TRANSCRIPT
RESPONDING TO CHALLENGES IN MEDICAL DEVICE SECURITY?
Tara Larson - Chief Security Architect CRHF Medtronic
10-May-2015
2016 MEDEC Regulatory Conference
HOMELAND SEASON 2, EPISODE 10 – “BROKEN HEARTS”: HYPOTHESIZED PACEMAKER HACK
Challenge: Hypothesized “hack”:
• Bad guy breaks into the Vice President’s home
• Finds VP’s remote monitor
• Provides the home monitor serial number to a remote hacker
• Hacker remotely and wirelessly adjusts a pacemaker setting using monitor serial number
• VP is killed instantly from ventricular fibrillation
Let’s talk about reality and then get back to this one.
DESIGN FOR SECURITY CHALLENGES
Agenda:
• What is the problem?
• How do we solve the challenge? Design for Security
• How is medical device security different from IT security?
• How are Medical Device Manufacturers assessing product risk?
• How do Medical Device Manufacturers ensure security across the product lifecycle?
MEDICAL DEVICE SECURITY PROBLEMS
Protection of therapy systems and services, including their data, from unauthorized modification, destruction or disclosure that can lead to patient harm or loss of customer trust. Protection controls often can only be put in place at time of manufacturing. Often the device must live inside a human body for the life of the battery.
CHALLENGES IN MEDICAL DEVICE SECURITY
• Security engineering principles: IT security practices are hard to apply to medical devices
• Product security risk assessment: must be tied to safety and include business risks
• Generating actionable & testable cybersecurity requirements: security requirements are not positive; it is hard to test a negative
• Understanding threat models: threat models must encompass common vulnerability and product threats
• Security risk mitigations from industry applied to medical devices: applying lessons learned from industrial, financial and government sectors
• Mapping of safety risk management terms to security risk management terms and likelihoods
IT SECURITY VS. MEDICAL DEVICE SECURITY: DEVICE SECURITY IS COUPLED WITH SAFETY
DIFFERENCES IN IT AND MEDICAL DEVICE: COMMON ATTRIBUTES APPLIED

Security Attribute     | Conventional IT                                                        | Medical Device
Access                 | No access without credentials                                          | Emergency access possible without credentials
Access Management      | Centralized                                                            | Localized to patient
Accessibility          | Typically accessible                                                   | Intermittent accessibility and may be inaccessible
Product Lifecycle      | Constant flow of new and revised products                              | Device or platform used for decades
Computing Resources    | Vast and expandable                                                    | Sometimes limited and/or power constrained
Updates and Monitoring | Continuous connectivity; less likely to require end-to-end validation  | More likely to require end-to-end validation
Consequences           | Economic                                                               | Safety
SECURITY PROCESS: SECURITY AND SAFETY RISK MANAGEMENT
DESIGN FOR SECURITY PROCESS
Phase 1-2: Project kickoff and start
Phase 3-4: Requirements definition and design
Phase 5: Security testing and regulatory approval
Phase 6: Post-market security support
COMMON RISKS/THREATS CONSIDERED
• PATIENT SAFETY
• LOSS OF SENSITIVE PERSONAL DATA
• LOST OR STOLEN DEVICE
• RESEARCHERS AKA “HACKERS”
• SOCIAL ENGINEERING
• INABILITY TO REACH REMOTE MONITORING SYSTEMS
• COMPROMISED FIRMWARE
• INCOMPLETE OR INACCURATE DATA FROM DEVICE TO INSTRUMENT/FOLLOW SYSTEM
• BATTERY DRAIN ATTEMPTS VIA COMMUNICATION PROTOCOL HACKING
• USE OF COMMERCIALLY AVAILABLE HARDWARE/SOFTWARE TO ATTEMPT TO CHANGE THERAPY SETTINGS
• COMPROMISE OF COMMUNICATIONS PROTOCOL
• LOSS OF PRIVATE KEY
• COMPROMISE OF DATA INTEGRITY
• SPECIFIC PRODUCT USE CASE THREAT SCENARIOS
SAMPLE THREAT ANALYSIS
(Columns on the slide: Asset | Threat Event | Vulnerability | Controls | Acceptability, with row labels Threat | Hazard | Control | Risk | Acceptability)

Asset: Implanted Device
Threat Event (Threat: hackers or security researcher):
• Attacker attempts to change therapy settings in device using a general-purpose mobile application
Vulnerability (Hazard): Inappropriate therapy
Controls (Current Controls):
• Close-range wireless proximity to “sting” device to enter into programmable state
• Multi-layer encryption: communication, hardware, data
Risk: Overall likelihood of exploitation
Acceptability (Security Decision): Acceptability or decision to mitigate further
POST MARKET VULNERABILITY ANALYSIS
• RESPONSIBLE DISCLOSURE PROCESS COORDINATED VIA GLOBAL PRIVACY AND SECURITY OFFICE
• SME EVALUATION OF DISCLOSED AND DISCOVERED VULNERABILITIES
• R&D SMEs WORKING WITH REPORTING PARTIES TO UNDERSTAND AND ATTEMPT TO REPLICATE
• INTERNAL TRACKING FOR OPTIMAL RESOLUTION AND TRACKING
• ACTIVITIES AND OUTCOMES ARE DOCUMENTED
• COORDINATED RESPONSES TO REGULATORY BODIES AND INTERESTED PARTIES
• FOLLOW UP COMMUNICATIONS IN A TIMELY MANNER
HOMELAND SEASON 2, EPISODE 10 – “BROKEN HEARTS”: HYPOTHESIZED PACEMAKER HACK
How has Med Dev ensured this is highly unlikely to happen to our patients?
• Secure Design Practices
• Ongoing Risk Analysis
• Threat Modeling
Finally:
• Current Med Dev pacemakers are not directly connected to the internet
• Therapy settings cannot be set remotely
• Therapy settings are monitored for unexpected changes
• Pacemakers can’t be programmed to cause fibrillation! Tough to cause harm through programming adjustments alone.
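To illustrate the “therapy settings are monitored for unexpected changes” control mentioned above, here is an added example that is not code from the presentation, from Medtronic or from any device vendor: a small detector that reads a constructed follow-system event log and flags every therapy-setting change that no authorized, proximity-verified programming session explains. The log format, the event and parameter names, the device ids and the two-hour session limit are all assumptions made for this illustration.

```python
"""Flag therapy-setting changes that occur outside an authorized programming session.

Added illustration (not code from the presentation or from any device vendor).
The log format, event names, parameter names, device ids and the two-hour
session limit are constructed assumptions chosen to show the monitoring idea.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed sample log. Format: "<ISO timestamp> <device id> <event> <key=value ...>"
SAMPLE_LOG = """\
2016-05-10T09:00:00 DEV-0001 PROG_SESSION_START source=clinic_programmer proximity=ok
2016-05-10T09:02:15 DEV-0001 PARAM_CHANGE param=lower_rate old=60 new=70
2016-05-10T09:05:00 DEV-0001 PROG_SESSION_END source=clinic_programmer
2016-05-10T21:00:00 DEV-0001 MONITOR_UPLOAD source=home_monitor
2016-05-11T03:14:07 DEV-0001 PARAM_CHANGE param=lower_rate old=70 new=40
2016-05-11T03:14:08 DEV-0001 PARAM_CHANGE param=upper_rate old=120 new=90
2016-05-12T08:00:00 DEV-0003 PROG_SESSION_START source=clinic_programmer proximity=ok
2016-05-12T10:00:00 DEV-0002 PROG_SESSION_START source=clinic_programmer proximity=ok
2016-05-12T10:30:00 DEV-0002 PARAM_CHANGE param=upper_rate old=120 new=130
2016-05-12T14:00:00 DEV-0003 PARAM_CHANGE param=lower_rate old=60 new=50
2016-05-13T12:00:00 DEV-0004 PROG_SESSION_START source=unknown proximity=missing
2016-05-13T12:00:30 DEV-0004 PARAM_CHANGE param=upper_rate old=120 new=180
"""

# A programming session is trusted only this long after it was opened (constructed limit).
SESSION_MAX = timedelta(hours=2)


@dataclass
class Event:
    ts: datetime
    device: str
    kind: str
    attrs: Dict[str, str]


@dataclass
class Alert:
    ts: datetime
    device: str
    reason: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into Event records, skipping blank lines."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, device, kind, *pairs = line.split()
        attrs = dict(pair.split("=", 1) for pair in pairs)
        events.append(Event(datetime.fromisoformat(ts_text), device, kind, attrs))
    return events


def detect_unexpected_changes(events: Iterable[Event],
                              session_max: timedelta = SESSION_MAX) -> List[Alert]:
    """Return one Alert per setting change that no valid programming session explains.

    Rules (all constructed for this example):
      * a session counts as authorized only if the programmer proved proximity;
      * a PARAM_CHANGE with no open session for that device is unexpected;
      * a PARAM_CHANGE inside a session older than session_max is also unexpected.
    """
    open_sessions: Dict[str, Event] = {}   # device id -> the session-start event
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "PROG_SESSION_START":
            if ev.attrs.get("proximity") != "ok":
                alerts.append(Alert(ev.ts, ev.device, "session_without_proximity",
                                    f"source={ev.attrs.get('source', '?')}"))
                continue  # not treated as an authorizing session
            open_sessions[ev.device] = ev
        elif ev.kind == "PROG_SESSION_END":
            open_sessions.pop(ev.device, None)
        elif ev.kind == "PARAM_CHANGE":
            detail = (f"{ev.attrs.get('param', '?')}: "
                      f"{ev.attrs.get('old', '?')} -> {ev.attrs.get('new', '?')}")
            start = open_sessions.get(ev.device)
            if start is None:
                alerts.append(Alert(ev.ts, ev.device, "change_outside_session", detail))
            elif ev.ts - start.ts > session_max:
                alerts.append(Alert(ev.ts, ev.device, "change_in_expired_session", detail))
        # MONITOR_UPLOAD and any other event kinds carry no setting change and are ignored.
    return alerts


if __name__ == "__main__":
    for alert in detect_unexpected_changes(parse_log(SAMPLE_LOG)):
        print(f"{alert.ts.isoformat()} {alert.device} {alert.reason} ({alert.detail})")
```

On the constructed log this yields five alerts: two night-time changes on DEV-0001 with no session open, one change on DEV-0003 made six hours into a session that should have expired, and a session on DEV-0004 that never proved proximity followed by the change it tried to authorize. The point is the design, not the thresholds: because the programming path is local and proximity-gated, any change the monitoring side cannot tie to such a session is worth a human look.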
Questions?