
Nick Mankovich & Leslie Trout Philips Healthcare June 2, 2011 Medical Devices & Cyber Security...

Page 1

Nick Mankovich & Leslie Trout, Philips Healthcare, June 2, 2011

Medical Devices & Cyber Security Protection

Cyber security preparedness via manufacturer programs and international standards.

Page 2

Monday’s headlines!

Page 3

Medical Device Industry & Security

Medical devices (e.g., monitoring, imaging) are the source of the largest volume of personal health data.

They are used for prevention, diagnosis, and treatment of disease. Often acting as long-term archive (e.g., imaging).

Medical devices are sometimes security compromised – usually as collateral damage in broad cyber security attacks.

There have been rare broad cybersecurity denial-of-service events, e.g., Conficker:
o January 2010: 10% of Healthcare IT down in Sweden.
o December 2010: 15% of Healthcare IT down in New Zealand.

To date, USA HIT has security events but impact is limited, not broad (adequate edge and network protection/isolation).

Page 4

Medical Device Industry & Security

The medical device industry has been directly addressing security and privacy issues for over 10 years in, e.g.,
o The Digital Imaging Communication in Medicine Standard (DICOM) issued its first Security Profile in 2001 (PS3.1 Part 15).
o The industry trade group, NEMA established a Security and Privacy Committee in 2000 and it has become a USA-European-Japanese joint committee (NEMA/COCIR/JIRA). http://www.medicalimaging.org/policy-and-positions/joint-security-and-privacy-committee-2/
o Healthcare Information and Management Systems (HIMSS) has focused activities in their:
  • Privacy and Security Work Group
  • Patient Identity Integrity Work Group
  • Medical Device Security Work Group

Involved in the 2010 Sector Annual Report: Healthcare and Public Health Work Group

Page 5

Key products and services of Philips Healthcare: Providing comprehensive support

Businesses

Imaging Systems: Cath Lab, X-Ray, CT, MR, SPECT, SPECT/CT, PET/CT

Home Healthcare Solutions: Sleep Disordered Breathing, Medical Alert Services, Home Cardiac Monitoring, Home Respiratory, Senior Living

Clinical Care Systems: Ultrasound, Cardiac Resuscitation, Ventilation, ECG Solutions, Children’s Medical Ventures, Medical Consumables & Supplies, Emergency Care Services

Healthcare Informatics: Anesthesia Informatics, Cardiology Informatics, Critical Care Informatics, Clinical Decision Support Systems, Maternal & Perinatal Monitoring Solutions, Patient Monitoring Systems, Radiology Informatics

Services

Site Planning & Project Management, Ambient Experience, Education Services, Performance Services, Managed Services, Equipment Maintenance

Page 6

How to organize for product security?

Product Security: The management of products and services that support Philips Healthcare in assisting the healthcare providers in maintaining confidentiality, integrity and availability of protected health information and the hardware/software systems that create and manage it.

Note: In general, we are a business-to-business supplier working for the Health Delivery Organization (hospital, clinic, doctor’s office) providing hardware, software, and services that support their healthcare mission.

Page 7

Philips Healthcare Product Security & Privacy Advisory Structure

Page 8

Organize Around Compliance


Page 9

A way forward emerges

• Tension between hospitals and medical device manufacturers and among hospital organizations (biomed/IT).

• In December 2005, the FDA called for action to address the real harm seen in improperly managed interconnection of medical devices using local hospital IT-networks.

• A proposal was created for a standard and a Joint Working Group (ISO/IEC JWG 7) was formed between ISO and IEC.

PROCESS TRANSFER: moving from the manufacturing world of risk management for safety and effectiveness into the fuller world of safety, effectiveness, and security risk management.

For the first time, security and privacy were put on common ground with safety and effectiveness risk management.

Page 10

IEC 80001-1:2010 (approved September, 2010)

Page 11

80001-1 Roles & Responsibilities

Stakeholder partnerships:

Healthcare Provider / Responsible Organization

Medical Device Manufacturers, I.T. Technology Vendors, 3rd Party Integrators, Risk Management Experts …

… shared vision & mission!

Page 12

Mankovich, et al. AAMI ~ Tampa Florida ~ 2010.06.27 13

Risk Management Process

1. Analyze Risk
   o Based on Probability and Severity of harm
   o Harm from reduced safety, effectiveness, data & systems security

2. Evaluate Risk
   o Based on Pre-defined risk acceptability criteria
   o Easily acceptable, Certainly unacceptable, or further evaluation needed

3. Control Risk

4. Determine GO / STOP

Systematic and Documented

Cross-functional team using same process and language

Page 13

Conclusion: maturing medical device security

Today, there is no broad, coordinated cyber security planning. Some possibilities:
o Create some national scenarios/simulations of healthcare infrastructure cyber security attack.
o Create meaningful scenarios for operation sans IT.

Continue to learn from each other and from actual cyber security events.

Increase deployment of medical device isolation networks.

Debate and decide security capabilities of medical devices (difficult cost discussions, 80001 Security TR).
