This presentation is intended for the customer facing risk managers, sales staff, and IT staff of a medical device manufacturer and their medical doctors and IT hospital and clinical counterparts. It is intended to give an overview and highlight process considerations for incident management and reporting of cybersecurity issues. It is based on the technical paper published by Pam Gilmore and Valdez Ladd in the ISSA Journal in 2014.

1. THE FDA and Medical Device
Cybersecurity Guidance
Valdez Ladd, MBA, CISSP, CISA
Pam Gilmore ISSA Raleigh, NC

2. THE FDA and Medical Device Cybersecurity

FDA’s scope is beyond HIPAA

(Privacy & Security Rule)

Health Informatics-Provisions for Health
Applications on Mobile/Smart Devices.

Application of risk management for IT-networks
incorporating medical devices.

FDA and Wireless Frequency Devices

* Complements HIPAA’s security risk analysis

3. Vulnerability discovery

January 2013

Cybersecurity Cylance researchers Billy Rios and
Terry McCorkle.

Identified 300 pieces of medical equipment
vulnerable to cyber attacks

* firmware , embedded passwords and weak
authentication.

4. 
June 13, 2013 FDA Safety Communication:


Cybersecurity for Medical Devices and Hospital
Networks.

Assure that appropriate safeguards are in place
to reduce the risk of failure due to cyber attacks
for medical devices
Design security into the manufacturing process,
document it and communicate it to hospitals, etc.
THE FDA and Medical Device Cybersecurity

5. THE FDA and Medical Device Cybersecurity

6. Risk Analysis
Beyond C-I-A to Medical PAINS
CIA:
Confidentiality, Integrity, & Availability
PAINS
Privacy, Availability, Authentication, Integrity,
Non-repudiation and Safety

7. Risk and Compliance

8. Security Capabilities

Access controls best practices

Remove “hardcoded” passwords


Limit Access to trusted uses

Role based access with time limitations

Physical locks on devices

9. Incident Response

Use of Fail-Safe and Recovery

- Security features are recognized, logged and
acted upon

- Logging--Devices will need capacity for
logging diagnostic data. Capabilities varies
depending on device design

Forensics--Data captured in Hazard report

10. Incident Response

Ensure trusted Content with strong
authentication and encryption.

Customer notification process.

11. CyberSecurity Design
Document

FDA 501k Premarket Approval submissions by
manufacturer now require cybersecurity risk
analysis and protections in the design of their
medical devices:

1. Hazard analysis, mitigations and design

2. Traceability Mix

3. Antivirus

12. Manufacturer Disclosure Statement
for Medical Device Security (MDS2) v2
Developed by HIMSS and the National Electrical Manufacturers
Association (NEMA)
Since 2013 Medical device manufacturers have to disclose the
cybersecurity features of medical devices they sell to healthcare
providers.
A hospital risk assessment tool to assess the vulnerabilities and risks of
the medical devices.
Allows easy comparison of security features across different devices
and different manufacturers

13. Intrusion Detection is defined as:
"...the act of detecting actions that attempt to compromise the confidentiality,
integrity or availability of a resource."1
More specifically, the goal of intrusion
detection is to identify entities attempting to subvert in-place security controls.
Intrusion Detection and Mobile Devices

14. What are the risks with Health information and mobile devices
Assets: What is valuable in the system and how could it be lost?
Attackers and their motivations: Who would want to do something
bad and why?
What role does compliance, regulations and guidelines play in securing data?
Mobile Devices and health information
Defenses: What more could be done to prevent or mitigate attacks?

15. How can an attacker change the authentication data?
What is the impact if an attacker can read the user profile data?
What happens if access is denied to the user profile database?
*Spoofing vs. authentication……....…...….
*Tampering vs. integrity……………..….......
*Repudiation vs. non-repudiation….....…….
*Information disclosure vs. confidentiality
*Denial of service vs. availability………...
*Elevation of privilege vs. authorization…..
STRIDE MODEL

16. Types of Attacks
Carrier Based Methods
Man in the middle (MiTM) attacks which can steal data
Hijack wireless transmission.
Endpoints based methods
Inject code to tamper with web application or web services
Stealing user sensitive phone contents using Malwares
Wireless interfaces based methods
Stealing data when its in-transit using wireless channel
Exploit access and authentication access
An adversary steals sensitive data by reading SD Card based stored content
An adversary exploits OS level functionalities steal data from device
Rooting or Jailbreaking the phone to access sensitive data from memory

17. APT’s: Advanced Persistent Threats
Detecting APTs To aid in detecting Advanced Persistent Threats (APTs)
*The Splunk platform alerts IT on attempts to remotely access the hospital’s
infrastructure from foreign countries such as Russia. Russia has become well
known for infecting sites with malware.
*Many attack vectors starting with phishing email to infiltrate malware, analysts
can correlate Exchange, antimalware servers and firewall logs for evidence of
questionable downloads.
*“Splunk allows cross-reference of any data, identifying attack patterns and
unauthorized actions that would otherwise go undetected. Search for particular
virus signatures to determine which devices are infected.

19. Wearable Medical Devices

20. 1.) Pacemaker
2.) Insulin pumps
3.) Smart glasses (Google, Vuzix)
4.) Smart watches (Google, Apple)
5.) Smart clothing (RFID tags)
Wearables- Risks & Possible Solutions

21. Middlesex hospital video
Splunk and security (intrusion detection)

22. Success Stories from Healthcare corporations
IRhythm--
Challenges
- iRhythm is a rapidly growing medical device and service company.
- iRhythm required an efficient and effective way to monitor business processes,
- establish baseline performance across their entire operation and continue to
- track that performance as the business evolved.
BUSINESS IMPACT
*Operational intelligence and longterm planning
*Business process monitoring through
every stage of the business model
*Operational intelligence without
investing in a data warehouse
*Secure data management for HIPAA

23. Success Stories—ING--Financial
Ensuring Regulatory Compliance
Financial services companies are subject to an ever increasing
set of regulatory requirements that include Sarbanes-Oxley,
PCI and Basel II, among others.
*Splunk indexes data generated by the technologies that need to
be monitored for regulatory compliance.
*It enables rapid retrieval of log data requested by
IT auditors.
“With Splunk we achieved ROI within 60 days, and we’re able
to better meet compliance mandates and improve auditing and
reporting best practices, despite reducing our compliance staff.”
Legg Mason

24. Splunk and Compliance
• Splunk demonstrates compliance with HIPAA requirements related to
unauthorized access of ePHI records. Splunk software is able to take proactive
measures to pinpoint any security breaches related to ePHI records.
Security Regulations:
• FISMA – For government agencies, Splunk Securely collect, index and store all
your log and Machine Data along with audit trails to meet NIST requirements.
The continuous monitoring process steps in NIST 800- 137 (draft) are listed as:
Define, Establish, Implement, Analyze/ Report, Respond and Review/Update.
•
HIPAA - Splunk instantly assesses reports of EPHI leakage and meets HIPAA’s
explicit log requirements. HIPAA and EPHI security and privacy rules include
explicit requirements for audit trail collection, review, automated monitoring and
incident investigation.

25. Splunk and Compliance
• PCI - Rapid compliance with explicit PCI requirements for log retention/review
and change monitoring, comprehensive reporting on all PCI controls such as
passwords and firewall policy.
• SOX - Splunk search of compliances mandated routine log review easy and
straightforward. For IT controls based on ITIL, COBiT, COSO, ISO 17799, BS-7799
audit and reporting.

26. Conclusion

Since 2014 future devices will have device
cybersecurity product life-cycle from design to
operation to disposal.

Result will be strengthening of HIPPA Privacy
and Security Rule in areas of Risk


Analysis for medical device purchases


27. About the Authors
Valdez Ladd – MBA, CISSP, CISA, COBIT 4.1
ISO/TC 215 - Health informatics, WG 4, Privacy and Security, (2011-2013)
WEDI.org
Cloud Security Alliance
ISACA.org
ISC2.org
contact: www.linkedin.com/in/valdezladd
Pam Gilmore - BS Business Administration Management concentration. Member
of ISSA Raleigh, NC chapter. She has been a key leader for editing of Dex One
company security policy documentation and review. Technical focus is in Incident
Handling, Information Security and Architecture.