Standardizing the Secure Deployment of Medical Devices

Director of Infrastructure at Interfaith Medical Center
Jul. 31, 2017

  1. STANDARDIZING THE SECURE DEPLOYMENT OF MEDICAL DEVICES Christopher Frenz

  4. WANNACRY Ransomware Attack of Pandemic Proportions

  5. WannaDie??? A whole new and wholly unacceptable meaning of denial of service

  6. HIPPOCRATIC OATH FOR CONNECTED MEDICAL DEVICES

  7. FDA GUIDANCE • FDA released pre- and post-market guidance on cybersecurity recommendations for medical devices • Guidance is a huge step in the right direction, but is currently non-binding • Even if all manufacturers comply tomorrow, it will take years before all in-place medical devices are replaced with more secure models

  8. SECURING THE NOW??? • How do healthcare institutions ensure that their current device deployments are done securely? • Even a device with all the security features in the world will be insecure if it is not deployed in a secure manner. What constitutes a secure medical device deployment?

  9. OWASP STANDARD • OWASP makes available a Secure Medical Device Deployment Standard • https://goo.gl/KecNw9

  10. PURCHASING CONTROLS • The best way to prevent risks from impacting your environment is to prevent them from being introduced in the first place • Security Audit • Privacy Audit • Support • List of software components

  11. PERIMETER DEFENSES • Medical devices should be denied access to the outside world wherever feasible • Firewalls • Network Intrusion Detection • Proxy/Web Filter

  12. NETWORK SECURITY CONTROLS • Do these devices really need to communicate with every other device on your network? The answer is NO!!! • Network Segmentation • Internal Firewalls • Internal NIDS • Syslog Server • Log Monitoring • Vulnerability Scanning • DNS Sinkholes

  13. DEVICE SECURITY CONTROLS • What are the security controls that should be configured on the devices themselves? • Change default credentials • Account Lockout • Enable Secure Transport • Spare copy of firmware • Backup of device configs • Baseline configurations • Encrypt Storage • Different User Accounts • Restrict Access to Management Interface • Update Mechanisms • Compliance Monitoring • Physical Security • Asset Management

  14. INTERFACES AND CENTRAL STATIONS • Computers and servers are often used to collect data and transmit data to other systems in the environment. These need to be secured as well. • OS Hardening • Encrypted Transport • Message Security • Updates

  15. SECURITY TESTING AND INCIDENT RESPONSE • Prove your deployments are secure and that you can really respond to an issue if it arises • Pen Tests • Incident Response Plan • Mock Incidents

  16. GROWING ADOPTION • Standard Covered in publications such as CSO Magazine, IAPP Privacy Perspectives, HelpNet Security, Health System CIO • Turkish Language translation recently donated by Erdal Yildiz

  17. OWASP ANTI-RANSOMWARE GUIDE • A defense-in-depth-based guide consisting of 45 suggested controls in the following categories • Perimeter Defenses • Network Defenses • Endpoint Defenses • Server Side Defenses • SIEM and Log Management • Backup and Recovery • Awareness Training • Incident Response • IoT • https://goo.gl/uOGAtZ

  18. QUESTIONS • https://www.linkedin.com/in/christopherfrenz/ • Thanks to Liz Belousov, Tony Alas, Bev Corwin, Erdal Yildiz
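
Slides 11 and 12 call for denying medical devices access to the outside world and for segmenting them from the rest of the internal network. The following is an added example, not part of the presentation or the OWASP standard, that audits flow records against a per-segment allowlist to show whether that segmentation actually holds; the subnets, ports, peer roles and flow lines are constructed assumptions.

```python
import ipaddress

# Assumed addressing plan (constructed for this example).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MEDICAL_NET = ipaddress.ip_network("10.20.30.0/24")
# Only these (destination, port) pairs are expected from the device segment.
ALLOWED_PEERS = {
    (ipaddress.ip_address("10.20.40.10"), 2575),  # central station (HL7 port)
    (ipaddress.ip_address("10.20.40.20"), 514),   # syslog server
    (ipaddress.ip_address("10.20.40.53"), 53),    # internal DNS resolver
}

# Constructed flow records: "source destination destination-port".
SAMPLE_FLOWS = """\
10.20.30.15 10.20.40.10 2575
10.20.30.15 10.20.40.20 514
10.20.30.16 10.20.50.77 445
10.20.30.17 203.0.113.50 443
10.20.50.77 10.20.40.10 2575
10.20.30.18 10.20.30.19 445
not a flow record
"""

def classify(src, dst, port):
    """Return None for out-of-scope or allowed flows, else a violation label."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in MEDICAL_NET:
        return None                      # only the device segment is audited
    if (dst_ip, port) in ALLOWED_PEERS:
        return None                      # expected clinical or logging traffic
    if dst_ip not in INTERNAL_NET:
        return "external"                # perimeter control failed (slide 11)
    return "lateral"                     # segmentation failed (slide 12)

def audit(flow_text):
    """Return (label, src, dst, port) for every flow that violates the policy."""
    findings = []
    for line in flow_text.splitlines():
        try:
            src, dst, port = line.split()
            verdict = classify(src, dst, int(port))
        except ValueError:
            continue                     # skip malformed records
        if verdict:
            findings.append((verdict, src, dst, int(port)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

Findings labelled `external` point at a gap in the perimeter firewall or proxy rules, while `lateral` findings point at a missing internal firewall rule or VLAN boundary.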