RESPONDING TO CHALLENGES IN MEDICAL DEVICE SECURITY?

Tara Larson - Chief Security Architect CRHF Medtronic

10-May- 2015 HOMELAND SEASON 2, EPISODE 10 – “BROKEN HEARTS” HYPOTHESIZED PACEMAKER HACK

Challenge: Hypothesized “hack”: . Bad guy breaks into the Vice President’s home . Finds VP’s remote monitor . Provides the home monitor serial number to a remote hacker . Hacker remotely and wirelessly adjusts a pacemaker setting using monitor serial number . VP is killed instantly from ventricular fibrillation

Let’s talk about reality and then get back to this one.

2016 MEDEC Regulatory Conference DESIGN FOR SECURITY CHALLENGES . Agenda: . What is the problem?

. How do we solve the challenge? . Design for Security

. How is medical device security different for IT security?

. How are Medical Device Manufacturers Assessing product risk?

. How do Medical Device Manufacturers ensure security for product lifecycle?

2016 MEDEC Regulatory Conference MEDICAL DEVICE SECURITY PROBLEMS

.Protection of therapy systems and services including data from unauthorized modification, destruction or disclosure that can lead to patient harm or loss of customer trust. Protection controls often only present the opportunity to secure at time of manufacturing. Often the device must live inside a human body for the life of the battery.

2016 MEDEC Regulatory Conference CHALLENGES IN MEDICAL DEVICE SECURITY . Security engineering principles . IT Security practices are hard to apply to Medical Devices . Product Security risk assessment . Must be tied to safety and include business risks . Generating actionable & testable cybersecurity requirements . Security Requirements are not positive , hard to test a negative . Understanding Threat Models . Threat models must encompass Common Vulnerability and Product threats . Security risk mitigations from industry applied to medical devices . Applying lessons learned from Industrial, Financial, Government . Mapping of safety risk management terms to security risk management terms and likelihoods

2016 MEDEC Regulatory Conference IT SECURITY VS. MEDICAL DEVICE SECURITY DEVICE SECURITY IS COUPLED WITH SAFETY

2016 MEDEC Regulatory Conference DIFFERENCES IN IT AND MEDICAL DEVICE COMMON ATTRIBUTES APPLIED Security Attribute Conventional IT Medical Device Access No access without Emergency Access Credentials possible without credentials Access Management Centralized Localized to Patient Accessibility Typically accessible Intermittent accessibility and may be inaccessible Product Lifecycle Constant flow of new and Device or platform used revised products for decades Computing Resources Vast and Expandable Sometimes limited and/or power constrained Updates and Monitoring Continuous connectivity More likely to require end- and less likely to require to-end validation end-to-end validation Consequences Economic Safety

2016 MEDEC Regulatory Conference SECURITY PROCESS SECURITY AND SAFETY RISK MANAGEMENT

2016 MEDEC Regulatory Conference DESIGN FOR SECURITY PROCESS

.Phase 1-2 Project Kickoff and Start .Phase 3-4 Requirements definition and design .Phase 5- Security testing and regulatory approval .Phase 6- Post Market Security Support

2016 MEDEC Regulatory Conference COMMON RISKS/THREATS CONSIDERED

• PATIENT SAFETY • LOSS OF SENSITIVE PERSONAL DATA • LOST OR STOLEN DEVICE • RESEARCHERS AKA “HACKERS” • SOCIAL ENGINEERING • INABILITY TO REACH REMOTE MONITORING SYSTEMS • COMPROMISED FIRMWARE • INCOMPLETE OR INACCURATE DATA FROM DEVICE TO INSTRUMENT/FOLLOW SYSTEM • BATTERY DRAIN ATTEMPTS VIA COMMUNICATION PROTOCOLS HACKING • USE OF COMMERCIALLY AVAILABLE HARDWARE/SOFTWARE TO ATTEMPT TO CHANGE THERAPY SETTINGS • COMPROMISE OF COMMUNICATIONS PROTOCOL • LOSS OF PRIVATE KEY • COMPROMISE OF DATA INTEGRITY • SPECIFIC PRODUCT USE CASE THREAT SCENARIOS

2016 MEDEC Regulatory Conference SAMPLE THREAT ANALYSIS

Threat- Hackers Current Controls Overall or Security • Close range wireless Likelihood of Researcher Proximity to “sting” exploitation- device to enter into • Attacker attempts to Hazard- programmable state Implanted change therapy • Multi-Layer settings in device Inappropriate Device Encryption Security using general therapy purpose mobile • Communication Decision application • Hardware Acceptability or •Data decision to mitigate further

Asset ThreatThreat VulnerabilityHazard ControlsControl AcceptabilityRisk Event Acceptability

2016 MEDEC Regulatory Conference POST MARKET VULNERABILITY ANALYSIS

• RESPONSIBLE DISCLOSURE PROCESS COORDINATED VIA GLOBAL PRIVACY AND SECURITY OFFICE • SME EVALUATION OF DISCLOSED AND DISCOVERED VULNERABILITIES • R&D SME’S WORKING WITH REPORTING PARTIES TO UNDERSTAND AND ATTEMPT TO REPLICATE • INTERNAL TRACKING FOR OPTIMAL RESOLUTION AND TRACKING • ACTIVITIES AND OUTCOMES ARE DOCUMENTED

• COORDINATED RESPONSES TO REGULATORY BODIES AND INTERESTED PARTIES • FOLLOW UP COMMUNICATIONS IN A TIMELY MANNER

2016 MEDEC Regulatory Conference HOMELAND SEASON 2, EPISODE 10 – “BROKEN HEARTS” HYPOTHESIZED PACEMAKER HACK

How has Med Dev ensured this is highly unlikely to happen to our patients? . Secure Design Practices . Ongoing Risk Analysis . Threat Modeling Finally- . Current Med Dev pacemakers are not directly connected to the internet . Therapy settings cannot be set remotely . Therapy settings are monitored for unexpected changes . Pacemakers can’t be programmed to cause fibrillation! Tough to cause harm through programming adjustments alone.

2016 MEDEC Regulatory Conference Questions?

2016 MEDEC Regulatory Conference