Securing IoT
Medical Devices
John Bailey
Co-Founder and Chief Maker
DevMode
Objectives
That this session is the most informative 45 minutes since lunch today.
That attendees walk away:
● understanding the current state of medical device security (how we got here)
● knowing the key points of vulnerability in a medical device system
● with a punch-list of considerations and decision points for securing a
medical device system
And maybe to scare you a little. Then make you feel a bit better.
Disclaimer
We have NDAs.
We’ll discuss general patterns based on publicly available information.
What do we mean by medical device?
Something that detects, treats or cures a
medical condition.
● Fitness and general health monitoring
● Clinic/hospital equipment
● Therapy monitoring and administration
We’re focused on medically-critical portable
monitors, therapy, and implantable devices.
What do we mean by medical device?
● The physical device
● Data systems/services that receive, transmit, or store device related data
● Secondary devices used for programming the physical device
● Mobile and web applications used to display or manipulate device data
Pop Quiz - What's the most effective strategy for
keeping a medical device secure?
Don’t connect it.
Good luck with that!
Why connect devices?
● Improve patient outcomes
● Upgrade products using same hardware
● Resolve issues with firmware/software
● Reduce recall costs
● Answer FDA concerns
● Business process improvement
Why connect devices?
It may not be optional any longer.
...
The FDA wants medical devices to have mandatory monitoring and built-in
update mechanisms.
FDA Guidance Changes
FDA Medical Device Safety Action Plan
Who benefits?
● Manufacturers - Upgrade products using same hardware,
Reduce recall costs, Answer FDA concerns, Business process
improvement
● Patients - Improve patient outcomes
● Clinicians - Improve patient outcomes
● Insurers - Business process improvement
Who is at risk?
Patients take on the majority of the risk.
What’s at stake?
In short, people's lives…
What are some risk scenarios?
● Device hacking
● Personal data breaches
● DIY Device Mods
How real are these concerns?
They’re real, but don’t take my word for it.
Medical Device Hacks - Pacemaker
In 2008 an IEEE paper outlined a wireless vulnerability in an implantable
cardioverter defibrillator (ICD).
● Unencrypted wireless communication
● Reverse engineered command protocol
● Intercepted patient data
● Capable of disrupting heart function
IEEE Pacemaker hack story
Dick Cheney Terrorist Threat
Medical Device Hacks - Insulin Pump
In October 2016, Johnson & Johnson went public warning their patients of a
potential health risk caused by a cyber security vulnerability.
● First manufacturer disclosure of this type
● Unencrypted wireless communication
● Potential for creating insulin overdose
● Access to patient data
● Similar vulnerabilities discovered in other big players
J & J Insulin Pump Vulnerability
Barnaby Jack
A hacker renowned among industry experts for his influence in the medical and
financial security fields.
● Demonstrated hacking an insulin pump from a distance of up to 90 metres
using a high-gain antenna
● Demonstrated the ability to assassinate a victim
by hacking their pacemaker.
● Developed software that allowed him to remotely
send an electric shock to pacemakers within
a 50-foot radius
Data Privacy Breaches
● Majority come from healthcare providers
○ In 2017, 477 healthcare breaches reported to HHS
○ Affected over 5 million patient records
● Hacking has become the predominant cause of major breaches
● Connected devices create a new vector for data
hacking
DIY Device Mods
Dana Lewis hacked into her Continuous Glucose Monitor and collected data
which was in turn used to directly control her insulin pump.
● Creating an artificial pancreas
● Utilized unprotected data transmissions
● Developed a closed-loop therapy not approved by
the FDA at the time
● Created #OpenAPS and #DIYPS
Making an Artificial Pancreas
DIY Device Mods
Just a few weeks ago: the vulnerability in the Nintendo Switch’s Tegra X1
bootROM. I know, I know, this is not a medical device, but it illustrates an
interesting problem.
● Vulnerability in the hardware layer itself
● Likely unresolvable via software or firmware updates
● Imagine the FDA’s response to a similar issue
in a connected medical device…
Nintendo Switch Exploit
FDA Guidance Arrived Late
“There's a fairly significant fleet of devices that have back-door vulnerabilities
built in”
“As we learn more, we want to incrementally raise the expectations for the
security of devices”
“It is important to us that manufacturers build security and develop a program
through the lifetime of the device for maintenance”
Modern Healthcare, January 2018
So where can we go from here?
1. Identify the specific risks for a given system
2. Everything needs an identity (devices, servers, software, people)
3. Expose the minimum data/control
4. Leverage modern cryptography
5. Verify firmware/software authenticity
6. Monitor, track and react
IoT Connection Strategies
Other Systems In Play
Things get pretty wild!
Points of Vulnerability
● Physical device
● Communication
● Data at rest
● Firmware/software exploits
● Web or mobile applications
● Humans!
How do we start eliminating all this risk?
Start with a solid foundation based on modern security patterns.
Public Key Infrastructure
● The foundation of a secure architecture
● Utilize strong cryptography - long keys
● All systems own and never share their keys
● Protect the certificate authorities
● Have a plan for certificate life-cycles - keep ‘em short
● Leverage certificate expiration and revocation practices
● Keep up-to-date on cipher suites and key algorithms
Identity, Identity, Identity
● Everything in your platform needs an identity
● Leverage cryptographic identities for devices and infrastructure
● Establish trust between parties within your system
● Control inter-system access
● Create a data chain of custody
● Detect bad actors and isolate or eliminate access
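The PKI and identity points above, shown as an added Go example (not from the original deck): a device CA issues a short-lived client certificate for a key the device generated itself, and the backend accepts it only if it chains to that CA, is unexpired, and is not revoked. The CA names, the device ID pump-0001, the serial numbers and the in-memory revocation list (standing in for CRL/OCSP) are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA is a toy in-memory certificate authority (a real CA key belongs in an HSM).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// check aborts the demo on setup failures such as a broken entropy source.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// sign issues tmpl for pub under parent, signed with key, and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// NewCA creates a self-signed root whose only permitted use is signing certificates.
func NewCA(name string, now time.Time) *CA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Minute), NotAfter: now.AddDate(1, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return &CA{Cert: sign(tmpl, tmpl, &key.PublicKey, key), Key: key}
}

// IssueDevice certifies a public key only; the device's private key never reaches the CA.
func (ca *CA) IssueDevice(id string, serial int64, pub *ecdsa.PublicKey, now time.Time, ttl time.Duration) *x509.Certificate {
	return sign(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: id},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca.Cert, pub, ca.Key)
}

var ErrRevoked = errors.New("certificate serial is on the revocation list")

// Backend trusts exactly one device CA and keeps a deny-list of revoked serials.
type Backend struct {
	Roots   *x509.CertPool
	Revoked map[string]bool
}

// Authenticate returns the device ID only for a valid, unexpired, unrevoked client certificate.
func (b *Backend) Authenticate(cert *x509.Certificate, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: b.Roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err // unknown CA, outside validity window, or wrong key usage
	}
	if b.Revoked[cert.SerialNumber.String()] {
		return "", ErrRevoked
	}
	return cert.Subject.CommonName, nil
}

// Outcome records what the backend decided in each constructed case.
type Outcome struct {
	ID                               string
	Fresh, Expired, Foreign, Revoked error
}

// RunScenario exercises the backend with constructed names, serials and keys.
func RunScenario() Outcome {
	now := time.Now()
	ca, rogue := NewCA("Constructed Device CA", now), NewCA("Constructed Rogue CA", now)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the on-device key
	check(err)
	good := ca.IssueDevice("pump-0001", 100, &key.PublicKey, now, 24*time.Hour)
	fake := rogue.IssueDevice("pump-0001", 100, &key.PublicKey, now, 24*time.Hour)
	b := &Backend{Roots: x509.NewCertPool(), Revoked: map[string]bool{}}
	b.Roots.AddCert(ca.Cert)
	var o Outcome
	o.ID, o.Fresh = b.Authenticate(good, now)
	_, o.Expired = b.Authenticate(good, now.Add(48*time.Hour)) // a day past NotAfter
	_, o.Foreign = b.Authenticate(fake, now)                   // same ID, untrusted issuer
	b.Revoked["100"] = true                                    // operator isolates the device
	_, o.Revoked = b.Authenticate(good, now)
	return o
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

The same Authenticate logic is what a TLS server would run on the peer certificate when mutual TLS is enabled.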
Securing the Hardware
● Utilize a hardware-based security module / coprocessor (HSM, TPM)
● Trusted Execution Environments
● Digitally sign and encrypt the firmware/software
● Validate firmware/software on boot (Secure Boot)
● Protect data storage
● Tamper protection
● Disable JTAG or similar programming interfaces (remove, blow fuse, etc)
Securing Wireless - Bluetooth
● Never operate with plain text data packets
● BLE 4.2 if possible - allows strong encryption and key exchange (ECDH)
● Use secure connections
● Use the strongest possible pairing method the hardware supports to avoid
MITM attacks - Out of Band, Numeric Comparison - Something called “Just
Works” probably isn’t gonna cut it.
● Consider additional encryption at the software and/or firmware layer
Communication - Wired/Cellular/WIFI
(MQTT, AMQP, HTTP, etc)
● Never operate with plain text data packets
● Use TLS 1.2 or greater on all connections
● Consider Mutual TLS (mTLS) where possible
● Consider VPN Tunnelling for low powered embedded systems
● Secure your networks
Code Signing
● Developer utilizes certificate from a code signing authority
● Signing firmware/software
○ Generate one way hash of binaries
○ Encrypt hash with code signing identity private key
● Distribute binaries with certificate and hash
● Verification process
○ Decrypt provided hash
○ Generate one way hash of binaries
○ Compare decrypted and generated hashes
Firmware/Software Updates
● Periodically update firmware/software
● Resolve defects and/or security flaws
● Provide a secure mechanism to transfer firmware/software to device
● Leverage a secure boot mechanism to establish binary trust
● Provide a “no brick” mechanism to update
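The signing and verification steps from the Code Signing slide, combined with the secure boot and "no brick" points above, as an added Go example that is not from the original deck. The slide's "encrypt the hash / decrypt the hash" appears here as ECDSA sign and verify over a SHA-256 digest; the Release and Device types, the A/B slot layout, the version check and the keys are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Release is what the vendor distributes (hypothetical layout).
type Release struct {
	Version uint32
	Image   []byte
	Sig     []byte // ECDSA signature over digest(Version, Image)
}

// digest hashes version||image so an old image cannot be relabelled as newer.
func digest(version uint32, image []byte) []byte {
	buf := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	sum := sha256.Sum256(append(buf, image...))
	return sum[:]
}

// SignRelease runs on the build side; the private key never ships to devices.
func SignRelease(priv *ecdsa.PrivateKey, version uint32, image []byte) (Release, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(version, image))
	return Release{Version: version, Image: image, Sig: sig}, err
}

// Device models A/B firmware slots and holds only the vendor's public key.
type Device struct {
	TrustedKey *ecdsa.PublicKey
	Slots      [2]Release
	Active     int
}

var (
	ErrBadSignature = errors.New("image does not verify against the trusted key")
	ErrRollback     = errors.New("release is not newer than the running firmware")
	ErrNoBootable   = errors.New("no slot holds a verifiable image")
)

// verifies recomputes the digest of what is stored and checks the signature.
func (d *Device) verifies(r Release) bool {
	return r.Image != nil && ecdsa.VerifyASN1(d.TrustedKey, digest(r.Version, r.Image), r.Sig)
}

// ApplyUpdate stages the release in the inactive slot, verifies the staged
// copy, and only then switches slots; the running image is never overwritten.
func (d *Device) ApplyUpdate(r Release) error {
	staging := 1 - d.Active
	d.Slots[staging] = Release{Version: r.Version, Image: append([]byte(nil), r.Image...), Sig: r.Sig}
	if !d.verifies(d.Slots[staging]) {
		d.Slots[staging] = Release{} // erase the rejected image
		return ErrBadSignature
	}
	if r.Version <= d.Slots[d.Active].Version {
		d.Slots[staging] = Release{}
		return ErrRollback
	}
	d.Active = staging // the only step that changes what boots next
	return nil
}

// Boot is the secure-boot check: verify the active slot, else fall back to the other.
func (d *Device) Boot() (int, error) {
	for _, s := range []int{d.Active, 1 - d.Active} {
		if d.verifies(d.Slots[s]) {
			d.Active = s
			return s, nil
		}
	}
	return -1, ErrNoBootable
}

// NewDemo returns a constructed vendor key and a device running signed v1 in slot 0.
func NewDemo() (*ecdsa.PrivateKey, *Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	v1, err := SignRelease(priv, 1, []byte("constructed firmware v1"))
	return priv, &Device{TrustedKey: &priv.PublicKey, Slots: [2]Release{v1}}, err
}

func main() {
	priv, dev, err := NewDemo()
	if err != nil {
		panic(err)
	}
	v2, _ := SignRelease(priv, 2, []byte("constructed firmware v2"))
	bad := Release{Version: 2, Image: []byte("constructed firmware vX"), Sig: v2.Sig}
	fmt.Println("tampered:", dev.ApplyUpdate(bad))
	fmt.Println("genuine: ", dev.ApplyUpdate(v2), "-> active slot", dev.Active)
}
```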
Data at Rest
● Sensitive data should be encrypted at rest
○ Required for HIPAA compliance
● Prefer higher-layer encryption if possible
● Applies to all aspects of the architecture
Securing Mobile and Web Applications
● Use modern authentication solutions such as OAuth or OpenID
● Keep session lengths short
● Leverage biometric security
● Consider multi-factor authentication
● Critically consider which data to show
● Proxy devices and their software require extra care
Do you pass the phone-left-at-the-coffeeshop test?
Device Management
● Take inventory of devices
● Monitor usage and traffic patterns
● Manage firmware/software versions
● Use the data collected to detect and diagnose potential security problems
Whoa! - Do I need ALL of this?
It is not possible to do everything perfectly, and you aren’t alone.
Survey SAYS....
What’s in your way?
● Operational needs
● Budget
● Hardware
● User Experience
What’s in your way?
“We have to get to market and we don’t have time for all these
security changes.”
What’s in your way?
“These extra security modules won’t fit in our per-unit budget.”
What’s in your way?
“Our wireless module only supports BLE 4.0 and can’t sacrifice
battery life for extra encryption.”
What’s in your way?
“We can’t require our users to do some complex pairing process.”
Game Plan
1. Understand your specific risks
2. Evaluate the strategies and patterns that best apply within your constraints
3. Do as much as you possibly can
4. Never forget what’s at stake
Conclusions
Connected devices are a reality.
Security is a must.
Smart patterns exist.
Hire a pro.
Thank You.
John Bailey
DevMode.com
john@devmode.com
Blockchain? - because we know someone will ask
If a public distributed ledger makes sense to secure your identities and audit your
devices, then… maybe.
● Identities
● Audit trails
● Access management

BEST ✨ Call Girls In Indirapuram Ghaziabad ✔️ 9871031762 ✔️ Escorts Service...
 
Best Practices for Implementing an External Recruiting Partnership
Best Practices for Implementing an External Recruiting PartnershipBest Practices for Implementing an External Recruiting Partnership
Best Practices for Implementing an External Recruiting Partnership
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130  Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130  Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
 
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service DewasVip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 May
 

Securing Medical IoT Devices

  • 1. Securing IoT Medical Devices John Bailey Co-Founder and Chief Maker DevMode
  • 2. Objectives That this session is the most informative 45 minutes since lunch today. That attendees walk away: ● understanding the current state of medical device security (how we got here) ● knowing the key points of vulnerability in a medical device system ● with a punch-list of considerations and decision points for securing a medical device system And maybe to scare you a little. Then make you feel a bit better.
  • 3. Disclaimer We have NDAs. We’ll discuss general patterns based on publicly available information.
  • 4. What do we mean by medical device? Something that detects, treats or cures a medical condition. ● Fitness and general health monitoring ● Clinic/hospital equipment ● Therapy monitoring and administration We’re focused on medically-critical portable monitors, therapy, and implantable devices.
  • 5. What do we mean by medical device? ● The physical device ● Data systems/services that receive, transmit, or store device related data ● Secondary devices used for programming the physical device ● Mobile and web applications used to display or manipulate device data
  • 6. Pop Quiz - What's the most effective strategy for keeping a medical device secure? Don’t connect it. Good luck with that!
  • 7. Why connect devices? ● Improve patient outcomes ● Upgrade products using same hardware ● Resolve issues with firmware/software ● Reduce recall costs ● Answer FDA concerns ● Business process improvement
  • 8. Why connect devices? It may not be optional any longer. ... The FDA wants medical devices to have mandatory monitoring and built-in update mechanisms. FDA Guidance Changes FDA Medical Device Safety Action Plan
  • 9. Who benefits? ● Manufacturers - Upgrade products using same hardware, Reduce recall costs, Answer FDA concerns, Business process improvement ● Patients - Improve patient outcomes ● Clinicians - Improve patient outcomes ● Insurers - Business process improvement
  • 10. Who is at risk? Patients take on the majority of the risk.
  • 11. What’s at stake? In short, people's lives…
  • 12. What are some risk scenarios? ● Device hacking ● Personal data breaches ● DIY Device Mods
  • 13. How real are these concerns? They’re real, but don’t take my word for it.
  • 14. Medical Device Hacks - Pacemaker In 2008 an IEEE paper outlined a wireless vulnerability in an implantable cardioverter defibrillator (ICD). ● Unencrypted wireless communication ● Reverse engineered command protocol ● Intercepted patient data ● Capable of disrupting heart function IEEE Pacemaker hack story Dick Cheney Terrorist Threat
  • 15. Medical Device Hacks - Insulin Pump In October 2016, Johnson & Johnson went public warning their patients of a potential health risk caused by a cyber security vulnerability. ● First manufacturer disclosure of this type ● Unencrypted wireless communication ● Potential for creating insulin overdose ● Access to patient data ● Similar vulnerabilities discovered in other big players J & J Insulin Pump Vulnerability
  • 16. Barnaby Jack A hacker renowned among industry experts for his influence in the medical and financial security fields. ● Demonstrated hacking an insulin pump from a distance of up to 90 metres using a high-gain antenna ● Demonstrated the ability to assassinate a victim by hacking their pacemaker. ● Developed software that allowed him to remotely send an electric shock to pacemakers within a 50-foot radius
  • 17. Data Privacy Breaches ● Majority come from healthcare providers ○ In 2017, 477 healthcare breaches reported to HHS ○ Affected over 5 million patient records ● Hacking has become the predominant cause of major breaches ● Connected devices create a new vector for data hacking
  • 18. DIY Device Mods Dana Lewis hacked into her Continuous Glucose Monitor and collected data which was in turn used to directly control her insulin pump. ● Creating an artificial pancreas ● Utilized unprotected data transmissions ● Developed a closed-loop therapy not approved by the FDA at the time ● Created #OpenAPS and #DIYPS Making an Artificial Pancreas
  • 20. DIY Device Mods Just a few weeks ago, a vulnerability was disclosed in the Nintendo Switch’s Tegra X1 bootROM. I know, I know, this is not a medical device, but it illustrates an interesting problem. ● Vulnerability in the hardware layer itself ● Likely unresolvable via software or firmware updates ● Imagine what the FDA’s response would be to a similar issue in a connected medical device…. Nintendo Switch Exploit
  • 21. FDA Guidance Arrived Late “There's a fairly significant fleet of devices that have back-door vulnerabilities built in” “As we learn more, we want to incrementally raise the expectations for the security of devices” “It is important to us that manufacturers build security and develop a program through the lifetime of the device for maintenance” Modern Healthcare, January 2018
  • 22. So where can we go from here? 1. Identify the specific risks for a given system
  • 23. So where can we go from here? 1. Identify the specific risks for a given system 2. Everything needs an identity (devices, servers, software, people)
  • 24. So where can we go from here? 1. Identify the specific risks for a given system 2. Everything needs an identity (devices, servers, software, people) 3. Expose the minimum data/control
  • 25. So where can we go from here? 1. Identify the specific risks for a given system 2. Everything needs an identity (devices, servers, software, people) 3. Expose the minimum data/control 4. Leverage modern cryptography
  • 26. So where can we go from here? 1. Identify the specific risks for a given system 2. Everything needs an identity (devices, servers, software, people) 3. Expose the minimum data/control 4. Leverage modern cryptography 5. Verify firmware/software authenticity
  • 27. So where can we go from here? 1. Identify the specific risks for a given system 2. Everything needs an identity (devices, servers, software, people) 3. Expose the minimum data/control 4. Leverage modern cryptography 5. Verify firmware/software authenticity 6. Monitor, track and react
  • 29. Other Systems In Play Things get pretty wild!
  • 30. Points of Vulnerability ● Physical device ● Communication ● Data at rest ● Firmware/software exploits ● Web or mobile applications ● Humans!
  • 31. How do we start eliminating all this risk? Start with a solid foundation based on modern security patterns.
  • 32. Public Key Infrastructure ● The foundation of a secure architecture ● Utilize strong cryptography - long keys ● All systems own and never share their keys ● Protect the certificate authorities ● Have a plan for certificate life-cycles - keep ‘em short ● Leverage certificate expiration and revocation practices ● Keep up-to-date on cipher suites and key algorithms
  • 33. Identity, Identity, Identity ● Everything in your platform needs an identity ● Leverage cryptographic identities for devices and infrastructure ● Establish trust between parties within your system ● Control inter-system access ● Create a data chain of custody ● Detect bad actors and isolate or eliminate access
  • 34. Securing the Hardware ● Utilize a hardware-based security module / coprocessor (HSM, TPM) ● Trusted Execution Environments ● Digitally sign and encrypt the firmware/software ● Validate firmware/software on boot (Secure Boot) ● Protect data storage ● Tamper protection ● Disable JTAG or similar programming interfaces (remove, blow fuse, etc)
  • 35. Securing Wireless - Bluetooth ● Never operate with plain text data packets ● BLE 4.2 if possible - allows strong encryption and key exchange (ECDH) ● Use secure connections ● Use the strongest possible pairing method the hardware supports to avoid MITM attacks - Out of Band, Numeric Comparison - Something called “Just Works” probably isn’t gonna cut it. ● Consider additional encryption at the software and/or firmware layer
  • 36. Communication - Wired/Cellular/WIFI (MQTT, AMQP, HTTP, etc) ● Never operate with plain text data packets ● Use TLS 1.2 or greater on all connections ● Consider Mutual TLS (mTLS) where possible ● Consider VPN Tunnelling for low powered embedded systems ● Secure your networks
  • 37. Code Signing ● Developer utilizes certificate from a code signing authority ● Signing firmware/software ○ Generate one way hash of binaries ○ Encrypt hash with code signing identity private key ● Distribute binaries with certificate and hash ● Verification process ○ Decrypt provided hash ○ Generate one way hash of binaries ○ Compare decrypted and generated hashes
  • 38. Firmware/Software Updates ● Periodically update firmware/software ● Resolve defects and/or security flaws ● Provide a secure mechanism to transfer firmware/software to device ● Leverage a secure boot mechanism to establish binary trust ● Provide a “no brick” mechanism to update
  • 39. Data at Rest ● Sensitive data should be encrypted at rest - Required for HIPAA compliance ● Prefer higher-layer encryption if possible ● Applies to all aspects of the architecture
  • 40. Securing Mobile and Web Applications ● Use modern authentication solutions such as OAuth or OpenID ● Keep session lengths short ● Leverage biometric security ● Consider multi-factor authentication ● Critically consider which data to show ● Proxy devices and their software require extra care Do you pass the phone-left-at-the-coffeeshop test?
  • 41. Device Management ● Take inventory of devices ● Monitor usage and traffic patterns ● Manage firmware/software versions ● Use the data collected to detect and diagnose potential security problems
  • 42. Whoa! - Do I need ALL of this? It is not possible to do everything perfectly, and you aren’t alone.
  • 44. What’s in your way? ● Operational needs ● Budget ● Hardware ● User Experience
  • 45. What’s in your way? “We have to get to market and we don’t have time for all these security changes.”
  • 46. What’s in your way? “These extra security modules won’t fit in our per-unit budget.”
  • 47. What’s in your way? “Our wireless module only supports BLE 4.0 and can’t sacrifice battery life for extra encryption.”
  • 48. What’s in your way? “We can’t require our users to do some complex pairing process.”
  • 49. Game Plan 1. Understand your specific risks 2. Evaluate the strategies and patterns that best apply within your constraints 3. Do as much as you possibly can 4. Never forget what’s at stake
  • 50. Conclusions Connected devices are a reality. Security is a must. Smart patterns exist. Hire a pro.
  • 52. Blockchain? - because we know someone will ask If a public distributed ledger makes sense to secure your identities and audit your devices, then… maybe. ● Identities ● Audit trails ● Access management
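
The sign-then-verify flow from slide 37 (Code Signing), combined with the slide 38 point that a rejected update must not replace the running image, as an added example that is not part of the original presentation. It assumes ECDSA P-256 over a SHA-256 digest (the slide's "encrypt hash with private key" describes the same step in RSA terms); `SignedImage`, `Device` and the function names are hypothetical, and the firmware bytes are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedImage is a hypothetical update package: binary plus detached signature.
type SignedImage struct {
	Binary, Signature []byte // Signature: ASN.1 DER ECDSA over SHA-256(Binary)
}

// NewSigningKey makes a P-256 key; a real signing key would stay inside an HSM.
func NewSigningKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// SignFirmware runs on the signing host: hash the binary, then sign the hash.
func SignFirmware(priv *ecdsa.PrivateKey, binary []byte) (SignedImage, error) {
	digest := sha256.Sum256(binary)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return SignedImage{Binary: binary, Signature: sig}, err
}

// Device trusts only the public key provisioned at manufacture.
type Device struct {
	Trusted *ecdsa.PublicKey
	Active  []byte // image currently running
}

// Install recomputes the hash on-device and swaps images only if the signature verifies.
func (d *Device) Install(img SignedImage) error {
	digest := sha256.Sum256(img.Binary)
	if !ecdsa.VerifyASN1(d.Trusted, digest[:], img.Signature) {
		return errors.New("firmware signature invalid, update refused")
	}
	d.Active = img.Binary
	return nil
}

func main() {
	vendor, _ := NewSigningKey()
	dev := &Device{Trusted: &vendor.PublicKey, Active: []byte("constructed fw 1.0")}
	img, _ := SignFirmware(vendor, []byte("constructed fw 1.1"))
	img.Binary[0] ^= 0xFF // constructed tampering: one byte flipped in transit
	fmt.Println("tampered update:", dev.Install(img), "| still running:", string(dev.Active))
}
```

The device never takes the verification key from the update package itself; it uses only the key it already holds, which is why an image signed by any other key is refused.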