Cybersecurity Threat Assessment for
Medical Devices:
A Device Interface Methodology
Ben Berg
Dec 31, 2015
The analysis methodology
presented here is driven by the
FDA guidance document:
“Content of Premarket Submissions
for Management of Cybersecurity
in Medical Devices (Oct 2014)”
which consists of FDA
recommendations for considering
cybersecurity risks in medical
devices.
Cybersecurity Analysis Method for Medical Devices
The analysis methodology will
specifically address the
section:
Section 6 Cybersecurity
Documentation
Section 6 Cybersecurity Documentation of the FDA
Guidance document states:
Hazard analysis, mitigations, and design considerations
pertaining to intentional and unintentional cybersecurity
risks associated with your device, including:
• A specific list of all cybersecurity risks that were
considered in the design of your device;
• A specific list and justification for all cybersecurity
controls that were established for your device.
To satisfy these two bullet
items, a Device Interface
methodology is useful.
This Device Interface methodology is
summarized below:
Step 1: Draw Component Diagram of the
system.
Step 2: Identify SW Components in the
system.
Step 3: Identify Entry Points, i.e. device
interfaces in the system.
Step 4: Identify relevant SW Information in
the SW Components.
Step 5: Define Hazardous Use scenarios.
Step 6: Define Harm arising from hazardous
use.
Step 7: Define Mitigations.
Let’s consider the example of a generic EKG device:
[Figure: top view and side view of the generic EKG device, showing the Display, the USB port and the EKG Lead Connector]
Assumptions:
• There is data storage that
holds .PNG image files,
which can be transferred to
a laptop via a USB serial
connection.
• The laptop can also be
used to perform SW
upgrades on the device.
Step 1: Draw Component Diagram of the system.
To start, generate a “big picture” component diagram of the generic EKG
device.
[Component diagram: Lead Connector, ADC, Display, USB, MP (Management Processor), Display Driver, RTC, Audio DAC, Data Storage, FTDI, JTAG]
Step 2: Identify SW Components in the system.
For each component, identify any software that exists on each.
Subsidiary components such as DACs, RTCs, etc. are also
considered. For the moment, disregard the likelihood of any
particular cybersecurity threat.
[Component diagram from Step 1, with the components that host software identified: Lead Connector, ADC, Display, USB, MP, Display Driver, RTC, Audio DAC, Data Storage, FTDI, JTAG]
Step 3: Identify Entry Points.
Now identify device interfaces to the software components.
[Component diagram from Step 1, with the device interfaces (entry points) identified: Lead Connector, ADC, Display, USB, MP, Display Driver, RTC, Audio DAC, Data Storage, FTDI, JTAG]
Step 4: Identify relevant SW Information in the SW
Components.
For each SW component, identify the SW Information it holds, where
‘Information’ is a data entity that could serve as a vehicle for
malicious use.
[Component diagram from Step 1, annotated with SW Information: Time & Date (RTC), SW Image (MP), .PNG Image Files (Data Storage)]
Step 5: Define Hazardous Use scenarios.
At this point, we have all the items (SW
components, Entry Points, SW Information)
necessary to start defining hazardous use scenarios.
First, let’s define the term “hazardous use” as:
1. Any act, intended or unintended,
that would cause the device to
harm a patient or clinician.
2. Any act that would harm business
interests (reverse engineering SW,
intentional device failures,
reprocessing, etc.).
Step 5 (continued): Define Hazardous Use scenarios.
As with DFMEAs, the task of defining Hazardous Use scenarios
should be conducted by a cross-functional team:
• R&D SW developers
• System Engineers
• Reliability Engineers
• SWQA Engineers
Step 5 (continued): Define Hazardous Use scenarios.
To apply this methodology, first identify a Component that needs to be
analyzed (use the Component diagram from Step 1). Let’s start with the
example of the Management Processor (MP) component:
[Component diagram from Step 1, with the MP highlighted]
Step 5 (continued): Define Hazardous Use scenarios.
Next we identify an Entry Point. Let’s start with the JTAG connector:
[Component diagram from Step 1, with the MP and the JTAG entry point highlighted]
Step 5 (continued): Define Hazardous Use scenarios.
We complete the picture by identifying the SW Information on the
management processor. In this case, the device SW image:
[Component diagram from Step 1, with the MP, the JTAG entry point and the SW Image highlighted]
Step 5 (continued): Define Hazardous Use scenarios.
Going back to our definition of Hazardous Use, we ask ourselves the first
question:
What act, intended or unintended, could cause the device to harm a
patient or clinician?
[Diagram: MP, JTAG entry point, SW Image]
Step 5 (continued): Define Hazardous Use scenarios.
We need to define this Hazardous Use in the context of our
Device Interface methodology, taking into consideration the
component (MP), the interface (JTAG) and the SW
information (SW image).
Step 5 (continued): Define Hazardous Use scenarios.
Or more precisely:
How could someone gain access to the
Management Processor, via the JTAG
connector, and alter the SW Image so that it
would cause harm to a patient or clinician?
Step 5 (continued): Define Hazardous Use scenarios.
And we also ask ourselves the 2nd question from our
Hazardous Use definition:
How could someone gain access to the Management
Processor, via the JTAG connector, and alter the SW
Image so that it would cause harm to our business
interests?
Step 5 (continued): Define Hazardous Use scenarios.
We have entered the point in the methodology where typical
SW FMEA thinking takes over (keep in mind that we are still
not addressing the likelihood of a scenario).
Let’s try to define some possible hazardous use scenarios…
Step 5 (continued): Define Hazardous Use
scenarios.
Defining a hazardous use scenario:
[Diagram: laptop with JTAG emulator connected to the MP's JTAG port, targeting the SW Image]
• Using a laptop and a JTAG emulator, a malicious actor could
remove the cover of the device, connect to the JTAG header and
gain access to the MP.
• Using debugging tools on the laptop, this malicious actor
could then alter the SW Image to produce erroneous EKG
results or to corrupt the SW Image itself.
• The malicious user could also copy the SW Image off the MP
for the purposes of reverse engineering the SW.
Step 6: Define Harm arising from hazardous use.
The harm defined here should link to the harms defined in your
Preliminary Hazard Analysis. In our example, the possible harms
are easily deduced.
Hazard                                              | Harm
----------------------------------------------------|--------------------------------------------
Using debugging tools on the laptop, the malicious  | Serious: not immediately life-threatening;
actor alters the SW Image to produce erroneous EKG  | hospitalization or prolongation of
results or corrupts the SW Image itself.            | hospitalization.
----------------------------------------------------|--------------------------------------------
The malicious user copies the SW Image off the MP   | Business harm
for the purpose of reverse engineering the SW.      |
Step 7: Design Mitigations
We may now consider the severity and occurrence of the hazard and
harm, so that we can properly choose the Mitigation.
We will refrain from defining severity/occurrence in our example,
but suffice it to say that mitigations for Low severity (minor) hazards
may be very different from mitigations for High severity
(Catastrophic) hazards.
Step 7: Design Mitigations
Defining the mitigation should consist of design-based remedies.
Continuing with some mitigations for our example EKG device:
Hazard                                              | Mitigation
----------------------------------------------------|--------------------------------------------
Using debugging tools on the laptop, the malicious  | • Program SW lock on JTAG after programming
actor alters the SW Image to produce erroneous EKG  |   the MP (SW mitigation).
results or corrupts the SW Image itself.            | • Sealed final form factor (physical
                                                    |   mitigation).
----------------------------------------------------|--------------------------------------------
The malicious user copies the SW Image off the MP   | • Program SW lock on JTAG after programming
for the purpose of reverse engineering the SW.      |   the MP (SW mitigation).
                                                    | • Sealed final form factor (physical
                                                    |   mitigation).
Step 7: Design Mitigations
After implementation of the Mitigations, the severity/occurrence
should be re-evaluated to determine whether the risk has been
reduced to As Low As Reasonably Practicable (ALARP). This
evaluation should include an explanation of why the authors
believe the risk has been reduced to an acceptable level.
Mitigations should be verified as well as listed: a JTAG lock set by
software should be confirmed on a finished unit by attempting a debug
connection at production test, and the record should state whether
the lock is a one-time fuse or a reversible configuration bit, since
the two justify different residual-risk claims.
Of course, a record of this threat assessment should be entered
into the Design History File.
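To show the bookkeeping the seven steps produce, the following is an added example written for this edit (it is not code from the original deck). It records the EKG analysis as data, generates the two lists Section 6 asks for (risks considered, controls with justification), rejects rows that were never re-evaluated after mitigation, and flags (component, entry point, SW information) combinations from the diagram that have no hazardous use scenario yet. The 1..5 severity and occurrence scales, the acceptability threshold, the numeric ratings, and the assumption that the USB/FTDI path reaches both the MP (SW upgrade) and the data storage (.PNG transfer) are assumptions of this example, not values from the deck.

```python
"""Device Interface methodology captured as data: component -> entry point ->
SW information -> hazardous use -> harm -> mitigation (example, not the deck's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Steps 1, 2, 4: components that host software and the SW information on each
# (from the EKG example; lead connector, ADC and display hold no SW information).
SW_INFORMATION: Dict[str, Set[str]] = {
    "MP": {"SW Image"},
    "RTC": {"Time & Date"},
    "Data Storage": {".PNG Image Files"},
}

# Step 3: entry points and the components each one reaches. USB reaching the MP
# (SW upgrade) and Data Storage (.PNG transfer) follows the deck's assumptions;
# the RTC being reachable from neither is an assumption made here.
ENTRY_POINTS: Dict[str, Set[str]] = {
    "JTAG": {"MP"},
    "USB": {"MP", "Data Storage"},
}

# Assumed 1..5 scales (the deck leaves severity/occurrence undefined);
# risk = severity * occurrence, acceptable at or below this threshold.
ACCEPTABLE_RISK = 4


@dataclass
class Scenario:
    """One row of the analysis: step 5 (hazardous use), 6 (harm), 7 (mitigation)."""
    component: str
    entry_point: str
    information: str
    hazardous_use: str
    harm: str                        # should match a harm in the Preliminary Hazard Analysis
    severity: int                    # 1 negligible .. 5 catastrophic (assumed scale)
    occurrence_before: int           # 1 improbable .. 5 frequent (assumed scale)
    mitigations: List[Tuple[str, str]] = field(default_factory=list)  # (control, justification)
    occurrence_after: Optional[int] = None   # re-evaluated once mitigations are in place

    def triple(self) -> Tuple[str, str, str]:
        return (self.component, self.entry_point, self.information)


def candidate_triples() -> List[Tuple[str, str, str]]:
    """Every (component, entry point, SW information) combination the diagram allows."""
    return sorted((comp, ep, info)
                  for ep, comps in ENTRY_POINTS.items()
                  for comp in comps
                  for info in SW_INFORMATION.get(comp, ()))


def coverage_gaps(scenarios: List[Scenario]) -> List[Tuple[str, str, str]]:
    """Combinations from the diagram with no hazardous use scenario written yet."""
    covered = {s.triple() for s in scenarios}
    return [t for t in candidate_triples() if t not in covered]


def risks_considered(scenarios: List[Scenario]) -> List[str]:
    """Section 6, first bullet: the specific list of risks considered."""
    return [f"{s.component} via {s.entry_point} ({s.information}): {s.hazardous_use} -> {s.harm}"
            for s in scenarios]


def controls_with_justification(scenarios: List[Scenario]) -> Dict[str, Set[str]]:
    """Section 6, second bullet: each control once, with every justification given for it."""
    controls: Dict[str, Set[str]] = {}
    for s in scenarios:
        for control, why in s.mitigations:
            controls.setdefault(control, set()).add(why)
    return controls


def residual_risk(scenarios: List[Scenario]) -> List[Tuple[str, int, int, bool]]:
    """(hazardous use, risk before, risk after, acceptable?) per scenario. A row with
    no mitigation or no re-evaluated occurrence is rejected as unfinished analysis."""
    rows = []
    for s in scenarios:
        if not s.mitigations or s.occurrence_after is None:
            raise ValueError(f"unfinished analysis for {s.triple()}: {s.hazardous_use}")
        before = s.severity * s.occurrence_before
        after = s.severity * s.occurrence_after
        rows.append((s.hazardous_use, before, after, after <= ACCEPTABLE_RISK))
    return rows


# The two scenarios worked in the deck; the numeric ratings are assumed.
JTAG_LOCK = ("Program SW lock on JTAG after programming MP",
             "removes the debug path to the SW Image without affecting clinical use")
SEALED = ("Sealed final form factor",
          "reaching the JTAG header now requires visible, destructive entry")
EKG_SCENARIOS = [
    Scenario("MP", "JTAG", "SW Image",
             "alter the SW Image through a JTAG emulator to produce erroneous EKG results",
             "Serious: hospitalization or prolongation of hospitalization",
             severity=4, occurrence_before=3, mitigations=[JTAG_LOCK, SEALED], occurrence_after=1),
    Scenario("MP", "JTAG", "SW Image",
             "copy the SW Image off the MP through JTAG for reverse engineering",
             "Business harm", severity=2, occurrence_before=3,
             mitigations=[JTAG_LOCK, SEALED], occurrence_after=1),
]

if __name__ == "__main__":
    print("\n".join(risks_considered(EKG_SCENARIOS)))
    print(controls_with_justification(EKG_SCENARIOS))
    print(residual_risk(EKG_SCENARIOS))
    print("not yet analyzed:", coverage_gaps(EKG_SCENARIOS))
```

Running the script on the deck's two scenarios lists the JTAG lock and the sealed form factor once each with both justifications, shows both rows dropping below the assumed threshold, and reports that the USB path to the SW Image (the upgrade route) and to the .PNG files has no scenario yet, which is the gap a reviewer of the submission would ask about next.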