...allowing me to come in and talk for a few minutes this afternoon. I'll tell you a fun fact about me: I actually have 14 children at home, so medical device security is nothing compared to 14 kids. Basically, when two of them are teenage boys, in terms of electronics and games and hacking they'll keep you on your toes.

So, a little bit about medical devices this afternoon, real quick. I'll try not to bore you guys, but this is an interesting topic. You know, the medical device care and feeding back at our health system was done by our biomedical engineering group, and they will tell you, and I will tell you, that they are woefully understaffed. I think there is a recognition of that fact, and there's definitely going to be a lot more resources put towards the cybersecurity of medical devices in our environment on a go-forward basis, so I'm looking forward to what their future holds.

So let's see the definition of what the FDA calls a medical device: "an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part or accessory, which is recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them; intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals; or intended to affect the structure or any function of the body of man or other animals; and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals, and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes." And so, from the FDA website, you know, medical devices range from simple tongue depressors and bedpans to complex programmable pacemakers with microchip technology and laser surgical devices. If a product is labeled, promoted or used in a manner that meets the definition in Section 201(h) of the Federal Food, Drug, and Cosmetic Act, it will be regulated by the FDA as a medical device and is subject to premarketing and postmarketing regulatory controls. So, not getting into the breakdown of the FDA classes, you guys probably know there's Class I, II and III devices, and as you progress through the classes there's different requirements, more stringent requirements, from the FDA as you go up the class level.

So let's talk about some of the hacking that's happened with medical devices in the past. In 2008 we saw Kevin Fu demonstrate a pacemaker hack, and if you guys don't know about that or didn't read about it, basically he was able to program it and shut it down, or to have it deliver an electrical charge to the patient that could be lethal, and so that is rather significant. He also was able to glean personal patient data from the device just by sniffing the traffic that was coming from it and eavesdropping on that. In 2011 Jerome Radcliffe at the Black Hat conference demonstrated an insulin pump hack. In 2013 we had vulnerabilities that were discovered in a wide range of devices, including surgical and anesthesia devices, ventilators, infusion pumps, defibrillators, patient monitors and lab equipment, and that was from Billy Rios. In 2014 we had multiple alerts that came out from government agencies about medical device issues, including ICS-CERT and the FBI and FDA and Homeland Security as well. In 2015 we had TrapX and Protiviti that demonstrated medical devices were actively being exploited by cyber criminals as entry points into hospitals. And then in 2014 and also 2016 we saw the FDA cybersecurity guidance for premarket submissions and postmarket management released, and those are some requirements that I'm going to talk more about here in a few minutes. And then of course this year you guys all know what happened with WannaCry and the health systems that were shut down in Great Britain; very significant issues going on in terms of that.

So, some of the challenges that we face. One of the biggest ones is asset management: the sheer volume of devices that we have, which is north of 30,000, not all connected to the network, mind you, but the numerous issues around tracking these devices are difficult, mainly because they're so small and mobile, and so you can imagine how difficult it is to have a good handle on asset management when it comes to these devices. I'm going to show in a few minutes some of the ways we're trying to resolve that issue.

Updates from vendors on vulnerabilities have been difficult. We are a member of the NH-ISAC, and part of the NH-ISAC is a medical device listserv which my team monitors, and gets regular updates that are coming out to that listserv about vulnerabilities and issues that are talked about. Our biomedical engineering group is a member of another listserv from a group called ECRI.

And then we really need to have vendors work on a proper SDLC in terms of developing their applications, so that when they develop apps that are medical devices they do it in a proper way that's not going to require a user to be running on the machine with admin rights. That's a desktop management issue, if you will, but it's definitely one that we see on medical devices as well. And vendors are historically (now they're getting better, but historically) not very focused on security risks when it comes to medical devices. So if there's an FDA certification involved, it's very expensive to get that device recertified, and so I think the cost of that is one of the driving factors that drives these vendors not to want to go through the recertification process. But you know, there were also rumors that if it's an FDA certified device you can't patch it. Well, that's not exactly true, but we know in the past that they have prevented patching of systems that are FDA certified, so that's been a problem for us.

And then vendors often, if they need to access your network in order to support that device, will dictate the method by which the remote access is going to occur. So if you don't play by their rules then you don't get to be a part of the game, which is, you know, difficult for us if they're the only vendor in the space that provides that, so we have to negotiate those things with vendors.

Some additional challenges: you know, getting them to assess the risks around their devices. Just as an example, I've been back and forth over the last few weeks with two different vendors over contracts, because as the contracts come across my desk and I get to review them, I start asking questions. We actually have a security questionnaire that we send to all our vendors that does sort of a risk assessment on the vendor and the application. But in talking to the vendors, you know, a lot of them will tell you that they've got an FDA certification on their device, but "we don't really care about security on our corporate network, we're not really going to care about patch management, we're not going to do vulnerability scanning, we're not going to do penetration testing, we don't really care about security on our corporate network, but our device is FDA certified, so you can trust us, we're all good." So that gives me a lot of consternation, and I've had some difficult conversations in the last few weeks with vendors about, I mean, if your software development is going on at your corporate office and you don't really care about security there, and a hacker gets onto your network, I mean, how difficult is it going to be for them to implant a backdoor or some malicious code in that application that still is going to end up on my network? So it's a difficult conversation, and I'm trying to spur these guys on to ever-increasing usefulness around that.

Getting them to manufacture devices that can be updated without chip replacement is a challenge. Vulnerability testing of production devices is not favorable, and when I talk about this testing I'm talking about in my environment. So if I've already got a medical device that's in production, it's not only risky for me to do a vuln scan on that device, especially if it's attached to a patient, but, you know, trying to find the test equipment to do it in an offline manner is also challenging. So you can see how vulnerability testing of these devices is a challenge.

Wireless devices present challenges, because you can't create a VLAN for a device that's going to run between multiple buildings, and you're going to mix the risk levels: you're going to have something that needs to be really secure mixed in with something that roams over to a user VLAN, where it's a very unsecure, or not as secure, network segment. So many wireless devices present a challenge. Wireless radios in these devices are not nearly as strong as you might find in a laptop, so getting them to connect is often challenging. Telemetry devices are supposed to be on a protected band, but often we see that there's overlap, and this causes interference with some of our telemetry devices because of that overlap, where it's supposed to be a protected band, so we have issues around that.

Updates to the devices can be very manual. Just for example, a vital sign monitor: you have to download the update, test it on a test device, find production devices to update when they're not in use, and then manually transfer the update. So you can see how labor-intensive it is for a device like that to actually be updated; it takes a long time when you have hundreds. Different firmware versions on the same model device can cause software issues, so if you've got the same make and model of a device in two different instances and they're running the same software version but different firmware versions, that can cause issues.

And so these questionnaires that I mentioned earlier that we send out, it's like a paper risk assessment basically; well, I would refer to it as a non-technical assessment, but they reveal such issues that we found on some of these devices, like default passwords, the need for proper sanitization or disposal of the old devices, the need for unique user accounts (some of them don't support that), and then the need for session timeouts, and then also password complexity. These are some of the sort of non-technical things that we see.

So we've got a number of agencies that are trying to help in this area. I want to cover some of that real quick so you guys can see what resources are out there for you all if you happen to be in this industry. The NCCoE, the National Cybersecurity Center of Excellence, released a draft of the NIST cybersecurity practice guide on securing wireless infusion pumps in healthcare delivery organizations on May 8th of this year. The ECRI Institute I mentioned earlier is one of the listservs; they also have a medical device safety report, and you can get that from their website. The FDA released final guidance on the postmarket management of cybersecurity in medical devices, and this is something I mentioned earlier: this guidance recommends that manufacturers actively participate in an information sharing and analysis organization such as the NH-ISAC, which I mentioned that we are a member of. Active participation includes sharing vulnerability information with the ISAO and having documented processes for assessing and responding to vulnerability and threat intelligence information received from the ISAO, so that's a big help to us. The third thing is they've got a fact sheet that talks about patching of these medical devices, and I mentioned earlier how there was a myth going around that you could never patch a medical device because it would fall out of compliance with FDA. Well, this is from their fact sheet right here; it says "medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity." So that's straight from the FDA, so that's good to know.

Recently there's been a Memorandum of Understanding between the FDA, the NH-ISAC and an organization called MDISS. MDISS is the Medical Device Innovation, Safety and Security Consortium. This collaboration is encouraging the sharing of cybersecurity vulnerabilities, it's helping to develop awareness of the Framework for Improving Critical Infrastructure Cybersecurity, and then it's encouraging innovative strategies to assess and mitigate vulnerabilities that affect their products. And I'll talk about how they're doing that in the next few slides. The one at the top of the list is something called MD-VIPER, which stands for Medical Device Vulnerability Intelligence Program for Evaluation and Response. So MD-VIPER is going to support FDA's postmarket guidance; it's going to provide medical device vulnerability sharing, which I talked about; it's going to create an open community of medical device cybersecurity stakeholders; it's promoting a consensus and consistency of vulnerability reporting and information sharing approach and process; and then contribute significantly to medical device cybersecurity education; and then number six is going to foster situational awareness of medical device cybersecurity threats, best practices and mitigation strategies. That last bullet leads into the next slide, which talks about this National Cybersecurity Safety and Surveillance Network. There's three components to it: the MD-RAP, the MD-SATI and the MD-VISI, and you can see what those acronyms stand for. Basically the MD-RAP is going to give standardized risk assessments, a platform for multiple methodologies, data collection, scoring and reporting, and then crowd-sourced data sharing. The MD-SATI, which is more about surveillance and threat intelligence, is going to collect malware and intrusion experience, it's going to have incident alerts, and it's going to have threat indicator information. The MD-VISI is going to give us real-time requirements for manufacturers, it's going to collect device and model vulnerabilities, and it's going to incorporate data from the National Vulnerability Database. So those three things, you can see from that Security, Safety and Surveillance Network, are really going to be beneficial for us to move forward in this discussion that we're having today on medical device security.

Something else has just been released this month, June 2017. There was a task force commissioned, what's called the Health Care Industry Cybersecurity Task Force: 21 individuals on this task force from multiple verticals, including HHS, so the government's involved in this as well, but a lot of private industry folks are on this task force. So the report on improving cybersecurity came out this month. They have recommendations underneath the imperatives that they came out with; the second imperative in this document is specific to medical devices and increasing the security and resilience of those medical devices, and underneath each one of these recommendations that I'm about to list out are many, many action items that organizations can take to help advance the cybersecurity efforts in their organizations. So the first recommendation: secure legacy systems. The second one was to improve manufacturing and development transparency among developers and users. The third thing was to increase adoption and rigor of the secure development lifecycle in the development of medical devices. The fourth, require strong authentication to improve identity and access management for healthcare workers, patients and medical devices. The fifth one, to employ strategic and architectural approaches to reduce the attack surface for medical devices, EHRs and the interfaces between these products. The sixth one was to establish a medical computer emergency readiness team to coordinate medical device specific responses to cybersecurity incidents and vulnerability disclosures. So you can see how that will be very beneficial, especially the action items that are listed under each of those recommendations, and I encourage you guys to go out and look at that document. This lists the links there on the bottom, and I'll share the slides with anybody that wants them.

So what are we doing in our organization? Obviously the castle strategy is something everybody's familiar with: the big stone structure with the moat around it, lots of layers of defense. One of the things that I'm doing is really trying to inject myself into the procurement process for our medical devices, to make sure that I get to review those contracts as they come through and that we're looking for the proper things that we want these vendors to be doing. One of those things is a form called the MDS2 form, and if you're familiar with medical devices you might be familiar with this form, but it basically asks the vendor a lot of questions about how they are protecting that device, what controls they've implemented on the device to actually allow for the proper security controls on the device itself. So I'll show you a sample screenshot of what this form looks like in just a second.

Wireless tracking is one thing that we're doing for our devices. For devices that don't inherently have a wireless radio, we have installed wireless tags on these devices so that we can track them from a triangulation standpoint. The system that we developed is called Fetch; it's a homegrown system that uses the Blink protocol to track those devices.

Segmentation obviously is crucial. That goes into the castle strategy I was talking about, but obviously keeping these devices segmented onto a private VLAN or behind a firewall is the most important thing that we can do from a security standpoint initially, before we take other steps.

Passive vulnerability scanning is something that we are about to start. We have purchased a device that is going to sit on the network and listen to the traffic as it goes by and look for vulnerabilities. This device is really intended for more traditional vulnerabilities; it's not specific to medical devices, but we are hoping that we're going to be able to find some issues that need to be remediated by sniffing that traffic with this passive scanner. And I'm sure that if we have success with it our vendor will be instantly asking me to do a case study on how all that works and how well it went, so you could hear more about that later.

We're doing risk assessments, obviously, of the devices, and that's more, like I said, of a paper assessment: it's a questionnaire that goes down a list of questions that we ask to discover, you know, how the devices communicate, and in particular we prioritize the devices that communicate to the Internet or that are going to interface with our EMR, our electronic medical record. So we're most definitely going to prioritize those devices at the top of our list to be assessed.

And then we're going to adopt standards. There's an ISO standard, 80001, that specifically relates to medical devices; if you guys haven't seen that before you can Google that and search for it and find it easily.

The last thing is we are considering some options for assessing the various electronic emissions that come from medical devices. So as you can imagine, it's not just wireless that we're talking about, but there's Bluetooth, there's radio signals, there's all different types of emissions that might come from a medical device, and we would like to take steps to evaluate those emissions to see, you know, like we saw in the last example, are they spitting out passwords in plaintext, things like that. We want to be able to discover those and try to work with the vendors to get those resolved.

This is the MDS2 form. You probably can't read that, but it basically shows you at the top the device model and manufacturer; that's some of the most critical information for me to have from an asset inventory standpoint, so that I can know at a point in time that we were running version 1.2 of this software code. So when a vulnerability does come out, we've got an inventory to bounce that up against, to see if we have those devices and go from there.

Fetch, as I mentioned earlier, is the wireless device tracking system that we've developed internally. It's a homegrown system; it provides real-time tracking for Wi-Fi connected devices on our health system networks, and the devices that don't have internal wireless radios have these little Wi-Fi tags placed on them so that we can track them. One of the benefits of Fetch is that we could have preventative maintenance schedules that are maintained in Fetch, and then we've got an asset database of tracked devices with a last known location. And so this is an example, a screenshot of Fetch. You can see in the top left corner we're tracking right now devices that are smart pumps, there's a device called a WOW, which is a wireless on wheels, wheelchairs, bladder scanners and something called a Propaq. And then you can see the first column shows if it's online or offline, then we've got a location (I blacked out some of that to protect the innocent), a model and a serial number, and then you can see in that fourth column there it shows the time that we last talked to that device. And so from there we can actually pinpoint on a map of our organization where those devices are; you can see a little green circle over there on the right hand side. This is a broader map of another location of the devices, in green and red, where green is online currently and red means that's the last known location that device was seen. So if we need to go and try and put hands on it and track it down, this is how we go about doing that.

I think that's my last slide. What questions do you guys have? Yes sir. Well, so, we obviously have a wireless network throughout the campus, and so when the device emits a signal to try to attach to a wireless access point, based on where those access points are located we can triangulate the device. What else? All right guys, thanks for your time, I appreciate it. [Applause]
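The speaker makes two points that reduce to the same piece of plumbing: an inventory keyed on manufacturer, model and software version is what you "bounce" a new vulnerability advisory against, and units of the same model running mixed firmware versions are a source of trouble. The following is an added example illustrating both, not code from the speaker's organization or from Fetch. Every inventory row, advisory ID ("ADV-HYPO-..."), vendor and model name is constructed for the example; the advisory feed format (a vendor/model pair plus a version constraint on the software version) is an assumption, since the talk does not describe what the listserv entries look like.

```python
"""Added example: reconcile a device inventory against vulnerability advisories.

All data below is constructed. The advisory IDs, vendors, models and versions
are hypothetical placeholders, not real products or real vulnerabilities.
"""
import re
from collections import defaultdict

# Constructed inventory rows, shaped like the fields the talk says matter for
# asset inventory: manufacturer, model, software version, firmware, serial.
INVENTORY = [
    {"vendor": "ExampleMed", "model": "SmartPump X", "sw": "1.2",  "fw": "4.0.1", "serial": "SP-0001"},
    {"vendor": "ExampleMed", "model": "SmartPump X", "sw": "1.2",  "fw": "4.0.3", "serial": "SP-0002"},
    {"vendor": "ExampleMed", "model": "SmartPump X", "sw": "1.3",  "fw": "4.0.3", "serial": "SP-0003"},
    {"vendor": "ExampleMed", "model": "VitalsMon 7", "sw": "2.10", "fw": "9.1",   "serial": "VM-0100"},
    {"vendor": "OtherCo",    "model": "BladderScan", "sw": "1.2",  "fw": "1.0",   "serial": "BS-0042"},
]

# Constructed advisories (hypothetical feed format): affected vendor/model and
# a comma-separated version constraint on the software version.
ADVISORIES = [
    {"id": "ADV-HYPO-0001", "vendor": "ExampleMed", "model": "SmartPump X", "affected": "<1.3"},
    {"id": "ADV-HYPO-0002", "vendor": "ExampleMed", "model": "VitalsMon 7", "affected": ">=2.0,<2.9"},
    {"id": "ADV-HYPO-0003", "vendor": "ExampleMed", "model": "VitalsMon 7", "affected": "==2.10"},
]

_CONSTRAINT = re.compile(r"^(<=|>=|==|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text):
    """Turn '2.10' into (2, 10): 2.10 must sort after 2.9, which a string compare gets wrong."""
    return tuple(int(part) for part in text.strip().split("."))


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so that (1, 2) compares equal to (1, 2, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_matches(version, spec):
    """True if `version` satisfies every comma-separated constraint in `spec`."""
    v = parse_version(version)
    for raw in spec.split(","):
        m = _CONSTRAINT.match(raw.strip())
        if not m:
            raise ValueError(f"bad constraint: {raw!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        a, b = _pad(v, bound)
        ok = {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b, "==": a == b}[op]
        if not ok:
            return False
    return True


def match_advisories(inventory, advisories):
    """Return a sorted list of (serial, advisory_id) for every affected unit in the inventory."""
    hits = []
    for adv in advisories:
        for dev in inventory:
            if (dev["vendor"], dev["model"]) != (adv["vendor"], adv["model"]):
                continue
            if version_matches(dev["sw"], adv["affected"]):
                hits.append((dev["serial"], adv["id"]))
    return sorted(hits)


def firmware_drift(inventory):
    """Models where units on the same software version run different firmware versions."""
    seen = defaultdict(set)
    for dev in inventory:
        seen[(dev["vendor"], dev["model"], dev["sw"])].add(dev["fw"])
    return {key: sorted(fws) for key, fws in seen.items() if len(fws) > 1}


if __name__ == "__main__":
    for serial, adv_id in match_advisories(INVENTORY, ADVISORIES):
        print(f"{serial} affected by {adv_id}")
    for (vendor, model, sw), fws in firmware_drift(INVENTORY).items():
        print(f"{vendor} {model} sw {sw} runs mixed firmware: {', '.join(fws)}")
```

Two details are worth noticing. Versions are compared as integer tuples, so "2.10" is correctly treated as newer than "2.9" (a plain string compare would mark the VitalsMon 7 as affected by the ">=2.0,<2.9" advisory). And the firmware check is keyed on vendor, model and software version together, which is exactly the mixed-firmware-on-the-same-model case the speaker describes; with real MDS2 data the same functions would run over the exported inventory instead of the constructed rows.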