39
The Internet of Things: Impacts on Healthcare Security and Privacy Presented by: Amit Garg, CISSP, PMP, MBCI, Director - Berkeley Research Group
The Internet of Things: Impacts on Healthcare Security and Privacy
Presented by: Amit Garg, CISSP, PMP, MBCI, Director
- Berkeley Research Group
AGENDA
• What is the internet of things (IoT)? • IoT in healthcare (medical devices) • What are the security, privacy, regulatory/legal challenges and
opportunities of IoT in healthcare? • How can you minimize risk and maximize benefits of IoT? • Best practices in risk management and compliance • Creating a culture of security awareness and training
3
We are living in an ever-more connected world . . .
People
•Wellness monitoring
•Medical case management
•Social needs
Communities
•Traffic status
•Pollution alerts
• Infrastructure checks
Goods & Services
•Track materials
•Speed distribution
•Product feedback
Environment
•Pollution checks
•Resource status
•Water monitoring
Homes
•Utilities control
•Security monitoring
•Structure integrity
3
With more devices
interacting. . .
2003 2010 2015 2020
World Population 6.3 Billion 6.8 Billion 7.2 Billion 7.6 Billion
Connected Devices 500 Million 12.5 Billion 25 Billion 50 Billion
Connected Devices per Person
.08 1.84 3.47 6.58
Devices surpass people
2010 Devices surpassed people by almost 2:1 Forecasts expect >6:1 ratio by 2020
Source: Domo
The age of information overload!
6
Key characteristics of IoT
Typically IoTs are embedded computing devices that exhibit the following qualities: • Unique identity • Ability to wirelessly communicate • Ability to sense • Ability to be controlled remotely • Data collection and analysis • Leverage mobility, cloud, and big data
Source: http://anandmanisankar.com/posts/IoT-internet-of-things-good-bad-ugly/
7
IoT by the numbers
• 50 billion devices connected to the Internet worldwide by 2020 • 3.5 connected devices per person by 2015 and almost 7 by 2020 • 8 billion mobile broadband access points by 2019 • 4.5 million IoT jobs by 2020 • $14.4 trillion of value over the next decade • $97 billion additional revenue in Medical device industry by 2024 • 70 percent a year growth through 2018 in total sales of clothing and accessories
incorporating computer technology, rising from $3 billion today to $42.5 billion • $3.3 trillion market for 'Smart City’ applications and services by 2025
Source: http://anandmanisankar.com/posts/IoT-internet-of-things-good-bad-ugly/
IoT landscape
9
The drivers behind the IoT growth
• Over the past 10 years
– Cost of sensors have gone down – avg. cost of $1.30 to 60
cents over the past 10 years
– Cost of bandwidth has gone down 40x
– Cost of processing has gone down 60x
• New ways to analyze mountains of data
• Social media
• Cloud computing
• Mobile
• Increased productivity, efficiency, cost savings,
innovation, revenue generation
Source: Goldman Sachs Global Investment Research
10
So what’s the problem?
• Lax security for the growing number of IoTs – appliances, tvs, cars, smart homes, smart cities, industrial applications, healthcare and medical devices, 3D printing, etc.
– Manufacturers are compromising privacy and security for faster time to market
– Cyber risks are evolving from virtual harm to physical harm
• Increased risk of bodily harm from hacked medical devices that send a patient’s information to a doctor or hospital.
– VP Dick Cheney – Received a pacemaker in 2007
– “Homeland” episode in 2012 – fictional VP killed by a compromised pacemaker
11
Examples of connected health and medical devices • Pacemakers
• Insulin pumps
• Continuous glucose monitors
• Hearing aids
• Heart rate patches and wireless scales for monitoring congestive heart failure
• Sensors in shoes to detect falls and gait changes
• Baby monitors with temperature, heart rate, and other sensors
• Patient identification and tracking
• Diabetes care devices and mobile ECGs
12
Medical device security - unique problem set • Highly regulated
• FDA quality system regulations, requiring testing and approval
• Lengthy and complex release process
• Providers need to comply with HIPAA, HITECH, FDA MDDS
• Complex • Systems of systems problem
• 10,000s of devices, 1,000’s of types, 100s of manufacturers
• 5 – 10x of regular IT systems; ownership and responsibility
• Vulnerable • Multiple threat vectors – network, ports, USB, users
• Device breach/infection impact – operational to patient care & safety
• Device may hinder recovery & remediation
• “Weakest link”- can become entry point Source: 2014 Symantec Corp.
Exploitation
• Delay in treatment and care
• Threats to patients’ health and safety
Data Breach
• Loss or destruction of data
• PHI
• PII
• Settings
• Credentials
• Configuration
Business Continuity
• Impact to service
and care delivery
• Device availability
(A,I,C)
• Network
performance
Brand & Reputation
• Loss of trust (patients, referring physician)
• Impact on staff and morale
Revenue/Cost
• Remediation cost
• Downtime impact on
revenue
• Lawsuits
• Fines/Penalties
Patient Safety
Medical device threat scenarios
Risk and Impact
Hacker Attacks
Denial of Service Attacks
Malware Infections Botnet Hijacks Errors in
System Code
Source: 2014 Symantec Corp. 13
14
Issues associated with networked medical devices
• Untested, unpatched, or defective software and firmware
• Theft or loss of networked medical devices (external or portable)
• Lack of standards
• Security and privacy vulnerabilities
• Unauthorized device setting changes, reprogramming, or infection via malware
• Denial-of-service attacks
• Targeting mobile health devices using wireless technology to access patient data, monitoring systems, and implanted medical devices
Source - http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm
15
FDA guidance on medical devices
• FDA issued a safety communication regarding cybersecurity for medical devices and hospital networks (June 2013)
• Recommendation that manufacturers and health care facilities determine appropriate safeguards to reduce risk of device failure due to a cyber-attack.
• Specifically, health care facilities should do the following: – Restrict unauthorized access to the network and networked medical devices. – Determine that appropriate antivirus software and firewalls are up-to-date. – Monitor network activity for unauthorized use, evaluate network security. – Protect individual network components through routine and periodic evaluation, including updating
security patches and disabling all unnecessary ports and services. – Contact the specific device manufacturer if you think you may have a cybersecurity problem related to a
medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.
– Develop and evaluate strategies to maintain critical functionality during adverse conditions. Source - http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm
16
Additional guidance on medical devices
• FDA guidance on med device categories • Class 1 (low risk) – not relied on in decision to take immediate clinical action
• Class 3 (high risk) – sustain human life, prevent impairment, risk of illness/injury
• Trust, Identity, Privacy & Security (TIPS) determined by device class / use case • Low TIPS requirements – e.g., Fitbit, other IOT wearables
• High TIPS requirements – e.g., insulin pump, pacemaker
• Improved security will require everyone to participate – providers, device manufacturers, payers, patients, healthcare facilities
• Defense in depth approach – multiple levels of security & privacy can be developed
Source – Mobile Medical Applications, Guidance for Industry and FDA Staff, Feb 9, 2015
• 80% of damages for Cyberattacks involve breach of privacy related information
– Personally Identifiable Information (41% of breaches)
– Personal Health Information (21%)
– Payment Card Information (19%)
• Privacy breaches are making the news and impacting long term business reputation
• Recent Proof Points: Source: NetDiligence Cyber Claim Study- 2014
Privacy: 80% of Security Breaches
18
Cyber Kill Chain – Framework Cyber Kill Chain - Framework
19
Regulatory and legal
considerations
• While FDA has put forth significant “pre-market and “post-market” guidance on management of cybersecurity in medical devices
• Current guidance is non-binding, and in “draft” form
• Little guidance on post market software updates from medical hardware and software vendors and third party vendors
• Exposure to liability is high if the risks to patient information is not managed properly
Source – Postmarket Management of Cybersecurity in Medical Devices, January 22, 2016
20
Evolving legal landscape
• Currently in the US, a company’s possession and use of consumer data (PII, PHI) is regulated by a myriad of industry-specific federal laws and generally applicable state data protection and/or notification laws.
– Many varying Federal Laws • GLBA
• HIPAA/HITECH ACT
• Fair Credit Transactions Act/Fair Credit Reporting Act
• Telephone Consumer Protection Act
• Child Online Privacy Protection Act
– FTC, FCC, SEC, FDA enforcement
Source: Jones Day
21
State data security laws
• Only three states (CA, MA, TX) have comprehensive written security program
• Data breach notification laws exist for 48 states
– Notice to AG, law enforcement, insurance regulator, credit reporting agencies, and affected individuals
– Written notice with specific disclosures
– Timing requirements
– Varying exceptions (risk of harm and good faith)
• Data-specific protection laws (SSNs, PHI, employee records, etc.)
• Data destruction laws Source: Jones Day
22
Litigation – Oh NO!
• Some state statutes allow affected consumers to bring private actions against companies that fail to protect their personal information
• Laws will allow recovery for victims depending on the standard of care exercised of the company
• After the Target breach was announced, almost 70 lawsuits were filed between December 2013 and January 2014 – Target – cases fell into 3 categories: consumers, financial institutions, and
shareholders
– Sony Pictures – class action lawsuit of former employees
– Anthem – Suits filed in Alabama and California for data breach
– Cahen v. Toyota (included Ford & GM) - class action filed in March 2015 in ND, Cali due to a defect that allows cars to be hacked
Source: Jones Day
23
And more litigation!
• Cottage Healthcare Systems v. Columbia Casualty - “Cottage Healthcare Systems suffered a
data breach due to a hack of their systems. Their insurance company, Columbia Casualty, a division of CNA, alleges that Cottage Healthcare Systems didn’t maintain its security controls, which left the company vulnerable to this cyber attack.” “Columbia argues that its cyber insurance policy language does not require it to pay for losses resulting from this attack because of Cottage’s failure ‘to continuously implement the procedures and risk control identified in the Insured’s application for this insurance.’ ” As a result, Columbia has refused to pay a $4 million claim payout to Cottage Healthcare Systems.
• Federal Trade Commission v. Wyndham Worldwide Corporation: In 2014, “the FTC
brought suit against Wyndham Worldwide Corp. in the wake of three separate security breaches that occurred between 2008 and 2011 and resulted in the theft of guests’ personal information […] the “FTC alleges that after the initial two security incidents, Wyndham failed to implement reasonable and appropriate security measures which exposed consumers’ personal information to unauthorized access and resulted in consumer injury.”
24
And yet even more litigation…
• Travelers Indemnity Co. of America v. Portal Healthcare Solutions LLC: “The insured, Portal Healthcare Solutions, sought coverage for an underlying class action alleging that Portal failed to safeguard the confidential medical records of patients at a Northern Virginia hospital following the inadvertent online disclosure of certain records […] “In doing so, the court rejected each of the insurer’s two defenses—that the disclosure had been inadvertent and that no third-party was alleged to have viewed the confidential records. The court held that the definition of ‘publication’ does not depend upon the would-be publisher’s intent, but rather on whether the information was, in fact, placed before the public.” Likewise, the court found that ‘publication’ does not require actual access by a third party because it occurs at the moment the information is made available. Otherwise, a book that is bound and placed on the shelves of a book store would not be deemed ‘published’ until a customer takes it off the shelf and reads it. […] The inadvertent online disclosure of confidential records was held to constitute a ‘publication;’ triggering the insurer’s duty to defend.” http://www.law360.com/articles/602100/2014-insurance-coverage-litigation-year-in-review
25
Ultimately, it’s all about information management
• Know your data (what, when, where, why, who)
• Map your data (understanding the data flows)
• Classify your data (risk, value, impact)
• Protect your data (information management)
• Enforce regulatory controls (governance, risk, &
compliance)
26
Security and privacy recommendations
• Take a risk based approach
• Incorporate security language into procurement contracts
• Engage all stakeholders – IT, legal, vendors, compliance, clinical users, CIO/CISO level support
• Assess the whole “device family” – follow the data flow
• Conduct security testing
• Develop data map of the PII/PHI
• Go for the low hanging fruit / the “basics”
• Change default passwords
• Patch and update if possible
• Enable encryption
• Limit administrative accounts and remove unneeded accounts
27
Practice proactive security
• Develop a risk management program
• Baseline risk assessment
• Incident response planning and testing
• Penetration testing/vulnerability assessment
• InfoSec program development / review
• Apply industry best practices and standards
• IEC 80001 Series: “Application of risk management for IT networks incorporating medical devices”
• FDA guidance
• MDSS – Manufacturer Disclosure Statement for Medical Device Security
• Industry Orgs: NH-ISAC, MDISS, IHE PCD, AAMI, HIMSS
Cybersecurity Program Template
• Risk Heat Map
• Crisis Planning
• Cyber Budget Priorities
• Business Continuity / Resilience
Information Governance
• Communication Planning / Public Relations
• Regulatory Framework
• Privacy/Record Management
• eDiscovery
Incident Response
• Prepare
• Detect
• Respond
• Transform
Security Awareness
• Cultural Assessment
• Policy Compliance
• IT Security Metrics
• Awareness Campaign
Essential Protection
• Security Ops
• Vulnerability
Management
• Architecture Design
• Technology Solutions
Risk Management
Executive Cybersecurity Strategy
Risk Management
29
RISK HEAT MAP Analyzing business risk due to cyber attack.
Produce heat map of targets for near and long term opportunity.
CRISIS PLANNING Create internal and public communications strategy. Establish escalation process and clear responsibilities.
CYBER BUDGET PRIORITIES Review and modify budget allocations to likely cost centers.
Hold in reserve notification estimate, likely fees, reaction costs.
BUSINESS CONTINUITY / RESILIENCE Develop BCP and Disaster Recovery plan. Align cybersecurity
program with enterprise risk management & business resilience.
Information Governance
30
PRIVACY MANAGEMENT Risk from exposure of PII needs to be assessed.
Process maturity in 18 key areas reduces corporate risk.
REGULATORY FRAMEWORK Review regulatory obligations for overlapping controls.
Establish common IG framework to satisfy requirements.
RECORDS MANAGEMENT Handling internal and customer records requires a strategy.
Defensible Disposition equals reduced risk. Do it right.
eDISCOVERY Optimizing electronic discovery with automation.
Incident Response
31
PREPARATION It is about the “when”, not the “if”.
Start now to assess your ability to detect and respond
DETECTION Early warning is the best defense.
Have the capabilities to detect and collect evidence – the facts
RESPONSE Defending your assets. Assessing damage.
Analyze the source and motive to the breach and communicate
TRANSFORM Apply lessons to the entire organization culture. Close the gaps and harden the security posture.
Security Awareness
32
CULTURE ASSESSMENT Evaluate organizations security behavior.
Develop structure of a High Resilient Security Programs
POLICY COMPLIANCE Audit adherence with regulatory obligations.
Assess compliance with unified framework and industry standards
SECURITY METRICS Collecting evidence based operational security metrics
Enables quality decision making and tracks efficient progress
AWARENESS CAMPAIGN Structure, launch, and manage effective awareness program
across the enterprise e.g. Social Engineering / Phishing
Essential Protection
33
SECURITY OPERATIONS Review daily security operational processes for gaps in detecting
and protection against advanced cyber threats.
VULNERABILITY MANAGEMENT Conduct penetration testing, assess patch management
systems, reduce time to fix detected vulnerabilities.
ARCHITECTURE & DESIGN Comprehensively evaluate enterprise security infrastructure. Design security architecture to improved network resilience.
TECHNOLOGY SOLUTIONS Evaluate security solutions, recommend and implement
chosen technology to detect attack and enforce security policy
Insure for a Catastrophic Cyber Event
• Corporate liability coverage is not enough – All insurers are excluding electronic data loss and privacy breach from the liability policy
– A separate policy for data breach is required
• Cyber policies are a long way from coverage the comprehensive damage – Limitations and common exclusions may be surprising. See the follow two slides
– Negotiate the exclusion language to press your position
• Have an insurance strategy for a catastrophic event. – If the limits of the policy (once you get past the exclusions) is $5M, layer multiple policies
to get to the $ amount of coverage your risk model indicated for annualized loss expectancy (ALE).
• CFO needs to have cash reserves to cover the remainder which may impact quarterly reporting – which is why the financial team needs to be in the planning process
35
Common Cybersecurity Insurance Exclusions
1 Bodily Injury or Damage. These are covered under the general liability policy.
2 Loss of paper files, as they are not electronic.
3 War, Invasion, & Terrorism.
4 Patent and Copy Right infringement. These are normally included in an intellectual property cover policy.
5 Mechanical and electrical breakdown / failure. No kinetic damage.
6 Failure to following basic security best practices.
7 Losses from portable electronic devices, i.e. laptops.
8 Unencrypted data.
9 Data entrusted to third-parties. Third-parties need to have the insurance coverage.
10 Claims/fines brought by government or regulators.
36
Cybersecurity Insurance Best Practices
1 Work with a knowledgeable insurance broker.
2 Read the policy terms with your legal counsel and head of IT.
3 Model the worst case scenario for negative financial impact and purchase a policy limit (and sub-limit) that fits.
4 Shop for an insurer who will take your technical controls and security policies into account when setting premiums.
5 Examine the insurance carrier’s rating, higher ratings indicate a stronger company.
6 Consider retroactive coverage as some policies only include from policy origination date.
7 Be aware of panel provisions that require your outside counsel, consultant, or investigator to be on a preapproved list kept by the insurance carrier.
• The Internet of Things (IOT) is an emerging topic of technical, social, and economic significance but not without its issues.
• All organizations can and must take action. Start small and mature your efforts. – Understand how IoT is being implemented in your organization – Learn how and where the collected data is stored – Understand what happens to the data over time – Follow the emerging standards and educate yourself – Understand the “market” for the data – Be prepared
37
Doomed? Not Quite Yet Final thoughts
Litmos Healthcare
Sophisticated Secure Robust
Award-winning learning management platform Attentive and responsive Sales & Client Care Over 500 courses available Customizable Affordable
Free Trial
