RESPONDING TO CHALLENGES IN MEDICAL DEVICE SECURITY? Tara Larson - Chief Security Architect CRHF Medtronic 10-May- 2015


Post on 28-May-2020



2016 MEDEC Regulatory Conference

HOMELAND SEASON 2, EPISODE 10 – “BROKEN HEARTS”: HYPOTHESIZED PACEMAKER HACK

Challenge: Hypothesized “hack”:

• Bad guy breaks into the Vice President’s home

• Finds VP’s remote monitor

• Provides the home monitor serial number to a remote hacker

• Hacker remotely and wirelessly adjusts a pacemaker setting using monitor serial number

• VP is killed instantly from ventricular fibrillation

Let’s talk about reality and then get back to this one.


DESIGN FOR SECURITY CHALLENGES

Agenda:

• What is the problem?

• How do we solve the challenge? Design for Security

• How is medical device security different from IT security?

• How are Medical Device Manufacturers assessing product risk?

• How do Medical Device Manufacturers ensure security for product lifecycle?


MEDICAL DEVICE SECURITY PROBLEMS

Protection of therapy systems and services including data from unauthorized modification, destruction or disclosure that can lead to patient harm or loss of customer trust. Protection controls often only present the opportunity to secure at time of manufacturing. Often the device must live inside a human body for the life of the battery.


CHALLENGES IN MEDICAL DEVICE SECURITY

• Security engineering principles: IT Security practices are hard to apply to Medical Devices

• Product Security risk assessment: Must be tied to safety and include business risks

• Generating actionable & testable cybersecurity requirements: Security Requirements are not positive, hard to test a negative

• Understanding Threat Models: Threat models must encompass Common Vulnerability and Product threats

• Security risk mitigations from industry applied to medical devices: Applying lessons learned from Industrial, Financial, Government

• Mapping of safety risk management terms to security risk management terms and likelihoods


IT SECURITY VS. MEDICAL DEVICE SECURITY: DEVICE SECURITY IS COUPLED WITH SAFETY


DIFFERENCES IN IT AND MEDICAL DEVICE: COMMON ATTRIBUTES APPLIED

| Security Attribute | Conventional IT | Medical Device |
|---|---|---|
| Access | No access without Credentials | Emergency Access possible without credentials |
| Access Management | Centralized | Localized to Patient |
| Accessibility | Typically accessible | Intermittent accessibility and may be inaccessible |
| Product Lifecycle | Constant flow of new and revised products | Device or platform used for decades |
| Computing Resources | Vast and Expandable | Sometimes limited and/or power constrained |
| Updates and Monitoring | Continuous connectivity and less likely to require end-to-end validation | More likely to require end-to-end validation |
| Consequences | Economic | Safety |


SECURITY PROCESS SECURITY AND SAFETY RISK MANAGEMENT


DESIGN FOR SECURITY PROCESS

• Phase 1-2: Project Kickoff and Start

• Phase 3-4: Requirements definition and design

• Phase 5: Security testing and regulatory approval

• Phase 6: Post Market Security Support


COMMON RISKS/THREATS CONSIDERED

• PATIENT SAFETY

• LOSS OF SENSITIVE PERSONAL DATA

• LOST OR STOLEN DEVICE

• RESEARCHERS AKA “HACKERS”

• SOCIAL ENGINEERING

• INABILITY TO REACH REMOTE MONITORING SYSTEMS

• COMPROMISED FIRMWARE

• INCOMPLETE OR INACCURATE DATA FROM DEVICE TO INSTRUMENT/FOLLOW SYSTEM

• BATTERY DRAIN ATTEMPTS VIA COMMUNICATION PROTOCOLS HACKING

• USE OF COMMERCIALLY AVAILABLE HARDWARE/SOFTWARE TO ATTEMPT TO CHANGE THERAPY SETTINGS

• COMPROMISE OF COMMUNICATIONS PROTOCOL

• LOSS OF PRIVATE KEY

• COMPROMISE OF DATA INTEGRITY

• SPECIFIC PRODUCT USE CASE THREAT SCENARIOS


SAMPLE THREAT ANALYSIS

Implanted Device

Threat: Hackers or Security Researcher

• Attacker attempts to change therapy settings in device using general purpose mobile application

Hazard: Inappropriate therapy

Current Controls:

• Close range wireless proximity to “sting” device to enter into programmable state

• Multi-Layer Encryption
  • Communication
  • Hardware
  • Data

Overall Likelihood of exploitation

Security Decision: Acceptability or decision to mitigate further

[Diagram labels, first row: Asset, Threat Event, Vulnerability, Controls, Acceptability. Second row: Threat, Hazard, Control, Risk, Acceptability.]


POST MARKET VULNERABILITY ANALYSIS

• RESPONSIBLE DISCLOSURE PROCESS COORDINATED VIA GLOBAL PRIVACY AND SECURITY OFFICE

• SME EVALUATION OF DISCLOSED AND DISCOVERED VULNERABILITIES

• R&D SME’S WORKING WITH REPORTING PARTIES TO UNDERSTAND AND ATTEMPT TO REPLICATE

• INTERNAL TRACKING FOR OPTIMAL RESOLUTION AND TRACKING

• ACTIVITIES AND OUTCOMES ARE DOCUMENTED

• COORDINATED RESPONSES TO REGULATORY BODIES AND INTERESTED PARTIES

• FOLLOW UP COMMUNICATIONS IN A TIMELY MANNER


HOMELAND SEASON 2, EPISODE 10 – “BROKEN HEARTS”: HYPOTHESIZED PACEMAKER HACK

How has Med Dev ensured this is highly unlikely to happen to our patients?

• Secure Design Practices

• Ongoing Risk Analysis

• Threat Modeling

Finally:

• Current Med Dev pacemakers are not directly connected to the internet

• Therapy settings cannot be set remotely

• Therapy settings are monitored for unexpected changes

• Pacemakers can’t be programmed to cause fibrillation! Tough to cause harm through programming adjustments alone.


Questions?