SlideShare a Scribd company logo

Security for Healthcare Devices - Will Your Device Be Good Enough?

Download as PPTX, PDF
R
Rio Valdes

Learn which elements must be considered when designing healthcare devices Why security challenges for wearables are greater than for an endpoint in a fixed location Elements to consider when adopting security-by-design product Cybersecurity, FDA digital health requirements Medical Wearables Use Case Studies

Engineering
1 of 31
Security for Healthcare Devices – Will Your Device Be Good Enough? Meet FDA and CE requirements, and avoid embarrassing and expensive security breaches
AGENDA 2 The Concern: Devices in Healthcare • Cybersecurity and privacy issues have been on the increase Security for Wearables is More Important • FDA digital health requirements Security By Design for Healthcare Devices • How to start security by design and get it right
The Concern: Devices in Healthcare 3 Medical Systems Hacks Are Scary, but Medical Device Hacks Could Be Even Worse Harvard Business Review, 2017 Medical Devices Are the Next Security Nightmare Wired, 2017
of health care organizations have been the victim of a cyberattack Source: SANS Institute94% Critical medical devices can be hacked, potentially creating life threating patient safety issues Notable attacks on smart devices and infrastructure St. Jude Medical pacemakers vulnerable to hacking – 465,000 devices recalled – fear that hackers can deplete batteries or even alter patient’s heartbeat (Source: The Guardian) Owlet’s Baby Heart Monitor vulnerable to exploits – unencrypted network, no authentication required (Source: CBS News) 20172016 TRENDnet Webcam hacking – hackers posted live feeds of 700 cameras to the web – failure to secure IP addresses, unencrypted log in, not password protected (Source: TechNewsWorld) 2012 4
Consumer product companies are open to lawsuits 5 Quick Facts: • Recent Incident: December 2019 • Hackers broke into Ring security cameras of two families • Hackers used device speakers to broadcast racial slurs • Ring advised customers to enable two-factor authentication, use strong passwords on their accounts (Source: Vice) Now: • Ring has faced growing criticism over its security practices • Two couples who had their devices hacked initiated class action lawsuits against Ring (Source: Business Insider)
Ring Class Action Lawsuit 6 What is it about? Multiple class action lawsuits have been filed against the Amazon-owned company, Ring. The suit accuses Ring of negligence, breach of implied contract, invasion of privacy, etc. They claim Ring has failed to implement “even the most basic” security measures to protect its customers. Who is affected? Anyone who owns a Ring home security device. What could the class action do? Force Ring to put stronger safeguards in place to protect user’s privacy and award money to device owners. (Source: ClassAction.org)
What Now? Ask Questions. 7 • What elements must be considered when designing healthcare devices? • Why security challenges for wearables are greater than for an endpoint in a fixed location. • How to do security by design?
Security challenges for wearables are higher than an endpoint in a fixed location 8 Why? The device may not be the correct device. The wearer can wander around and be almost anywhere. The device may be used by the wrong person.
How to determine if it’s authorized to send data? 9 Fall detection capabilities Take the Apple watch for example. The Apple Watch Series 4 and its key features were cleared by FDA in the US. 3 new heart monitoring capabilities • Low heart rate alert • Heart rhythm detection • Personal electrocardiogram (ECG) monitor Apple Watch Series 4 as a serious medical device: (Source: Forbes)
How to determine if it’s authorized to send data? 10 So, the API requires the Apple Watch to: The Apple Watch does not have the UI to grant data authorization. (Source: Learning Swift) Let the user know they need to grant that permission on the iPhone. Prompt the user with the health authorization dialog on the iPhone. Make the call once the authorization is complete on the iPhone. Handle the result of the authorization from the iPhone on the Apple Watch.
Other Questions to Think About 11 Has it been spoofed? Is there a different device sending data? Is the device sending the right data? Is the device sending data accurately? Was data taken at the right time? 1 2 3 4
Security Regulations for Wearables are Changing 12 Food and Drug Administration’s (FDA) Digital Health Requirements Issued on Oct. 18, 2018 Defined by FDA “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” Final release is still pending Non-biding later guidance is advisable for use Security requirements Draft guidance only 2014 version applies for now
FDA requirements 13 Higher level of security if 1. Device connects to another product or network (wired or wirelessly) 2. A cybersecurity incident could directly result in harm to multiple patients Tier 1 Standard security Tier 2
Tier 1 recommends the following: 14 Authentication Encryption IdentificationAuthorization Correction
Medical Devices Needing High Security, Based on NIST Cybersecurity Framework 15 Tier 1 recommends the following: Prevent unauthorized use • Limit access to trusted users and devices only • Authenticate and check authorization of safety-critical commands Ensure trusted content by maintaining code, data, and execution integrity Maintain confidentiality of data Design the device to detect cybersecurity threats in a timely fashion A B C Design the device to respond to and contain the impact of a potential cyber security incident Design the device to recover capabilities or services that were impaired due to a cyber security incident E D F
16 Cryptographic Verification and Authentication Secure Configuration Cybersecurity BOM (CBOM) Patches and Updates (Rapid verification, validation testing, and deployment) Autonomous Functionality Session Time Out Intrusion Detection System Routine Security and Antivirus Scanning Forensic Evidence Capture Vulnerability Analysis Breach Notification Retention and Recovery Other Resilience Measures Other Tier 1 design recommendations include:
17 but items may be ignored if a risk-based rational shows they are not appropriate. Tier 2 has the same recommendations,
18 Separate from security, but you must have security to meet HIPAA. Patient data security is very serious. HIPAA – Patient Data Privacy
HIPAA is focused on the user HIPAA Requirements 19 Requires end-to-end security • From device to database • Physical access control at database If data is transmitted without patient ID, no privacy concern • Match a code with the patient name at the database
CE Security Requirements 20 CE requirements are not as specific as FDA guidance, but have similar requirements. Devices must be safe, effective, and secure. There is a focus on data protection (see GDPR), which is more strict than U.S. patient data requirements. Documents that apply: • Annex I of the Medical Device Regulations (MDR) • EN62304 on software • EN14971 on hazard analysis
CE Security Required Practices 21 Security managementPractice 1 Specification of security requirementsPractice 2 Secure by designPractice 3 Secure implementationPractice 4 Security verification and validation testingPractice 5 Management of security-related issuesPractice 6 Security update managementPractice 7 Security guidelines - documentationPractice 8
22 CE Security Requirements It is the manufacturers’ responsibility to determine the minimum requirements for the operating environment as regards IT network characteristics and IT security measures that could not be implemented through the product design. From MDCG 2019-16 Guidance on Cybersecurity for medical devices
Elements to consider when adopting a security-by-design approach 23 The only way to meet FDA and CE requirements Benefits: Effective and early security flaws removal Built-in rather than bolt-on security Reduced risk of liabilityMore resilient systemsLower costs
How to do security by design? 24 Identify requirements before starting product design. Be aware of regulatory requirements. Design security as part of the product design. Test to ensure the requirements are met.
Medical wearable design Factors to keep in mind when designing a medical wearable, Part 1 25 Choice of Technology Are you building your wearables on proven technology? Technology Weaknesses Does the technology platform have known exploits? System Design Where are the risks in the system? Data at rest has different vulnerability than data in flight. Risk Assessment Overall Risk should be broken down into individual items each with risk and effort required. Cryptography What level of cryptography is needed? Too high requires more power and more time Encryption Encryption is not just protecting the data with an encryption algorithm. Key management is actually more important.
Medical wearable design Factors to keep in mind when designing a medical wearable, Part 2 26 Threat Detection How can one detect a threat before any damage is done? Penetration testing Ethical hackers hired to attempt to attack a system. Developers Are they involved in threat modeling? Are they aware of your organization's security-by-design practice? Maintainability Are requirements for maintainability and tools to measure it in place? Privacy by Design Is privacy included in your approach (HIPAA and GDPR)? Further Improvements How can you continuously improve device development? Security will get more challenging during the life of the product.
Security By Design for A Consumer Product 27 Product Feature: XEEDA cryptocurrency hardware wallet and integrated app Voler completed the challenging design on-time and on-budget. About the Product: It allows for access, exchange, and management of bitcoins and other digital currency assets directory from a smartphone. About the Client: XEEDA is a blockchain and transactions startup company.
Voler’s security by design at every step of product development 28 Voler developed the device with very high security (EAL Level 5), using multi-factor authentication and built-in biometric security features. Fingerprint sensor and passcode Other security features of cold storage cryptocurrency device: Secure microcontroller for private keys Encrypted links within and outside the unit OLED display for secure storage – password is not displayed on the phone
Secure Microcontroller Features 29 Advanced Physical Level Security that wipes data upon tamper True Random Number Generator AES, DES, and SHA accelerators Modulo Arithmetic Accelerator for common crypto algorithms Secure Boot Loader - allows only authorized code to run on the processor Fault detection – detects tampering with the hardware Supports EAL level 5 security
Choosing Security by Design 30 • Have you mapped your technical and commercial requirements against available technical capabilities? • There are many technologies with widely varying capabilities, cost, and availability. • Voler can help select the right security design for your device. • We design medical, IoT, and wearable devices.
Let Voler Help You Succeed! Voler designs IoT and wearable devices with expertise in wireless communication and sensors •Walt Maclay, Voler Systems •Walt@volersystems.com •408-245-9844 ext 101 Quality Electronic Design & Software Wearable Devices | Sensor Interfaces | Wireless | Medical Devices

Recommended

Intel HIMSS WoHIT mhealth
Intel HIMSS WoHIT mhealthIntel HIMSS WoHIT mhealth
Intel HIMSS WoHIT mhealthrcnossen
 
THE FDA and Medical Device Cybersecurity Guidance
THE FDA and Medical Device Cybersecurity GuidanceTHE FDA and Medical Device Cybersecurity Guidance
THE FDA and Medical Device Cybersecurity GuidancePam Gilmore
 
Cybersecurity in medical devices
Cybersecurity in medical devicesCybersecurity in medical devices
Cybersecurity in medical devicesSafisSolutions
 
Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015Flaskdata.io
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiClubHack
 
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin WheelerNTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin WheelerNorth Texas Chapter of the ISSA
 
Secure your Space: The Internet of Things
Secure your Space: The Internet of ThingsSecure your Space: The Internet of Things
Secure your Space: The Internet of ThingsThe Security of Things Forum
 
Aeroscout Wwt Wireless Mobilityin Hc Webcast
Aeroscout Wwt Wireless Mobilityin Hc WebcastAeroscout Wwt Wireless Mobilityin Hc Webcast
Aeroscout Wwt Wireless Mobilityin Hc WebcastMarc
 

Recommended

Intel HIMSS WoHIT mhealth
Intel HIMSS WoHIT mhealthIntel HIMSS WoHIT mhealth
Intel HIMSS WoHIT mhealthrcnossen
 
THE FDA and Medical Device Cybersecurity Guidance
THE FDA and Medical Device Cybersecurity GuidanceTHE FDA and Medical Device Cybersecurity Guidance
THE FDA and Medical Device Cybersecurity GuidancePam Gilmore
 
Cybersecurity in medical devices
Cybersecurity in medical devicesCybersecurity in medical devices
Cybersecurity in medical devicesSafisSolutions
 
Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015Flaskdata.io
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiClubHack
 
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin WheelerNTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin WheelerNorth Texas Chapter of the ISSA
 
Secure your Space: The Internet of Things
Secure your Space: The Internet of ThingsSecure your Space: The Internet of Things
Secure your Space: The Internet of ThingsThe Security of Things Forum
 
Aeroscout Wwt Wireless Mobilityin Hc Webcast
Aeroscout Wwt Wireless Mobilityin Hc WebcastAeroscout Wwt Wireless Mobilityin Hc Webcast
Aeroscout Wwt Wireless Mobilityin Hc WebcastMarc
 
Securing the Fog
Securing the FogSecuring the Fog
Securing the FogThe Security of Things Forum
 
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar NCritical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar Nnull The Open Security Community
 
Nist 800 82
Nist 800 82Nist 800 82
Nist 800 82majolic
 
Collaborative Approaches for Medical Device & Healthcare Cybersecurity
Collaborative Approaches for Medical Device & Healthcare CybersecurityCollaborative Approaches for Medical Device & Healthcare Cybersecurity
Collaborative Approaches for Medical Device & Healthcare CybersecurityDr Dev Kambhampati
 
NIST releases SP 800-160 Multi-discplinary approach to cybersecurity
NIST releases SP 800-160 Multi-discplinary approach to cybersecurityNIST releases SP 800-160 Multi-discplinary approach to cybersecurity
NIST releases SP 800-160 Multi-discplinary approach to cybersecurityDavid Sweigert
 
Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges Nathan Wallace, PhD, PE
 
A Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachAnchises Moraes
 
Practical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityPractical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityEnclaveSecurity
 
Cybersecurity Implementation and Certification in Practice for IoT Equipment
Cybersecurity Implementation and Certification in Practice for IoT EquipmentCybersecurity Implementation and Certification in Practice for IoT Equipment
Cybersecurity Implementation and Certification in Practice for IoT EquipmentOnward Security
 
Securing Industrial Control Systems
Securing Industrial Control SystemsSecuring Industrial Control Systems
Securing Industrial Control SystemsEric Andresen
 
Cyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSCyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSJim Gilsinn
 
Cyber Resilient Systems Representative Solutions for Trustworthy Systems
Cyber Resilient Systems Representative Solutions for Trustworthy SystemsCyber Resilient Systems Representative Solutions for Trustworthy Systems
Cyber Resilient Systems Representative Solutions for Trustworthy SystemsAgence du Numérique (AdN)
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Wendy Knox Everette
 
IEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel TalkIEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel TalkNathan Wallace, PhD, PE
 
New Security Legislation & It's Implications for OSS Management
New Security Legislation & It's Implications for OSS Management New Security Legislation & It's Implications for OSS Management
New Security Legislation & It's Implications for OSS Management Black Duck by Synopsys
 
Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices IJECEIAES
 
02 ibm security for smart grids
02 ibm security for smart grids02 ibm security for smart grids
02 ibm security for smart gridsIBM Italia Web Team
 
Managing Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesManaging Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesControlCase
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyEnclaveSecurity
 
Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015Flaskdata.io
 
Practical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfPractical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfICS
 
Equifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningEquifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningBlack Duck by Synopsys
 

More Related Content

What's hot

Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar NCritical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar Nnull The Open Security Community
 
Nist 800 82
Nist 800 82Nist 800 82
Nist 800 82majolic
 
Collaborative Approaches for Medical Device & Healthcare Cybersecurity
Collaborative Approaches for Medical Device & Healthcare CybersecurityCollaborative Approaches for Medical Device & Healthcare Cybersecurity
Collaborative Approaches for Medical Device & Healthcare CybersecurityDr Dev Kambhampati
 
NIST releases SP 800-160 Multi-discplinary approach to cybersecurity
NIST releases SP 800-160 Multi-discplinary approach to cybersecurityNIST releases SP 800-160 Multi-discplinary approach to cybersecurity
NIST releases SP 800-160 Multi-discplinary approach to cybersecurityDavid Sweigert
 
Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges Nathan Wallace, PhD, PE
 
A Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachAnchises Moraes
 
Practical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityPractical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityEnclaveSecurity
 
Cybersecurity Implementation and Certification in Practice for IoT Equipment
Cybersecurity Implementation and Certification in Practice for IoT EquipmentCybersecurity Implementation and Certification in Practice for IoT Equipment
Cybersecurity Implementation and Certification in Practice for IoT EquipmentOnward Security
 
Securing Industrial Control Systems
Securing Industrial Control SystemsSecuring Industrial Control Systems
Securing Industrial Control SystemsEric Andresen
 
Cyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSCyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSJim Gilsinn
 
Cyber Resilient Systems Representative Solutions for Trustworthy Systems
Cyber Resilient Systems Representative Solutions for Trustworthy SystemsCyber Resilient Systems Representative Solutions for Trustworthy Systems
Cyber Resilient Systems Representative Solutions for Trustworthy SystemsAgence du Numérique (AdN)
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Wendy Knox Everette
 
IEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel TalkIEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel TalkNathan Wallace, PhD, PE
 
New Security Legislation & It's Implications for OSS Management
New Security Legislation & It's Implications for OSS Management New Security Legislation & It's Implications for OSS Management
New Security Legislation & It's Implications for OSS Management Black Duck by Synopsys
 
Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices IJECEIAES
 
Managing Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesManaging Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesControlCase
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyEnclaveSecurity
 

What's hot (19)

Securing the Fog
Securing the FogSecuring the Fog
Securing the Fog
 
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar NCritical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
 
Nist 800 82
Nist 800 82Nist 800 82
Nist 800 82
 
Collaborative Approaches for Medical Device & Healthcare Cybersecurity
Collaborative Approaches for Medical Device & Healthcare CybersecurityCollaborative Approaches for Medical Device & Healthcare Cybersecurity
Collaborative Approaches for Medical Device & Healthcare Cybersecurity
 
NIST releases SP 800-160 Multi-discplinary approach to cybersecurity
NIST releases SP 800-160 Multi-discplinary approach to cybersecurityNIST releases SP 800-160 Multi-discplinary approach to cybersecurity
NIST releases SP 800-160 Multi-discplinary approach to cybersecurity
 
Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges
 
A Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data Breach
 
Practical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityPractical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device security
 
Cybersecurity Implementation and Certification in Practice for IoT Equipment
Cybersecurity Implementation and Certification in Practice for IoT EquipmentCybersecurity Implementation and Certification in Practice for IoT Equipment
Cybersecurity Implementation and Certification in Practice for IoT Equipment
 
Securing Industrial Control Systems
Securing Industrial Control SystemsSecuring Industrial Control Systems
Securing Industrial Control Systems
 
Cyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSCyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICS
 
Cyber Resilient Systems Representative Solutions for Trustworthy Systems
Cyber Resilient Systems Representative Solutions for Trustworthy SystemsCyber Resilient Systems Representative Solutions for Trustworthy Systems
Cyber Resilient Systems Representative Solutions for Trustworthy Systems
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021
 
IEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel TalkIEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel Talk
 
New Security Legislation & It's Implications for OSS Management
New Security Legislation & It's Implications for OSS Management New Security Legislation & It's Implications for OSS Management
New Security Legislation & It's Implications for OSS Management
 
Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices
 
02 ibm security for smart grids
02 ibm security for smart grids02 ibm security for smart grids
02 ibm security for smart grids
 
Managing Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesManaging Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust Principles
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare Technology
 

Similar to Security for Healthcare Devices - Will Your Device Be Good Enough?

Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015Flaskdata.io
 
Practical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfPractical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfICS
 
Equifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningEquifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningBlack Duck by Synopsys
 
Securing IoT medical devices
Securing IoT medical devicesSecuring IoT medical devices
Securing IoT medical devicesBenjamin Biwer
 
FDA’s Updated Guidance on Cybersecurity
FDA’s Updated Guidance on CybersecurityFDA’s Updated Guidance on Cybersecurity
FDA’s Updated Guidance on CybersecurityEMMAIntl
 
Data Security and Confidentiality in eCTD Publishing Tools Safeguarding Sensi...
Data Security and Confidentiality in eCTD Publishing Tools Safeguarding Sensi...Data Security and Confidentiality in eCTD Publishing Tools Safeguarding Sensi...
Data Security and Confidentiality in eCTD Publishing Tools Safeguarding Sensi...JustinFinch11
 
Network Connected Medical Devices - A Case Study
Network Connected Medical Devices - A Case StudyNetwork Connected Medical Devices - A Case Study
Network Connected Medical Devices - A Case StudySophiaPalmira
 
Guide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureGuide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureCalgary Scientific Inc.
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security BasicsMohan Jadhav
 
Killed by code - mobile medical devices
Killed by code - mobile medical devicesKilled by code - mobile medical devices
Killed by code - mobile medical devicesFlaskdata.io
 
Understanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and ApplicationsUnderstanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and ApplicationsEMMAIntl
 
The FDA - Mobile, and Fixed Medical Devices Cybersecurity Guidance
The FDA - Mobile, and Fixed Medical Devices Cybersecurity GuidanceThe FDA - Mobile, and Fixed Medical Devices Cybersecurity Guidance
The FDA - Mobile, and Fixed Medical Devices Cybersecurity GuidanceValdez Ladd MBA, CISSP, CISA,
 
5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk
5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk
5 Ways Technology Vendors Put Their Healthcare Customer's PHI at RiskClearDATACloud
 
CyberSecurity Medical Devices
CyberSecurity Medical DevicesCyberSecurity Medical Devices
CyberSecurity Medical DevicesSuresh Mandava
 
Breakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical DevicesBreakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical DevicesHealthegy
 
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYODRoadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYODSierraware
 
Patient Centric Cyber Monitoring with DocBox and Evolver
Patient Centric Cyber Monitoring with DocBox and EvolverPatient Centric Cyber Monitoring with DocBox and Evolver
Patient Centric Cyber Monitoring with DocBox and EvolverThe Security of Things Forum
 
Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...3GDR
 
Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...3GDR
 
Security Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the HeadlinesSecurity Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the HeadlinesDuo Security
 

Similar to Security for Healthcare Devices - Will Your Device Be Good Enough? (20)

Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015
 
Practical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfPractical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdf
 
Equifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningEquifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability Scanning
 
Securing IoT medical devices
Securing IoT medical devicesSecuring IoT medical devices
Securing IoT medical devices
 
FDA’s Updated Guidance on Cybersecurity
FDA’s Updated Guidance on CybersecurityFDA’s Updated Guidance on Cybersecurity
FDA’s Updated Guidance on Cybersecurity
 
Data Security and Confidentiality in eCTD Publishing Tools Safeguarding Sensi...
Data Security and Confidentiality in eCTD Publishing Tools Safeguarding Sensi...Data Security and Confidentiality in eCTD Publishing Tools Safeguarding Sensi...
Data Security and Confidentiality in eCTD Publishing Tools Safeguarding Sensi...
 
Network Connected Medical Devices - A Case Study
Network Connected Medical Devices - A Case StudyNetwork Connected Medical Devices - A Case Study
Network Connected Medical Devices - A Case Study
 
Guide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureGuide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secure
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
 
Killed by code - mobile medical devices
Killed by code - mobile medical devicesKilled by code - mobile medical devices
Killed by code - mobile medical devices
 
Understanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and ApplicationsUnderstanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and Applications
 
The FDA - Mobile, and Fixed Medical Devices Cybersecurity Guidance
The FDA - Mobile, and Fixed Medical Devices Cybersecurity GuidanceThe FDA - Mobile, and Fixed Medical Devices Cybersecurity Guidance
The FDA - Mobile, and Fixed Medical Devices Cybersecurity Guidance
 
5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk
5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk
5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk
 
CyberSecurity Medical Devices
CyberSecurity Medical DevicesCyberSecurity Medical Devices
CyberSecurity Medical Devices
 
Breakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical DevicesBreakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical Devices
 
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYODRoadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
 
Patient Centric Cyber Monitoring with DocBox and Evolver
Patient Centric Cyber Monitoring with DocBox and EvolverPatient Centric Cyber Monitoring with DocBox and Evolver
Patient Centric Cyber Monitoring with DocBox and Evolver
 
Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...
 
Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...
 
Security Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the HeadlinesSecurity Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the Headlines
 

Recently uploaded

Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerAnamika Sarkar
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineeringmalavadedarshan25
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfAsst.prof M.Gokilavani
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.eptoze12
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girlsssuser7cb4ff
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionDr.Costas Sachpazis
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile servicerehmti665
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfAsst.prof M.Gokilavani
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝soniya singh
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2RajaP95
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 

Recently uploaded (20)

Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineering
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 

Security for Healthcare Devices - Will Your Device Be Good Enough?

  • 1. Security for Healthcare Devices – Will Your Device Be Good Enough? Meet FDA and CE requirements, and avoid embarrassing and expensive security breaches
  • 2. AGENDA 2 The Concern: Devices in Healthcare • Cybersecurity and privacy issues have been on the increase Security for Wearables is More Important • FDA digital health requirements Security By Design for Healthcare Devices • How to start security by design and get it right
  • 3. The Concern: Devices in Healthcare 3 Medical Systems Hacks Are Scary, but Medical Device Hacks Could Be Even Worse Harvard Business Review, 2017 Medical Devices Are the Next Security Nightmare Wired, 2017
  • 4. of health care organizations have been the victim of a cyberattack Source: SANS Institute94% Critical medical devices can be hacked, potentially creating life threating patient safety issues Notable attacks on smart devices and infrastructure St. Jude Medical pacemakers vulnerable to hacking – 465,000 devices recalled – fear that hackers can deplete batteries or even alter patient’s heartbeat (Source: The Guardian) Owlet’s Baby Heart Monitor vulnerable to exploits – unencrypted network, no authentication required (Source: CBS News) 20172016 TRENDnet Webcam hacking – hackers posted live feeds of 700 cameras to the web – failure to secure IP addresses, unencrypted log in, not password protected (Source: TechNewsWorld) 2012 4
  • 5. Consumer product companies are open to lawsuits 5 Quick Facts: • Recent Incident: December 2019 • Hackers broke into Ring security cameras of two families • Hackers used device speakers to broadcast racial slurs • Ring advised customers to enable two-factor authentication, use strong passwords on their accounts (Source: Vice) Now: • Ring has faced growing criticism over its security practices • Two couples who had their devices hacked initiated class action lawsuits against Ring (Source: Business Insider)
  • 6. Ring Class Action Lawsuit 6 What is it about? Multiple class action lawsuits have been filed against the Amazon-owned company, Ring. The suit accuses Ring of negligence, breach of implied contract, invasion of privacy, etc. They claim Ring has failed to implement “even the most basic” security measures to protect its customers. Who is affected? Anyone who owns a Ring home security device. What could the class action do? Force Ring to put stronger safeguards in place to protect user’s privacy and award money to device owners. (Source: ClassAction.org)
  • 7. What Now? Ask Questions. 7 • What elements must be considered when designing healthcare devices? • Why security challenges for wearables are greater than for an endpoint in a fixed location. • How to do security by design?
  • 8. Security challenges for wearables are higher than an endpoint in a fixed location 8 Why? The device may not be the correct device. The wearer can wander around and be almost anywhere. The device may be used by the wrong person.
  • 9. How to determine if it’s authorized to send data? 9 Fall detection capabilities Take the Apple watch for example. The Apple Watch Series 4 and its key features were cleared by FDA in the US. 3 new heart monitoring capabilities • Low heart rate alert • Heart rhythm detection • Personal electrocardiogram (ECG) monitor Apple Watch Series 4 as a serious medical device: (Source: Forbes)
  • 10. How to determine if it’s authorized to send data? 10 So, the API requires the Apple Watch to: The Apple Watch does not have the UI to grant data authorization. (Source: Learning Swift) Let the user know they need to grant that permission on the iPhone. Prompt the user with the health authorization dialog on the iPhone. Make the call once the authorization is complete on the iPhone. Handle the result of the authorization from the iPhone on the Apple Watch.
  • 11. Other Questions to Think About 11 Has it been spoofed? Is there a different device sending data? Is the device sending the right data? Is the device sending data accurately? Was data taken at the right time? 1 2 3 4
  • 12. Security Regulations for Wearables are Changing 12 Food and Drug Administration’s (FDA) Digital Health Requirements Issued on Oct. 18, 2018 Defined by FDA “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” Final release is still pending Non-biding later guidance is advisable for use Security requirements Draft guidance only 2014 version applies for now
  • 13. FDA requirements 13 Higher level of security if 1. Device connects to another product or network (wired or wirelessly) 2. A cybersecurity incident could directly result in harm to multiple patients Tier 1 Standard security Tier 2
  • 14. Tier 1 recommends the following: 14 Authentication Encryption IdentificationAuthorization Correction
  • 15. Medical Devices Needing High Security, Based on NIST Cybersecurity Framework 15 Tier 1 recommends the following: Prevent unauthorized use • Limit access to trusted users and devices only • Authenticate and check authorization of safety-critical commands Ensure trusted content by maintaining code, data, and execution integrity Maintain confidentiality of data Design the device to detect cybersecurity threats in a timely fashion A B C Design the device to respond to and contain the impact of a potential cyber security incident Design the device to recover capabilities or services that were impaired due to a cyber security incident E D F
  • 16. 16 Cryptographic Verification and Authentication Secure Configuration Cybersecurity BOM (CBOM) Patches and Updates (Rapid verification, validation testing, and deployment) Autonomous Functionality Session Time Out Intrusion Detection System Routine Security and Antivirus Scanning Forensic Evidence Capture Vulnerability Analysis Breach Notification Retention and Recovery Other Resilience Measures Other Tier 1 design recommendations include:
  • 17. 17 but items may be ignored if a risk-based rational shows they are not appropriate. Tier 2 has the same recommendations,
  • 18. 18 Separate from security, but you must have security to meet HIPAA. Patient data security is very serious. HIPAA – Patient Data Privacy
  • 19. HIPAA is focused on the user HIPAA Requirements 19 Requires end-to-end security • From device to database • Physical access control at database If data is transmitted without patient ID, no privacy concern • Match a code with the patient name at the database
  • 20. CE Security Requirements 20 CE requirements are not as specific as FDA guidance, but have similar requirements. Devices must be safe, effective, and secure. There is a focus on data protection (see GDPR), which is more strict than U.S. patient data requirements. Documents that apply: • Annex I of the Medical Device Regulations (MDR) • EN62304 on software • EN14971 on hazard analysis
  • 21. CE Security Required Practices 21 Security managementPractice 1 Specification of security requirementsPractice 2 Secure by designPractice 3 Secure implementationPractice 4 Security verification and validation testingPractice 5 Management of security-related issuesPractice 6 Security update managementPractice 7 Security guidelines - documentationPractice 8
  • 22. 22 CE Security Requirements It is the manufacturers’ responsibility to determine the minimum requirements for the operating environment as regards IT network characteristics and IT security measures that could not be implemented through the product design. From MDCG 2019-16 Guidance on Cybersecurity for medical devices
  • 23. Elements to consider when adopting a security-by-design approach 23 The only way to meet FDA and CE requirements Benefits: Effective and early security flaws removal Built-in rather than bolt-on security Reduced risk of liabilityMore resilient systemsLower costs
  • 24. How to do security by design? 24 Identify requirements before starting product design. Be aware of regulatory requirements. Design security as part of the product design. Test to ensure the requirements are met.
  • 25. Medical wearable design Factors to keep in mind when designing a medical wearable, Part 1 25 Choice of Technology Are you building your wearables on proven technology? Technology Weaknesses Does the technology platform have known exploits? System Design Where are the risks in the system? Data at rest has different vulnerability than data in flight. Risk Assessment Overall Risk should be broken down into individual items each with risk and effort required. Cryptography What level of cryptography is needed? Too high requires more power and more time Encryption Encryption is not just protecting the data with an encryption algorithm. Key management is actually more important.
  • 26. Medical wearable design Factors to keep in mind when designing a medical wearable, Part 2 26 Threat Detection How can one detect a threat before any damage is done? Penetration testing Ethical hackers hired to attempt to attack a system. Developers Are they involved in threat modeling? Are they aware of your organization's security-by-design practice? Maintainability Are requirements for maintainability and tools to measure it in place? Privacy by Design Is privacy included in your approach (HIPAA and GDPR)? Further Improvements How can you continuously improve device development? Security will get more challenging during the life of the product.
  • 27. Security By Design for A Consumer Product 27 Product Feature: XEEDA cryptocurrency hardware wallet and integrated app Voler completed the challenging design on-time and on-budget. About the Product: It allows for access, exchange, and management of bitcoins and other digital currency assets directory from a smartphone. About the Client: XEEDA is a blockchain and transactions startup company.
  • 28. Voler’s security by design at every step of product development 28 Voler developed the device with very high security (EAL Level 5), using multi-factor authentication and built-in biometric security features. Fingerprint sensor and passcode Other security features of cold storage cryptocurrency device: Secure microcontroller for private keys Encrypted links within and outside the unit OLED display for secure storage – password is not displayed on the phone
  • 29. Secure Microcontroller Features 29 Advanced Physical Level Security that wipes data upon tamper True Random Number Generator AES, DES, and SHA accelerators Modulo Arithmetic Accelerator for common crypto algorithms Secure Boot Loader - allows only authorized code to run on the processor Fault detection – detects tampering with the hardware Supports EAL level 5 security
  • 30. Choosing Security by Design 30 • Have you mapped your technical and commercial requirements against available technical capabilities? • There are many technologies with widely varying capabilities, cost, and availability. • Voler can help select the right security design for your device. • We design medical, IoT, and wearable devices.
  • 31. Let Voler Help You Succeed! Voler designs IoT and wearable devices with expertise in wireless communication and sensors •Walt Maclay, Voler Systems •Walt@volersystems.com •408-245-9844 ext 101 Quality Electronic Design & Software Wearable Devices | Sensor Interfaces | Wireless | Medical Devices