Assessing the Risk of Your Medical Devices
March 3, 2016
Steve Spearman, CEO, Health Security Solutions
Mary McGuirl, CIO, Oneida Health System
Conflict of Interest
Steve Spearman and Mary McGuirl have no real or apparent conflicts of interest to report.
Mary McGuirl, CIO, Oneida Healthcare
• 38 years experience in healthcare
– Redesign of hospital wage and salary administration
– Creation of institutional development program
– Information Systems
• Management of applications, implementation, training and support – one 2-hospital system and 2 independent hospitals
• Management of IT component of 2-hospital merger
• CIO
Agenda
• About Oneida
• Small Hospital Challenges
• Known vulnerabilities
• HIPAA and risk analysis
• Common Problems with Medical Devices
• Conducting Risk Analysis
• Controls
• Pre-purchase and post-purchase activities
Learning Objectives
• Identify the types of medical devices that should be included in your HIPAA risk analysis
• Categorize the levels of risk associated with medical devices based on likelihood and impact
• Evaluate and address vendor objections related to patching and security of medical devices
• Identify, document, mediate and manage the risks associated with the use of medical devices
http://www.himss.org/ValueSuite
HIMSS Value Suite items addressed (figure):
• Improve Patient Safety
• Ensure Integrity in the Administration and Management of Treatment
• Improved Security of Patient Records
• Protect the Confidentiality, Integrity and Availability of ePHI
Oneida Healthcare
• Full Service Community Hospital in Oneida, New York
– Serves 24 communities, population 80,000, Madison and Oneida counties
– 101 Certified beds
– 160 Long term care beds
– 4 Primary Care Clinics / 6 Specialty Practice / 1 “Quick Care”
– 3,280 Annual Admissions
– 164,000 OP Visits
– 25,000 ER Visits
– 1,200 Employees
• Willing to invest in technology – 1st in area:
• Davinci Robot
• 3D Mammography
• Leapfrog Group Grade “A”
Hospital Challenges
• Competition for IT Resources
– Smaller hospital 15 miles south
– Larger hospital 15 miles north
– Large affiliated hospitals 20 miles east
– 2 Large affiliated hospital systems and 1 Major medical center 20 miles west
• Non-specialized resources to meet regulatory compliance
– More people wear more hats, limited availability of specialists
• Growing areas of vulnerability
– More medical devices than computers
– More points of vulnerability per device
Organization Structure & Resource Challenges
• IT and Materials Mgmt answer to Finance
• Biomedical answers to Operations
• Personnel
– 2 Network Technicians – 1 responsible for security
– 9 System Analyst FTEs, 2 answer to other departments
– 2 Biomedical engineers
• Reporting lines are complex, responsibility cuts across divisions
• All groups need to be involved
• I.T.
• User Departments
• Bio-Medical
• Materials Management
• Pre-purchase Information / Vendor Relationship / BAA
• Installation / Upgrades / Documentation
• Network / Physical Security
• Secure Use Procedures / Auditing
Addressing the Risk
• Know limitations
• Engage experts
• Coordinate with appropriate departments and resources
• Develop and execute ongoing plan
Steve Spearman, VP of HIPAA Compliance Services
• 21 years in Healthcare Information Technology
• HIPAA Privacy and Security Expert
– Risk Analysis
– Compliance
• Host of monthly Webinar – HIPAA Chat
• HIMSS Risk Assessment Working Group
O 864-643-2579 | M 864-650-6977
healthicity.com
Examples of Vulnerable Medical Devices
Device | Risk | Vulnerability
Hospira LifeCare Infusion Pump | Remotely change dose | Physical access, network access
Medtronic insulin pumps* | Unauthorized remote insulin dosage | Unauthenticated, unencrypted wireless message
Implantable Cardioverter Defibrillators (ICDs) | Hijack signal delivers unwarranted shock | Insecure Bluetooth stack, weak credentials
X-Ray Systems | Unauthorized access to images | Insecure backup
Blood Refrigeration Units | Alter storage temp, disable notification | Unchangeable, hard-coded password
CT Scans | Change radiation exposure limits | Remotely alter config files
*Austrian hospital patients became addicted to opiates after a patient hacked the computer and dialed up dosing
Lahey Medical Center Settlement… “Lessons for Users of Medical Devices”
• $850,000 Settlement and Corrective Action Plan
• Stolen Laptop that ran CT Scanner
• 599 Records breached
Investigation found:
• No risk analysis for “all of its ePHI”
• Inadequate physical safeguards of a workstation
• No policies and procedures safeguarding ePHI for devices
• No unique credentials for users for the workstation
• No procedures allowing for the tracking of activity
http://www.hhs.gov/about/news/2015/11/25/hipaa-settlement-reinforces-lessons-users-medical-devices.html#.VlzSn5EcFV4.twitter
What is Risk Assessment?
• Risk Assessment is... the methodical process for identifying, analyzing, evaluating and ranking the risks to an organization's data or information against predetermined criteria
• HIPAA Risk Assessment is… the application of these processes by covered entities to determine and document the risks to the confidentiality, integrity and availability of ePHI
• Risk Analysis and Risk Assessment… are often used interchangeably
• A Risk Assessment Report is… the formal documented output of a risk assessment
Why Security Risk Analysis?
Otherwise you are just guessing!
• Improves Awareness
• Justification for “Reasonable and Appropriate” for Addressable Implementation Specifications
• Identify assets, vulnerabilities and controls
• Improved basis for decision making
• Justify Expenditures for Security
• Helps determine personnel access levels
CIA – Confidentiality, Integrity, Availability + Safety
• Confidentiality: The property that data or information is not made available or disclosed to an unauthorized person
• Integrity: The property that data or information has not been altered or destroyed in an unauthorized manner
• Availability: The property that data or information is accessible and useable upon demand by an authorized person
Security Risk Analysis and Meaningful Use
Meaningful Use Stage 3 Requirement # 1
“Conduct or review a Security Risk Analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary”
HIPAA Verbiage
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information”
Security vs. Patient Safety
• Part of the requirement for HIPAA? Not necessarily
• But needs to be a part of your evaluation
• Device related incident may not impact Confidentiality, Integrity or Availability but still compromises intended use
• Patient harm is a real risk
Risk Analysis and Medical Devices
• Perform for all medical devices that process, manage, store or transmit ePHI
• Evaluate the medical device's intended use
• What are the potential hazards associated with the use of this device?
– Patient Safety
– Breach of ePHI
– Network Attack Vector
Common risks associated with Medical Devices
• Risks to patient safety
• Risks to quality of care
• Risks to network integrity
• Risks to privacy of patient data
Common Security Deficiencies
• Weak credentials
• No mechanisms for managing credentials
• Hard-coded credentials
• Lack of encryption of data in motion
• Lack of encryption of data at rest
• Missing patches and updates
• No mechanism for managing security attributes
• Physical access security
Medical Devices should comply with HIPAA requirements
How to Conduct a Security Risk Analysis? #1
• NIST
– SP 800-30r1 – Guidance on Risk Assessment
– SP 800-66 – Resource Guide for Implementing HIPAA
• Other Frameworks
– HITRUST
– ISO
Phase 1: Establish Risk Assessment Criteria
• Goal: establish the criteria for the identification of assets and their priority level and obtain senior management's strategic objectives
– Process 1: Establish Risk Assessment Criteria
– Process 2: Apply the Critical Asset Criteria to Classify Assets and Resources
Phase 2: Develop Initial Security Strategies
• Goal: Identify vulnerabilities and the threats that can exploit those vulnerabilities.
– Process 1: Strategic Objectives - Senior Management
– Process 2: Operational Objectives - Departmental Management
– Process 3: Practice Objectives – Staff
– Process 4: Consolidated View of Security Requirements
Phase 3: Identify Infrastructure Vulnerabilities
• Goal: To identify areas of potential exposure associated with the systems architecture.
– Process 1: Evaluation of Key Technology Components
– Process 2: Evaluation of Selected Technology Components
Phase 4: Develop Security Strategy and Plans
• Goal: Determine the level of risk associated with each system. Prioritize mitigation of the highest risks. Executive leadership decides the degree of risk that the organization will be willing to accept.
– Process 1: Risk Pairings
1. Assess the potential impact of threats (and vulnerabilities) to critical assets (qualitative and/or quantitative)
2. Evaluate the likelihood of occurrence of the threats (high, medium, low)
3. Create a consolidated analysis of risks, based on the impact value to critical assets and the likelihood of occurrence
– Process 2: Protection Strategy and Mitigation Plans
1. Rank overall risk based on the “vulnerability pairings”
Step by Step Guide - Determine the Level of Risk
Elements of Security Risk Analysis
1. Determine Scope
2. Data Collection
3. Assess Current Security Measures
4. ID and Document Potential Threats and Vulnerabilities
5. Determine the Likelihood of Threat Occurrence
6. Determine the Potential Impact of Threat Occurrence
7. Determine the Level of Risk
8. Document results
9. Review and update as needed
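The Phase 4 "risk pairings" process and steps 5 to 7 above (likelihood, impact, level of risk) are easiest to see on a small worked inventory. The following Python is an added example, not part of the presentation or of any tool the presenters use: the High/Medium/Low scale is the one the deck names, but the lookup matrix that turns a likelihood/impact pair into a risk level, the Pairing record, and the sample devices are constructed assumptions modelled loosely on the NIST SP 800-30r1 qualitative approach. The output is the ranked "vulnerability pairings" list a risk assessment report's Key Findings section is built from.

```python
"""Rank threat/vulnerability pairings for a medical device inventory.

Added example (not the presenters' code). The likelihood/impact scale is the
deck's High/Medium/Low; the matrix below that maps a pair to a risk level is
an assumption in the style of NIST SP 800-30r1, and all device data is
constructed sample data, not a real assessment.
"""
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Assumed qualitative risk matrix: (likelihood, impact) -> risk level.
RISK_MATRIX = {
    ("Low", "Low"): "Low",       ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",    ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",   ("High", "Medium"): "High",     ("High", "High"): "Critical",
}
RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Pairing:
    """One threat/vulnerability pairing against a critical asset (step 4)."""
    device: str
    threat: str
    vulnerability: str
    likelihood: str          # High / Medium / Low (step 5)
    impact: str              # High / Medium / Low (step 6)
    hazards: tuple = ()      # deck's hazard classes: safety, breach, network


def risk_level(likelihood: str, impact: str) -> str:
    """Step 7: level of risk for one pairing; rejects values off the scale."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"likelihood/impact must be one of {list(LEVELS)}")
    return RISK_MATRIX[(likelihood, impact)]


def rank_pairings(pairings):
    """Return (level, pairing) tuples sorted Critical -> Low.

    Ties at the same level are broken by impact (higher first), so the
    pairings with the worst consequences surface first, then by device name
    so the report order is stable between runs.
    """
    scored = [(risk_level(p.likelihood, p.impact), p) for p in pairings]
    scored.sort(key=lambda lp: (-RANK[lp[0]], -LEVELS[lp[1].impact], lp[1].device))
    return scored


def summarize(pairings):
    """Count pairings per level for the report's ranked Key Findings."""
    counts = {lvl: 0 for lvl in RANK}
    for lvl, _ in rank_pairings(pairings):
        counts[lvl] += 1
    return counts


# Constructed sample pairings (illustrative only, not real devices or findings).
SAMPLE_PAIRINGS = [
    Pairing("Infusion pump (ward 3)", "Unauthorized dose change",
            "Unauthenticated network service", "Medium", "High", ("safety",)),
    Pairing("Blood refrigerator", "Alter storage temperature",
            "Hard-coded password", "High", "High", ("safety",)),
    Pairing("X-ray workstation", "Disclosure of images",
            "Unencrypted backup share", "Medium", "Medium", ("breach",)),
    Pairing("CT scanner console", "Theft of workstation",
            "No physical lock, no disk encryption", "Low", "High", ("breach",)),
    Pairing("Vital-signs monitor", "Malware via flat network",
            "Unpatched OS, no segmentation", "High", "Low", ("network",)),
]

if __name__ == "__main__":
    for level, p in rank_pairings(SAMPLE_PAIRINGS):
        print(f"{level:8} {p.device:24} {p.threat} / {p.vulnerability}")
    print(summarize(SAMPLE_PAIRINGS))
```

Running it lists the blood refrigerator's hard-coded password pairing as Critical ahead of the infusion pump's High, and the three Medium pairings in impact order; the counts per level are what goes into the "Key Findings – Ranked Critical to Low" section of the report. Patient-safety pairings are carried as a hazard tag rather than folded into the score, so the safety review the deck asks for stays visible even when the CIA-based level is modest.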
Role of the Provider in Managing Risk
• Ultimate responsibility for managing the security of medical devices
• Must comply with HIPAA regulations
• Must provide administrative, physical and technical controls consistent with the HIPAA standards
• Implement medical devices consistent with organization security management policies and procedures and industry best practice
• Risk should include Patient Safety
Role of the Medical Device Manufacturer
• Provide native controls, primarily technical, to facilitate the implementation of effective security management programs by covered entity customers
• Provide transparent and accurate information related to the native capabilities and security features of devices
• Provide guidance to health care providers on the secure staging and implementation of its device into organizations environments
• Provide hardware and software updates (such as firmware updates, etc.) to allow providers to use devices consistent with its security management policies and procedures and industry best practices
Determine for Each Medical Device
• Does the device generate, process, store or transmit ePHI?
• Can admin functions be limited to system administrators?
• Does the device allow for the individual authentication of users? If so, how? Passwords?
• What password security attributes are supported? Length? Characters? Login required at first startup, reset? Etc.
• Is Active Directory integration supported? Group policy objects?
• Will the device support auto-logoff? Is re-authentication required?
• What is logged and auditable within the system?
• Firmware in use? Version? Known vulnerabilities?
Clinical Engineering
• Partner with Clinical Engineering
• Organizational Structure can impact cooperation
– Operations or IT
• By far, most knowledgeable of these devices
• Already have procedures around tracking, inventorying, supporting, managing recalls and claims, cleaning, provisioning and transporting devices
• Good rapport with vendors
• Bring in to IT with procedures and tools to facilitate (e.g. Integration with AD, interfaces to EMR, auditing of data, tracking, etc.)
Medical Device Inventory: What Devices to Include?
• Devices that process, access, manage or store ePHI
– Remember, ePHI, by definition includes identifiers
• Devices that access the corporate network via wireless or wired connections (vector for attack)
• Devices that can be accessed via direct physical connection
Inventory Should Include
• ePHI
– Stored
– Transmitted
• Encryption
– At rest
– In motion
• Location
• Departments in Use
• Patient Safety related
– Monitoring
– ICU
– Pumps, etc.
• High Availability requirement
• Interfaces
• Authentication procedures
• Firmware and software
– Proprietary, Commercial, Open Source
• Software version
• Is software patched
• Software support status
• Accesses network
• Dedicated clinical network
• Wireless protocol
Using the MDS2
• Co-developed by the National Electrical Manufacturers Association and HIMSS
• Intended as a tool for gathering data from manufacturers and vendors
• Excellent guide for self-use by organizations
• Sections
o Management of Private Data
o Maintaining Private Data
o Transmission of Private Data
o Auto Logoff
o Audit Controls
o Authorization
o Config of Security Features
o Security Upgrades
o De-Identification
o Data Backup
o Emergency Access
o Data Integrity
o Malware Detection/Protection
o Authentication
o Physical Locks
o Hardening
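The "Determine for Each Medical Device" questions, the inventory fields above, the Common Security Deficiencies list and the MDS2 sections all describe the same data-collection step from different angles. The following Python is an added example, not part of the presentation or of the MDS2 form itself: it holds one inventory record per device with the deck's fields, reports which fields were never answered, flags the deck's common deficiencies tagged with the MDS2 section they fall under, and compares the recorded firmware version against a constructed advisory list (the "Firmware in use? Version? Known vulnerabilities?" question). The Device record, the ADVISORIES entries (PumpOS, FridgeCtl) and the two sample devices are constructed assumptions, not real products or findings.

```python
"""Inventory completeness and common-deficiency checks for medical devices.

Added example (not the presenters' code or the MDS2 form). Field names follow
the deck's inventory list; the advisory feed and sample devices are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Fields the data-collection step must answer for every device in scope.
REQUIRED_FIELDS = (
    "stores_ephi", "transmits_ephi", "encryption_at_rest", "encryption_in_motion",
    "location", "department", "patient_safety", "unique_user_auth", "auto_logoff",
    "audit_logging", "default_password_changeable", "firmware", "firmware_version",
    "software_supported", "network_access",
)


@dataclass
class Device:
    name: str
    stores_ephi: Optional[bool] = None
    transmits_ephi: Optional[bool] = None
    encryption_at_rest: Optional[bool] = None
    encryption_in_motion: Optional[bool] = None
    location: Optional[str] = None
    department: Optional[str] = None
    patient_safety: Optional[bool] = None
    unique_user_auth: Optional[bool] = None
    auto_logoff: Optional[bool] = None
    audit_logging: Optional[bool] = None
    default_password_changeable: Optional[bool] = None
    firmware: Optional[str] = None            # vendor firmware/product name
    firmware_version: Optional[str] = None
    software_supported: Optional[bool] = None
    network_access: Optional[str] = None      # "wired", "wireless" or "none"


# Constructed advisory feed: (firmware name, first fixed version, MDS2 section).
ADVISORIES = [
    ("PumpOS", (2, 4, 0), "Security Upgrades"),
    ("FridgeCtl", (1, 9, 2), "Authentication"),
]


def parse_version(text: str) -> tuple:
    """'2.3.10' -> (2, 3, 10); tuple comparison orders 2.3.10 below 2.4.0."""
    return tuple(int(part) for part in text.strip().split("."))


def missing_fields(dev: Device) -> list:
    """Inventory completeness: required fields the collection never answered."""
    return [f for f in REQUIRED_FIELDS if getattr(dev, f) is None]


def deficiencies(dev: Device) -> list:
    """(MDS2 section, finding) tuples for the deck's common deficiencies."""
    findings = []
    if dev.stores_ephi and dev.encryption_at_rest is False:
        findings.append(("Maintaining Private Data", "ePHI stored without encryption at rest"))
    if dev.transmits_ephi and dev.encryption_in_motion is False:
        findings.append(("Transmission of Private Data", "ePHI transmitted without encryption"))
    if dev.unique_user_auth is False:
        findings.append(("Authentication", "no individual user authentication"))
    if dev.default_password_changeable is False:
        findings.append(("Authentication", "hard-coded / unchangeable credentials"))
    if dev.auto_logoff is False:
        findings.append(("Auto Logoff", "no automatic logoff"))
    if dev.audit_logging is False:
        findings.append(("Audit Controls", "activity is not logged"))
    if dev.software_supported is False:
        findings.append(("Security Upgrades", "software/firmware no longer supported"))
    if dev.firmware and dev.firmware_version:   # known-vulnerability check
        for name, fixed, section in ADVISORIES:
            if name == dev.firmware and parse_version(dev.firmware_version) < fixed:
                fixed_text = ".".join(map(str, fixed))
                findings.append((section, f"{name} {dev.firmware_version} below fixed version {fixed_text}"))
    return findings


# Constructed sample inventory (illustrative only).
SAMPLE_INVENTORY = [
    Device("Infusion pump #12", stores_ephi=True, transmits_ephi=True,
           encryption_at_rest=False, encryption_in_motion=False, location="Ward 3",
           department="Nursing", patient_safety=True, unique_user_auth=False,
           auto_logoff=True, audit_logging=False, default_password_changeable=True,
           firmware="PumpOS", firmware_version="2.3.10", software_supported=True,
           network_access="wireless"),
    Device("Blood refrigerator", stores_ephi=False, transmits_ephi=True,
           encryption_in_motion=True, location="Lab", department="Laboratory",
           patient_safety=True, unique_user_auth=True, auto_logoff=True,
           audit_logging=True, default_password_changeable=False,
           firmware="FridgeCtl", firmware_version="1.9.2", software_supported=True,
           network_access="wired"),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        print(dev.name, "missing:", missing_fields(dev))
        for section, finding in deficiencies(dev):
            print("   ", section, "-", finding)
```

Unanswered fields are kept distinct from failed checks (None versus False), so a blank MDS2 answer shows up as a data-collection gap to chase with the vendor rather than silently passing or failing. Version strings are parsed into integer tuples before comparison because plain string comparison would place "2.10" before "2.4".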
Pre-purchase Activities
• Evaluate security readiness of devices and compliance with requirements and policies
• Evaluate security hygiene protocols of device
– Firmware updates
– Security of data at rest and in motion
– Authentication and credentials
– Integrity of data
– Auditability of data
• BAA by vendor
• Contract language regarding versioning, tracking, firmware, updates, etc.
Recommending Controls
Controls should be consistent with the nature of the risks and threats, for example:
• Management of 3rd party risks and vendor conformance
• Creation of separate domain/network for medical devices or class
• Encryption of databases for data at rest and in motion
• Sandbox for release of updates
• Physical security – locks, tracking, hard-wiring
• 2FA
Include in Security Management Plan
Post-Purchase Activities
• Develop and implement policies and procedures consistent with security framework and best practices
• Procedures should consider intended use, patient safety risk, network access, storage of data, transmission of data
• Security lifecycle
• Establish clear lines of responsibility and communication
• What will manufacturer pro-actively provide
• What must the providers pro-actively monitor
• Monitor forums and government releases for known issues, recalls, etc.
Challenges
• How do you find out what you need to know:
– Firmware
– Known Vulnerabilities
• Vendor non-cooperation
• Incentives may work against transparency
Questionable Vendor Claims
• FDA Clearance will not allow us to upgrade the firmware
• Our FDA Clearance will not allow us to change the default password
• Incentives work against transparency
• Stakeholder mal-alignment and lack of partnership
Output: Report Key Elements
• Risk Assessment Methodology
• Scope
• Summary of Inventory
• System Characterization
• System/Device by Type
• System/Device by Risk
– Safety
– Privacy Breach
– Attack Vector
– Network Compromise
• Vulnerability Pairings
– Likelihood
– Impact
• Key Findings – Ranked Critical to Low
• Recommended Controls – Required, recommended, beneficial
• Security Management Plan
Provided insights into the risks and threats associated with the use of medical devices. We gave practical advice and steps to identify those risks and mitigate them. Secure medical devices enhance patient safety and provide for the security of the Confidentiality, Integrity and Availability of ePHI.
http://www.himss.org/ValueSuite
References
• http://www.wired.com/2014/04/hospital-equipment-vulnerable/
• http://www.wired.com/2015/08/video-shows-terrifying-drug-infusion-pump-hack-action/
• http://www.wired.com/2015/11/medical-devices-that-are-vulnerable-to-life-threatening-hacks/#slide-1
• http://www.hhs.gov/about/news/2015/11/25/hipaa-settlement-reinforces-lessons-users-medical-devices.html#.VlzSn5EcFV4.twitter
Questions
Mary McGuirl
Director, Information Systems
Oneida Healthcare Center
phone (315) 361-2034
cell (315) 725-2753
Thank You!