High level overview of current security issues in medical device security, what is being hacked by security researchers, who are the major security players, hacking predictions, FUD vs. Reality.
Medical device security presentation - Frank Siepmann, by Frank Siepmann
Since I am not presenting (due to personal reasons) at the Medical Device Security conference 25/26 July 2016 in Arlington, VA, I thought I would post my slides about the current problems with Medical Device security and what can be done on a tactical level and what is needed at a strategic level.
Network Connected Medical Devices - A Case Study, by SophiaPalmira
In this session, we welcome Shankar Somasundaram, CEO of Asimily, Priyanka Upendra, Quality Compliance Director at Banner Health, and Carrie Whysall, Director of Managed Security Services at CynergisTek.
Together, they will discuss medical device security, covering all you need to know from medical device assessments to remediation efforts. Attendees will leave this session knowing how to apply what they have learned about medical device security in real life.
Breakout Session: Cybersecurity in Medical Devices, by Healthegy
Presentation by PwC at Medtech Conference 2016.
Participant:
Geoff Fisher, Director – PwC
Powered by:
Healthegy
For more healthcare innovation
Visit us at Healthegy.com
With advances in technology and the incorporation of software and microchips, medical devices have become more vulnerable.
Outsiders are hacking these devices using advanced techniques.
In the new world of connected healthcare, medical device manufacturers are challenged with cybersecurity issues to comply with the new FDA regulations. We examine the 5 domain areas of cybersecurity which apply to IoT HealthCare Vendors/ Providers.
Understanding Cybersecurity in Medical Devices and Applications, by EMMAIntl
One of the major pillars of the current Industry 4.0 is Automation. Indeed, technology is intervening in almost every domain to “automate” the workforce and make human life easier and better. In the present age, machines are getting integrated with the Internet of Things, Cloud Computing, and Artificial Intelligence with the data flow being transferred and processed via the Internet. These changes indeed catalyze the overall productivity, but also expose data to the public domains.
In cases of continuous data transfers and exposition, Cybersecurity becomes a pivotal element where it not only protects the data but also proactively provides mechanisms to defend against malicious attacks and malware. In the case of medical devices that include sensitive medical data flows and software-controlled hardware devices like heart implants or Continuous Glucose Monitoring (CGM) devices, Cybersecurity becomes an important factor for contributing towards system safety and quality...
Let Medigate inventory all of your connected devices, assign them clinically-based risk scores, generate risk assessment reports, and provide actionable remediation and mitigation insights to keep your patients, PHI and network safe. Learn more: https://www.medigate.io/
EU cybersecurity requirements under current and future medical devices regula..., by Erik Vollebregt
Presentation delivered at Q1 MEDICAL DEVICE CYBERSECURITY RISK MITIGATION conference in Washington on 25 July 2016 concerning EU cybersecurity requirements under current and future medical devices regulation
Security for Healthcare Devices - Will Your Device Be Good Enough?, by Rio Valdes
Learn which elements must be considered when designing healthcare devices
Why security challenges for wearables are greater than for an endpoint in a fixed location
Elements to consider when adopting security-by-design product
Cybersecurity, FDA digital health requirements
Medical Wearables
Use Case Studies
Nearly one in five healthcare CIOs have had a security breach within the past 12 months. Learn how TCS can help you keep sensitive patient data secure and protected.
Killed by code - mobile medical devices, by Flaskdata.io
There is a perfect storm of consumer electronics, mobile communications and customer need - the need to help people manage chronic diseases like Parkinson's, diabetes and MSA and to sustain life with pacemakers and ICDs.
DR. STEVEN GORIAH,
Vice President of Information Technology & CISO
Westchester Medical Center Health Network
The U.S. healthcare system is seeing a staggering amount of security breaches each year. In this session, you’ll learn about the role of a cybersecurity framework, best practices in choosing a framework, and which framework best fits your organization and why. Dr. Goriah will also speak on implementation, roles and responsibilities and why it's essential to create a culture of privacy and security.
So - guess what? Safety is not cyber security!
Managing cyber security for medical devices is a challenge for medical device vendors and regulatory consultants who are accustomed to estimating patient safety risk without having to explain and understand a complex, rapidly changing and interconnected environment of vulnerabilities, attackers, attacker entry points and zero-day threats.
In this updated version of a talk I gave 5 years ago - I show how to use threat modeling in order to provide a prioritized security countermeasure plan that will cost the medical device vendor the least amount of money and save him the grief of trying to deal with cyber threats in his safety risk analysis.
Privacy and Security by Design Spotlight Presentation at HIMMS Privacy and Security Forum, December 5th 2016. Presented by Jeff R. Livingstone, PhD, Vice President and Global Lead, Life Sciences & Healthcare, Unisys Corporation.
Cybersecurity is an increasing concern for many in the medical cybersecurity and information technology professions. As computerized devices in medical facilities become increasingly networked within their own walls and with external facilities, the risk of cyberattacks also increases, threatening confidentiality, safety, and well-being. This article describes what health care organizations and imaging professionals should do to minimize the risks.
Gradually we are all becoming more and more dependent on machines, we will be able to live longer with an increased quality of life due to machines integrated into our body. However, our dependence on technology grows faster than our ability to secure it, and a security failure of a medical device can have fatal consequences. This talk is about Marie's personal experience with being the host of a vulnerable medical implant, and how this has forced her to become a human part of the "Internet-of-Things".
Finnish Information Security Cluster meeting on March 21st in Helsinki. IoT in healthcare and the various current and emerging cyber security risks IoT brings into healthcare environment, especially hospitals, and their security requirements and frameworks; includes some examples of dark web activity.
TIPPSS for Enabling & Securing our Increasingly Connected World – Trust, Iden..., by PacificResearchPlatform
Securing Research Data: A Workshop on Emerging Practices in Computation and Storage for Sensitive Data - August 22, 2019
Florence Hudson, Founder and CEO, FDHint LLC
NSF Cybersecurity Center of Excellence, Indiana University - Special Advisor
Northeast Big Data Innovation Hub, Columbia University – Special Advisor
IEEE Engineering in Medicine and Biology Society – Standards Committee
CCDC 2012 Wireless Data Exfiltration - building and using low cost signal int..., by warezjoe
Mid-Atlantic CCDC 2012 presentation at Johns Hopkins Applied Physics Laboratory: Wireless Data Exfiltration - Air Intercepted Messaging & Electronic Espionage
Open Source Insight: Securing Software Stacks, Election Security, FDA Pacema..., by Black Duck by Synopsys
This week in open source: hidden threats are lurking in otherwise secure software stacks, open source software won't ensure election security, machine learning and open source. Plus three reasons cybersecurity may never catch up to cybercrime, 465k pacemakers are recalled, and software teams have something to learn from building radar detectors.
[Infographic] Healthcare Cyber Security: Threat Prognosis, by FireEye, Inc.
Data breaches cost the healthcare industry $6 billion a year. Learn how you can justify the cost for better healthcare cyber security in this infographic. For more information, visit https://www.fireeye.com/solutions/healthcare.html
PYA Principal Barry Mathis presented “Hot Topics in Privacy and Security,” at the Florida Hospital Association's 14th Annual Health Care Corporate Compliance Education Retreat.
The presentation explored:
• Changes in the privacy and security ecosystem.
• Emerging technology risks and hot topics.
• What happens to hacked data.
• How to best protect data.
APIsecure - April 6 & 7, 2022
APIsecure is the world’s first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security.
Raw and Unbridled Truth: Healthcare APIs
Jasmine M. Jackson, Senior Application Security Engineer at Disney
Nina Alli, Biohacking Village, Executive Director at Villageb.io
Information security threats (Information secur.docx), by wlynn1
Information security threats
Khaleem Pasha Mohammad
Campbellsville University
Introduction
The development of technology has been widely embraced in hospitals, has saved innumerable lives, and has improved the quality of care provision. Not only has technology changed how patients and their families are informed, it has also had a significant impact on the strategy and practices of practitioners. One of the areas that has embraced technology most is healthcare data. Technology has helped in the handling of healthcare records through the introduction of electronic health records, which replace paper records. With electronic health record (EHR) systems, a nurse can check a patient's allergies, case history, weight, age, and prescriptions at the press of a button. However, as much as institutions are embracing technology to keep their health records, a series of risks is associated with these technologies. Since technology began to be used for the upkeep of healthcare records, the healthcare industry has been a primary target for cyber crime. The motives behind cyber-attacks on healthcare are clear: insurance firms, hospitals, care clinics, and other healthcare providers keep health records that contain valuable information. The U.S. Department of Health and Human Services Office for Civil Rights has acknowledged that over 100 million people have been affected by healthcare data security breaches. In 2015, one of the biggest hacks on health care records, on Anthem Blue Cross, resulted in over seventy-eight million patients' health data being taken. The cyber-attack stole sensitive data that contained social security numbers, names, and residential addresses. The same year, Premera Blue Cross reported that a cyber-attack had exposed the medical information of over eleven million customers. Back in 2011, over 4.9 million health records were taken electronically from Science Applications International Corporation.
These are a few cases of healthcare data breaches in which sensitive data fell into the hands of third parties. To ensure privacy and security in healthcare records, the Health Insurance Portability and Accountability Act (HIPAA) provides legislation that hospitals and other institutions handling patient data must adopt to ensure that various security measures are enforced to protect data.
HIPAA and Security Compliance
As much as institutions are embracing technology for storing healthcare data, it is vital that regulations such as HIPAA govern these bodies to ensure that consumer rights are protected. The HIPAA Security Rule provides that electronic records of patients must be protected at all times from any unauthorized access, whether the information is at rest or in transit.
While mobile devices have improved efficiency and patient engagement while lowering costs, they’ve dramatically increased security risks. How can mHealth be safely implemented? View this slide show and learn:
• How mHealth increases security risks
• Where the greatest vulnerabilities lie
• How to improve mHealth security
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011
1. Medical Device Security: State of The Art Shawn Merdinger Network Security Analyst University of Florida & Shands Hospital Academic Health Center NoConName, Barcelona 16 September, 2011
2. Thoughts so far…. I’m very excited to speak at NoConName again Did VoIP phone security talk in 2006 A big thank you to Nico Cons take a lot of work and organization Done out of PASSION and not for $$$$ Important work that builds global connections, research opportunities and friendships
3. Obligatory Speaker Slide Doing security for 10 years Started at Cisco, did internal product hacking Also worked at TippingPoint, and a few other places… Did some private consulting Now: work and school in academic health center University of Florida Hospital, medical school, dentistry, pharmacy, nursing, etc. Network operations, some research on medical devices Getting 2nd master’s degree in Public Health Conference talks and travel when I can
4. Talk Overview What are medical devices How bad are the risks Who is doing research How you can get involved Trends and predictions Resources
5. Talk Goals You will have…. A better idea of medical device security risks Real world versus FUD and media hype Learned about current research Players, trends Gained insight for your own research, career Ideas / targets for vuln research, conference talks Learned useful medical device security resources Industry knowledge, Keep up to date, follow changes
6. What is a Medical Device? Some are obvious Implants, Infusion Pump, Radiation Many grey areas EMR (electronic medical record) Software Apps (iPad, etc.)
7. SCADA for the Human Body Parallels with SCADA security challenges Specialized devices Built on top of COTS (i.e. Windows, SQL, Java, etc.) Long operational timelines No downtime, critical operations Not designed to be patched Vendor maintained “Black Box” “Lost decade” Missed the opportunity to secure DigitalBondblog post
14. Security Risks to Medical Devices Software Quality Many software recalls already! Vendors not ensuring product security Always an afterthought “Bolt security on, not bake it in” Complexity Hard enough just to make devices “work” Now we must “secure” it? Integration into IT infrastructure = more attack surface Interference in wireless frequencies among devices
15. Security Risks Now part of integrated information systems Electronic Medical Record, data collectors Lack of FDA and FCC regulation and oversight Increasing, especially medical apps FDA Proposal July, 2011 Who owns (pays) for the problem (and fix)? Vendor, integrator, consultant, doctor, patient
16. It will get worse before it gets better But how do we really know how bad? Formal reporting incidents complex and tedious Lots of anecdotal reports Is it a software flaw? A bug? An attack? Identification of actual hacking is a huge challenge Few formal processes today Expect lots and lots of
17. It will get worse before it gets better
- Cyber: STUXNET-like attack targeting medical devices
- Nation-state / terrorism / secondary attack
- Competitors hacking each other’s devices
- Evil blackhats, hacktivists, disgruntled employees
- Possible, but doubtful. FUD alert!!!
18. So how bad is the risk? It depends….
- Biggest risk today is poor software design: errors, crashes, bad user interfaces
- Second biggest risk is “collateral damage”: COTS software pwned by viruses, trojans, bots; complexity of the environment
- Third biggest risk is disgruntled, evil or stupid employees
- Other risks: competitors, industrial sabotage; terrorism, nation-state, “Cyber”
- Growing “hacker” and security researcher interest: sexy topic, esoteric new gear, very personal, hot area
19. Real world threat: Power Outage
- San Diego blackout (Arizona + Mexico)
- 1 person made a mistake at a substation 300 km away in Yuma, AZ
20. Real world threat: Imposter
- Florida hospital; obtained legitimate I.D. Pwnd. How?
- Wanted more access; activity raised questions; weird statements; strange background; impersonated a cop
- Difficult situation: underage, juvenile, background check
- Wannabe Frank Abagnale?
21. Real world threat: Evil Employee
- Ghostexodus… security guard
- “Hacked” hospital HVAC
- Posted on forums, YouTubed his “hack”
- Pwned by Wesley McGrew
22. Poor Software: Therac-25
- First major failed medical device (1980s)
- Radiation treatment: linear accelerator
- Software bug: race condition
- Resulted in too much radiation (125 x normal dose)
24. Secure from What?
- How do you define “secure”? Proving a negative = impossible
- How do you prove “secure”? Cannot prove that a device is secure; can only prove resistance to tested attacks
25. MedDev Security is Hot!
- Pacemakers in 2008: BlackHat and DEFCON
- Public exposure; US Congress involved
- meh.
26. MedDev Security is Not New
- “Best Practices” documents; several working groups, consortiums
- Good info, but no power or stick to drive change: “work together with vendors… blah, blah”
- HIMSS medical device security workgroup in 2004
- University HealthSystem Consortium medical device security effort in 2005
- Formal FDA statements: FDA guidance for COTS software published in 2005; addresses patching for vulnerabilities
31. Academic Researchers
- Dr. Kevin Fu, University of Massachusetts: heart pacemaker (2008)
- Dr. Tadayoshi Kohno, University of Washington: heart pacemaker (2008)
- Dr. Mark Gasson, University of Reading: infected RFID tag in hand
- Dr. Nathanael Paul, Oak Ridge National Lab: insulin pump (2010)
- Steve Hanna, UC Berkeley: automated external defibrillators
- Bobak Mortazavi, UC Los Angeles: pulse oximeter
33. Security Research Predictions
- What will we see in the next 2 years? More of what security researchers can get…
- Personal medical devices (hacking their own)
- Low-end medical equipment (Ebay)
- Pharmacy dispenser cabinets (device aftermarket)
- Home medical equipment (grandmother’s box)
- Other medical equipment (defibrillator)
34. Hacker Access to Medical Devices
- Access to MedDev documentation: hackers love documentation
- MedDev vendors have tight document control: very difficult to find and download; restricted information, non-disclosure agreements
- Access to devices: difficult to acquire in many cases
- US federal law restricts sale of some devices; US aftermarket is a very grey area
35. Ebay & Medical Devices
- Medical pharmacy cabinets, patient monitoring, diagnostic systems, data storage, COW (Computer on Wheels), etc.
- Ebay search results for “medical ethernet”
36. Security Research Predictions
- Apps, Apps, Apps: 17,000 medical apps
- Many types: personal health monitoring; specialty (PACS, DICOM, Electronic Medical Record); connected to medical devices (diabetic insulin pumps)
- Month of Medical App Bugs? Need this for Med Apps -> DerbyCon (30 Sept., 2011)
37. Trends to Watch
- Expect a big industry and gov’t fight: what is a medical device? Who has regulatory control? Lobby money, politics, etc.
- Who owns the problem? Who is legally liable?
- US Supreme Court “Medtronic ruling” impact? Limits vendor liability for FDA-approved devices
- Lots and lots more FUD: Fear, Uncertainty, Doubt; media sensationalism
38. Trends to Watch: Stifled Security Research
- Researchers are reluctant to name vendors. Why?
- Fear of getting sued by companies; research scares powerful people; media coverage adds to fear; academics want research funding
- Jerome Radcliffe = public fighting with Medtronic. Stay tuned to this….
- “Cone of Silence”
39. Careers and Job Outlook
- Expect growth and demand for security pros; will accelerate in next 1-3 years
- Industry is building a new ecosystem: vendors, device manufacturers, consultants, hospital IT
- Hot security areas: healthcare IT security (hospitals, vendors, consulting); medical mobile app security analysis
- Expect a certification process from FDA
- Big security firms (McAfee, Symantec, etc.); boutique firms (Fishnet)
40. Want to hack? Target Mobile Medical Apps.
- Why? Cheap, accessible platform; ties into other medical devices = broad attack surface; research, attack tools and docs available
- Security evaluation of multiple apps: development set-up for iPhone / Android; look at the marketplace, target popular apps
- When hacking, look for: personal information disclosure; read, write, modify, destroy data; crash + execute + exploit
- Send your bugs to CERT/CC and FDA and FCC
- Write whitepapers, talk at security conferences
41. Resources
- USENIX HealthSec Conference: http://www.usenix.org/event/healthsec11 and http://www.usenix.org/event/healthsec10
- Draft Guidance - Mobile Medical Applications (July, 2011): http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM263366.pdf
- IEC 80001-1: Application of Risk Management for IT-Networks Incorporating Medical Devices: http://www.iso.org/iso/catalogue_detail.htm?csnumber=44863
- Getting Started with IEC 80001: Essential Information for Healthcare Providers Managing Medical IT-Networks: http://www.aami.org/publications/Books/80001‐GS.html
- HITSP – Health Information Technology Standards: http://www.hitsp.org
42. Resources
- Medical Device Security Center: www.secure-medicine.org
- Medical Device Isolation Architecture Guide, Department of Veterans Affairs: http://www.himss.org/Content/files/VA_VLAN_Guide_040430.pdf
- FDA: Cybersecurity for Medical Devices is a Shared Responsibility: http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm189111.htm
- FDA medical device related databases: http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/Databases/default.htm
43. Resources
- HIMSS Manufacturer Disclosure Statement for Medical Device Security – MDS2 (2004)
- MDISS - Medical Device Innovation, Safety and Security Consortium: www.mdiss.org
- North Carolina Healthcare Information & Communications Alliance Vendor Security Matrix (2003)
- Killed by Code: Software Transparency in Implantable Medical Devices: http://www.softwarefreedom.org/resources/2010/transparent-medical-devices.html
- Therac-25: http://www.bowdoin.edu/~allen/courses/cs260/readings/therac.pdf, http://sunnyday.mit.edu/papers/therac.pdf, http://www.ircrisk.com/blognet/?tag=/cancer
44. Thanks!
- MedSec group on LinkedIn – please join
- Twitter: @shawnmer
- shawnmer@ufl.edu, shawnmer@gmail.com
Editor's Notes
Points: I’m very excited to speak at NoConName again. Did a VoIP phone security talk in 2006. A big thank you to Nico. Cons take a lot of work and organization, done out of PASSION and not for $$$$. Important work that builds global connections, research opportunities and friendships.
Doing security for 10 years. Started at Cisco, did internal product hacking. Also worked at TippingPoint, and a few other places… Did some private consulting. Now: work and school in an academic health center, University of Florida: hospital, medical school, dentistry, pharmacy, nursing, etc. Network operations, some research on medical devices. Getting a 2nd master’s degree in Public Health. Conference talks and travel when I can.
What are medical devices. How bad are the risks. Who is doing research – academic, hackers, companies. How you can get involved – ideas for your own hacking fun. Trends and predictions. Resources.
After this talk, you will hopefully have… A better idea of medical device security risks: real world versus FUD (fear, uncertainty, doubt) and media hype. Learned about current research: players, trends. Gained insight for your own research, career: ideas / targets for vuln research, conference talks. Learned useful medical device security resources: industry knowledge, keep up to date, follow changes.
Points: Some devices are classified as medical devices, some are not. There is a lot of “Grey Area” – for example, an iPad is not a medical device by itself, but if an iPad is used to view a medical image like the picture on the right, then does it become a medical device? It is unclear from a government and regulation position RIGHT NOW… but that will likely change.
Points: Medical devices are in many ways like SCADA systems. Specialized. Built on top of COTS – commercial off the shelf systems. Long operational timelines. No downtime, critical operations. Not designed to be patched. Vendor maintained “Black Box”. The “Lost Decade” is a reference to a blog post by Dale Peterson at Digital Bond. The main point is that we have let vendors “off the hook” as far as holding them responsible and pushing for more secure SCADA software. We are at more risk than ever, and we really had a chance to make a difference but we blew it…
Points: Notice all of the computers and medical equipment. Most of that is running on Windows, or maybe an embedded Linux. In the near future we will see more devices. We will also see more remote access – specialist doctors will operate from hundreds of kilometers away.
Points: Medical networks are very complicated. There are many different devices, operating systems, protocols (including wireless). The core network is the same old stuff we are used to – switches, routers, etc. Pay attention to the BAN – Body Area Network – this is going to be a growth area and new personal health devices will now be connecting to the network. Perhaps someday nano sensors in the bloodstream – each with an IPv6 address!
And you thought he didn’t have any “heart” (looking for a Spanish word that fits “heart” in this context). It is true, Dick Cheney has no heartbeat. The pump makes a “whhhiirrrr” noise!
This is a scary picture. Marketing guys like this one a lot. But it is a good example of how most people see this technology and how it fits.
Some examples of medical devices that are for personal use.
Grandma’s got a new computer! And it hooks up to her blood pressure machine! This is an Intel product and is in clinical trials and testing. Will provide video conferencing, connection to medical devices like blood pressure, glucose monitors, etc. Will provide medication reminders, alerts, appointment reminders. I predict this will be the first big solution for home medical use. We *might* see this at Defcon 20 ;-)
Software quality is not great in medical devices and there have been many software recalls already. Vendors are not ensuring product security and it is the “same old story” of security being an afterthought and having to later “bolt security on, not bake it in” from the beginning. Medical devices are complex and it is hard enough just to make devices “work” -- now we must “secure” them? The integration into IT infrastructure means a wider attack surface. More devices can lead to interference in wireless frequencies among devices.
Points: Now part of integrated information systems. Lack of FDA and FCC regulation and oversight, this is changing. Who owns the problem? Who pays for the fix? What are the costs and for whom? Vendor, integrator, consultant, doctor, patient?
Points: It will get worse before it gets better. Today, there are problems with how we measure and track vulnerabilities in medical devices. We rely on medical people to report bugs. Lots of informal reports and stories of bugs, exploits. We are at the early stages of medical device forensics, being able to recognize an attack or a bug. Expect lots of “facepalms” because it is frustrating and we will see a lot of stupid bugs and attacks happen that should have no chance. It is like 1995 as far as security and medical devices. We have not even seen the “ping of death” yet!
Points: A real nightmare possibility is a Stuxnet attack targeting medical equipment – like a radiation machine. Who would do this? Terrorists. Competitors trying to hurt each other in the market. Evil hackers, hacktivists, disgruntled employees. This is what the media likes to sensationalize. It is “sexy” and scares people. Reality is this is possible, but not very likely to happen SOON. But we will see this in the next 2-5 years.
Points: So what are the biggest risks to medical devices today? Bad software. The Windows box that a medical device runs on gets pwned with a virus/worm. Evil or stupid employee – for example, checking a webmail account with the browser of a medical device PC… yes, it happens all the time! Other risks are what I talked about in the slide before.
Points: What will hurt you? Things like power outages caused by one guy 300 kilometers away. And of course the back-up generators failed at two hospitals. Had to move people from the Intensive Care Unit (the most severely ill people) to other hospitals – transport, movement, stress.
A 17 year old student in Florida obtained legitimate I.D. He was discovered because he wanted more access to hospital areas and this raised questions – he also made some weird statements (undercover police officer on a secret case). These are difficult situations with people this young. Hard to do a background check. Maybe he thought he was Frank Abagnale from the movie “Catch me if you can”?
Points: The security guard infected hospital computers with his own special botnet. He also hacked the hospital HVAC (heating and AC). Bragged online about a “Fire Sale” -- same line as from Die Hard 4 and the cyberattack that “everything must go.” This got a lot of attention. Tracked down and busted online by Wesley McGrew. Now in Texas prison for 9 years. And there is no air conditioning in Texas prisons.
Points: This was the first major medical device failure caused by a software bug. Killed several people. Injured many others. Root cause was a race condition programming error that would give 125 times the normal dose.
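Added example (not from the talk, and not a reconstruction of the Therac-25 software): a simplified Python model of the bug class this slide describes. Two setup steps each read the operator's selected mode at different moments; an edit that lands between them leaves the beam at high energy with the target out of the path. The hardened variant re-checks the whole configuration against the prescription right before the beam is enabled and refuses to fire after a mid-setup edit. The mode names, hardware fields and event sequences are assumptions made for the illustration; only the 125x factor comes from the slide.

```python
"""Constructed example: a treatment-setup race of the kind the slide describes.

The modes, hardware fields and event sequences are an illustration of the
bug class, not a reconstruction of the Therac-25 software. The 125x figure
is the one the slide cites.
"""
from dataclasses import dataclass

OVERDOSE_FACTOR = 125  # illustrative, from the slide


@dataclass
class Prescription:
    mode: str          # "electron" or "xray", as entered by the operator
    version: int = 0   # bumped on every operator edit

    def edit(self, new_mode):
        self.mode = new_mode
        self.version += 1


@dataclass
class Hardware:
    beam_energy: str = "off"        # "low" for electron mode, "high" for x-ray mode
    target_in_place: bool = False   # the x-ray target must be in the path for "high"


def expected_settings(mode):
    """The only consistent hardware states: low beam, no target; high beam, target in."""
    return ("high", True) if mode == "xray" else ("low", False)


def configure_beam(hw, rx):
    """Setup step 1: reads the prescription *now* and sets the beam energy from it."""
    hw.beam_energy = expected_settings(rx.mode)[0]


def configure_target(hw, rx):
    """Setup step 2: reads the prescription again, possibly after an operator edit."""
    hw.target_in_place = expected_settings(rx.mode)[1]


def delivered_dose(hw, intended):
    """A high-energy beam with the target out of the path is the overdose case."""
    if hw.beam_energy == "high" and not hw.target_in_place:
        return intended * OVERDOSE_FACTOR
    return intended


def run_treatment(events, initial_mode, intended, safe):
    """Replays one interleaving of setup steps and operator edits.

    events: sequence of "beam", "target", ("edit", mode) and "fire".
    Returns ("delivered", dose) or ("interlock", reason).
    """
    rx = Prescription(mode=initial_mode)
    hw = Hardware()
    setup_version = rx.version  # the prescription version the setup started from
    for ev in events:
        if ev == "beam":
            configure_beam(hw, rx)
        elif ev == "target":
            configure_target(hw, rx)
        elif isinstance(ev, tuple) and ev[0] == "edit":
            rx.edit(ev[1])
        elif ev == "fire":
            if safe:
                # Re-validate the complete configuration immediately before enabling the beam.
                if rx.version != setup_version:
                    return ("interlock", "prescription edited during setup; restart setup")
                if (hw.beam_energy, hw.target_in_place) != expected_settings(rx.mode):
                    return ("interlock", "hardware state inconsistent with prescription")
            return ("delivered", delivered_dose(hw, intended))
    return ("interlock", "fire never reached")


# Operator selects x-ray, setup configures the beam, operator corrects to electron
# before the target step runs: beam stays high, target goes out of the path.
RACE = ["beam", ("edit", "electron"), "target", "fire"]
CLEAN = ["beam", "target", "fire"]
HALF_SETUP = ["beam", "fire"]  # setup interrupted after step 1, beam enabled anyway

if __name__ == "__main__":
    print(run_treatment(RACE, "xray", 1.0, safe=False))
    print(run_treatment(RACE, "xray", 1.0, safe=True))
    print(run_treatment(CLEAN, "xray", 1.0, safe=True))
```

The unsafe run of RACE delivers 125 times the intended dose; the safe run stops on the version check. The second check in the safe path catches a different failure, HALF_SETUP, where nothing was edited but the hardware never reached a consistent state. Checking the mode variable alone would miss both; the check has to be on the actual hardware state, as a whole, at the last moment before the beam is enabled.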
Points: A McAfee software update put many PCs into a non-bootable state. Each PC had to be physically worked on to recover. This affected many hospitals. Great example of how complexity is the enemy of security. This is supposed to protect you and instead hurts you!
Points: Kind of a philosophical slide. What does it mean to be secure? How can you prove something is secure? You cannot do this! If someone tells you “it is secure” the first question you should ask is “secure from what?” In computer security, you can only prove that it resists tested attacks.
Points: Because of academic research and recent hacker conference presentations, medical device security is now HOT. I’m not overly impressed. MEH.
Points: Medical device security may be HOT now, but it has been around for years, at least since 2003. Lots of meetings, best practices documents, “we have to work together”. In 2005, FDA provided info on how and when to add patches. The problem with patching medical devices is that if there are changes to the function, it has to go through FDA re-certification, which is expensive, complex and takes time.
Points: This should be the scariest slide. Why? Because this says there is no one really regulating software. FDA does not regulate software. It regulates medical devices. We are back to the question of “what is a medical device?”
Points: But FDA does do some good things, like have reporting databases like MAUDE. This provides tracking of issues, and there are several security-related categories to search.
Points: This is an example free-text search for “buffer overflow” and the resulting 10 records.
Points: Will talk about who the “players” are in the field these days.
Points: All of these people have university web pages, papers, etc. online.
Medical device presentations from 2011 Blackhat and Defcon 19. Jerome Radcliffe – hacked his own insulin pump. Tim Elrod and Stephan Morris - Fishnet security guys. Working on DICOM fuzzing tools. See the Fishnet website for more information.
Points: What will we see in the next 2 years? More of what security researchers can get… Personal medical devices (hacking their own). Low-end medical equipment (Ebay). Pharmacy dispenser cabinets (device aftermarket). Home medical equipment (grandmother’s box). Other medical equipment (defibrillator).
Points: Hackers love documentation. It allows them to learn all about the software. Medical device companies typically have VERY tight document control. You will not typically be able to easily find technical manuals, admin guides, etc. Access to devices can be hard. US law restricts the sale of some types of devices – you have to be a legitimate medical provider, doctor, etc. There is a very grey aftermarket. If you look hard enough for a device, you can probably find it. Exceptions would be implantable devices… those are very hard to get.
Points: Here are some examples of what I found on US Ebay doing a search for “medical ethernet”. If I wanted to start targeting devices, I would buy them off of Ebay, and start doing network attacks. If it has a network interface, it’s a target for full port scans, Nessus, fingerprinting, etc. Look for any listening services and go after them. Will probably see telnet, etc. Pro Tip: passively sniff the network interface using a hub when you first boot up the device. Does it “phone home” over the network?
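As an added example (my code, not the speaker's), a first-pass triage of the “does it phone home” check above: parse a first-boot capture, list every destination the device contacts outside the lab network plus the DNS names it looks up, and list the TCP ports it answered on, which is the target list for the port-scanning step. The capture is a constructed, simplified text rendering of what tcpdump or Wireshark would show, the addresses are documentation ranges, and the device, vendor and port details are assumptions for the illustration.

```python
"""Constructed example: first-boot traffic triage for a second-hand network device.

BOOT_CAPTURE is a constructed, simplified text rendering of a capture
(time, protocol, src -> dst, flags or notes), not pcap; in practice it would be
exported from tcpdump or Wireshark. Addresses are documentation ranges and the
device, vendor and port details are assumptions for the illustration.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "ts proto src sport dst dport info")

DEVICE_IP = "10.20.30.40"          # the device, once DHCP has completed
LOCAL_NETS = ["10.20.30.0/24"]     # the isolated lab segment the device is plugged into

BOOT_CAPTURE = """\
0.00 arp 0.0.0.0 -> 255.255.255.255 who-has 10.20.30.1
0.12 udp 0.0.0.0:68 -> 255.255.255.255:67 DHCP-Discover
0.90 udp 10.20.30.40:5353 -> 224.0.0.251:5353 mDNS
1.05 udp 10.20.30.40:49152 -> 10.20.30.1:53 DNS-A telemetry.vendor.example
1.31 tcp 10.20.30.40:49153 -> 203.0.113.10:443 S
1.33 tcp 10.20.30.40:49154 -> 198.51.100.7:21 S
2.00 tcp 10.20.30.40:49155 -> 10.20.30.9:104 S
9.80 tcp 10.20.30.200:55000 -> 10.20.30.40:23 S
9.81 tcp 10.20.30.40:23 -> 10.20.30.200:55000 SA
9.90 tcp 10.20.30.200:55001 -> 10.20.30.40:80 S
9.91 tcp 10.20.30.40:80 -> 10.20.30.200:55001 SA
"""


def _split_endpoint(endpoint):
    host, _, port = endpoint.partition(":")
    return host, (int(port) if port else None)


def parse_capture(text):
    packets = []
    for line in text.splitlines():
        ts, proto, src, _arrow, dst, *info = line.split()
        src_host, src_port = _split_endpoint(src)
        dst_host, dst_port = _split_endpoint(dst)
        packets.append(Packet(float(ts), proto, src_host, src_port,
                              dst_host, dst_port, " ".join(info)))
    return packets


def phone_home(packets, device_ip, local_nets):
    """Everything the device initiates to addresses outside the lab nets, plus the
    DNS names it asks for (the name says where it wants to go even when the lab
    has no route out)."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    device_srcs = {device_ip, "0.0.0.0"}  # before DHCP completes it sends from 0.0.0.0
    findings = []
    for p in packets:
        if p.src not in device_srcs or p.proto == "arp":
            continue
        if p.dport == 53 and p.info.startswith("DNS"):
            findings.append(("dns", p.info.split()[-1]))
            continue
        dst = ipaddress.ip_address(p.dst)
        if p.dst == "255.255.255.255" or dst.is_multicast:
            continue  # link-local chatter (DHCP, discovery), not a remote contact
        if not any(dst in net for net in nets):
            findings.append(("external", p.proto, p.dst, p.dport))
    return findings


def listening_services(packets, device_ip):
    """TCP ports the device answered with SYN-ACK: the services to go after next."""
    return sorted({p.sport for p in packets
                   if p.proto == "tcp" and p.src == device_ip and p.info == "SA"})


PACKETS = parse_capture(BOOT_CAPTURE)

if __name__ == "__main__":
    for finding in phone_home(PACKETS, DEVICE_IP, LOCAL_NETS):
        print("phone-home:", finding)
    print("listening:", listening_services(PACKETS, DEVICE_IP))
```

On this constructed capture the device resolves a vendor telemetry name, tries 443 and plain FTP on two external hosts before anyone has logged in, talks DICOM to a local host, and answers on telnet and HTTP. Each of those is a lead: the external endpoints tell you what the update or support channel looks like, and the listening ports are where the port scan and service enumeration start.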
Points: There are many medical apps available for Apple and Android. Some are just for entering data, like tracking blood pressure and manual data entry. Other apps are viewers for special images like x-rays. I think we need a Month of Medical App Bugs to raise awareness. Even better would be a quarter of bugs – that is 90 days, with a bug in a different app for each day. Look at what is happening to SCADA. DerbyCon is a new hacker conference. 100 SCADA bugs in 100 days presentation.
Points: Trends to watch. We are going to see industry and government conflict over medical devices. What is a medical device? Who has the power to regulate? Expect politics and lobby money to influence. The medical device industry spends lots of money to lobby politicians. The biggest question of all: Who is legally liable? Who can get sued if something bad happens. The US Supreme Court ruled that if the device is passed by FDA, then there is “limited liability” – this means the company might have to pay for damages, but not as much as if the damage was because of negligence. We can expect more Fear, Uncertainty, Doubt and media sensationalism – making the story seem a bigger threat than it really is in the real world.
Points: Notice that in almost all of the research the companies and specific products are not named. If there was full disclosure a lot more information and the company name would be made public. I believe this is because many researchers are afraid of getting sued by companies. Also, university academic researchers want funding money, so they do not want to make companies and industry angry. It is different with some researchers. Jerome Radcliffe at first did not name the company in his Blackhat presentation because he was working with them. However, the company Medtronic and he have different opinions on fixes and other issues, and now to put more pressure on Medtronic, Jerome has made more information public. This is a situation to watch.
Points: Healthcare security is a hot area. Demand will grow for security professionals in the next few years. Why? Because of new technology (like Electronic Medical Record) and new risks. You have choices where to go: vendors / device makers, be a consultant, work in hospital IT. Watch the big security players and medical IT – they are really trying to get into the market! Some cool boutique firms like Fishnet as well.
Points: If you want to do some hacking, why not do a security evaluation of medical apps. Remember there are so many at around 17,000. I recommend finding bugs in multiple apps, and publishing a “month of medical app bugs”. Build a test environment on your PC – use Apple and Android developer kits. What to look for in app bugs? Personal information hidden in the app. Try to read, write, modify/change, or destroy data in the app. Crash and get executable code, l33t. Be a whitehat hacker and send your bugs to CERT/CC, FDA and FCC. Write a whitepaper, publish your tools, talk at security conferences.
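For the “personal information disclosure” check on slide 40 and in the notes above, an added example (not from the talk or from any real app): build a throwaway SQLite file shaped like a health-tracking app's local store, confirm it is stored unencrypted, and scan every table for cells that look like personal data or plaintext credentials. The schema, sample rows and column-name heuristics are constructed assumptions; on a real target the file would be pulled from the simulator, emulator or device.

```python
"""Constructed example: audit an app's local data store for disclosure of personal data.

Builds a throwaway SQLite file shaped like a health-tracking app's store
(constructed, not taken from any real app), then runs the checks against it.
"""
import os
import re
import sqlite3
import tempfile

# Value-shape detectors (constructed heuristics; tune per target)
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}
# Column names that carry personal or clinical data regardless of value shape
SENSITIVE_COLUMNS = re.compile(r"name|dob|birth|ssn|mrn|email|phone|diagnos|glucose|insulin", re.I)
# Keys in key/value tables that should never hold a plaintext value
SECRET_KEYS = re.compile(r"pass(word|wd)?|token|secret|api[_-]?key", re.I)


def build_sample_store(path):
    """Constructed fixture standing in for what an app wrote to disk."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE patient(id INTEGER PRIMARY KEY, name TEXT, dob TEXT, ssn TEXT, email TEXT);
        CREATE TABLE readings(id INTEGER PRIMARY KEY, patient_id INTEGER, taken TEXT,
                              glucose_mgdl INTEGER, note TEXT);
        CREATE TABLE settings(key TEXT, value TEXT);
        INSERT INTO patient VALUES (1, 'Jane Example', '1970-01-02', '123-45-6789', 'jane@example.test');
        INSERT INTO readings VALUES (1, 1, '2011-09-01', 142, 'after lunch');
        INSERT INTO readings VALUES (2, 1, '2011-09-02', 98, 'fasting');
        INSERT INTO settings VALUES ('sync_password', 'hunter2');
        INSERT INTO settings VALUES ('api_token', 'abc123def456');
        INSERT INTO settings VALUES ('units', 'mg/dL');
    """)
    con.commit()
    con.close()


def is_plain_sqlite(path):
    """An unencrypted SQLite file starts with its magic header; encrypted stores do not."""
    with open(path, "rb") as f:
        return f.read(16) == b"SQLite format 3\x00"


def scan_store(path):
    """Returns (table, column_or_key, kind, value) for every cell that looks like
    personal data, sits in a sensitive column, or is a credential stored in the clear."""
    findings = []
    con = sqlite3.connect(path)
    tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
        for row in con.execute(f'SELECT * FROM "{table}"'):
            for col, cell in zip(cols, row):
                if SENSITIVE_COLUMNS.search(col):
                    findings.append((table, col, "sensitive-column", cell))
                if isinstance(cell, str):
                    for kind, pat in PII_PATTERNS.items():
                        if pat.search(cell):
                            findings.append((table, col, kind, cell))
            # key/value tables: flag credentials and tokens stored in plaintext
            if "key" in cols and "value" in cols:
                key = str(row[cols.index("key")])
                if SECRET_KEYS.search(key):
                    findings.append((table, key, "plaintext-secret", row[cols.index("value")]))
    con.close()
    return findings


def audit(path):
    return {"unencrypted": is_plain_sqlite(path), "findings": scan_store(path)}


def run_demo():
    """Creates the constructed store in a temp dir and audits it."""
    path = os.path.join(tempfile.mkdtemp(), "health.sqlite")
    build_sample_store(path)
    return audit(path)


if __name__ == "__main__":
    result = run_demo()
    print("unencrypted:", result["unencrypted"])
    for item in result["findings"]:
        print(item)
```

Every finding is something to put in the report under “personal information disclosure”: an unencrypted store with a name, date of birth, SSN, e-mail, glucose readings, a sync password and an API token readable by anything that can get at the file. The same scanner can be pointed at any SQLite file pulled from an app sandbox; the regular expressions and column-name list are the part to adapt to the target.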
Points: Some helpful resources. USENIX HealthSec has papers and some video of talks. Very good resource. Only been going for 2 years, so you know this is a new topic.
Points: Medical Device Security Center – mostly academics here, but some good papers. The Isolation Guide is how the US Department of Veterans Affairs handles medical device security – they have 50,000 devices and have created 3,500 separate VLANs. This is a good start, but there is a lot of overhead with managing changes, both in the network and in new device features.
Points: MDISS – has a very useful question paper to give to medical device vendors – asks them about security in the product in a technical fashion. This document is old and needs updating, but it is a start. North Carolina has a better technical questionnaire document to give to vendors. Use this with the MDISS document and you have a good set of questions. “Killed by code” – is a paper advocating open source code in medical devices. Lots of lawyers in this organization and it is one to watch as more vulnerabilities come to public attention and the lawyers get involved more. Therac-25 – some documents on the first really bad medical device failure that killed people.
Points: I started MedSec on LinkedIn about 2 years ago. The group now has over 200 people. Many of the academic people I mentioned are in the group, and also people from big companies, medical device vendors, consultants, etc. Please send a request to join the group and I will add you. A lot of the information comes from me posting news, papers, talks, research, etc. It is also a good way to contact other researchers and companies. You can email me at shawnmer@ufl.edu or shawnmer@gmail.com.