Vulnerability Information Sharing: Challenges, Methods and Impact
Medical Device Security Symposium - Session 4, February 19, 2017
Stephen L Grimes, FHIMSS FACCE FAIMBE
Principal Consultant
Strategic Healthcare Technology Associates, LLC
Marty Edwards
Director, ICS-CERT
DHS NCCIC
Axel Wirth, CPHIMS, CISSP, HCISPP
Distinguished Healthcare Architect
Symantec Corp.
Speaker Introduction
Marty Edwards, Director, ICS-CERT, DHS NCCIC
Stephen L. Grimes, FACCE FHIMSS FAIMBE, Principal Consultant, Strategic Healthcare Technology Associates, LLC
Axel Wirth, CPHIMS, CISSP, HCISPP, Distinguished Healthcare Architect, Symantec Corp.
Marty Edwards
Director, ICS-CERT; Assistant Deputy Director, National Cybersecurity and Communications Integration Center (NCCIC)
Mr. Edwards has over 25 years of experience and brings a strong industrial control system industry focus to DHS. Before coming to the ICS-CERT, Mr. Edwards was a program manager focused on control systems security work at Idaho National Laboratory. Prior to his work at the laboratory, Mr. Edwards held a wide variety of roles in the instrumentation and automation fields, including field service, instrument engineering, control systems engineering and project management.
Mr. Edwards has also held various positions in nonprofit organizations, including Chairman of the Board for one of the automation community's largest user group conferences. Mr. Edwards holds a diploma of technology in Process Control and Industrial Automation (Magna cum Laude) from the British Columbia Institute of Technology (BCIT), and in 2015 received their Distinguished Alumni Award. In 2016, Mr. Edwards was recognized by FCW in their "Federal 100 awards" as one of the top IT professionals in the federal government.
The ICS-CERT is the recipient of the 2013 SC Magazine Security Team of the Year award and was named as a finalist in the Community Awareness category in the 2015 Government Information Security Leadership Awards (GISLA).
Stephen L Grimes, FHIMSS FACCE FAIMBE
Principal Consultant, Strategic Healthcare Technology Associates, LLC
Mr. Grimes is recognized as one of the industry's first and most prominent experts on the issue of medical device security. He originally drew the industry's attention to the growing risks associated with medical device security compromises through a series of articles, presentations and national symposia beginning in 2001. In 2004, Mr. Grimes authored the ACCE/ECRI Information Security for Biomedical Technology: A Compliance Guide, the industry's first definitive guide for healthcare delivery organizations (HDOs) on identifying and mitigating medical device security risks. Also in 2004, he conceived of and managed the development of the Manufacturer's Disclosure Statement for Medical Device Security (MDS2) while chairing HIMSS' Medical Device Security Task Force. He later participated on the NEMA standards committees that led to the adoption of the 2005 and 2013 versions of the MDS2 as a formal industry standard. He also served as a member of the US/TAG to ISO/TC 215 Health Informatics and Joint Working Group 7, which developed the 2010 ISO/IEC/AAMI standard IEC 80001-1: Application of risk management for IT-networks incorporating medical devices.
Up to the present, Mr. Grimes has continued to speak and write on how healthcare delivery organizations (HDOs) need to address the evolving medical device security threat. During his eight-year tenure (2007-2015) at ABM Healthcare Support Services as Chief Technology Officer and senior consultant, he also developed programs, procedures and tools for that organization's 300+ clients (with medical device inventories totaling over 500,000) that addressed data security management across the device life cycle.
Axel Wirth, CPHIMS, CISSP, HCISPP
Distinguished Healthcare Architect, Symantec Corp.
As Solutions Architect, Axel Wirth provides strategic vision and technical leadership within Symantec’s Healthcare Vertical, serving in a consultative role to healthcare providers, industry partners, and health technology professionals.
Drawing from over 25 years of international experience in the industry, Mr. Wirth supports Symantec's healthcare customers in solving their critical security, privacy, compliance, and IT management challenges. He is an active participant in industry organizations and a frequent speaker at conferences, forums, and webcasts on subjects such as cybersecurity, medical device security, mobile health infrastructure, compliance automation, IT infrastructure optimization, and other healthcare-specific topics.
His extensive background in the healthcare IT and medical device industries includes engineering leadership as well as strategic business development and marketing roles with Siemens Medical, Analogic Corp., Mitra Inc., Agfa Healthcare, and currently Symantec Corp. His education includes a BS Electrical Engineering degree (EE) from Fachhochschule Düsseldorf and an MS Engineering Management degree (MSEM) from The Gordon Institute of Tufts University.
Conflict of Interest
Marty Edwards
Has no real or apparent conflicts of interest to report.
Stephen L. Grimes, FHIMSS FACCE FAIMBE
Has no real or apparent conflicts of interest to report.
Axel Wirth
Has no real or apparent conflicts of interest to report.
Vulnerability Information Sharing: Challenges, Methods and Impact
Session Description
This session will explain:
• different types of vulnerabilities in medical devices
• how they are identified
• how device use case impacts the actual risk
• how vulnerabilities in third party libraries or components can be linked to devices, assessed, mitigated and shared
Learning Objectives
• Identify the different types of cyber vulnerabilities
• Describe the purpose and function of the NIST vulnerability database
• Discuss how a medical device ISAO will link published third party vulnerabilities to medical devices
• Illustrate the coordinated disclosure process for medical devices
• Explain how medical device researchers evaluate a device for vulnerabilities
An Introduction of How Benefits Were Realized for the Value of Health IT
Satisfaction:
• Avoid downtime and patient / staff frustration
Treatment / Clinical:
• Maintain clinical operations
• Improve patient safety
Electronic Secure Data:
• Enable medical device integration while maintaining security and compliance
Patient Engagement and Population Management:
• Maintain patient trust
Savings:
• Avoid costly downtime, fines, and impact on reputation
Agenda
1. Cybersecurity Introduction – state of cyber threats
2. Medical Device Security – risk scenarios and examples
3. Vulnerability Enumeration – how to describe and classify
4. NIST Vulnerability Database – introduction and benefits
5. Medical Device Vulnerability Sharing – benefit to the stakeholders
6. Medical Device ISAO – illustration of the process
Understanding Today's Adversaries & Objectives

Adversary          Motivation       Target                      Objective
Individuals        Fame             Computers                   Intellectual stimulus
Cybercriminals     Fortune          Information                 Underground Economy
Nation States      Cyberwarfare     Infrastructure & Services   Espionage & Sabotage
Hackers for Hire   Political Goal   Societies & Economies       Subversion & Destruction

Changing motivation is driving participating adversaries.
As targets are changing, so do risk and impact.
Changing goals are creating more complex consequences.
Attacks have become increasingly sophisticated, stealthy, and targeted.
Medical Device Security vs. Traditional Risk View
Traditional risk view: Vulnerability, Threat and Asset Value
• Risk = f(Threat, Vulnerability, Asset Value)
• Risk Analysis = Risk considered with Impact and Likelihood
• Risk Assessment = acceptable or not
Risk Management, yet Regulatory Disjuncture
• Manufacturer focus → ISO 14971 & AAMI TIR57
• Provider focus → IEC 80001-1
• Patient safety requires both!
FDA:
• Safety and Effectiveness
• Cybersecurity Risk Management (Guidance)
HIPAA:
• Confidentiality, Integrity, and Availability of ePHI
• Risk Management (ePHI)
Medical Device Risks – Direct & Indirect
Patient Safety Risks
• In the context of intended and unintended use
• Misdiagnosis, treatment errors
• Potential of injury or death
Clinical Operations and Care Delivery Risks
• Downtime due to equipment availability
• Impact on hospital operations - reduced ability to deliver care
Indirect Risks
• Reputation
• Revenue / Referrals
• Accreditation
• Lawsuits / fines
• Stock value
• Patient trust
• Patient treatment decisions
Privacy Risks
• Information (PHI, PII)
• Data breach (transmission intercept, device loss or theft)
• Intellectual property (clinical trials & research)
Security Risks
• Device used as means for intrusion - Beachhead
• Network performance, e.g. alarm delays
• DDoS (cause of or impacted by)
Medical Device Vulnerabilities
Design / Process (specific vulnerability)
• Hardcoded / default passwords
• Poor design practices
• Misconfigured / open ports
• Lack of encryption & authentication
• Poor vulnerability management
• Insecure remote access
• Poor manufacturing cyber-hygiene
Supply Chain (general vulnerability)
• "Inherited" vulnerabilities
• 3rd party Software Of Unknown Provenance (SOUP)
• EOL software
– Commercial Off-The-Shelf (COTS)
– Open Source
Medical Device Vulnerabilities
Supply Chain / 3rd Party Vulnerabilities – are they different?
• Yes and no ….
• In the end, they are just another exploitable vulnerability, but …
– Use case dependent.
– Limited knowledge of the medical device BOM (and layers of BOM).
– General (3rd party) vulnerabilities are typically widely known.
– May be exploited because they fit an attack target profile, not because the attacker is targeting the device.
BOM = bill of materials
Medical Device Vulnerabilities - Example
Security Research
• Milestones:
– Pacemaker (2008, Kevin Fu)
– Insulin Pump (2011, Jay Radcliffe, Barnaby Jack)
– Many more: Billy Rios, Mayo, DHS, …
• "The least secure device I ever laid hands on"
• Hacks that could kill – but research only, so far (and TV shows)
• Where manufacturers fail:
– The problem does not go away by ignoring it
• Where hackers fail:
– The old "bug bounty" approach (publish after a fixed disclosure deadline) does not work: a medical device vulnerability can't be fixed within 90 days
– Is this really a risk in a normal clinical setting?
Medical Device Vulnerabilities - Example
User & Patient Scenarios
• Drug abuse
• Personal email / web on QC workstation
• Service tech introduces malware via USB:
– Shutdown of 6 cathlabs
– Shutdown of 100s of med cabinets
• IT misconfiguration (AV, patch deployment, …)
• Recharge mobile phone on anesthesia device
• Patient / next of kin / insider risks
Medical Device Vulnerabilities - Example
Data Breach / Privacy Risks
• Lost or stolen device
• Unencrypted transmission of clear text (e.g. HL7) messages
• Poor EOL management:
– Device data not purged
– PHI but also network credentials
– Poor management but also poor design
• Specific concern: leased / loaned devices
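The "unencrypted transmission of clear text (e.g. HL7) messages" bullet is easy to underestimate until one sees what a single captured message contains. The following Python is an added example, not part of the symposium slides: it takes one TCP payload as a passive sniffer on the ward network would capture it, strips the MLLP framing that HL7 v2 interfaces use over TCP (0x0B start block, 0x1C 0x0D end block), parses the message, and lists the PHI fields that are readable without any key. The frame, the device and facility names and the patient record are constructed; the PID field positions (PID-3 identifiers, PID-5 name, PID-7 date of birth, PID-11 address, PID-19 SSN) are the standard HL7 v2 ones.

```python
"""What a cleartext HL7 v2 intercept exposes.

Added example, not code from the symposium. The captured frame below is
constructed: the device, facility names and patient are fictitious. MLLP
framing (0x0B start block, 0x1C 0x0D end block) and the PID field positions
follow the HL7 v2 / MLLP specifications.
"""

# Constructed TCP payload as a sniffer would capture it: one ORU^R01 result
# message from a fictitious infusion pump, wrapped in MLLP framing.
CAPTURED_FRAME = (
    b"\x0b"
    b"MSH|^~\\&|EXAMPLE_PUMP|WARD7|EXAMPLE_EHR|HOSP|20170219120000||ORU^R01|MSG0001|P|2.5\r"
    b"PID|1||123456^^^HOSP^MR||DOE^JANE^Q||19700101|F|||1 EXAMPLE ST^^ANYTOWN^CA^90000\r"
    b"OBX|1|NM|^Infusion rate||5|mL/h|||||F\r"
    b"\x1c\x0d"
)

# (segment, field number) -> what the field carries. PID-n is fields[n] after
# splitting the segment on the field separator, because fields[0] is "PID".
PHI_FIELDS = {
    ("PID", 3): "patient identifier list",
    ("PID", 5): "patient name",
    ("PID", 7): "date of birth",
    ("PID", 11): "patient address",
    ("PID", 19): "SSN",
}


def unwrap_mllp(frame: bytes) -> str:
    """Strip MLLP framing and return the bare HL7 message as text."""
    if not (frame.startswith(b"\x0b") and frame.endswith(b"\x1c\x0d")):
        raise ValueError("not an MLLP frame")
    return frame[1:-2].decode("ascii")


def parse_hl7(message: str) -> dict:
    """Split an HL7 v2 message into {segment name: [list of field lists]}.

    The field separator is the character after 'MSH' (MSH-1), normally '|';
    segments are separated by carriage returns.
    """
    if len(message) < 5 or not message.startswith("MSH"):
        raise ValueError("not an HL7 v2 message")
    sep = message[3]
    segments: dict = {}
    for seg in message.split("\r"):
        if seg:
            fields = seg.split(sep)
            segments.setdefault(fields[0], []).append(fields)
    return segments


def phi_exposed(message: str) -> dict:
    """Return the PHI fields readable in a cleartext message, keyed by label."""
    segments = parse_hl7(message)
    comp_sep = message[4]  # first of the MSH-2 encoding characters, normally '^'
    found = {}
    for (seg_name, n), label in PHI_FIELDS.items():
        for fields in segments.get(seg_name, []):
            if n < len(fields) and fields[n]:
                # Flatten components ("DOE^JANE^Q" -> "DOE JANE Q"), dropping empty ones.
                found[label] = " ".join(c for c in fields[n].split(comp_sep) if c)
    return found


if __name__ == "__main__":
    for label, value in phi_exposed(unwrap_mllp(CAPTURED_FRAME)).items():
        print(f"{label}: {value}")
```

Everything the parser recovers is the same data a device lost or stolen with a message log would yield, which is why the slide groups transmission intercept and device loss under one heading; encrypting the transport (TLS for the MLLP connection or a VPN between device and interface engine) is what removes the intercept case.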
Medical Device Vulnerabilities - Example
Device as Means for an Attack
• Beachhead and hiding point
• Demonstrated in 3 hospitals in 2015
• Found in 60+ hospitals since then (Bloomberg)
• Blood Gas, X-Ray, PACS, MRI, Defib, Fluoro, …
• Current and legacy malware (incl. ransomware and botnet exploits)
• Traced back to a Russian crime server
• Well-orchestrated APT attacks
• Medical devices a "near perfect target"
• Evolved attack strategy in recognition of medical device vulnerabilities (2016)
Closing Thoughts
• Traditional risk and security paradigms will fail:
– Change from “intended use risk” to “use case risk”
– Cyber risks are “non-linear” and unpredictable – tomorrow will be different
– Can’t fix a medical device vulnerability in 90 days.
• We are still “pre-event” – how will the discussion change after a patient incident?
– Do we need to panic? No – but we do need to proceed with a sense of urgency.
– Are we improving fast enough? Who is moving faster, us or the bad guys?
• Complexity is part of the problem:
– 10,000s of devices, 100s of types and manufacturers, …
• We need to recognize the problem beyond its pure technical scope.
Vulnerability Management
• Identify the different types of cyber vulnerabilities
• How to describe, enumerate and classify vulnerabilities
• Linking vulnerabilities in third party libraries or components to devices
• Vulnerability assessment, mitigation and sharing
• Purpose and function of the NIST vulnerability database - introduction and benefits
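The "Supply Chain / 3rd Party Vulnerabilities" slide and this Vulnerability Management outline both turn on one mechanism: a published third-party vulnerability is linked to a device through the device's bill of materials, and its actual risk then depends on the use case. The Python below is an added example, not code from the symposium, NVD or NH-ISAC, showing that linkage end to end: each BOM component is named as a CPE 2.3 string, each vulnerability record carries the elements an NVD entry carries (CVE ID, CPE match criteria with version ranges, CVSS v3 base score and Attack Vector), and a match is then rated for a specific HDO deployment. The vulnerability IDs (`CVE-0000-…`, a year that cannot exist), vendors, products and the infusion pump BOM are all constructed; the CPE 2.3 field layout and the NVD versionStartIncluding / versionEndExcluding range semantics are real.

```python
"""Link published third-party vulnerabilities to a medical device BOM.

Added example, not code from the symposium, NVD or NH-ISAC. The records, CPE
names and device below are constructed; "CVE-0000-..." IDs cannot exist and
mark them as placeholders. Real NVD entries carry the same elements (CVE ID,
CPE 2.3 match strings with version ranges, CVSS v3 base score, Attack Vector).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cpe:
    part: str      # 'a' application, 'o' operating system, 'h' hardware
    vendor: str
    product: str
    version: str   # '*' matches any version

    @classmethod
    def parse(cls, s: str) -> "Cpe":
        # cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
        f = s.split(":")
        if len(f) != 13 or f[:2] != ["cpe", "2.3"]:
            raise ValueError(f"not a CPE 2.3 string: {s}")
        return cls(f[2], f[3], f[4], f[5])


def version_key(v: str) -> tuple:
    """Order dotted versions numerically (1.10 > 1.9); non-numeric parts compare as text."""
    return tuple((int(p), "") if p.isdigit() else (-1, p) for p in v.split("."))


@dataclass(frozen=True)
class CpeMatch:
    """One NVD 'cpe_match' criterion: a CPE, optionally with a version range."""
    criteria: str
    start_incl: Optional[str] = None   # versionStartIncluding
    end_excl: Optional[str] = None     # versionEndExcluding

    def matches(self, c: Cpe) -> bool:
        m = Cpe.parse(self.criteria)
        if (m.part, m.vendor, m.product) != (c.part, c.vendor, c.product):
            return False
        if m.version != "*":
            return m.version == c.version
        k = version_key(c.version)
        if self.start_incl and k < version_key(self.start_incl):
            return False
        if self.end_excl and k >= version_key(self.end_excl):
            return False
        return True


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    cvss_base: float
    attack_vector: str              # CVSS v3 AV: N(etwork), A(djacent), L(ocal), P(hysical)
    criteria: Tuple[CpeMatch, ...]


@dataclass(frozen=True)
class Component:
    name: str
    cpe: str
    network_exposed: bool           # does this component listen on a network interface?


@dataclass(frozen=True)
class DeviceProfile:
    model: str
    on_network: bool                # HDO use case: is the device on the hospital network at all?
    components: Tuple[Component, ...]


def link_vulns(profile: DeviceProfile, feed: List[Vuln]) -> List[Dict]:
    """Match every BOM component against the feed and rate each hit for this use case.

    A network-reachable (AV:N / AV:A) vulnerability in a component that is not
    exposed in this deployment is real but not reachable: it is kept as
    "monitor" (the use case may change) instead of being dropped.
    """
    findings = []
    for comp in profile.components:
        cpe = Cpe.parse(comp.cpe)
        for v in feed:
            if not any(m.matches(cpe) for m in v.criteria):
                continue
            reachable = True
            if v.attack_vector in ("N", "A"):
                reachable = profile.on_network and comp.network_exposed
            priority = "monitor" if not reachable else ("fix" if v.cvss_base >= 7.0 else "schedule")
            findings.append({"device": profile.model, "component": comp.name, "vuln": v.vuln_id,
                             "cvss_base": v.cvss_base, "reachable_in_use_case": reachable,
                             "priority": priority})
    return sorted(findings, key=lambda f: (not f["reachable_in_use_case"], -f["cvss_base"]))


# Constructed NVD-style feed: placeholder IDs, fictitious vendors and products.
FEED = [
    Vuln("CVE-0000-0001", 9.8, "N", (CpeMatch("cpe:2.3:a:examplevendor:netstack:*:*:*:*:*:*:*:*", end_excl="2.4.1"),)),
    Vuln("CVE-0000-0002", 7.8, "L", (CpeMatch("cpe:2.3:o:exampleos:embedded_os:3.1:*:*:*:*:*:*:*"),)),
    Vuln("CVE-0000-0003", 5.3, "N", (CpeMatch("cpe:2.3:a:examplevendor:netstack:*:*:*:*:*:*:*:*", start_incl="3.0", end_excl="3.2"),)),
]

# Constructed BOM of a fictitious infusion pump, deployed in two different HDO use cases.
PUMP_BOM = (
    Component("TCP/IP stack", "cpe:2.3:a:examplevendor:netstack:2.3.9:*:*:*:*:*:*:*", network_exposed=True),
    Component("Embedded OS", "cpe:2.3:o:exampleos:embedded_os:3.1:*:*:*:*:*:*:*", network_exposed=False),
)
NETWORKED_PUMP = DeviceProfile("Example pump, ward network", on_network=True, components=PUMP_BOM)
STANDALONE_PUMP = DeviceProfile("Example pump, standalone", on_network=False, components=PUMP_BOM)

if __name__ == "__main__":
    for profile in (NETWORKED_PUMP, STANDALONE_PUMP):
        for f in link_vulns(profile, FEED):
            print(f"{f['device']}: {f['component']} {f['vuln']} CVSS {f['cvss_base']} -> {f['priority']}")
```

The same pump BOM yields a "fix" for the network stack flaw on the ward network and only a "monitor" when the pump is run standalone, which is the slide's point that the risk is use case dependent while the vulnerability itself is not. The version-aware comparison matters in practice: a naive string compare would put 2.10.0 inside the "before 2.4.1" range. What this cannot do is supply the BOM; without the manufacturer's disclosure of components and versions (the "limited knowledge of the BOM" problem), the matching step has nothing to match against.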
Medical Device Vulnerability Sharing
Stakeholders including manufacturers, healthcare delivery organizations (HDOs), independent security researchers, regulatory agencies, etc.
Benefits – Sharing of:
• reports on known vulnerabilities
• vetting and evaluation of vulnerabilities
• details of actions taken by others to mitigate vulnerabilities
• medical device cybersecurity education, best practices, mitigation strategies
NH-ISAC’s Medical Device Vulnerability Intelligence Program for Evaluation and Response (MD-VIPER)
MD-VIPER Vulnerability Report for Manufacturers
The MD-VIPER Vulnerability Report is designed to serve as an alternate reporting process to FDA’s requirements for 21 CFR Part 806 (correction & removal) reporting if cybersecurity vulnerabilities are involved.
Manufacturers are not held to 21 CFR Part 806 reporting requirements if:*
• the manufacturer is an active participant in an ISAO (such as NH-ISAC)
• the manufacturer is conducting a correction/removal to address a cybersecurity vulnerability
• the cybersecurity vulnerability in question has not led to any known serious injuries or deaths
• the manufacturer will meet the timeline criteria for communicating to its customers and then validating and distributing the deployable fix such that the residual risk is brought to an acceptable level
* based on FDA Postmarket Guidance
MD-VIPER Vulnerability Report Flow – High-Level Submission Flow
[Flow diagram; elements recovered from the slide:]
Inputs (MD-VIPER membership required): Manufacturer Vulnerability Report; 3rd Party Vulnerability Report
Processing: Review of each report, with acknowledgement to the submitter and either "ok" or a request for clarification; for third-party reports, notification to the manufacturer and manufacturer review / approval; data redaction; mitigation information
Storage: MD-VIPER DB
Outputs: Notification (ISAO Members); Notification (FDA, CERTs, ISACs)
MD-VIPER Vulnerability Report for Manufacturers
The MD-VIPER Vulnerability Report is designed to serve as an alternate reporting process to FDA’s requirements for 21 CFR Part 806 reporting if cybersecurity vulnerabilities are involved.
Questions 1-6 and 8-13 on the MD-VIPER report closely map to the questions in Part 806 reports
Question 7 on the FDA's 806 report asks for a description of the events leading to the report and any actions taken, while question 7 on the MD-VIPER report asks for details about the cybersecurity aspects of the vulnerability
Question 14 has been added to the MD-VIPER report to request that those responses to report questions containing information that could be exploited be treated as Protected Critical Infrastructure Information and therefore kept confidential
MD-VIPER Summary
• Vulnerability reporting to enable meaningful and controlled sharing
• Fulfills requirements from FDA Postmarket Guidance (Dec. 2016)
• Parallels and eliminates the need for 806 reporting if the manufacturer meets FDA conditions
• Enables efficient and trusted mitigation
• Encourages stakeholder collaboration
Questions
Speaker Contact Info
• Marty Edwards
• Steve Grimes
• Axel Wirth