Post on 08-Jun-2020
transcript
Seth D. Carmody, Ph.D. Center for Devices and Radiological Health,
FDA 13th Medical Device Quality Congress
March 16, 2016
Comprehensive Cyber Security Risk Management:
Know, Assess, Fix
New Draft Guidance
2
• Comment period closes Thursday, April 21, 2016
• New Policy: An framework for assessing security and clinical risk of marketed devices using current regulation
• Continued policy: For cybersecurity routine
updates and patches, the FDA will, typically, not need to conduct premarket review to clear or approve the medical device software changes
Draft Guidance: Postmarket Management of Cybersecurity in Medical Devices – Key Principles
• Align with Presidential EOs and NIST Framework
• Risk-based framework to assuring risks to public health are addressed in a timely fashion
• Articulate manufacturer responsibilities by leveraging existing Quality System Regulation and postmarket authorities
• Collaborative approach to information sharing and risk assessment
• Incentivize the “right” behavior
Slide 3
A Blending of Worlds
4
Security Risk Clinical Risk
We know how to mitigate these
ECP
How do we address clinical risk posed by security vectors?
When do I Assess?
Always
A cybersecurity signal is any information which indicates the potential for, or confirmation of, a cybersecurity vulnerability or exploit that affects, or could affect a medical device.
Essential Clinical Performance Defined
6
Essential clinical performance (ECP) means performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer. Compromise of the essential clinical performance can produce a hazardous situation that results in harm and/or may require intervention to prevent harm. • A new concept, derived from IEC 60601
IEC 60601-1:2005, Medical Electrical Equipment – Part 1: General Requirements for Basic Safety and Essential Performance, Section 3.27
Cybersecurity Risk using ISO 14971
7
Vulnerability
Exploit
Annex E, figure E.1. – ISO 14971:2007
Compromised ECP
Controlled or Uncontrolled?
Essential Clinical Performance Matrix
8
Assessing Exploitability with CVSS
9 CVSS – Common Vulnerability Scoring System https://www.first.org/cvss
• Establish a repeatable process by leveraging existing frameworks (e.g. CVSS) Base Scoring (risk factors of the vulnerability) Attack Vector (physical, local, adjacent, network) Attack Complexity (high, low) Privileges Required (none, low, high) User Interaction (none, required) Scope (changed, unchanged) Confidentiality Impact (high, low, none) Integrity Impact (none, low, high) Availability Impact (high, low, none) Temporal Scoring (risk factors that change over time) Exploit Code Maturity (high, functional, proof-of-concept, unproven) Remediation Level (unavailable, work-around, temporary fix, official fix, not defined) Report Confidence (confirmed, reasonable, unknown, not defined)
Assessing Exploitability with CVSS (cont.)
10 CVSS – Common Vulnerability Scoring System https://www.first.org/cvss
Establish a repeatable process by leveraging existing Frameworks (e.g. CVSS) Modified Base Scoring: Risk factors of the vulnerability + organization/device impact – mitigations and/or controls Organization/device impact includes requirements for confidentiality, integrity, and availability (C, I, A) How does CIA relate to the device space? • Map those requirements to essential clinical performance which
could draw upon existing requirements
Assessing Severity
11
ANSI/AAMI/ISO 14971: 2007/(R)2010: Medical Devices – 441Application of Risk
Management to Medical Devices:
Common
Term
Possible Description
Negligible Inconvenience or temporary discomfort
Minor Results in temporary injury or impairment not
requiring professional medical intervention
Serious Results in injury or impairment requiring
professional medical intervention
Critical Results in permanent impairment or life-
threatening injury
Catastrophic Results in patient death
Bridge the Security and Safety Worlds
12
Asset CIA ECP Vuln. Threat Model
Risk Level
Control(s) Resid.
1 Integrity COMS Open TELNET
Escalation of privilege
5 Firewall, close TELNET
None
Integrity Therapy Open TELNET
Escalation of privilege
11 Firewall, close TELNET , Device Control 1.1
None
Availability
Confidentiality ?
Assessment Challenges
13
• Calculating exploitability is difficult due to the active adversary. • Does P1 = 1? (assume exploit?) • All systems fail? • “There are as many motivations for hacking as there are people” –
Josh Corman, I Am the Cavalry
• Not all vulnerabilities will have an uncontrolled impact to the essential clinical performance. This is the main differentiation between medical safety and IT security worlds.
• Complications due to vulnerability chaining. Threats may leverage
multiple, possibly low risk vulns. chained together to amplify risk
• What devices are impacted? • Vertical and horizontal analysis • Bill of materials
When do I Fix?
1. Routinely 2. Vulnerability allows compromise 3. Compromise involves Essential Clinical Performance
(ECP) 4. The theoretically compromised ECP poses uncontrolled
risk
Fixing the Expected
• Vulnerabilities are expected • Risks evolve • Active adversary
“It’s math, it’s a language and it’s art.” - On Software, Judy Faulkner, EPIC CEO,
@HIMSS 2016
What Happens if I Fix?
Depends on why you are fixing
1. Improving quality? 2. Is there risk to health? 3. Is there a violation?
See 21 CFR § 806.1(b)(1)
Different Risk: Two Types of Fixes
17
Risk to essential clinical performance
Controlled
Uncontrolled
Device enhancement (fix)
Three criteria: 1. No adverse events 2. Mitigate (fix) in 30 days 3. Participate in an ISAO
No reporting under 806
Yes
Yes
ISAO (Information Sharing and Analysis Organization)
Fixing Challenges 1. Where are my devices? 2. Are my devices patchable? 3. How do I know my devices have been
patched? 4. Can I deliver the patch quickly and
securely? 5. Does the patch mitigate the risk and
not create new risk?
How do I Know?
A cybersecurity signal is any information which indicates the potential for, or confirmation of, a cybersecurity vulnerability or exploit that affects, or could affect a medical device. A cybersecurity signal could originate from traditional information sources such as internal investigations, postmarket surveillance, or complaints, and/or security-centric sources such as CERTS (Computer/Cyber, Emergency Response/Readiness Teams), ISAOs and security researchers. Signals may be identified within the HPH Sector. They may also originate in another critical infrastructure sector (e.g., defense, financial) but have the potential to impact medical device cybersecurity.
Information Sharing and Analysis Organizations (ISAO) – What are they?
The ISAO best practice models are intended to be: Inclusive - groups from any and all sectors, both non-profit and for-profit, expert or novice, should be able to participate in an ISAO; Actionable - groups will receive useful and practical cybersecurity risk, threat indicator, and incident information via automated, real-time mechanisms if they choose to participate in an ISAO; Transparent - groups interested in an ISAO model will have adequate understanding of how that model operates and if it meets their needs; and Trusted - participants in an ISAO can request that their information be treated as Protected Critical Infrastructure Information. Such information is shielded from any release otherwise required by the Freedom of Information Act or State Sunshine Laws and is exempt from regulatory use and civil litigation.
See: http://www.dhs.gov/isao Slide 20
Did I mention the Draft Guidance?
21
Comment period closes Thursday, April 21, 2016
Defining Responsibility by Knowing
22
Secure Design
Overall Design
Compensating Controls
Device Control ECP
Responsibility Scenarios
23
Example: TELNET access to root account with no authentication Scenario 1: Manufacturer documents purposeful decision to allow TELNET access to root account including why the decision made, risks incurred, and compensating controls to mitigate risk, and communicates how to enact the compensating control. Deployment of the control is now in the hands of the end-user. Scenario 2: Manufacturer has no documentation as to why they’ve decided to violate security tenets of least privilege, access control, etc. or the decision is rationalized after the fact; however, there is no proof including lack of communication to end-users how to protect the device. Outcome: In a worst-case scenario, where a patient is harmed, who is responsible if a threat uses unauthenticated TELNET access? Does the answer change for scenario 1 and scenario 2?
Knowing Challenges
24
• Forensically sound evidence capture:
Would you be able to tell that a death, serious injury, and/or malfunction was a cybersecurity issue or the result of an attack? What are the risks incurred?
• Intrusion and attack detection: Would you be able to detect when you are being attacked or have been attacked?
• Sharing and receiving actionable information • Threat vs. Vulnerability information • Intellectual Property
• What’s on your device and when is it impacted?
Key Message: Knowing how you are being attacked informs your risk analysis triage enabling better resource management
Overcoming Technical Challenges
25
• Available resources are innumerable: pick a standard, pick a process, implement, measure, and improve.
• DHS, FAA, Microsoft, NIST, AAMI, Open Web Application Security Project (OWASP) are all trusted resources.
• Implement a secure software development life cycle and implement a coordinated disclosure policy (see HackerOne coordinated disclosure maturity model)
• For devices in design and development make sure that your device is securable
• For devices in the field, have robust asset management capabilities and leverage the “routine” model discussed in the guidance
• Maturity takes time https://www.microsoft.com/en-us/sdl/default.aspx
https://buildsecurityin.us-cert.gov/articles/knowledge/sdlc-process/secure-software-
development-life-cycle-processes
http://www.nist.gov/cyberframework/
https://hackerone.com/blog/vulnerability-coordination-maturity-model
Timeline of Key FDA Activities • 2013:
– Began coordination with Department Homeland Security Industrial Control Systems Cyber Emergency Response Team (DHS-ICS-CERT) in response to security researchers reporting of vulnerabilities
– Issued Safety Communication on shared ownership and shared responsibility among stakeholders, cyber hygiene
– Engaged in outreach, education, and building collaboration • 2014:
– Executed Memorandum of Understanding with the National Health Information Sharing & Analysis Center (NH-ISAC)
– Final Premarket Cybersecurity Guidance Released http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm356190.pdf – Convened workshop, ‘Collaborative Approaches for Medical Device and Healthcare
Cybersecurity’ • 2015:
– Ongoing coordination with DHS-ICS-CERT, medical device manufacturers and security researchers on reported medical device vulnerabilities
– Fostered collaboration with multiple stakeholder groups across the ecosystem – Issued product-specific safety communications on medical device vulnerabilities
• 2016: – Draft Postmarket Cybersecurity Guidance Released (http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf) – Public Workshop - Moving Forward: Collaborative Approaches to Medical Device
Cybersecurity
Slide 26
Workshop Summary (Jan. 20-21, 2016)
27
Threat landscape - “As many motivations for hacking as there are people” – Josh Corman - “This isn’t about FMEA, this is the active adversary” – Me Current FDA philosophy - Main point: Comprehensive, total-life cycle cybersecurity
risk management under 21 CFR 820
http://www.fda.gov/MedicalDevices/NewsEvents/WorkshopsConferences/ucm474752.htm
Workshop Summary (cont.)
28
Information Sharing and Analysis Organizations (ISAO) – breakout - Main question: What does an ISAO look like?
Workshop Summary (cont.)
29
Vulnerability Management – breakout - New old concept: Coordinated Disclosure - “No one likes to be told their baby is ugly” – Katie Moussouris, HackerOne
Workshop Summary (cont.)
30
Manufacturer challenges with increased collaboration - Key message: Culture change is hard and maturity takes time (MS ~15 years) Gaps and action plans – breakout Key message: Must make the business case for addressing gaps (legacy, disclosure, etc.) Current activities, situational awareness Key message: Lots of initiatives moving the space forward, lets not be duplicative Risk assessment tools - Key question: Information abounds; Can we make it actionable? Standards - Key message: Lot’s of standards, pick one and implement
Next Steps
• Development and validation of meaningful tools for assessment of vulnerabilities in the clinical environment is an area of focus going forward
• Definition of the medical device Information Sharing and Analysis Organization model
• Outreach, outreach, outreach
• Consolidated Resource Page
• Internal and external training • How are we ensuring that our policies are effective?
• Postmarket cybersecurity guidance docket open for public comment through Thursday, April 21, 2016
31 Thank You & Questions?