
Standardizing the Secure Deployment of Medical Devices


Talk on the OWASP Secure Medical Device Deployment Standard, given at the 2017 DEF CON Biohacking Village

Published in: Devices & Hardware

  4. WANNACRY Ransomware Attack of Pandemic Proportions
  5. WannaDie??? A whole new and wholly unacceptable meaning of denial of service
  7. FDA GUIDANCE
     • FDA released pre- and post-market guidance on cybersecurity recommendations for medical devices
     • Guidance is a huge step in the right direction, but is currently non-binding
     • Even if all manufacturers comply tomorrow, it will take years before all in-place medical devices are replaced with more secure models
  8. SECURING THE NOW???
     • How do healthcare institutions ensure that their current device deployments are done securely?
     • Even a device with all the security features in the world will be insecure if it is not deployed in a secure manner.
     What constitutes a secure medical device deployment?
  9. OWASP STANDARD
     • OWASP makes available a Secure Medical Device Deployment Standard
  10. PURCHASING CONTROLS
     • The best way to prevent risks from impacting your environment is to prevent them from being introduced in the first place
     • Security Audit
     • Privacy Audit
     • Support
     • List of software components
  11. PERIMETER DEFENSES
     • Medical devices should be denied access to the outside world wherever feasible
     • Firewalls
     • Network Intrusion Detection
     • Proxy/Web Filter
  12. NETWORK SECURITY CONTROLS
     • Do these devices really need to communicate with every other device on your network? The answer is NO!!!
     • Network Segmentation
     • Internal Firewalls
     • Internal NIDS
     • Syslog Server
     • Log Monitoring
     • Vulnerability Scanning
     • DNS Sinkholes
  13. DEVICE SECURITY CONTROLS
     What are the security controls that should be configured on the devices themselves?
     • Change default credentials
     • Account Lockout
     • Enable Secure Transport
     • Spare copy of firmware
     • Backup of device configs
     • Baseline configurations
     • Encrypt Storage
     • Different User Accounts
     • Restrict Access to Management Interface
     • Update Mechanisms
     • Compliance Monitoring
     • Physical Security
     • Asset Management
  14. INTERFACES AND CENTRAL STATIONS
     • Computers and servers are often used to collect data and transmit it to other systems in the environment. These need to be secured as well.
     • OS Hardening
     • Encrypted Transport
     • Message Security
     • Updates
  15. SECURITY TESTING AND INCIDENT RESPONSE
     • Prove your deployments are secure and that you can really respond to an issue if it arises
     • Pen Tests
     • Incident Response Plan
     • Mock Incidents
  16. GROWING ADOPTION
     • Standard covered in publications such as CSO Magazine, IAPP Privacy Perspectives, HelpNet Security, Health System CIO
     • Turkish-language translation recently donated by Erdal Yildiz
  17. OWASP ANTI-RANSOMWARE GUIDE
     • A defense-in-depth-based guide consisting of 45 suggested controls in the following categories
     • Perimeter Defenses
     • Network Defenses
     • Endpoint Defenses
     • Server Side Defenses
     • SIEM and Log Management
     • Backup and Recovery
     • Awareness Training
     • Incident Response
     • IoT
  18. QUESTIONS
     • Thanks to Liz Belousov, Tony Alas, Bev Corwin, Erdal Yildiz
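
The perimeter and network segmentation points on slides 11 and 12 can be checked against firewall flow logs. The following is an added example, not part of the talk or the OWASP standard: the addressing plan, allowlist, log format and sample records are all constructed assumptions.

```python
import ipaddress

# Assumed addressing plan (hypothetical; the slides name the controls, not addresses).
DEVICE_NET = ipaddress.ip_network("10.20.0.0/24")   # medical device segment
SITE_NET = ipaddress.ip_network("10.0.0.0/8")       # everything internal to the site
ALLOWED = {                                         # the only destinations a device needs
    ("10.30.0.10", 2575),                           # central station / interface server
    ("10.30.0.20", 514),                            # syslog server
}

# Constructed firewall flow records: "src dst dport action"
SAMPLE_FLOWS = """\
10.20.0.15 10.30.0.10 2575 ALLOW
10.20.0.15 10.30.0.20 514 ALLOW
10.20.0.16 10.20.0.15 445 ALLOW
10.20.0.17 203.0.113.7 443 ALLOW
10.20.0.18 198.51.100.9 80 DENY
10.40.0.5 10.30.0.10 443 ALLOW
"""

def classify(src, dst, port):
    """Return the policy violation type for one flow, or None if it is acceptable."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in DEVICE_NET or (dst, port) in ALLOWED:
        return None                    # not a device flow, or explicitly allowlisted
    if d not in SITE_NET:
        return "external"              # perimeter: device reaching the outside world
    if d in DEVICE_NET:
        return "device-to-device"      # segmentation: lateral traffic between devices
    return "internal-unapproved"       # segmentation: internal host not on the allowlist

def audit(flow_text):
    """Return findings; ALLOWed violations are rule gaps, DENYed ones were blocked."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, action = line.split()
        kind = classify(src, dst, int(port))
        if kind:
            status = "rule-gap" if action == "ALLOW" else "blocked"
            findings.append((status, kind, src, dst, int(port)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

A "rule-gap" finding means the firewall let through traffic the deployment policy does not call for; a "blocked" finding shows the control worked but the device still attempted the connection, which is worth following up in log monitoring.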