systemic management of medical device cybersecurity march 2, … · 2017-07-20 · systemic...

© 2016 The MITRE Corporation. Approved for Public Release; Distribution Unlimited. Case Number 15-4031.

Systemic Management of Medical Device Cybersecurity

March 2, 2016 Suzanne Schwartz, FDA CDRH Associate Director for Science and Strategic Partnerships

Margie Zuk, Sr. Principal Cybersecurity Engineer, The MITRE Corporation


Conflict of Interest

Suzanne Schwartz, MD, MBA Margie Zuk, B.S., M.S.

Have no real or apparent conflicts of interest to report.


Agenda

• The Learning Objectives

• The Problem

• FDA and Cybersecurity

• The Stakeholder Engagement Study

• Gap Areas and Emerging Efforts

• What Healthcare Delivery Organizations Can Do Today to Improve Medical Device Cybersecurity


Learning Objectives

• Describe the challenges facing medical device cybersecurity from the device vendor (medical device manufacturer), Healthcare Delivery Organization (HDO), and cybersecurity researcher perspectives

• Identify steps your organization can take to help improve its cybersecurity posture, particularly with respect to medical device cybersecurity

• Recognize the current collaborative, cross sector effort to raise the cybersecurity maturity of medical devices in clinical environments


Improve

Patient Safety

Through coordinated

disclosure and

vulnerability sharing

Reduce the # of

PHI Breaches

Through improved medical

device cybersecurity

vulnerability

management


The Problem: Medical Devices

• Increasingly rely upon computers,

software, and networking

• Often incorporate third-party

software

• Are subject to regulation,

which can impact the ability

to patch and reconfigure

• Undergo limited clinical trials

• Are often developed without secure

development techniques


The Problem: Medical Devices in the Clinical Environment

• The health care and public health (HPH) critical infrastructure sector represents the largest attack surface for national security today

• Connected medical devices, like all other computer systems, incorporate software that are vulnerable to threats

• We are aware of cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations

• When medical device vulnerabilities are not addressed and remediated, they can serve as access points for entry into hospital/health care facility networks


VA Cath Lab temporary closure (1/10) due to malware infecting computers used during interventional cardiac procedures

“Hacking” of implantable insulin pump (Radcliffe, 8/11)

Security researchers present FDA with cyber vulnerabilities of medical devices due to hardcoded passwords (Rios & McCorkle, 4/13)

Vulnerabilities identified in PCA and other Infusion Pumps (Rios, 5/14-6/15)

The Problem: Incidents & Researcher-Demonstrated Examples


Executive Orders (EO), Presidential Policy Directives, and Framework to Strengthen Critical Infrastructure Cybersecurity

Presidential Policy Directive 8 (PPD-8): National Preparedness Post-Katrina: “federal departments and agencies to work with the whole community to develop a national preparedness goal and a series of frameworks and plans related to reaching specified goals.”

PPD-21: Critical Infrastructure Security and Resilience

Executive Order 13636: Improving Critical Infrastructure Cybersecurity a national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure

NIST Cybersecurity Framework: Voluntary risk-based framework to help organizations manage cyber risk

Executive Order 13691: Promoting Private Sector Cybersecurity Information Sharing


FDA Goals

• Meet our mission: safe and effective devices

• Raise cybersecurity awareness

• Promote safety and security by design through establishing clear regulatory expectation

• Promote coordinated vulnerability disclosure & proactive vulnerability management

• Minimize reactive approaches

• Foster ‘whole of community’ approach


FDA Public Workshops: Collaborative Approaches for Medical Device and Healthcare Cybersecurity

• Goals:

• Catalyze collaboration among all Healthcare and Public Health sector stakeholders

• Identify barriers that impede efforts towards promoting cybersecurity

• Advance the discussion on innovative approaches for building securable medical devices

• First workshop October 21-22 2014

• Co-sponsored with HHS and DHS

• Second workshop January 20-21 2016

• Co-sponsored with NH-ISAC, HHS and DHS

• Broad range of stakeholders


Timeline of Key FDA Activities

Began coordination with Department Homeland Security Industrial Control Systems Cyber

Emergency Response Team (DHS-ICS-CERT) in response to security researchers reporting

of vulnerabilities

2013 Issued Safety Communication on shared ownership and shared responsibility among

stakeholders, cyber hygiene

Engaged in outreach, education, and building collaboration

Executed Memorandum of Understanding with the National Health Information Sharing &

Analysis Center (NH-ISAC)

2014 Final Premarket Cybersecurity Guidance Released

Convened workshop, ‘Collaborative Approaches for Medical Device and Healthcare

Cybersecurity’

Ongoing coordination with DHS-ICS-CERT, medical device manufacturers and security

researchers on reported medical device vulnerabilities

2015 Fostered collaboration with multiple stakeholder groups across the ecosystem

Issued product-specific safety communications on medical device vulnerabilities

2016 Draft Postmarket Cybersecurity Guidance Released

Convened workshop, ‘Moving Forward: Collaborative Approaches for Medical Device and

Healthcare Cybersecurity’


Key Principles of Premarket Cybersecurity Guidance

• Shared responsibility between stakeholders, including health care facilities, patients, providers, and manufacturers of medical devices

• Address cybersecurity during the design and development of the medical device

• Establish design inputs for device related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 CFR 820.30(g)


Key Principles of Postmarket Management of Cybersecurity in Medical Devices

• Collaborative approach to information sharing and risk assessment

• Articulate manufacturer responsibilities by leveraging existing Quality System Regulation and postmarket authorities

• Align with Presidential EOs and NIST Framework

• Incentivize the “right” behavior

• Risk-based approach to assuring risks to public health are addressed in a timely fashion


Postmarket Cybersecurity Guidance – DRAFT • Cybersecurity Risk Management programs should include

– Understanding, assessing and detecting presence and impact of a vulnerability;

– Establishing and communicating processes for vulnerability intake and handling;

– Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk;

– Adopting a coordinated vulnerability disclosure policy and practice; and

– Deploying mitigations that address cybersecurity risk early and prior to exploitation


Medical Device Cybersecurity Risk Management

• Assessing Exploitability of the Cybersecurity Vulnerability

• Assessing Severity Impact to Health

• Evaluation of Risk to Essential Clinical Performance


FDA and MITRE

• MITRE helping to advance the FDA medical device cybersecurity vision

– Handshake portal for community discussion

– Medical device cybersecurity stakeholder engagement study and gap analysis

– Tailoring the Common Vulnerability Scoring System for healthcare

– Participating in medical device vulnerability and threat information sharing activities


MITRE Handshake Site: Medical Device and Healthcare Cybersecurity

• Virtual collaboration space for HPH sector to continue discussion from public workshop

• Over 170 participants

• FAQ with rules of engagement

• [email protected] – Individual requests account

– MITRE sends invitation

– Individual responds and creates account

– Individual joins Handshake

mailto:[email protected]


Medical Device Ecosystem

Industry

Patients

Researchers

Regulators

Payers

Venture

Capitalists

Health Care

Providers

Professional

Societies

Medical

Device

Ecosystem


The Stakeholder Engagement Study

Industry

Patients

Researchers

Regulators

Payers

Venture

Capitalists

Health Care

Providers

Professional

Societies

Medical

Device

Ecosystem

• Conducted stakeholder study

– Met with over 75 stakeholders across the medical device ecosystem

– Understand stakeholder perspectives

– Understand cybersecurity gaps and challenges


HDO Perspective

• Highly diverse: “If you’ve seen one hospital, you’ve seen one hospital”

• On the front lines to ensure patient safety, and ultimately responsible

• Medical device security is important, but one of many problems

• Management of medical devices different than IT devices

• Boards, C-suite, and doctors do not consider security a priority

• Difficult to convince manufacturers to fix discovered issues in existing product lines

• Uncoordinated vulnerability disclosures are disruptive


Medical Device Manufacturer Perspective

• Manufacturers are driven by

– Speed to market

– Regulatory emphasis on safety and privacy

• Manufacturers do not have sufficient knowledge of contested hospital environments

• HDOs do not provide security requirements in a consistent way

• Manufacturers view cybersecurity vulnerability researchers as disruptive

• Manufacturer size is a factor

– Smaller manufacturers can be more agile but have fewer resources to apply to security

– Larger manufacturers have adopted better practices but struggle with larger code bases


Cybersecurity Researcher Perspective

• Cybersecurity researchers include individuals, patients, and consultants

• Varying motivations and experience levels

• Many vendors are unprepared to receive vulnerability reports

• Lack of awareness about the clinical environment

• Often new to operating within a regulatory environment

• Find it difficult and/or expensive to gain access to devices


Cross Stakeholder Themes

• Patient safety is the highest priority

• Lack of trust across stakeholders

• NDAs between stakeholders reduces information sharing across the community

– HDOs can’t share internal evaluations with other HDOs

– Researchers can’t share information learned when under contract with an HDO/MDM

• Lack of tools to assess clinical impact and risk of vulnerabilities

• Some fear that real change might not occur until there is a patient death


Gap Areas

• Lack of alignment of goals between stakeholders

• Limited information sharing of threats, vulnerabilities, and best practices

• Lack of cybersecurity baselines for medical device classes

• Need cybersecurity solutions for large and small organizations

• Lack of clear association of technical impact of cybersecurity vulnerabilities to patient safety

• Lack of cybersecurity testing/certification of medical devices

• Lack of a systems engineering view across the lifecycle

• Need to develop incentives and business cases


Emerging Efforts

• Diabetes Technology Society Security Standard for Connected Diabetes Devices (DTSec)

• NIST National Cybersecurity Center of Excellence (NCCoE) Health IT Initiatives

• MDISS NH-ISAC Partnership for medical device vulnerability coordinated disclosure and sharing


DTSec • Developing a cybersecurity standard and evaluation process

• Focus on four device classes

– Blood Glucose Monitors (BGM)

– Continuous Glucose Monitors (CGM)

– Insulin Pumps (IP)

– Artificial Pancreas (AP)

• Established a technical community composed of clinicians, manufacturers, cybersecurity experts, academia, and government members

• Completed draft DTS Cybersecurity Standard and Protection Profile for Connected Diabetes Devices in December 2015


National Cybersecurity Center of Excellence (NCCoE)

Mission: Collaborate with innovators to provide standards-based

cybersecurity capabilities that address today’s business needs

• Partnership among industry, academics and government

• Example solutions to businesses’ most pressing cybersecurity

challenges in health and other sectors of the U.S. economy

– Securing Wireless Infusion Pumps – draft out Aug 2016

– Mobile Device Security for EHRs – guide published Sep 2015

– Data Integrity – white paper published Dec 2015


MDISS NH-ISAC Partnership

• Establish medical device information sharing council

• Include participants from the medical device ecosystem

– Healthcare delivery organizations

– Medical device manufacturers

– Cybersecurity tool and service vendors

– Vulnerability researchers

• Develop vulnerability handling process

• Inform healthcare community through NH-ISAC communications

• Piloting effort underway


Adopt a Cybersecurity Culture

– Robust cybersecurity cultures exist across multiple economic sectors including the financial, utility, and defense sectors.

– Risk mitigation during total product life cycle from conception to obsolescence

– Information sharing (with all stakeholders)

– Identify, protect, detect, response, recover

– Integrate and Iterate

– Hire/contract with appropriate personnel

– Security first; implement design features as well as compensating controls

– Cyber hygiene (configuration, access control, etc.)


Coordinated Vulnerability Disclosure

• Vulnerabilities are ubiquitous

• Vulnerability finders are not adversaries

• Shared interest in protecting against harm

• Coordinated disclosure relies on mutual respect and understanding of each party’s needs and constraints

• Leverage informational standards:

– ISO/IEC 29147 Vulnerability Disclosure

– ISO/IEC 30111 Vulnerability handling Processes

• Vulnerability Coordination Maturity Model (VCMM)

https://hackerone.com/blog/vulnerability-coordination-maturity-model









Key Takeaways

• Establish a Cybersecurity Risk Management Program

• Make cyber hygiene paramount

• Create a trusted environment for information sharing

• FDA seeks to foster a ‘whole of community’ approach

• Software updates for cybersecurity do not require pre-market review or recall (there are some exceptions)

• FDA will not be prescriptive with risk analyses

• Vulnerability disclosure policy, coordinated disclosure, and proactive vulnerability management are critical to improving the security posture of the ecosystem as a whole


FDA CDRH Future Vision

Regulatory clarity

• Premarket expectations

• Post market

expectations

Enable a platform for

maintaining cybersecurity

awareness –

Intentional and

unintentional threats

Post market surveillance

Stakeholder collaboration

• Device industry

• Healthcare organization

• Federal partners

• Researchers & experts


Summary

• It is a very complex ecosystem

• The ecosystem is evolving rapidly

• All stakeholders are working toward safer medical devices

• Collaboration is key

• The device we make safer today, may be in you tomorrow


Improve

Patient Safety

Through coordinated

disclosure and

vulnerability sharing

Reduce the # of

PHI Breaches

Through improved medical

device cybersecurity

vulnerability

management


Questions

• Suzanne Schwartz, FDA

[email protected]

• Margie Zuk, MITRE

[email protected]

available at the

Cybersecurity Command Center

Booth 9908 in Exhibit Hall G



systemic management of medical device cybersecurity march 2, … · 2017-07-20 · systemic...

Documents