SlideShare a Scribd company logo

Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device

Priyanka Aash
Priyanka Aash

Imagine being dependent on a wireless infusion pump to receive the correct dosage of life-supporting medication. Now imagine the implications, were that pump to be maliciously hacked. In this session learn more about how to successfully secure these medical devices, based on work being conducted at the National Cybersecurity Center of Excellence (NCCoE) with premier health care organizations. (Source: RSA USA 2016-San Francisco)

Technology
1 of 19
Download to read offline
SESSION ID: #RSAC Nate Lesser Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device MBS-W05 Deputy Directory National Cybersecurity Center of Excellence NIST
#RSAC In the News 2 Lax medical device security needs urgent action Medical Devices Used as Pivot Point in Hospital Attacks: Report
#RSAC Risks, Threats, Vulnerabilities to Infusion Pumps 3 RISKS • Patient safety (lives) • Operational/downtime • Patient trust & staff morale THREATS • Collateral damage • Malware • Theft/loss • Lateral attack • Hacktivism VULNERABILITIES • Tightly regulated "turn-key" systems • Long useful life • Poorly protected & patched • No detection & alerting • System complexity Courtesy of Axel Wirth
#RSAC Infusion Pumps 4 Infusion pumps are medical devices that deliver fluids and medications into a patient’s body in controlled amounts. Infusion pumps among the most are ubiquitous connected medical devices in hospitals. Estimated that more than 2 million infusion pumps are in use in hospitals.
#RSAC Infusion Pumps in the News 5 Hospital Drug Pump Can Be Hacked Through Network, FDA Warns
#RSAC Infusion Pump Vulnerability Notices 6 FDA Safety Communication on Vulnerabilities of Infusion Pump Systems, May 13, 2015: recommendation for health care facilities to secure affected infusion pumps. ICS-CERT Advisory (ICSA1512501B): provides details of vulnerabilities including CVE numbers and CVSS scores. Postmarket Management of Cybersecurity in Medical Devices: draft guidance on cybersecurity risk management, remediation, and reporting
#RSAC Local or cloud apps Pump Server EHR Alarm Manger Infusion Pump Infusion Pump Physical Architecture 7 Communication Subsystem Drug Delivery Controller Alarms Remote Management Nurses Station
#RSAC 8 Demo
#RSAC Exploit #1: Compromise Patient Information 9 TELNET access to “root” account No authentication required CVE-2015-3459 Risk Gain root access to pump Pump used as a pivot Pump Server Attacker’s Laptop Electronic Health Records
#RSAC Exploit #1: Compromise Patient Information 10 Unauthenticated telnet to pump Use pump to pivot Extract desired information Move information to web server Extract via web browser Attacker Pump Telnet Pump Server EHR Telnet Steal PHI Transfer to pump Extract PHI
#RSAC Exploit #2: Crash Communication Subsystem 11 Denial of service attack Stops network communication Using resource consumption Can corrupt flash file system Risk Stops pump from sending alerts and messages Pump Server Attacker’s Laptop Electronic Health Records
#RSAC Exploit #2: Crash Communication Subsystem 12 Normal Operations Error condition Empty vial Alarm sent Error condition cleared Nurse replaces vial Infusion resumes Attacker Pump Patient Nurse Vial Empty Alarm New Vial Infuse
#RSAC Exploit #2: Crash Communication Subsystem 13 Anonymous FTP to pump Upload gzip’d file TELNET access to “root” account gunzip file Consumes all available RAM Corrupts part of file system No file system repair tools Attacker Pump Patient Nurse File transfer gunzip Out of memory Vial Empty No alarm communications are stopped
#RSAC All Devices Have Vulnerabilities 14 Although the vulnerabilities might not be known Just because it’s vulnerable doesn’t mean it’s exploitable Patching may not be possible right away Surround and protect the vulnerable Defense in depth Isolation
#RSAC Wireless Infusion Pump Problem Statement 15 RESEARCH BUILD SHARE Help health care delivery organizations understand risks & secure medical devices on an enterprise network Focus on wireless infusion pumps as archetype of medical device Assess risk Identify mitigating security technologies Build example implementation Independent validation of implementation Publish practice guide: NIST Special Publication 1800 series
#RSAC Challenges 16  Firmware version control  Multiple versions in service  Access control  Physical and networked  “Break the glass”  Malware or other unexpected software on pump  Wireless access point and network configuration  Alarms  Asset management and monitoring  Identity management and Credentialing  Maintenance and firmware updates  Pump variability  Multiple types of pumps  Multiple models in usage
#RSAC NCCoE Strategy 17 GOAL 1 PROVIDE PRACTICAL CYBERSECURITY Help people secure their data and digital infrastructure by equipping them with practical ways to implement standards-based cybersecurity solutions that are modular, repeatable and scalable VISION ADVANCE CYBERSECURITY A secure cyber infrastructure that inspires technological innovation and fosters economic growth MISSION ACCELERATE ADOPTION OF SECURE TECHNOLOGIES Collaborate with innovators to provide real-world, standards-based cybersecurity capabilities that address business needs GOAL 2 INCREASE RATE OF ADOPTION Enable companies to rapidly deploy commercially available cybersecurity technologies by reducing technological, educational and economic barriers to adoption GOAL 3 ACCELERATE INNOVATION Empower innovators to creatively address businesses’ most pressing cybersecurity challenges in a state-of-the-art, collaborative environment
#RSAC NCCoE Tenets 18 Standards-based: Apply relevant local, national and international standards to each security implementation and account for each sector’s individual needs; demonstrate reference designs for new standards Modular: Develop reference designs with individual components that can be easily substituted with alternates that offer equivalent input-output specifications Repeatable: Enable anyone to recreate the NCCoE builds and achieve the same results by providing a complete practice guide including a reference design, bill of materials, configuration files, relevant code, diagrams, tutorials and instructions Commercially available: Work with the technology community to identify commercially available products that can be brought together in reference designs to address challenges identified by industry Usable: Design usable blueprints that end users can easily and cost-effectively adopt and integrate into their businesses without disrupting day-to-day operations Open and transparent: Use open and transparent processes to complete work, and seek and incorporate public comments on NCCoE documentation, artifacts and results
#RSAC hit_nccoe@nist.gov301-975-0200 100 Bureau Dr, M/S 2002 Gaithersburg, MD 20899 http://nccoe.nist.gov Participate

Recommended

Applying Auto-Data Classification Techniques for Large Data Sets
Applying Auto-Data Classification Techniques for Large Data SetsApplying Auto-Data Classification Techniques for Large Data Sets
Applying Auto-Data Classification Techniques for Large Data Sets
Priyanka Aash
 
Realities of Data Security
Realities of Data SecurityRealities of Data Security
Realities of Data Security
Priyanka Aash
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
Priyanka Aash
 
DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!
Priyanka Aash
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”
Priyanka Aash
 
The Rise of the Purple Team
The Rise of the Purple TeamThe Rise of the Purple Team
The Rise of the Purple Team
Priyanka Aash
 
Cloud Breach – Preparation and Response
Cloud Breach – Preparation and ResponseCloud Breach – Preparation and Response
Cloud Breach – Preparation and Response
Priyanka Aash
 
A New Security Paradigm for IoT (Internet of Threats)
A New Security Paradigm for IoT (Internet of Threats)A New Security Paradigm for IoT (Internet of Threats)
A New Security Paradigm for IoT (Internet of Threats)
Priyanka Aash
 

Recommended

Applying Auto-Data Classification Techniques for Large Data Sets
Applying Auto-Data Classification Techniques for Large Data SetsApplying Auto-Data Classification Techniques for Large Data Sets
Applying Auto-Data Classification Techniques for Large Data Sets
Priyanka Aash
 
Realities of Data Security
Realities of Data SecurityRealities of Data Security
Realities of Data Security
Priyanka Aash
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
Priyanka Aash
 
DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!
Priyanka Aash
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”
Priyanka Aash
 
The Rise of the Purple Team
The Rise of the Purple TeamThe Rise of the Purple Team
The Rise of the Purple Team
Priyanka Aash
 
Cloud Breach – Preparation and Response
Cloud Breach – Preparation and ResponseCloud Breach – Preparation and Response
Cloud Breach – Preparation and Response
Priyanka Aash
 
A New Security Paradigm for IoT (Internet of Threats)
A New Security Paradigm for IoT (Internet of Threats)A New Security Paradigm for IoT (Internet of Threats)
A New Security Paradigm for IoT (Internet of Threats)
Priyanka Aash
 
How To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsHow To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security Flaws
Priyanka Aash
 
Pulling our-socs-up
Pulling our-socs-upPulling our-socs-up
Pulling our-socs-up
Priyanka Aash
 
Introduction and a Look at Security Trends
Introduction and a Look at Security TrendsIntroduction and a Look at Security Trends
Introduction and a Look at Security Trends
Priyanka Aash
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?
Priyanka Aash
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response Architecture
Priyanka Aash
 
IDC Security 2014, Endpoint Security in Depth
IDC Security 2014, Endpoint Security in DepthIDC Security 2014, Endpoint Security in Depth
IDC Security 2014, Endpoint Security in Depth
Ken Tulegenov
 
Insights from-NSAs-cybersecurity-threat-operations-center
Insights from-NSAs-cybersecurity-threat-operations-centerInsights from-NSAs-cybersecurity-threat-operations-center
Insights from-NSAs-cybersecurity-threat-operations-center
Priyanka Aash
 
Evidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five ControlsEvidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five Controls
Priyanka Aash
 
Westjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It RightWestjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It Right
Priyanka Aash
 
The Incident Response Playbook for Android and iOS
The Incident Response Playbook for Android and iOSThe Incident Response Playbook for Android and iOS
The Incident Response Playbook for Android and iOS
Priyanka Aash
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionThreat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Priyanka Aash
 
Soc 2030-socs-are-broken-lets-fix- them
Soc 2030-socs-are-broken-lets-fix- themSoc 2030-socs-are-broken-lets-fix- them
Soc 2030-socs-are-broken-lets-fix- them
Priyanka Aash
 
Maturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key ConsiderationsMaturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key Considerations
Sirius
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman
 
Breaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsBreaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration tests
Priyanka Aash
 
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationIntegrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Priyanka Aash
 
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
Kaspersky
 
Predicting exploitability-forecasts-for-vulnerability-management
Predicting exploitability-forecasts-for-vulnerability-managementPredicting exploitability-forecasts-for-vulnerability-management
Predicting exploitability-forecasts-for-vulnerability-management
Priyanka Aash
 
SOC Cyber Security
SOC Cyber SecuritySOC Cyber Security
SOC Cyber Security
Steppa Cyber Security
 
Achieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesAchieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven Methodologies
Priyanka Aash
 
Ransomware Threats to the Healthcare Industry
Ransomware Threats to the Healthcare IndustryRansomware Threats to the Healthcare Industry
Ransomware Threats to the Healthcare Industry
Tim Gurganus
 
Supply Chain Attack Backdooring Your Networks
Supply Chain Attack Backdooring Your Networks Supply Chain Attack Backdooring Your Networks
Supply Chain Attack Backdooring Your Networks
Bangladesh Network Operators Group
 

More Related Content

What's hot

Maturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key ConsiderationsMaturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key Considerations
Sirius
 

What's hot (20)

How To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsHow To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security Flaws
 
Pulling our-socs-up
Pulling our-socs-upPulling our-socs-up
Pulling our-socs-up
 
Introduction and a Look at Security Trends
Introduction and a Look at Security TrendsIntroduction and a Look at Security Trends
Introduction and a Look at Security Trends
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response Architecture
 
IDC Security 2014, Endpoint Security in Depth
IDC Security 2014, Endpoint Security in DepthIDC Security 2014, Endpoint Security in Depth
IDC Security 2014, Endpoint Security in Depth
 
Insights from-NSAs-cybersecurity-threat-operations-center
Insights from-NSAs-cybersecurity-threat-operations-centerInsights from-NSAs-cybersecurity-threat-operations-center
Insights from-NSAs-cybersecurity-threat-operations-center
 
Evidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five ControlsEvidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five Controls
 
Westjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It RightWestjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It Right
 
The Incident Response Playbook for Android and iOS
The Incident Response Playbook for Android and iOSThe Incident Response Playbook for Android and iOS
The Incident Response Playbook for Android and iOS
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionThreat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detection
 
Soc 2030-socs-are-broken-lets-fix- them
Soc 2030-socs-are-broken-lets-fix- themSoc 2030-socs-are-broken-lets-fix- them
Soc 2030-socs-are-broken-lets-fix- them
 
Maturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key ConsiderationsMaturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key Considerations
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
Breaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsBreaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration tests
 
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationIntegrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
 
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
 
Predicting exploitability-forecasts-for-vulnerability-management
Predicting exploitability-forecasts-for-vulnerability-managementPredicting exploitability-forecasts-for-vulnerability-management
Predicting exploitability-forecasts-for-vulnerability-management
 
SOC Cyber Security
SOC Cyber SecuritySOC Cyber Security
SOC Cyber Security
 
Achieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesAchieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven Methodologies
 

Similar to Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device

Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applications
webhostingguy
 
CISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICSCISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICS
Muhammad FAHAD
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
Tim Mackey
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
Black Duck by Synopsys
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security Simple
Gregory Hanis
 
185
185185
185
vivatechijri
 

Similar to Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device (20)

Ransomware Threats to the Healthcare Industry
Ransomware Threats to the Healthcare IndustryRansomware Threats to the Healthcare Industry
Ransomware Threats to the Healthcare Industry
 
Supply Chain Attack Backdooring Your Networks
Supply Chain Attack Backdooring Your Networks Supply Chain Attack Backdooring Your Networks
Supply Chain Attack Backdooring Your Networks
 
Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applications
 
2017-07-12 GovLoop: New Era of Digital Security
2017-07-12 GovLoop: New Era of Digital Security2017-07-12 GovLoop: New Era of Digital Security
2017-07-12 GovLoop: New Era of Digital Security
 
CISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICSCISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICS
 
Defending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackDefending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From Cyberattack
 
Defending industrial control systems from cyber attack
Defending industrial control systems from cyber attackDefending industrial control systems from cyber attack
Defending industrial control systems from cyber attack
 
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control SystemsNCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
 
Defending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackDefending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From Cyberattack
 
Seven recommendations for bolstering industrial control system cyber security
Seven recommendations for bolstering industrial control system cyber securitySeven recommendations for bolstering industrial control system cyber security
Seven recommendations for bolstering industrial control system cyber security
 
CyberSecurity Medical Devices
CyberSecurity Medical DevicesCyberSecurity Medical Devices
CyberSecurity Medical Devices
 
Cybersecurity Presentation at WVONGA spring meeting 2018
Cybersecurity Presentation at WVONGA spring meeting 2018Cybersecurity Presentation at WVONGA spring meeting 2018
Cybersecurity Presentation at WVONGA spring meeting 2018
 
Using Network Security and Identity Management to Empower CISOs Today: The Ca...
Using Network Security and Identity Management to Empower CISOs Today: The Ca...Using Network Security and Identity Management to Empower CISOs Today: The Ca...
Using Network Security and Identity Management to Empower CISOs Today: The Ca...
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
 
Network Security & Ethical Hacking
Network Security & Ethical HackingNetwork Security & Ethical Hacking
Network Security & Ethical Hacking
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security Simple
 
Aoa report trap_x_medjack.2
Aoa report trap_x_medjack.2Aoa report trap_x_medjack.2
Aoa report trap_x_medjack.2
 
185
185185
185
 

More from Priyanka Aash

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 

Recently uploaded (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 

Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device

  • 1. SESSION ID: #RSAC Nate Lesser Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device MBS-W05 Deputy Directory National Cybersecurity Center of Excellence NIST
  • 2. #RSAC In the News 2 Lax medical device security needs urgent action Medical Devices Used as Pivot Point in Hospital Attacks: Report
  • 3. #RSAC Risks, Threats, Vulnerabilities to Infusion Pumps 3 RISKS • Patient safety (lives) • Operational/downtime • Patient trust & staff morale THREATS • Collateral damage • Malware • Theft/loss • Lateral attack • Hacktivism VULNERABILITIES • Tightly regulated "turn-key" systems • Long useful life • Poorly protected & patched • No detection & alerting • System complexity Courtesy of Axel Wirth
  • 4. #RSAC Infusion Pumps 4 Infusion pumps are medical devices that deliver fluids and medications into a patient’s body in controlled amounts. Infusion pumps among the most are ubiquitous connected medical devices in hospitals. Estimated that more than 2 million infusion pumps are in use in hospitals.
  • 5. #RSAC Infusion Pumps in the News 5 Hospital Drug Pump Can Be Hacked Through Network, FDA Warns
  • 6. #RSAC Infusion Pump Vulnerability Notices 6 FDA Safety Communication on Vulnerabilities of Infusion Pump Systems, May 13, 2015: recommendation for health care facilities to secure affected infusion pumps. ICS-CERT Advisory (ICSA1512501B): provides details of vulnerabilities including CVE numbers and CVSS scores. Postmarket Management of Cybersecurity in Medical Devices: draft guidance on cybersecurity risk management, remediation, and reporting
  • 7. #RSAC Local or cloud apps Pump Server EHR Alarm Manger Infusion Pump Infusion Pump Physical Architecture 7 Communication Subsystem Drug Delivery Controller Alarms Remote Management Nurses Station
  • 9. #RSAC Exploit #1: Compromise Patient Information 9 TELNET access to “root” account No authentication required CVE-2015-3459 Risk Gain root access to pump Pump used as a pivot Pump Server Attacker’s Laptop Electronic Health Records
  • 10. #RSAC Exploit #1: Compromise Patient Information 10 Unauthenticated telnet to pump Use pump to pivot Extract desired information Move information to web server Extract via web browser Attacker Pump Telnet Pump Server EHR Telnet Steal PHI Transfer to pump Extract PHI
  • 11. #RSAC Exploit #2: Crash Communication Subsystem 11 Denial of service attack Stops network communication Using resource consumption Can corrupt flash file system Risk Stops pump from sending alerts and messages Pump Server Attacker’s Laptop Electronic Health Records
  • 12. #RSAC Exploit #2: Crash Communication Subsystem 12 Normal Operations Error condition Empty vial Alarm sent Error condition cleared Nurse replaces vial Infusion resumes Attacker Pump Patient Nurse Vial Empty Alarm New Vial Infuse
  • 13. #RSAC Exploit #2: Crash Communication Subsystem 13 Anonymous FTP to pump Upload gzip’d file TELNET access to “root” account gunzip file Consumes all available RAM Corrupts part of file system No file system repair tools Attacker Pump Patient Nurse File transfer gunzip Out of memory Vial Empty No alarm communications are stopped
  • 14. #RSAC All Devices Have Vulnerabilities 14 Although the vulnerabilities might not be known Just because it’s vulnerable doesn’t mean it’s exploitable Patching may not be possible right away Surround and protect the vulnerable Defense in depth Isolation
  • 15. #RSAC Wireless Infusion Pump Problem Statement 15 RESEARCH BUILD SHARE Help health care delivery organizations understand risks & secure medical devices on an enterprise network Focus on wireless infusion pumps as archetype of medical device Assess risk Identify mitigating security technologies Build example implementation Independent validation of implementation Publish practice guide: NIST Special Publication 1800 series
  • 16. #RSAC Challenges 16  Firmware version control  Multiple versions in service  Access control  Physical and networked  “Break the glass”  Malware or other unexpected software on pump  Wireless access point and network configuration  Alarms  Asset management and monitoring  Identity management and Credentialing  Maintenance and firmware updates  Pump variability  Multiple types of pumps  Multiple models in usage
  • 17. #RSAC NCCoE Strategy 17 GOAL 1 PROVIDE PRACTICAL CYBERSECURITY Help people secure their data and digital infrastructure by equipping them with practical ways to implement standards-based cybersecurity solutions that are modular, repeatable and scalable VISION ADVANCE CYBERSECURITY A secure cyber infrastructure that inspires technological innovation and fosters economic growth MISSION ACCELERATE ADOPTION OF SECURE TECHNOLOGIES Collaborate with innovators to provide real-world, standards-based cybersecurity capabilities that address business needs GOAL 2 INCREASE RATE OF ADOPTION Enable companies to rapidly deploy commercially available cybersecurity technologies by reducing technological, educational and economic barriers to adoption GOAL 3 ACCELERATE INNOVATION Empower innovators to creatively address businesses’ most pressing cybersecurity challenges in a state-of-the-art, collaborative environment
  • 18. #RSAC NCCoE Tenets 18 Standards-based: Apply relevant local, national and international standards to each security implementation and account for each sector’s individual needs; demonstrate reference designs for new standards Modular: Develop reference designs with individual components that can be easily substituted with alternates that offer equivalent input-output specifications Repeatable: Enable anyone to recreate the NCCoE builds and achieve the same results by providing a complete practice guide including a reference design, bill of materials, configuration files, relevant code, diagrams, tutorials and instructions Commercially available: Work with the technology community to identify commercially available products that can be brought together in reference designs to address challenges identified by industry Usable: Design usable blueprints that end users can easily and cost-effectively adopt and integrate into their businesses without disrupting day-to-day operations Open and transparent: Use open and transparent processes to complete work, and seek and incorporate public comments on NCCoE documentation, artifacts and results
  • 19. #RSAC hit_nccoe@nist.gov301-975-0200 100 Bureau Dr, M/S 2002 Gaithersburg, MD 20899 http://nccoe.nist.gov Participate