Uploaded as a courtesy by: Dave Sweigert

1. 1
Medical Device Risk Threat Modeling within the
Healthcare Cybersecurity and Emergency Management Domain
May 2017
Co-authors:
Kristina Freas, M.Sci., RN, EMT-P, CEM
And
Dave Sweigert, M.Sci., CEH, CISA, CISSP, EMT-B, HCISPP, PCIP, PMP, SEC+
ABSTRACT
Medical device cybersecurity risk management for healthcare facilities remains an
unmet need. Lightweight and accurate risk assessments will help healthcare
cyberinfrastructure partners fashion better incident response plans to respond to
and recover from cyber-attacks. Note: this document is scholarly research and
does not present legal, operations or management advice.
Executive Summary
This paper proposes urgent action for
hospitals and healthcare organizations
(HCO) to prevent and protect their
organizations from the next wave of
WannaCry virus activity targeted at
medical devices.
The WannaCry “all clear” signal has not
been sounded. Stage One of the
response addressed security of patient
data as the primary focus. Stage Two
addresses issues related to patient
safety -- vulnerability of medical devices.
For hackers (“cyber adversaries” in polite
company) the cat is now out of the bag,
difficult to patch medical devices with
outdated system and wireless security
our juicy targets for attack.
More troubling, the next wave of
WannaCry could be weaponized.
1
https://www.fda.gov/downloads/medicaldevices/de
Warnings issued by FBI
The FBI has warned of the threat of
ransomware cyber-attacks, specifically
aimed at medical devices, for almost two
years. But, as many medical devices do
not store, transmit or process personally
identifiable information (PII) the breach of
the device, technically, is not a “potential
patient data breach”.
This medical device cybersecurity issue
has been hiding in the regulatory
shadows of the U.S. Food and Drug
Administration (FDA)1. But, WannaCry
has now visibly and dramatically exposed
a macro-level set of vulnerabilities.
In sum, difficult to patch insecure devices
are providing a hacking gateway into the
hospital or HCO “secure” enterprise as
points in pivot attacks. Addressing this
type of threat is the subject of this paper.
viceregulationandguidance/guidancedocuments/uc
m482022.pdf

2. 2
Terms
Per RFC 49492:
Adversary: (1) an entity that attacks a
system, (2) an entity that is a threat to a
system
Threat Tutorial: A threat is a possible
danger that might exploit a vulnerability.
Thus, a threat may be intentional or not:
- "Intentional threat": A possibility of an
attack by an intelligent entity (e.g., an
individual cracker or a criminal
organization), - "Accidental threat": A
possibility of human error or omission,
unintended equipment malfunction, or
natural disaster (e.g., fire, flood,
earthquake, windstorm, and other
causes listed in FP031.
Per Committee on National Security
Systems (CNSS) Glossary:
Threat: Any circumstance or event with
the potential to adversely impact
organizational operations (including
mission, functions, image, or reputation),
organizational assets, individuals, other
organizations, or the Nation through an
information system via unauthorized
access, destruction, disclosure,
modification of information, and/or denial
of service.
Threat Assessment: Process of
formally evaluating the degree of threat
to an information system or enterprise
and describing the nature of the threat.
Per Wikipedia:
Cyber threat hunting: "the process of
proactively and iteratively searching
through networks to detect and isolate
2 https://tools.ietf.org/html/rfc4949
advanced threats that evade existing
security solutions.
Per the book Black Swan (Taleb)3
The Black Swan Theory refers to high-
impact, hard-to-predict, and rare events
beyond the realm of normal expectations.
Unlike the philosophical “black swan
problem,” the “Black Swan Theory”
(capitalized) refers only to events of large
magnitude and consequence and their
dominant role in history. Black Swan
events are considered extreme outliers.
A massive infection of medical devices
would paralyze the healthcare sector and
destroy the public’s confidence in
medicine. It would be a Black Swan
event.
Managing Macro Risk
“Low-probability, high impact”
The key to understanding macro-level
risks is to understand the Natural Hazard
Risk Assessment.
This paper challenges the industry to
initiate the rapid completion of a
nationwide risk assessment of vulnerable
medical devices.
The devices under consideration have a
similar threat surface to those desktops
and Windows devices that were infected
by WannaCry at the system level.
The macro-level societal and strategic
risks involved with this Black Swan threat
require industry-wide coordination with
the government to provide a synergistic
environment to mitigate this vulnerability.
3 The Black Swan: The Impact of the Highly
Improbable

3. 3
Macro-level strategic threats of
widespread cyber infections should
receive macro-level attention.
Threat modeling workshops
Potential threats to the institution’s critical
infrastructure (C.I.) can be identified in a
structured manner.
It is wise to demonstrate an institution
took a disciplined approach to preparing
for WannaCry Black Swan event.
A documented threat modeling workshop
or meeting demonstrates information
gathering and collection to ascertain the
true nature of the threat.
The end-goal in the later stages of a
threat modeling facilitated workshop, is to
identify gaps in cyber response and
recovery.
By focusing the discussion on the
identification of threats, the team begins
working together to develop a common
understanding of the threats. This should
be documented.
While in a threat modeling workshop,
discussions of technical solutions and
alternatives are premature. Rather,
understanding of realistic threats and the
impact with associated downstream
consequences.
Potential threats
T1 Insider threat, disgruntled employee
T2 Infected USB connected to laptop
T3 Fire causes sprinkler activation
T4 Car fire in the ED parking lot
T5 Workforce shortage due to disaster
Facilitating the Workshop
Document why a particular risk
assessment activity was undertaken for
the historical record.
Announce preliminary plans to host a
workshop, providing a description of the
activity, suggesting team composition,
arranging schedules. etc.
Address baseline assumptions:
 Threat modeling not a one-time event
 Keep discussions within realm of
possibility
 Provide baseline vocabulary
Blend different experts and perspectives.
Work towards building internal
partnerships.
Workshop ground rules should be
established to focus on viable external
and internal threats. Brainstorming and
new ideas should not be judged,
criticized or ridiculed.
Brainstorm a wide variety of threats to
warm the group up. Guide the
conversation towards cyber threats.
Record all the threats suggested by the
group.
Attempt to define threats in measurable
and practical terms to foster later
discussions.
Give examples of threats. Capture all
ideas.

4. 4
Example output of workshop
Issue:
Impacts to patient monitoring caused by
threats to Windows-based embedded
medical devices.
A hypothetical team classified three
major threat categories.
1. Impact to HIPAA privacy,
2. Entry point to enterprise network,
3. Unavailability of the device for task.
Create a threat chart, rank threats by
severity. Use teams input. Make a
second or third pass.
T7 USB malware infection
T3 Buggy software patches cause
more problems than they fix
T6 Cyber-adversaries obtain
access to enterprise core
network via device
T9 Attack may disable device, no
patient monitoring
Obtaining group consensus and closure
will be important to create a modular style
report that will feed future processes in
the sequence; e.g.: development of
impact analysis, asset valuation,
counter-measures strategy, etc. There
will be temptations to discard thorny
threats and modify the threat list.
Assets will need to be classified and
mapped to threats, specific device
vulnerabilities should be identified, and
assessment of risks and implementation
of risk mitigation plans will still need to be
worked out.
Note: These follow-on issues will be
addressed in future white papers on this
subject.
Cyber surveillance and threat
intelligence sharing
Active cyber threat hunting is an
emerging area in cyber security which
openly encourages creative pursuit of
threats to the enterprise. This approach
is similar to the Red Team concept of
penetration testing. Cyber threat hunters
are openly encouraged to monitor blogs,
twitter feeds, regulatory agency e-mail
broadcasts, hospital association alerts,
etc.
This is one of the most effective
approaches to the national cyber threat
for organizations with limited manpower
and C.I. counter-measures.
Within the Hospital Incident Command
Systems (HICS) active cyber threat
hunting may fall within the Intelligence
Group of the Plans Section.
Perhaps this group should be renamed to
the Black Swan group.
About the co-authors:
Kristna Freas, RN, EMT-P, CEM, is an
experienced emergency management
professional and Certified Emergency
Manager (CEM) specializing in the public
health and healthcare critical infrastructure
sector.
Dave Sweigert, EMT-B, is a Certified
Ethical Hacker. He holds advanced
emergency management practitioner
status conferred by FEMA and CalOES.
He holds advanced cybersecurity
practitioner status as well. He has written
the Field Operations Guide to Ethical
Hacking to empower cyber security
professionals during emergency incident
response.