Your SlideShare is downloading. ×
The FDA and BYOD, Mobile and Fixed Medical Device Cybersecurity
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

The FDA and BYOD, Mobile and Fixed Medical Device Cybersecurity

16,757
views

Published on

This article is intended for the customer facing risk managers, sales staff, and IT staff of a medical device manufacturer and their medical doctors and IT hospital and clinical counterparts. It is …

This article is intended for the customer facing risk managers, sales staff, and IT staff of a medical device manufacturer and their medical doctors and IT hospital and clinical counterparts. It is intended to give an overview and highlight process considerations for incident management and reporting of cybersecurity issues.

Published in: Technology, Business

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
16,757
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
22
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. The FDA and BYOD, Mobile and Fixed Medical Device Cybersecurity Published originally for ISSA Journal, September 2013 issue (www.ISSA.org) Authors: Pam Gilmore, BS Business Administration, ISSA Raleigh, NC member. Valdez Ladd, CISSP, CISA, COBIT 4.1, CIW-SP, CNSS NSTISSI 4011 ISSP, MBA. MAIA, Member ISO Technical Committee 215 Health Informatics Working Group 4 - Privacy & Security Abstract: In June 2013, the U.S. Food and Drug Administration (“FDA”) released draft guidance: “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”. This was followed on August by the FDA's “Radio Frequency Wireless Technology in Medical Devices Guidance for Industry and Food and Drug Administration Staff”. This article is intended for the customer facing risk managers, sales staff, and IT staff of a medical device manufacturer and their medical doctors and IT hospital and clinical counterparts. It is intended to give an overview and highlight process considerations for incident management and reporting of cybersecurity issues. Disclaimers: This article is an IT security awareness document only. It is not to be considered an official FDA document guide or consulting tool. Please seek legal counsel and consult your own corporate IT security along with any additional external professional expertise as deemed necessary for your business. Also note that the views expressed here in this article are those of the authors soley and do not necessarily reflect the positions of any current or former employers or organizations.
  • 2. In June 2013, the U.S. Food and Drug Administration (“FDA”) released draft guidance on titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”. Its goal is to begin the process of bringing network connected or accessible medical device's cybersecurity under their jurisdiction. This draft will be accessible for public comment until mid-September 2013. Final rules are expected to be published in early 2014. Healthcare is a high security environment. One which is constantly under constant attack. It is always combating the risk of exposure of protected patient health information (PHI). This requires using technical, administrative, and physical security controls for network connected medical devices. Though mobile smartphone and table applications are not covered currently, it is a good assumption that a security requirement is coming modelled on the current network device connected draft that this research paper covers. Therefore it is important that information technology (IT) security professionals not view this FDA draft through the prism of the customary CIA (confidentiality, integrity & availability) triad. It is too limited for use within the medical sector. A better heuristic is the more complete PAINS, (privacy, availability, authentication, integrity, non-repudiation and safety) to account for the stringent demands of medical devices and applications for patient requirements. (Sloan) 1. Sloane , Elliot B. (PAINS) “Medical Device Security HITECH-AARA and FDA related Security Issues”-NIST/OCR HIPPA Conference, (11, 12 May 2010) – http://csrc.nist.gov/news.../HIPAA.../1-4-health-devices-sloane-drexel.pdf Though it surprised some people outside the medical field, it can be seen as regulations trying to catch up to the explosion of Internet and network devices. This ranges from implanted devices such as insulin pumps, patient medical imaging storage, and wireless medical BYOD devices to X-Ray, MRI, ultrasound units, and other diagnostic equipment. Though this is a US regulation, it is sure to influence many other nations across the world as they consider their medical device review, acceptance, and procurement processes and laws to address cybersecurity risks to patients and their privacy. see figure 1. 2. ElBoghdady, Dina. Health apps under the microscope. 2012. Photograph. chicagotribune.com, Chicago. Web. 7 17 2013. <http://articles.chicagotribune.com/2012-06-26/business/ct-biz-0626-health-apps-20120626_1_smartphone-application- mobile-apps-android>. Illustration 1: (El Boghdady)
  • 3. While the FDA document did not reference outside technical reference there are several useful expert authoritative documents to consider. First the NIST SP 800-124 Revision 1 covers securing both organization-provided and personally-owned (bring your own device) mobile devices. Also the NIST Special Publication 800-53 (Rev. 4) and 800-53A (Rev. 1) Security Controls and Assessment Procedures for Federal Information Systems and Organizations should be added to the list. Finally be familiar with ISO/DTR 17522 Health informatics --Provisions for Health Applications on Mobile/Smart Devices 2013-01-29 30.20 and ISO/AWI TR 80001-Application of risk management for IT-networks incorporating medical devices. Existing Quality documentation processes for existing regulated device error reporting will have to include cybersecurity knowledge or subject matter expertise. This will allow for capturing relevant data in the case of a fast moving major security incident. This information should be made available to the medical device manufacturer's technical support per modality (ultrasound, X-Ray, blood serum diagnostic, etc.,) and quality control staff. Each may have training for serious incident hazard reporting, but will need to incorporate cybersecurity. This process will require expert training and review so their reporting processes can be efficient and compliant. The degree of harm caused by a major virus infection, rootkit or other malware can be extensive and possibly fatal. Time will be essential as mobile medical devices increase grows and connection via wireless networks grows. The same will be true for stationary and mobile imaging devices. Professional expertise will be needed for the preliminary incident. Basic data gathering only can be handled over the telephone with the customer. Beyond the basic five questions of who, what, when, where, and how (if possible) will require more training and on-site investigation by the manufacturer’s experts for the malware affected medical device. Semi-automated forensic hardware-and-software tool and processes have to be made available for deployment by device manufacturers in the USA and other countries that adopt similar levels of assurance and investigation. The manufacturer's customer facing IT and modality engineer staff will face growing to incorporate first responder capabilities within this area. Wireless Radio Frequency (RF) Devices The FDA's “Radio Frequency Wireless Technology in Medical Devices Guidance for Industry and Food and Drug Administration Staff” pressures manufacturers to consider the use of wireless technology in their medical devices. Also it encourages a risk based assessment of RF wireless technology in the device's design. The report states “The correct, timely, and secure transmission of medical data and information is important for the safe and effective use of both wired and wireless medical devices and device systems”. see figure 2. FDA (2013, August 13). Radio Frequency Wireless Technology in Medical Devices. http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/4GuidanceDocuments/ucm077210.htm
  • 4. The newest and fast growing area in medicine is bring-your-own-device (BYOD). The range of services and medical references that doctors and clinical staff have at their disposal is a powerful incentive to use the smartphone, tablet or other mobile device they have learned and mastered. However as one security expert stated,” Wireless implantable devices and other patient monitoring equipment "could be a back door into your network," noted Peter Swire, an Ohio State University law professor and former presidential adviser on privacy issue”. (Desta) 3. Desta, A.,"Content of Premarket Submissions for Management of Cybersecurity in Medical Devices-Draft guidance or Industry and Food and Drug Administration Staff.US-FDA (2013, 06) - http://www.fda.gov/medicaldevices/deviceregulationandguidance/guidancedocuments 4. csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pd 5. csrc.nist.gov/publications/nistpubs/800-53A.../sp800-53A-rev1-final.pdf 6. csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf 7. www.iso.org/iso/catalogue_detail.htm?csnumber=59949 FDA Cybersecurity Draft details: On June 13, 2013, the U.S. Food and Drug Administration (“FDA”) released draft guidance on titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices Draft Guidance for Industry and Food and Drug Administration Staff”. It proposes cybersecurity controls should be incorporated into vulnerable medical devices that are connected via wireless, Internet and wired networks. The documentation for this mainly contained in the Premarket Notification (510(k) and approval process for new medical devices. Illustration 2: (Gollakota)
  • 5. In addition to the draft guidance, the FDA published a FDA Safety Communication. It was addressed to medical device manufacturers and their engineers. It was intended for our nation’s hospitals, clinics, and other health care facilities including their health care information technology (IT), and procurements staff. This was due to increased publications of cybersecurity issues. prominent publication was when the US Government Accountability Office (GAO) issued a report titled, “Medical Devices: FDA Should Expand Its Consideration of Information Security for Certain Types of Devices” on August 31, 2013. (GAO) Later in January 2013 cybersecurity Cylance researchers Billy Rios and Terry McCorkle discovered default embedded passwords for a Phillips, Inc. medical systems. They contacted the company to communicate the vulnerabilities. However when no response came they contacted the US Dept. of Homeland Security. (DHS), the Federal Drug Administration (FDA) and the US Industrial Control Systems Cyber Emergency Response Team (ICS CERT) to persuade Phillips, Inc. to correct the security flaws quickly. In addition Cyberlance's Mr. Rios and Mr. McCorkle examined and discovered vulnerabilities and weak access controls in almost 300 medical devices. An alert published on the US government's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) website, cited research from Billy Rios and Terry McCorkle of the cyber security firm Cylance Inc., who said they have identified more than 300 pieces of medical equipment that are vulnerable to cyber-attacks to their firmware, embedded passwords and weak authentication. They include surgical and anaesthesia devices, ventilators, drug infusion pumps, patient monitors and external defibrillators. 8. ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01, The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). (13 June, 2013). Retrieved from http://www.gao.gov/products/GAO-12-816 Note the public draft has non-binding recommendations open for the public until mid-September after ninety (90) days have passed since its June 13th publication. Final rules would follow and go into effect next year in 2014. The draft itself states that in principle the cybersecurity requirements should be as least burdensome as practical, while still meeting requirements. Patches to medical devices for updating cybersecurity would not require FDA approval unless patient safety is affected. This include Anti-Virus updates. “Manufacturers should develop a set of security controls to assure medical device cybersecurity to maintain the information’s [data] confidentiality, integrity, and availability. This goal of avoiding compromised device functionality implicitly includes data at in-motion on the network and at-rest on the medical devices.” 9. GAO. MEDICAL DEVICES, FDA Should Expand Its Consideration of Information Security for Certain Types of Devices (31 August, 2012). Retrieved from http://www.gao.gov/products/GAO-12-816 10. Marianne Kolbasuk McGee, “Medical Device Security: A New Focus, Former Presidential Privacy Adviser Addresses Mobile Security (15 April, 2012) - http://www.healthcareinfosecurity.com/interviews/medical-device-security-new-focus-i-1882 11. Abiy Desta, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Draft Guidance for Industry and Food and Drug Administration Staff" (14 June 2013) - http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf 12. Op. Cit GAO 13. Darren Pauli, "Patient Data Revealed in Medical Device Hack", (17 Jan 2013) - http://www.scmagazine.com.au/News/329222,patient-data-revealed-in-medical-device-hack.aspx 14. Ransdell Pierson, Jim Finkle.,"FDA urges protection of Medical Devices from Cyber Threats" (13 June 2013) - http://www.reuters.com/article/2013/06/14/us-devices-cybersecurity-fda-idUSBRE95C1IB20130614
  • 6. Prior FDA Cybersecurity guidance: Since medical devices that were not originally designed with networking capabilities were isolated from the growing number of hospitals with local area networks (LAN) running TCP/IP their usefullnes was seen as diminished. Hospitals wanted more capabilities without buying totally new expensive medical devices. Manufacturers responded by connecting their medical devices with computer workstations running TCP/IP. This was important as the use of digital imaging of patient radiological (X-Ray & CT) and ultrasound images became more prominent. The FDA responded with it draft report the "Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software,” issued on January 14, 2005. It noted that manufacturers would generally not be reportable as a correction or removal under 21 C.F.R. part 806, “because most software patches are installed to reduce the risk of developing a problem associated with a cybersecurity vulnerability and not to address a risk to health posed by the device". The FDA was setting boundaries on liability for software patches to enhance safety without penalty to medical device manufacturers. It was an important and needed step for medical device cybersecurity. Risk Analysis: Below is a list of the risk analysis that the FDA's cybersecurity was invoking using many of the concepts found in the NIST special publications for cybersecurity. Note the documentation requirements are generic to many risk analysis at the design stage. Building security into a product at the design stage is always considered cheaper, more reliable and manageable. Bolting on security solutions or compensating controls after a product launch is more expensive and difficult to defend against highly skilled hackers. Under FDA 21 CFR 820.30(g) the risk analysis includes three requirements. First Identification of assets, threats, and vulnerabilities and the impact assessment of their exploit probability. Next the determination of risk levels and suitable compensating controls. Finally the residual risk assessment and risk acceptance criteria for the medical device must be included to complete the risk analysis. - Intentionally left blank -
  • 7. Security Capabilities Access Controls • Remove “hardcoded” passwords (those that can not be changed) • Limit Access to Trusted Users who are authenticated with multi-factor authentication • Employ role based access control with time limited user sessions • Physical locks on devices must be used and on their communication ports when possible 15. http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments /UCM356190.pdf Incident Response Ensuring Trusted Content is another requirement. Trusted software or firmware updates with strong authentication is the foundation for this functionality. This leads to software whitelisting, blacklisting (anti-virus), and secure software code signing becoming part of the security design. This will also require secure data transfers to and from the medical device using encryption and with authentication, authorization and accounting (AAA). While people and processes are listed as parts within the scope of the solution. The creation of a customer notification system that is standarized, procedurized and accessible to the hospital IT staff so that authorized users can download the correct dentifiable software and firmware updates from the manufacturer in cases of incident responses. Note that the range of security for existing devices and their current design will limit their security capabilities. For example implantable medical devices use simple PIN codes similar to a bank ATM. Smartphone and tablets have more computing power and can support encryption with authentication, authorization and accounting (AAA). Use Fail-Safe and Recovery Features The FDA specifice the mplementation of fail-safe device features that protect the device’s critical functionality, even when the device’s security has been compromised. These features allow for security breaches to be recognized, logged, and acted upon. Also it provide methods for forensic retention and recovery of device configuration by an authenticated system administrator. This allows the medical technician, or clinical staff to ramp down a treatment or examination for patient safety when notified of a security breach.
  • 8. Logging Today major diagnostic and radiological examination devices are often remotely monitored by medical device manufacturers for maintenance purposes. Mobile medical devices will need added capacity for logging more diagnostic data. While medical implants such as pacemakers and insulin pumps have very limited logging capabilites. Therefore forensic investigation using device logging will vary depending on the medical devices. 16. http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments /UCM356190.pdf Forensics Forensics data and evidence now must be captured within the medical device manufacturer's Hazard Report which will be produced when any medical device incident occurs. This is an existing standard report. So, the forensics will only need to be appended to the medical manufacturer's FDA complaint handling processes. This will drive demand for greater numbers of medical device forensic specialist by manufacturer's. HIPAA Privacy rules many be in conflict with the forensic rules unless addition compensating privacy controls are put into place. Cybersecurity Design Documentation The 501(K) premarket submission by the medical device manufacturers should provide attestment with supporting documentaton of the cybersecurity design of their medical device. Rather than going over each requirements which is highly redundant; we will highlight the most critical areas not covered earlier. This will better serve the reader. 1. Hazard analysis, mitigations, and design This documentation considers both intentional and unintentional cybersecurity risks associated with the medical device under review. This is an important liability issue as the definition for unintentional risks will need clarification in the future. Does the principal of unintended consequences (R. Merton) come into scope? Every Security design is a trade off between usability and security. How will the FDA judge this as unintend risks are not the ones intended by the medical device's purposeful design elements? 17. Merton, Robert K."The Unanticipated Consequences of Purposive Social Action". American Sociological Review 1 (6): 895. August 21, 2013. http://www.d.umn.edu/cla/faculty/jhamlin/4111/2111-home/CD/TheoryClass/Readings/MertonSocialAction.pdf
  • 9. 2. Security Requirements Traceability Matrix The key document for the Hazard analysis, mitigations, and design process will be the Traceability Matrix (Security Requirements Traceability Matrix ) document. It will link the actual intentional and unintentional cybersecurity controls to the cybersecurity risks that were considered at the time of design. The security requirements traceability matrix (STRM) should identify all IT security requirements for the medical device's design per the FDA. In addition it will map the the requirements to the existing IT security policy framework of the medical device manufacturer. Lastly it should serve as an IT policy assessment checklist for internal and external auditors. 18. The Institute of Internal Auditors (2008). 12 Steps to IT Security Compliance. Gap News,3(1). Retrieved from http://www.theiia.org/gap/index.cfm?act=GAP.printa&aid=2464 Anti virus (AV) The FDA has called for an end to the tug-of-war between hospitals and medical device manufacturers over anti virus software. Higher pricing for customized anti virus software from manufacturers was justified by FDA safety mandates per manufactures to avoid damage to the device's operation while patients are being treated. However many hospitals and clinics have had their own anti virus contracts under theirr own central administration. Now the FDA is mandating that detailed instructions for the end-user operations and product specifications related to recommended anti-virus (AV) software and any device firewall settings. This includes both the manufacturer's recommended use of anti-virus software safely. It also includes how the hospital should use and operate their own anti-virus software safely equally. Again the issue of liability in case of an AV infection by a hospital using the manufacturer's instructions for third party AV software will have to be resolved by the FDA or a court of law later. Summary: The FDA's guidance raises the standard for cybersecurity and risk management for the medical devices. Newer devices sold starting in 2014 and afterward when the final cybersecurity guidance takes effect will over time phase out older less secure networked medical devices. The FDA's goal of managing the medical device's cybersecurity product life-cycle from design to operation to disposal is timely and needed. Overtime this standard may become de facto for purchasers world wide of networked medical devices. PAINS, (privacy, availability, authentication, integrity, non-repudiation and safety) will become key components of the medical devices security risk analysis. It will serve to reinforce the scope of patient and device risks. It can be expected that the FDA cybersecurity guidance will strengthen the HIPAA Privacy Rule and Security Rule in the areas of risk analysis and mitigation also. Though a work in progress it presents another avenue of reducing the attack surface of the medical operations for hospitals and clinics. Therefore the increased cybersecurity of medical devices that the FDA is working on in its draft guidance is a positive for reducing risk to patients and their privacy. Hospitals and medical device manufacutrers will have to establish new processes and procedure to communicate and work together to create a successful transformation. This convergence of security, risk management and secure product design may be seen as a future model of cybersecurity for other regulated industries.
  • 10. 19.”FDA Safety Communication: Cybersecurity for Medical Devices and hospital Networks”, (6 June 2013) - http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm 20. Sloane, Elliot B. (PAINS) “Medical Device Security HITECH-AARA and FDA related Security Issues”-NIST/OCR HIPPA Conference, (11, 12 May 2010) – http://csrc.nist.gov/news.../HIPAA.../1-4-health-devices-sloane-drexel.pdf