WHITEPAPER

MEDICAL DEVICES: SECURITY CHALLENGES FOR HDOs AND MANUFACTURERS

RICH CURTISS | DIRECTOR, COALFIRE

INTRODUCTION This paper aims to help organizations understand the issue of security in the context of medical devices. Medical devices have not historically been included in HIPAA compliance regulations or healthcare security and risk programs, yet their capabilities make them prime targets for exploitation. Increased connectivity of medical devices has exposed them to cyber attacks that they were not designed to withstand. At stake are both patient safety and privacy, plus healthcare delivery organizations’ (HDOs) network security.

One objective for this paper is to get this issue on the radar of HDOs. We’ll also review the benefits of ‘security by design’ and the concept of embedding security into devices for medical device manufacturers as they seek market differentiation, rapid go-to-market capabilities, and security throughout the product life cycle.

SAFE VS. SECURE In the age of the digitized enterprise, the security of electronic protected health information (ePHI) is paramount on every front and endpoint. HIPAA does not regulate medical devices, but it does impose requirements on covered entities and business associates for the safeguarding of ePHI that is created, received, maintained, or transmitted. For this reason, medical devices should be included in HDOs’ HIPAA security programs, and security should be embedded in every stage of a device manufacturer’s product development lifecycle.

Beyond patient privacy, the lack of medical device security can be a patient safety issue if an attacker is able to compromise them. When medical devices become the weak link in the network, they can also become easy targets for attackers who want to use them to get access to hospital networks and launch attacks on other valuable assets.

All stakeholders should work together – HDOs, device manufacturers, and regulators – to better align and coordinate implementation guidance to create a holistic cybersecurity ecosystem. In recent years, the Food & Drug Administration (FDA) has taken a leadership role in providing guidance to manufacturers on the cybersecurity of medical devices.

NOT SCIENCE FICTION Safety can be compromised by poor security, as illustrated in dramatic fashion in 2012, when security researcher Barnaby Jack (his real name) was able to wirelessly reprogram an insulin pump to deliver a fatal dose. The same researcher also revealed the ability to remotely activate a pacemaker to deliver a fatal shock. This was a plot element on a popular TV show that led to widespread concern over the viability of the attack. More recently, there have been multiple demonstrations of hacking medical devices. In 2017, the FDA issued a recall of St. Jude pacemakers to patch security holes.

An attack on medical devices has the potential to cause patient harm in several ways. For example, a malicious actor infiltrating an infusion pump could alter the drug parameters that could result in adverse impact on the patient. The WannaCry attack in 2017 impacted several medical devices across the world limiting organizations’ ability to treat their patients and impacting patient care and safety.

Medical Devices: Security Challenges for Providers and Manufacturers | Whitepaper 2

Ransomware continued to be a threat to healthcare organizations as demonstrated by the resurgence of SamSam ransomware.

These examples demonstrate that security is no longer a ‘nice-to-have’ feature, but a necessary and indispensable part of medical device design and implementation. Device manufacturers must plan for pre-market ‘security by design’ rather than security that is bolted on later in the product lifecycle.

RISK REDUCTION EFFORTS Security risks to medical devices are being studied and evaluated by many entities from academic to governmental to industry. As healthcare is delivered outside the walls of a hospital with big data ramifications, more medical devices are connected to the network. Addressing the security challenges starts with understanding the root of the problem.

SECURITY RESEARCH There are major efforts underway to discover the relevant issues with the security of medical devices. The Archimedes Project at Ann Arbor Research Center has been uncovering security issues since 2006. These problems range from data insecurity to safety concerns. Their research has provided valuable feedback to the industry and is influencing the security design of medical devices.

In recent years, due to high visibility from ransomware attacks and coordinated efforts, more research and disclosures are happening. The number of security vulnerabilities published by ICS-CERT has increased exponentially since 2017.

FDA GUIDANCE In the 1960s, a broad movement began with the intention to regulate medical devices and culminated in the Medical Devices Regulation Act of 1976. Among many provisions, this act authorized the FDA to regulate medical devices. For devices classified to pose the highest risk to human life, pre-market approval was required to provide reasonable assurance of their safety and effectiveness.

The FDA issued a series of guidance documents regarding cybersecurity of medical devices. Their guidance for pre-market submissions published in 2014, and updated in late 2018, identifies issues manufacturers should consider in the design and development of medical devices to ensure they adequately address cybersecurity vulnerabilities. Pre-market clearance is relevant for devices that represent the highest risk to human life. This guidance particularly points out the value of documentation of risk analysis, including lifecycle recommendations.

Later, the FDA followed up with detailed guidance about the use of wireless technology in medical devices, emphasizing the use of authentication and encryption. Although no attacks are known to have occurred in the real world, the exploitable vectors discovered by researchers are directly addressed in this guidance, which is likewise aimed at pre-market submissions.

The FDA’s 2018 updates to the pre-market guidance for medical devices include recommendations based on this evolving space, including sharing of a cybersecurity bill of materials (CBOM). Meanwhile, the FDA issued guidance in October 2017 clarifying that manufacturers should release information gathered by the devices directly to patients upon request, addressing a gap in HIPAA.

The FDA's post-market cybersecurity guidance issued in December 2016 recommends that medical device manufacturers "address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device". The guidance emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their post-market management of medical devices. For most cases, actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered 'cybersecurity routine updates or patches,' for which the FDA does not require advance notification or reporting, the document notes.

In October 2018, MITRE Corporation in collaboration with the FDA launched “The Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook”, which outlines a framework for HDOs to plan for and respond to medical device cybersecurity incidents.

The College of Healthcare Information Management Executives (CHIME) suggests that manufacturers should be required to configure their devices with respect to an industry-accepted security standard – a standard that accounts for the basic principles of cybersecurity controls and alleviates risks.

They also recommend that the guidance should grant manufacturers some level of 'safe harbor' protection against regulatory enforcement, provided that they achieve third-party certification, actively participate in a centralized Information Sharing and Analysis Organization (ISAO) and develop security patches in a timely manner.

ISO AND AAMI GUIDANCE FOR MANUFACTURERS A detailed guide to risk management for the safety of medical devices is described in ISO 14971. It makes the central philosophical point: “All stakeholders need to understand that the use of a medical device entails some degree of risk.” Minimization of those inherent risks is the aim of the processes outlined. These include:

• Detailed example questions that can illuminate intended use
• Types of hazardous situations
• Sample controls that can be applied to discovered risks


AAMI subsequently released TIR57 in 2016, “Principles for medical device security – Risk management”. TIR57 blends security and safety risk management by showing how to apply the principles presented in ANSI/AAMI/ISO 14971, Medical devices – Application of risk management to medical devices, to security threats that could impact the confidentiality, integrity, and/or availability of a medical device or information processed by the device. It lists a six-step process for medical device security risk management:

• Security risk analysis
• Security risk evaluation
• Security risk control
• Evaluation of overall residual security risk acceptability
• Security risk management report
• Production and postproduction information

HELP FROM THE INDUSTRY Manufacturers have responded by issuing Manufacturer Disclosure Statements for Medical Device Security (MDS2). The forms were originally developed by HIMSS and later standardized with the National Electrical Manufacturers Association (NEMA). A difficult issue for IT professionals has been that medical devices have full computing power but don’t fit into the usual taxonomy of IT devices. Further, information about the operation of a device is often proprietary, obscuring important details useful to IT personnel attempting to proactively manage risk.

The MDS2 provides manufacturers a structured way to disclose risk information without exposing sensitive intellectual property. It contains information about:

• The way the device uses ePHI and how that ePHI is protected
• Ways the device can be configured for access control (both logical and physical)
• Device options for hardening (including anti-malware)
• Networking details
• Backup and recovery
• Guidance about device lifecycle

The MDS2 is an essential data source for the risk management process. A later update to the MDS2 standard form has increased the structured information on the form, making it even more useful and better aligned with IEC 80001 (the ISO standard for risk management of networked medical devices). Industry is working on a revision of the MDS2 form to address recent developments in medical device cybersecurity and FDA guidance.

In the next section, we bring together these sources of information and show how an organization could apply them to their situation.


GUIDANCE FROM THE FTC In 2015, the Federal Trade Commission (FTC) released a staff report entitled Internet of Things: Privacy & Security in a Connected World, which recommended that Internet of Things (IoT) devices, including medical devices, need to maintain a high security posture. The following recommendations came from the FTC report:

1. Manufacturers should build security into their devices at the outset, rather than as an afterthought. As part of the security by design process, they should consider:

✓ Conducting a privacy or security risk assessment
✓ Minimizing the data they collect and retain
✓ Testing their security measures before launching products

2. Organizations should train employees about good security and ensure that security issues are addressed at the appropriate level of responsibility within the organization.

3. Organizations should retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers.

4. When organizations identify significant risks within their systems, they should implement a defense-in-depth approach, in which they consider implementing security measures at several levels.

5. Organizations should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network.

6. Organizations should continue to monitor products throughout the lifecycle and, to the extent feasible, patch known vulnerabilities.

When thinking of cybersecurity and data privacy, we tend to think about authentication, authorization, and encryption. But for safety-critical devices, things are more difficult and additional things must be considered:

Asset Inventory: Is the device discoverable, and can it associate itself with standard IT inventory systems so that revision management, software updates, and monitoring can be automated?

Cyber Insurance: Does the device have enough security documentation to allow it to be insured by standard cyber insurance providers?

Patching: How is the firmware, operating system (OS), or application going to be patched by IT, HTM, or clinical engineering staff within HDOs (or in the home, for remote devices)?

Internal Threats: Has the device been designed to circumvent insider (hospital staff, network participants, etc.) threats?

External Threats: Has the device been designed to lock it down from external threats?

Embedded OS Security: Is the device sufficiently hardened at the operating system level, such that no extraneous software components, which increase the attack surface, are present?

Firmware and Hardware Security: Are the firmware and hardware components sourced from reputable suppliers and free of state-sponsored spying?

Application Security: Is the Security Development Lifecycle (SDL), or similar software security assurance process, integrated into the engineering process?

Network Security: Have all network protocols not in use by the device been turned off so they are not broadcasting?

Data Privacy: What data segmentation, logging, and auditing is being done to ensure appropriate data privacy?

HIPAA Compliance: Have proper steps been followed to ensure Health Insurance Portability and Accountability Act (HIPAA) compliance?

FISMA Compliance: If products are sold to the federal government, have proper steps, such as use of Federal Information Processing Standard (FIPS) certified encryption, been followed to ensure Federal Information Security Management Act (FISMA) compliance?

Data Loss Prevention (DLP): Is there monitoring in place to ensure data leakage outside of the device doesn’t occur?

Vulnerabilities: Have common vulnerabilities such as the Open Web Application Security Project (OWASP) Top 10 been reviewed?

Data Sharing: Are proper data sharing agreements in place to allow sharing of data across devices and networks?

Password Management: Are passwords hardcoded into the device or made configurable?

Configuration Protection: Are configuration files properly protected against malicious changes?

Cybersecurity is an emergent property of a system and not a feature or function that you can add later, as confirmed by FDA guidance and the FTC report.

HDOs: RISK MANAGEMENT HDOs should approach the issue of medical device security from a risk management perspective. Backed by guidance on best practices and detailed data for each medical device, organizations can effectively pursue a risk management methodology such as NIST 800-30. One simplified outline of the steps in 800-30 would be:

1. Inventory and characterization of systems
2. Threat identification
3. Vulnerability assessment
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Recommended risk controls

Here we can see the usefulness of the efforts described previously. The MDS2 forms can serve as metadata for an inventory of medical devices. Threats and vulnerabilities are analyzed and publicized. These reports help determine which controls will be most effective for which threats. The FDA is laying the groundwork for enhanced security expectations.

Organizations can use standard risk management techniques when backed by such robust information. With an understanding of the organization’s risk appetite, appropriate controls can be implemented and evaluated.
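The following is an added example (not from this paper or from Coalfire) of the simplified NIST 800-30 walk-through above, using MDS2-style disclosure attributes as inventory metadata. The device names, attribute values and scoring weights are constructed assumptions, not real products or real MDS2 forms.

```python
from dataclasses import dataclass

# Constructed MDS2-style attributes for a sample device (assumed, not a real form).
@dataclass(frozen=True)
class Device:
    name: str
    stores_ephi: bool            # MDS2: device stores or transmits ePHI
    os_supported: bool           # vendor still patches the embedded OS
    hardcoded_passwords: bool    # MDS2: credentials cannot be changed by the HDO
    anti_malware: bool           # MDS2 hardening option in place
    unused_protocols_open: bool  # services the device does not need still listen
    network_segmented: bool      # HDO compensating control already applied
    delivers_therapy: bool       # e.g. infusion pump: a safety, not only privacy, issue

# Steps 2-3: vulnerability findings derived from disclosure attributes, each paired
# with the recommended control (step 7) that addresses it.
FINDINGS = {
    "hardcoded_passwords": ("hardcoded credentials",
                            "require configurable credentials; restrict access at the network edge"),
    "os_unsupported": ("unsupported operating system",
                       "vendor upgrade or replacement plan; isolate until then"),
    "no_anti_malware": ("no anti-malware hardening",
                        "enable the vendor hardening option or host-level allow-listing"),
    "unused_protocols_open": ("unneeded network services exposed",
                              "disable unused protocols per the MDS2 networking section"),
}

def findings(d: Device) -> list[str]:
    checks = [("hardcoded_passwords", d.hardcoded_passwords),
              ("os_unsupported", not d.os_supported),
              ("no_anti_malware", not d.anti_malware),
              ("unused_protocols_open", d.unused_protocols_open)]
    return [key for key, hit in checks if hit]

def likelihood(d: Device) -> int:
    """Step 5 (1 low, 2 moderate, 3 high): each finding raises likelihood;
    step 4 control analysis credits existing network segmentation."""
    score = 1 + len(findings(d)) - (1 if d.network_segmented else 0)
    return max(1, min(3, score))

def impact(d: Device) -> int:
    """Step 6: patient safety outweighs ePHI privacy, which outweighs availability alone."""
    return 3 if d.delivers_therapy else 2 if d.stores_ephi else 1

def assess(inventory: list[Device]) -> list[dict]:
    """Steps 1-7: build the risk register and sort it highest risk first."""
    register = []
    for d in inventory:
        keys = findings(d)
        register.append({"device": d.name, "likelihood": likelihood(d), "impact": impact(d),
                         "risk": likelihood(d) * impact(d),
                         "findings": [FINDINGS[k][0] for k in keys],
                         "controls": [FINDINGS[k][1] for k in keys]})
    return sorted(register, key=lambda r: r["risk"], reverse=True)

# Step 1: constructed sample inventory (values are assumptions).
INVENTORY = [
    Device("infusion pump (legacy)", True, False, True, False, True, False, True),
    Device("patient monitor", True, True, False, True, False, True, False),
    Device("lab analyzer", False, True, False, True, True, True, False),
]

if __name__ == "__main__":
    for row in assess(INVENTORY):
        print(f"{row['risk']:>2}  {row['device']}: {', '.join(row['findings']) or 'no findings'}")
```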

There’s another issue for HDOs to consider. It could take many years before they are no longer using legacy medical devices running software that is no longer supported by vendors. But there are critical steps they can take to minimize the security risks posed by those legacy devices. There are supply chains of medical devices that are five or 10 years in the making, which didn't have the kind of security requirements expected for connected devices.

HDOs across the U.S. are using legacy medical devices that were not only designed without security as a priority but are also running legacy software and operating systems that are no longer supported by vendors, which creates security and safety risks. To address these and other security challenges related to legacy medical devices, there are several important steps recommended in guidance issued by the National Institute of Standards and Technology.

One step includes enumerating risk – gaining visibility into device inventory and their attributes can be an eye-opening exercise for most HDOs. Implement security controls that align with specific risks and continuously measure the effectiveness of those controls. HDOs must also consider how ransomware can potentially threaten medical devices and consider the security and privacy risk posed by cloud services and other third-party vendors.

COALFIRE’S EXPERIENCE Coalfire helps organizations proactively manage security risk associated with medical devices. Our services help to navigate the landscape more effectively and efficiently.

RISK ANALYSIS AND METHODOLOGY Following the methodology outlined previously, Coalfire developed a security risk management program that encompasses cybersecurity risk management throughout the lifecycle of the medical device. This methodology integrates data from device MDS2 forms and the HDO environment to help prioritize risk remediation efforts. Performing a detailed risk analysis and developing a clinical engineering risk management program is an important first step in securing medical devices.

STRATEGIC AND TACTICAL ADVICE The rapid growth of threats coupled with the slower pace of improved medical device security means that a stable ecosystem is years away. Coalfire advises organizations at all levels of program maturity. Sectors such as financial services and government had a head start in dealing with embedded systems security, and their efforts offer valuable lessons.

First, the focus must be on identifying existing risk while laying a foundation for improvement. More mature programs scale forward by expanding the scope of pilot programs, continuously evaluating risk, and holding device manufacturers responsible throughout the procurement process. Many HDOs now include security addendums to procurement contracts with manufacturers.

DEVICE MANUFACTURERS’ UNIQUE NEEDS Coalfire offers device manufacturers services to help build in security at all phases of the product development lifecycle. Pre-market technical testing can identify vulnerabilities and provide results that help to mature an organization’s overall security risk management program. Understanding the cybersecurity readiness of products and determining areas for improvement are important first steps in building a strong cybersecurity posture that can be used as a competitive differentiator for increased revenue.

CONCLUSION Although there is no timeline for when medical device security will mature to match the level of general IT, important steps are being taken. A coalition of academic, government, and industry experts is building the case for government and industry security mandates. In the meantime, these efforts can inform effective risk management programs for proactive HDOs.

For device manufacturers, security is getting prioritized in the development lifecycle. Security and data privacy should be elevated by product management to market driver and competitive differentiator status. Instead of using a checklist approach to security, manufacturers should consider how major device functions and capabilities enhance the device’s security posture or reduce the risk of data privacy breaches. Progressive and innovative product design professionals that embed privacy, security, and safety into their products will build trust with customers.

ABOUT COALFIRE Coalfire is the trusted cybersecurity advisor that helps private and public sector organizations avert threats, close gaps, and effectively manage risk. By providing independent and tailored advice, assessments, technical testing, and cyber engineering services, we help clients develop scalable programs that improve their security posture, achieve their business objectives, and fuel their continued success. Coalfire has been a cybersecurity thought leader for nearly 20 years and has offices throughout the United States and Europe. For more information, visit Coalfire.com.

Copyright © 2020 Coalfire. All rights reserved. WP_MedDev-Challenges_020720
