DOCSLIB.ORG

Medical Device Cyber Security – Best Practice Guide

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Medical Device Cyber Security – Best Practice Guide Integrating the Healthcare Enterprise 5 IHE Patient Care Device (PCD) White Paper 10 Medical Equipment Management (MEM): Medical Device Cyber Security – Best Practice Guide 15 Published Revision 1.1 20 Date: October 14, 2015 Author: IHE PCD Technical Committee Email: [email protected] 25 Please verify you have the most recent version of this document. See here for Published versions and here for Public Comment versions. Copyright © 2015: IHE International, Inc. IHE Patient Care Device White Paper – MEM Medical Device Cyber Security-Best Practice Guide ______________________________________________________________________________ Foreword This white paper is published on October 14, 2015. Comments are invited and can be submitted at http://www.ihe.net/PCD_Public_Comments/. 30 General information about IHE can be found at: www.ihe.net. Information about the IHE Patient Care Device domain can be found at: ihe.net/IHE_Domains. Information about the organization of IHE Technical Frameworks and Supplements and the process used to create them can be found at: http://ihe.net/IHE_Process and 35 http://ihe.net/Profiles. The current version of the IHE Patient Care Device Technical Framework can be found at: http://www.ihe.net/Technical_Frameworks. ______________________________________________________________________________ 2 Rev. 1.1 – 2015-10-14 Copyright © 2015: IHE International, Inc. IHE Patient Care Device White Paper – MEM Medical Device Cyber Security-Best Practice Guide ______________________________________________________________________________ CONTENTS 40 1 Introduction & Background ....................................................................................................... 6 1.1 Acknowledgement .............................................................................................................. 7 2 Objective .................................................................................................................................... 8 3 Stakeholder Roles and Contributions ......................................................................................... 9 45 4 Cybersecurity Introduction....................................................................................................... 11 4.1 Basic Cyber-Security Considerations ............................................................................... 12 4.2 Risk Classification and Assessment.................................................................................. 14 5 Generic Device Architecture .................................................................................................... 16 6 General Security and Vulnerability Considerations ................................................................. 23 50 6.1 Targeted Attack ................................................................................................................. 23 6.2 Unintentional Exploitation ................................................................................................ 23 7 Vulnerability Management and Security Best Practices .......................................................... 25 7.1 Specific Security Topics ................................................................................................... 28 7.1.1 Defense-in-depth ........................................................................................................ 28 55 7.1.2 Zero Day Attacks ....................................................................................................... 29 7.2 COTS Vulnerabilities........................................................................................................ 30 7.2.1 Use of COTS .............................................................................................................. 30 7.2.2 Unsupported COTS, Lack of Security Updates and Patches ..................................... 31 7.2.3 Software Patching ...................................................................................................... 31 60 7.2.4 System Hardening ...................................................................................................... 33 7.2.5 Lack of Malware Protection / Security Technology .................................................. 34 7.2.6 Host Intrusion Detection and Prevention ................................................................... 35 7.3 Application Vulnerabilities ............................................................................................... 36 7.3.1 Insecure Coding Practices .......................................................................................... 38 65 7.3.2 Examples of Best Practices for Secure Coding ......................................................... 39 7.3.3 Application Deployment ............................................................................................ 40 7.4 Password / Authentication Vulnerabilities ........................................................................ 41 7.4.1 Hard-Coded Passwords .............................................................................................. 42 7.4.2 Factory Default Passwords ........................................................................................ 43 70 7.4.3 Password Policy Management ................................................................................... 43 7.4.4 Strong Authentication ................................................................................................ 46 7.4.5 Password Protection ................................................................................................... 48 7.5 Administrative Rights Management ................................................................................. 48 7.5.1 Account Rights Management .................................................................................... 48 75 7.6 Information Vulnerabilities ............................................................................................... 49 7.7 IT Network Infrastructure Vulnerabilities ........................................................................ 51 7.7.1 Hospital IT Networks and Supporting Infrastructure ................................................ 52 7.7.2 Vulnerabilities of IT Components ............................................................................. 53 7.7.3 Wireless Network Considerations ............................................................................. 54 80 7.8 Workflow and Process Vulnerabilities ............................................................................. 55 7.8.1 General Cybersecurity Best Practices and Procedures .............................................. 55 7.8.2 Training and Education .............................................................................................. 56 7.8.3 Supply Chain Management........................................................................................ 56 ______________________________________________________________________________ 3 Rev. 1.1 – 2015-10-14 Copyright © 2015: IHE International, Inc. IHE Patient Care Device White Paper – MEM Medical Device Cyber Security-Best Practice Guide ______________________________________________________________________________ 7.8.4 Medical Device Specific Risk Analysis .................................................................... 57 85 7.8.5 Responsibility Management ...................................................................................... 58 7.8.6 Security Management ................................................................................................ 59 7.8.7 Use of Portable Media ............................................................................................... 59 8 Configuration Management ..................................................................................................... 61 8.1 Planning Tasks and Resources Required .......................................................................... 61 90 8.1.1 Procedures Written Down and Kept Updated ........................................................... 61 8.1.2 Change Management Documents .............................................................................. 62 8.1.3 Coordination and Collaboration with Existing Systems ............................................ 62 8.2 Configuration Management in the Equipment Lifecycle: Examples ................................ 63 8.2.1 New, Loaned or Leased Device ................................................................................. 63 95 8.2.2 Sample Worksheet Contents ...................................................................................... 63 8.2.2.1 Change Management Initial Inputs .................................................................... 64 8.2.2.2 Network/Subnetwork Association ...................................................................... 64 8.2.2.3 Required Configuration Changes in Associated Systems (e.g., Manager Systems for Multiple Devices) ......................................................................................... 64 100 8.2.3 Preparation or Off-site Servicing ............................................................................... 65 8.2.3.1 Removal of ePHI and other Confidential Material ............................................. 65 8.2.3.2 Save Configuration for Later Restoration .......................................................... 65 8.2.4 Equipment Returns from Off-site Servicing .............................................................
Load more

Recommended publications
  • Learn Python the Hard Way
    ptg11539604 LEARN PYTHON THE HARD WAY Third Edition ptg11539604 Zed Shaw’s Hard Way Series Visit informit.com/hardway for a complete list of available publications. ed Shaw’s Hard Way Series emphasizes instruction and making things as ptg11539604 Zthe best way to get started in many computer science topics. Each book in the series is designed around short, understandable exercises that take you through a course of instruction that creates working software. All exercises are thoroughly tested to verify they work with real students, thus increasing your chance of success. The accompanying video walks you through the code in each exercise. Zed adds a bit of humor and inside jokes to make you laugh while you’re learning. Make sure to connect with us! informit.com/socialconnect LEARN PYTHON THE HARD WAY A Very Simple Introduction to the Terrifyingly Beautiful World of Computers and Code Third Edition ptg11539604 Zed A. Shaw Upper Saddle River, NJ • Boston • Indianapolis • San Francisco New York • Toronto • Montreal • London • Munich • Paris • Madrid Capetown • Sydney • Tokyo • Singapore • Mexico City Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals. The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.
    [Show full text]
  • Senior Data Engineer Cala Health, Inc
    875 Mahler Road, Ste. 168 Burlingame, CA, 94010 +1 415-890-3961 www.calahealth.com Job Description: Senior Data Engineer Cala Health, Inc. About Cala Health Cala Health is a bioelectronic medicine company transforming the standard of care for chronic disease. The company's wearable neuromodulation therapies merge innovations in neuroscience and technology to deliver individualized peripheral nerve stimulation. Cala Health’s lead product, Cala Trio™, is the only non-invasive prescription therapy for essential tremor and is now available through a unique digital business model of direct- to-patient solutions. New therapies are under development in neurology, cardiology, and psychiatry. The company is headquartered in the San Francisco Bay Area and backed by leading investors in both healthcare and technology. For more information, visit CalaHealth.com. The Opportunity We are looking for a Senior Data Engineer to expedite our Data Platform Stack to support our growth and also enable new product development in a dynamic, fast-paced startup environment. Specific Responsibilities also include ● Key stakeholder in influencing the roadmap of Cala’s Digital Therapeutics Data Platform. ● Build, operate and maintain highly scalable and reliable data pipelines to enable data collection from Cala wearables, partner systems, EMR systems and 3rd party clinical sources. ● Enable analysis and generation of insights from structured and unstructured data. ● Build Datawarehouse solutions that provide end-to-end management and traceability of patient longitudinal data, enable and optimize internal processes and product features. ● Implement processes and systems to monitor data quality, ensuring production data is always accurate and available for key stakeholders and business processes that depend on it.
    [Show full text]
  • Digital Rights Management and the Process of Fair Use Timothy K
    University of Cincinnati College of Law University of Cincinnati College of Law Scholarship and Publications Faculty Articles and Other Publications Faculty Scholarship 1-1-2006 Digital Rights Management and the Process of Fair Use Timothy K. Armstrong University of Cincinnati College of Law Follow this and additional works at: http://scholarship.law.uc.edu/fac_pubs Part of the Intellectual Property Commons Recommended Citation Armstrong, Timothy K., "Digital Rights Management and the Process of Fair Use" (2006). Faculty Articles and Other Publications. Paper 146. http://scholarship.law.uc.edu/fac_pubs/146 This Article is brought to you for free and open access by the Faculty Scholarship at University of Cincinnati College of Law Scholarship and Publications. It has been accepted for inclusion in Faculty Articles and Other Publications by an authorized administrator of University of Cincinnati College of Law Scholarship and Publications. For more information, please contact [email protected]. Harvard Journal ofLaw & Technology Volume 20, Number 1 Fall 2006 DIGITAL RIGHTS MANAGEMENT AND THE PROCESS OF FAIR USE Timothy K. Armstrong* TABLE OF CONTENTS I. INTRODUCTION: LEGAL AND TECHNOLOGICAL PROTECTIONS FOR FAIR USE OF COPYRIGHTED WORKS ........................................ 50 II. COPYRIGHT LAW AND/OR DIGITAL RIGHTS MANAGEMENT .......... 56 A. Traditional Copyright: The Normative Baseline ........................ 56 B. Contemporary Copyright: DRM as a "Speedbump" to Slow Mass Infringement ..........................................................
    [Show full text]
  • Software Assurance
    Information Assurance State-of-the-Art Report Technology Analysis Center (IATAC) SOAR (SOAR) July 31, 2007 Data and Analysis Center for Software (DACS) Joint endeavor by IATAC with DACS Software Security Assurance Distribution Statement A E X C E E C L I L V E R N E Approved for public release; C S E I N N I IO DoD Data & Analysis Center for Software NF OR MAT distribution is unlimited. Information Assurance Technology Analysis Center (IATAC) Data and Analysis Center for Software (DACS) Joint endeavor by IATAC with DACS Software Security Assurance State-of-the-Art Report (SOAR) July 31, 2007 IATAC Authors: Karen Mercedes Goertzel Theodore Winograd Holly Lynne McKinley Lyndon Oh Michael Colon DACS Authors: Thomas McGibbon Elaine Fedchak Robert Vienneau Coordinating Editor: Karen Mercedes Goertzel Copy Editors: Margo Goldman Linda Billard Carolyn Quinn Creative Directors: Christina P. McNemar K. Ahnie Jenkins Art Director, Cover, and Book Design: Don Rowe Production: Brad Whitford Illustrations: Dustin Hurt Brad Whitford About the Authors Karen Mercedes Goertzel Information Assurance Technology Analysis Center (IATAC) Karen Mercedes Goertzel is a subject matter expert in software security assurance and information assurance, particularly multilevel secure systems and cross-domain information sharing. She supports the Department of Homeland Security Software Assurance Program and the National Security Agency’s Center for Assured Software, and was lead technologist for 3 years on the Defense Information Systems Agency (DISA) Application Security Program. Ms. Goertzel is currently lead author of a report on the state-of-the-art in software security assurance, and has also led in the creation of state-of-the-art reports for the Department of Defense (DoD) on information assurance and computer network defense technologies and research.
    [Show full text]
  • 100% Pure Java Cookbook Use of Native Code
    100% Pure Java Cookbook Guidelines for achieving the 100% Pure Java Standard Revision 4.0 Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, California 94303 USA Copyrights 2000 Sun Microsystems, Inc. All rights reserved. 901 San Antonio Road, Palo Alto, California 94043, U.S.A. This product and related documentation are protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Restricted Rights Legend Use, duplication, or disclosure by the United States Government is subject to the restrictions set forth in DFARS 252.227-7013 (c)(1)(ii) and FAR 52.227-19. The product described in this manual may be protected by one or more U.S. patents, foreign patents, or pending applications. Trademarks Sun, the Sun logo, Sun Microsystems, Java, Java Compatible, 100% Pure Java, JavaStar, JavaPureCheck, JavaBeans, Java 2D, Solaris,Write Once, Run Anywhere, JDK, Java Development Kit Standard Edition, JDBC, JavaSpin, HotJava, The Network Is The Computer, and JavaStation are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and certain other countries. UNIX is a registered trademark in the United States and other countries, exclusively licensed through X/Open Company, Ltd. All other product names mentioned herein are the trademarks of their respective owners. Netscape and Netscape Navigator are trademarks of Netscape Communications Corporation in the United States and other countries. THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
    [Show full text]
  • Mdcg 2019-16
    Medical Device Medical Device Coordination Group Document MDCG 2019-16 MDCG 2019-16 Guidance on Cybersecurity for medical devices December 2019 This document has been endorsed by the Medical Device Coordination Group (MDCG) established by Article 103 of Regulation (EU) 2017/745. The MDCG is composed of representatives of all Member States and it is chaired by a representative of the European Commission.The document is not a European Commission document and it cannot be regarded as reflecting the official position of the European Commission. Any views expressed in this document are not legally binding and only the Court of Justice of the European Union can give binding interpretations of Union law. Page 1 of 46 Medical Device Medical Device Coordination Group Document MDCG 2019-16 Table of Contents 1. Introduction ........................................................................................................................................ 4 1.1. Background ............................................................................................................................. 4 1.2. Objectives ............................................................................................................................... 4 1.3. Cybersecurity Requirements included in Annex I of the Medical Devices Regulations ........ 4 1.4. Other Cybersecurity Requirements ......................................................................................... 6 1.5. Abbreviations .........................................................................................................................
    [Show full text]
  • C Programming Tutorial
    C Programming Tutorial C PROGRAMMING TUTORIAL Simply Easy Learning by tutorialspoint.com tutorialspoint.com i COPYRIGHT & DISCLAIMER NOTICE All the content and graphics on this tutorial are the property of tutorialspoint.com. Any content from tutorialspoint.com or this tutorial may not be redistributed or reproduced in any way, shape, or form without the written permission of tutorialspoint.com. Failure to do so is a violation of copyright laws. This tutorial may contain inaccuracies or errors and tutorialspoint provides no guarantee regarding the accuracy of the site or its contents including this tutorial. If you discover that the tutorialspoint.com site or this tutorial content contains some errors, please contact us at [email protected] ii Table of Contents C Language Overview .............................................................. 1 Facts about C ............................................................................................... 1 Why to use C ? ............................................................................................. 2 C Programs .................................................................................................. 2 C Environment Setup ............................................................... 3 Text Editor ................................................................................................... 3 The C Compiler ............................................................................................ 3 Installation on Unix/Linux ............................................................................
    [Show full text]
  • BSI Medical Devices: Webinar Q&A
    ISO 14971:2019 Risk Management for Medical Devices: Webinar Q&A November 2019 BSI Medical Devices: Webinar Q&A ISO 14971:2019 Risk Management for Medical Devices 13 November 2019 Page 1 of 10 ISO 14971:2019 Risk Management for Medical Devices: Webinar Q&A November 2019 Q&A Q. Should EN ISO 14971:2012 be used to demonstrate continued compliance to the ERs or GSPRs or use the 2019 revision of the standard? A. A manufacturer must demonstrate compliance to the applicable legislation. Harmonization of a standard allows for a presumption of conformity to the applicable legislation where the standard is applied and the manufacturer considers the Qualifying remarks/Notes in Annex Z. Additional clarification has been made available from the European Commission, whereby it is now considered that the recent editions of standards published by standardizers reflect the state of the art, regardless of its referencing in the OJEU and therefore the ISO 14971:2019 version represents the state of the art for the Medical Device Directives and Regulation. This update is welcomed as it provides clarity for industry and ensures manufacturers need only to comply with a single version of a standard. It is anticipated the 2019 revision will be harmonized to the Regulations. Q. From the Date of Application of the MDR and IVDR will the technical documentation for existing Directive certificates be required to be updated to the 2019 revision of the standard, considering the transitional provisions of MDR Article 120 and IVDR Article 110? A. A manufacturer must demonstrate compliance to the applicable legislation.
    [Show full text]
  • A Reference Architecture for Secure Medical Devices Steven Harp, Todd Carpenter, and John Hatcliff
    FEATURE © Copyright AAMI 2018. Single user license only. Copying, networking, and distribution prohibited. A Reference Architecture for Secure Medical Devices Steven Harp, Todd Carpenter, and John Hatcliff Abstract and users cannot assume that medical Steven Harp, is a distinguished We propose a reference architecture aimed at devices will operate in a benign security engineer at Adventium Labs in supporting the safety and security of medical environment. Any device that is capable of Minneapolis, MN. Email: steven. devices. The ISOSCELES (Intrinsically connecting to a network or physically [email protected] Secure, Open, and Safe Cyber-Physically exposes any sort of data port is potentially at Enabled, Life-Critical Essential Services) risk. How should we think about and Todd Carpenter, is chief engineer architecture is justified by a collection of design manage risk in this context? at Adventium Labs in Minneapolis, principles that leverage recent advances in This question has been explored exten- MN. Email: todd.carpenter@ software component isolation based on sively.3,4 Special publications from the adventiumlabs.com hypervisor and other separation technologies. National Institute of Standards and Technol- The instantiation of the architecture for ogy (e.g., 800-39) provide a conceptual risk John Hatcliff, PhD, is a particular medical devices is supported by a management framework.5,6 AAMI TIR577 distinguished professor at Kansas development process based on Architecture describes how security risk management State University in Manhattan, KS. Analysis and Design Language. The architec- can be integrated with safety risk manage- Email: [email protected] ture models support safety and security ment (e.g., as addressed in ISO 14971 and analysis as part of a broader risk management specifically for medical devices in IEC framework.
    [Show full text]
  • FI-STAR Deliverable D1.1 Has Already Discussed Legal Requirements Related to Data Security Breach Notifications
    Ref. Ares(2014)706091 - 13/03/2014 Deliverable D2.1 Standardisation and Certification requirements Editor: Franck Le Gall, easy global markets Deliverable nature: Report (R) Dissemination level: Public (PU) (Confidentiality) Contractual delivery Dec. 2013 date: Actual delivery date: Jan. 2014 Suggested readers: Version: 1.1 Total number of 74 pages: Keywords: Standardisation, certification Abstract This document details the technical requirements resulting from existing standards and prepares future certification process. FI-STAR FP7-ICT-604691 D1.2 Standardisation and Certification requirements Disclaimer This document contains material, which is the copyright of certain FI-STAR consortium parties, and may not be reproduced or copied without permission. All FI-STAR consortium parties have agreed to full publication of this document. The commercial use of any information contained in this document may require a license from the proprietor of that information. Neither the FI-STAR consortium as a whole, nor a certain part of the FI-STAR consortium, warrant that the information contained in this document is capable of use, nor that use of the information is free from risk, accepting no liability for loss or damage suffered by any person using this information. This project has received funding from the European Union’s Seventh Framework Programme for research, technological development and demonstration under grant agreement no 604691. Impressum [Full project title] Future Internet Social and Technological Alignment Research [Short project
    [Show full text]
  • Postmarket Management of Cybersecurity in Medical Devices
    Contains Nonbinding Recommendations Postmarket Management of Cybersecurity in Medical Devices Guidance for Industry and Food and Drug Administration Staff Document issued on December 28, 2016. The draft of this document was issued on January 22, 2016. For questions regarding this document, contact Suzanne Schwartz, Center for Devices and Radiological Health, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 66, rm. 5434, Silver Spring, MD 20993-0002, 301-796-6937. For questions regarding this document as applied to devices regulated by CBER, contact the Office of Communication, Outreach and Development in CBER at 1-800-835-4709 or 240-402-8010 or [email protected]. U.S. Department of Health and Human Services Food and Drug Administration Center for Devices and Radiological Health Office of the Center Director Center for Biologics Evaluation and Research Contains Nonbinding Recommendations Preface Public Comment You may submit electronic comments and suggestions at any time for Agency consideration to http://www.regulations.gov . Submit written comments to the Division of Dockets Management, Food and Drug Administration, 5630 Fishers Lane, Room 1061, (HFA-305), Rockville, MD 20852. Identify all comments with the docket number FDA-2015-D-5105. Comments may not be acted upon by the Agency until the document is next revised or updated. Additional Copies CDRH Additional copies are available from the Internet. You may also send an e-mail request to [email protected] to receive an electronic copy of the guidance. Please use the document number 1400044 to identify the guidance you are requesting. CBER Additional copies are available from the Center for Biologics Evaluation and Research (CBER), by written request, Office of Communication, Outreach, and Development (OCOD), 10903 New Hampshire Ave., Bldg.
    [Show full text]
  • 510(K) for a Software Change to An
    Contains Nonbinding Recommendations Draft – Not for Implementation 1 Deciding When to Submit a 2 510(k) for a Software Change to an 3 Existing Device 4 ______________________________________________________________________________ 5 Draft Guidance for Industry and 6 Food and Drug Administration Staff 7 8 DRAFT GUIDANCE 9 This draft guidance document is being distributed for comment purposes only. 10 11 Document issued on August 8, 2016. 12 13 You should submit comments and suggestions regarding this draft document within 90 days of 14 publication in the Federal Register of the notice announcing the availability of the draft 15 guidance. Submit electronic comments to http://www.regulations.gov. Submit written 16 comments to the Division of Dockets Management (HFA-305), Food and Drug Administration, 17 5630 Fishers Lane, rm. 1061, Rockville, MD 20852. Identify all comments with the docket 18 number listed in the notice of availability that publishes in the Federal Register. 19 20 For questions about this document, contact (CDRH) Linda Ricci, Office of Device Evaluation, 21 301-796-6325, [email protected]. 22 23 For questions about this document regarding CBER-regulated devices, contact the Office of 24 Communication, Outreach and Development (OCOD), by calling 1-800-835-4709 or 240-402- 25 8010. 26 27 28 29 U.S. Department of Health and Human Services 30 Food and Drug Administration 31 Center for Devices and Radiological Health 32 Center for Biologics Evaluation and Research 33 1 Contains Nonbinding Recommendations Draft – Not for Implementation 34 Preface 35 36 Additional Copies 37 38 CDRH 39 Additional copies are available from the Internet.
    [Show full text]