8.1.2 Access Control Policy | ISO 27799
Automatic Logoff (ALOF) | 7.8.3 Password Use | ISO 27799
Automatic Logoff (ALOF) | 7.8.3 Unattended User Equipment | ISO 27799
Automatic Logoff (ALOF) | 7.8.3 Clear Desk & Clear Screen Policy | ISO 27799
Automatic Logoff (ALOF) | 7.8.4 Session Time-out | ISO 27799
Automatic Logoff (ALOF) | 7.8.4 Limitation of Connection Time | ISO 27799
Automatic Logoff (ALOF) | AC-1 Access Control Policy & Management | NIST 800-53
Automatic Logoff (ALOF) | AC-2 Account Management | NIST 800-53
Automatic Logoff (ALOF) | AC-11 Session Lock | NIST 800-53
Automatic Logoff (ALOF) | SI-1 System & Information Integrity Policy & Procedures | NIST 800-53
Automatic Logoff (ALOF) | FDP_ACC Access Control Policy | ISO/IEC 15408-2
Automatic Logoff (ALOF) | FIA_UAU User Authentication | ISO/IEC 15408-2
Automatic Logoff (ALOF) | FIA_UID User Identification | ISO/IEC 15408-2
Automatic Logoff (ALOF) | FMT_MOF Management of Functions in TSF | ISO/IEC 15408-2
Automatic Logoff (ALOF) | FTA_SSL Session Locking & Termination | ISO/IEC 15408-2
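The mapping above lists the controls that together realise the Automatic Logoff capability, but it does not show what the device-side behaviour looks like. The following is an added example written for this page, not code from the slides or their authors: an inactivity-driven session state machine that exercises the session time-out and session lock controls (ISO/IEC 27002 11.5.5, NIST SP 800-53 AC-11, ISO/IEC 15408-2 FTA_SSL), remote session termination (IEC 62443-3-3 SR 2.5) and the absolute connection-time limit (11.5.6), writing every transition to an audit record. The timeouts, the user name and the log format are constructed for the example, and the clock is injected so the behaviour can be driven deterministically.

```python
"""Automatic Logoff (IEC/TR 80001-2-2 ALOF) as an inactivity-driven session
state machine. Added illustration, not from the slides or the authors; the
timeouts, user names and audit-line format are constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ACTIVE, LOCKED, TERMINATED = "active", "locked", "terminated"


@dataclass
class Session:
    user: str
    started_at: float
    last_activity: float
    state: str = ACTIVE


@dataclass
class AutoLogoffPolicy:
    lock_after: float = 120.0        # idle seconds before the screen locks (AC-11 / FTA_SSL)
    terminate_after: float = 600.0   # idle seconds before the session is dropped (SR 2.5)
    max_duration: float = 8 * 3600   # absolute connection-time limit (ISO/IEC 27002 11.5.6)


class SessionManager:
    def __init__(self, policy: AutoLogoffPolicy, clock: Callable[[], float]):
        self.policy = policy
        self.clock = clock                     # injected clock: tests drive time explicitly
        self.sessions: Dict[str, Session] = {}
        self.audit: List[str] = []             # constructed audit trail (Audit Controls capability)

    def _log(self, event: str, s: Session) -> None:
        self.audit.append(f"t={self.clock():.0f} user={s.user} event={event}")

    def login(self, user: str) -> Session:
        now = self.clock()
        s = Session(user=user, started_at=now, last_activity=now)
        self.sessions[user] = s
        self._log("login", s)
        return s

    def touch(self, user: str) -> bool:
        """Record user activity. Input on a locked session must NOT unlock it,
        and a terminated session cannot be revived; both return False."""
        s = self.sessions.get(user)
        if s is None or s.state != ACTIVE:
            return False
        s.last_activity = self.clock()
        return True

    def unlock(self, user: str, credential_ok: bool) -> bool:
        """Only a fresh successful authentication releases a locked session (FIA_UAU)."""
        s = self.sessions.get(user)
        if s is None or s.state != LOCKED or not credential_ok:
            return False
        s.state = ACTIVE
        s.last_activity = self.clock()
        self._log("unlock", s)
        return True

    def sweep(self) -> List[str]:
        """Apply the policy to every session; returns the users whose state changed."""
        now = self.clock()
        changed: List[str] = []
        for s in self.sessions.values():
            if s.state == TERMINATED:
                continue
            idle = now - s.last_activity
            if idle >= self.policy.terminate_after or now - s.started_at >= self.policy.max_duration:
                s.state = TERMINATED
                self._log("terminate", s)
                changed.append(s.user)
            elif s.state == ACTIVE and idle >= self.policy.lock_after:
                s.state = LOCKED
                self._log("lock", s)
                changed.append(s.user)
        return changed

    def state_of(self, user: str) -> Optional[str]:
        s = self.sessions.get(user)
        return s.state if s else None


def demo() -> dict:
    """Drive a fake clock through the lock and terminate thresholds."""
    t = [0.0]
    mgr = SessionManager(AutoLogoffPolicy(lock_after=120, terminate_after=600), clock=lambda: t[0])
    mgr.login("nurse1")
    t[0] = 60; mgr.touch("nurse1")                 # activity resets the idle timer
    t[0] = 179; mgr.sweep()                        # 119 s idle: still active
    after_119 = mgr.state_of("nurse1")
    t[0] = 180; mgr.sweep()                        # 120 s idle: locked
    after_lock = mgr.state_of("nurse1")
    touched_while_locked = mgr.touch("nurse1")     # keystrokes must not unlock
    mgr.unlock("nurse1", credential_ok=True)
    t[0] = 800; mgr.sweep()                        # 620 s idle since unlock: terminated
    return {"after_119": after_119, "after_lock": after_lock,
            "touched_while_locked": touched_while_locked,
            "final": mgr.state_of("nurse1"), "events": len(mgr.audit)}


if __name__ == "__main__":
    print(demo())
```

The design point is that locking and terminating are evaluated by a periodic sweep against an injected clock rather than by per-keystroke timers, which keeps the policy in one place and makes the thresholds testable; the audit list stands in for whatever log sink the device actually uses.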
Security Risk Management
1. HDO Internal Risk Assessment: identify 'user needs' to determine the required security capability of a medical device
2. Agreement between MDM and HDO: serves as the basis for one or more responsibility agreements as specified in IEC 80001-1
3. MDM Security Risk Assessment
4. Delivery: medical device accompanied by a tailored assurance case detailing the security capability of the product
5. HDO Risk Management: ongoing security risk management using the HDO-tailored assurance case
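Steps 1 to 3 above reduce to a comparison between what the HDO needs and what the MDM can show, with the capability-to-control mapping in between. The following is an added example, not the authors' tool: it takes the HDO's required capabilities (step 1), a device's declared controls (step 3) and a mapping in the style of the Automatic Logoff table, and reports which capabilities are covered, partially covered, absent or unmapped, producing the residual items that the responsibility agreement (step 2) has to allocate. The ALOF rows are a subset of the slides' table; the AUDT and NAUT rows, the device declaration and the HDO needs are constructed for the example.

```python
"""Capability coverage gap analysis for the HDO/MDM risk management process.
Added illustration, not the authors' tool. MAPPING rows for AUDT and NAUT and
the sample declaration are constructed; the ALOF rows follow the slides."""
from typing import Dict, List, Set, Tuple

Control = Tuple[str, str]   # (control id, source standard)

# IEC/TR 80001-2-2 capability -> controls required to implement it.
MAPPING: Dict[str, Set[Control]] = {
    "ALOF": {("SR 2.5", "IEC 62443-3-3"), ("11.5.5", "ISO/IEC 27002"),
             ("AC-11", "NIST 800-53"), ("FTA_SSL", "ISO/IEC 15408-2")},
    "AUDT": {("SR 6.1", "IEC 62443-3-3"), ("AU-2", "NIST 800-53")},   # constructed rows
    "NAUT": {("SR 1.2", "IEC 62443-3-3"), ("IA-3", "NIST 800-53")},   # constructed rows
}


def assess(required: Set[str], declared_controls: Set[str]) -> dict:
    """Compare HDO-required capabilities with the controls the MDM declares.

    Returns per-capability status plus a flat list of residual items, i.e. the
    gaps that must be allocated to one party in the responsibility agreement."""
    report: Dict[str, dict] = {}
    residual: List[str] = []
    for cap in sorted(required):
        controls = MAPPING.get(cap)
        if controls is None:
            # No mapping at all: the parties must agree responsibilities explicitly.
            report[cap] = {"status": "unmapped", "missing": []}
            residual.append(f"{cap}: no control mapping; agree responsibilities explicitly")
            continue
        missing = sorted(f"{cid} ({src})" for cid, src in controls if cid not in declared_controls)
        if not missing:
            status = "covered"
        elif len(missing) == len(controls):
            status = "absent"
        else:
            status = "partial"
        report[cap] = {"status": status, "missing": missing}
        residual.extend(f"{cap}: {m}" for m in missing)
    return {"capabilities": report, "residual_risk_items": residual}


def residual_by_source(result: dict) -> Dict[str, int]:
    """Count missing controls per source standard, to see which standard's
    controls the MDM has not evidenced at all."""
    counts: Dict[str, int] = {}
    for entry in result["capabilities"].values():
        for m in entry["missing"]:
            src = m[m.index("(") + 1:-1]
            counts[src] = counts.get(src, 0) + 1
    return counts


def demo() -> dict:
    hdo_needs = {"ALOF", "AUDT", "NAUT", "EMRG"}                      # step 1 output (constructed)
    mdm_declares = {"SR 2.5", "11.5.5", "AC-11", "FTA_SSL", "AU-2"}   # step 3 output (constructed)
    return assess(hdo_needs, mdm_declares)


if __name__ == "__main__":
    r = demo()
    for cap, entry in r["capabilities"].items():
        print(cap, entry["status"], entry["missing"])
    print(residual_by_source(r))
```

A real run would take the full IEC/TR 80001-2-2 capability list and the complete mapping; the point of the status categories is that an "absent" capability is a candidate for an HDO-side compensating control, whereas "partial" is usually an evidence question to raise with the MDM.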
Security Assurance Cases
An assurance case is a body of evidence organised into an argument demonstrating some claim that a system holds, i.e. that it is acceptably safe. It is required when it is important to show that a system exhibits some complex property such as safety, security or reliability. An assurance case:
1. Must make a claim or set of claims about a property of a system;
2. Provide a set of arguments;
3. Make clear the assumptions and judgements underlying the arguments;
4. Produce the supportive evidence.
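The four elements listed above give an assurance case a checkable shape: every claim must bottom out in evidence or in further claims, every argument must state its assumptions. The following is an added example, not the authors' notation or tooling: a minimal claim/argument/assumption/evidence structure with a completeness check that reports undeveloped claims, sub-claims presented without a linking argument, and arguments with no stated assumptions. The ALOF case content, identifiers and evidence descriptions are constructed for the example.

```python
"""Minimal structured assurance case with a completeness check. Added
illustration, not the authors' notation; the ALOF case content, claim ids and
evidence descriptions are constructed."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Evidence:
    id: str
    description: str


@dataclass
class Claim:
    id: str
    statement: str
    argument: str = ""                                   # how the sub-claims support this claim
    assumptions: List[str] = field(default_factory=list)  # judgements the argument relies on
    subclaims: List["Claim"] = field(default_factory=list)
    evidence: List[Evidence] = field(default_factory=list)


def check(claim: Claim, path: str = "") -> List[str]:
    """Walk the case top-down; returns findings, empty when the case is fully developed."""
    findings: List[str] = []
    here = f"{path}/{claim.id}"
    if not claim.subclaims and not claim.evidence:
        findings.append(f"{here}: undeveloped claim (no evidence, no sub-claims)")
    if claim.subclaims and not claim.argument:
        findings.append(f"{here}: sub-claims given without an argument linking them")
    if claim.argument and not claim.assumptions:
        findings.append(f"{here}: argument states no assumptions or judgements")
    for sub in claim.subclaims:
        findings.extend(check(sub, here))
    return findings


def build_alof_case(termination_tested: bool) -> Claim:
    """Constructed case for the Automatic Logoff (ALOF) capability. With
    termination_tested=False the third sub-claim is left without evidence."""
    lock = Claim("C1.1", "Session locks after the configured inactivity period",
                 evidence=[Evidence("E1", "Test report: inactivity timer tests (constructed)")])
    reauth = Claim("C1.2", "A locked session is released only by re-authentication",
                   evidence=[Evidence("E2", "Code review record for the unlock path (constructed)")])
    term = Claim("C1.3", "Idle sessions are terminated after the configured limit",
                 evidence=[Evidence("E3", "Test report: termination tests (constructed)")]
                 if termination_tested else [])
    return Claim("C1", "The device provides the ALOF security capability",
                 argument="Argue over the lock, re-authentication and termination behaviours",
                 assumptions=["The device clock cannot be altered by an unprivileged user"],
                 subclaims=[lock, reauth, term])


if __name__ == "__main__":
    for tested in (False, True):
        print(f"termination_tested={tested}:", check(build_alof_case(tested)) or "complete")
```

The check is deliberately structural: it cannot judge whether the evidence is convincing, only whether the case has the four parts the slide requires in every branch, which is the first thing a reviewer of an MDM-supplied or HDO-tailored case would want to know.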
Assurance Case Structure
SDLC Security Assurance Case
MDM Assurance Case
HDO Security Assurance Case
HDO Assurance Case
Conclusion
• The aim of this risk management framework is to help both HDOs and MDMs better understand the required security capabilities of networked devices.
• IEC/TR 80001-2-2 sets out to develop a common framework for the communication of security needs, risks and controls. This will be further complemented by the MDS2 revision and by the potential IEC/TR 80001-2-8.
• Guidance on interpreting and updating the IEC/TR 80001-2-2 assurance case will be sufficiently covered and supported by these documents.
This research is supported by the Science Foundation Ireland (SFI) Stokes Lectureship Programme, grant number 07/SK/I1299, the SFI Principal Investigator Programme, grant number 08/IN.1/I2030 (the funding of this project was awarded by Science Foundation Ireland under a co-funding initiative by the Irish Government and European Regional Development Fund), and supported in part by Lero - the Irish Software Engineering Research Centre (http://www.lero.ie) grant 10/CE/I1855.
Thank You for Listening
Anita Finnegan
500,000 worldwide insulin pump users