Securing Complex Cyber-Physical Medical Device Landscapes
Total Page:16
File Type:pdf, Size:1020Kb
April 2018 Volume 16 Issue 4 The Dangers in Perpetuating a Culture of Risk Acceptance Using PKI to Build a Secure Industrial Internet of Things The Two Faces of Innovation: From Safe and Dumb to Vulnerable Smart Products and Infrastructure Cyber-Physical Intelligence Securing Complex Cyber-Physical Medical Device Landscapes INTERNET OF THINGS DEVELOPING AND CONNECTING ISSA CYBERSECURITY LEADERS GLOBALLY Securing Complex Cyber-Physical Medical Device Landscapes By Ulrich Lang The author presents innovative approaches to cybersecurity that should be considered to securely integrate medical device landscapes (and many other IoT environments) in the coming years as IoT rapidly matures. Abstract comparison, in 2015 there were approximately 4.9 million things connected to the Internet). In this article we will present innovative approaches to cy- bersecurity that should be considered to securely integrate Importantly, IoT will also play a major role in achieving medical device landscapes (and many other IoT environ- “smart health care” to improve patient care/experience, effi- ments) in the coming years as IoT rapidly matures. The ar- ciency, and outcomes. Hospitals already use many medical ticle is based on the results of several government-funded devices today (e.g., numerous monitoring and pump devic- R&D projects, in particular a research project to secure a es, etc.) though mostly not in a very interconnected fashion. cyber-physical medical environment (for Defense Health Presently, in most cases, there is a human (e.g., nurse) in the Program, DHP), and a research project to automate access loop to ensure safety because the devices in use have not control policy testing (for National Institute of Standards been designed with the security in mind that is required for and Technology, NIST). autonomous operation (e.g., monitoring). According to the latest research, US Department of Health plans to (eventu- ally) save up to USD 300 billion from the national budget he Internet of Things (IoT) is the network of phys- due to medical innovations [3]. ical devices, vehicles, home appliances, and other Such future medical device landscapes pose many cyberse- items embedded with electronics, software, sensors, curity and privacy challenges because most of these are “cy- Tactuators, and connectivity that enables these objects to ber-physical” systems where cybersecurity breaches (and connect and exchange data [1]. The IoT is going to be trans- other failures) could directly impact the physical safety of formational—significantly impacting most industries and patients. parts of society. Experts estimate that the IoT will rapidly grow to 30 billion objects within just two more years [2] (for Today, medical IoT is not fully matured yet, leading to a disconnect: Health IT is increasingly interconnected, while 14 – ISSA Journal | April 2018 Securing Complex Cyber-Physical Medical Device Landscapes | Ulrich Lang information security is not keeping up. This limits “smart 2. Secure device communications: The Data-Distribution health care” improvements and health IoT in general. In this Service (DDS) provides secure publish-subscribe com- emerging environment, hospitals need to prioritize patient munications for real-time and embedded systems. DDS safety first, which means medical devices are often not inte- introduces a virtual global data space where applications grated; since humans are usually in the loop, there isn’t much can share information by simply reading and writing da- need for automation. This leads to inefficiencies, and patient ta-objects addressed by means of an application-defined care/experience is not as good as it could be. Yet, having hu- name (topic) and a key. DDS features fine and extensive mans in the loop actually creates its own risks. control of QoS parameters. Our research uses RTI DDS In this article we will present innovative approaches to cyber- Connext, a leading DDS implementation provided by Re- security that should be considered to securely integrate med- al-Time Innovations (RTI), Inc. OpenICE uses RTI DDS ical device landscapes (and many other IoT environments) in as a communications layer. the coming years as IoT rapidly matures. The article is based 3. Security policy automation simplifies the management on the results of several government-funded R&D projects, in and technical implementation of security policies. It al- particular a research project to secure a cyber-physical med- lows security professionals to manage rich security pol- ical environment (for the Defense Health Program1) and a icies consistently in one place and often automatically research project to automate access control policy testing (for technically enforce the managed policies across many the National Institute of Standards and Technology2). devices, layers, and technologies. Our research uses Ob- The presented approach comprises several parts: jectSecurity OpenPMF, which generates technical policy enforcement for DDS, networks, etc., from generic secu- 1. Integrated clinical environment: OpenICE is an initia- rity policies and imported information about users, sys- tive to create a community implementation of an integrat- tems, applications, networks, etc. ed clinical environment (ICE). The initiative encompasses not only software implementation but also an architecture Cyber-physical systems for a wider clinical ecosystem to enable new avenues of NIST defines cyber-physical systems as co-engineered inter- clinical research. The OpenICE project is run by MD PnP. acting networks of physical and computational components Our research uses the OpenICE reference implementation [4], which will form the foundation for critical infrastruc- and DocBox’s implementation as an ICE layer. ture and emerging/future smart services. Cyber-physical systems will improve quality of life in many areas, such as “smart” cities, transportation, hospitals, and energy. While 1 ObjectSecurity LLC is a subcontractor to Real-Time Innovations (RTI), Inc. for this SBIR Phase II contract, focusing on the topics described in this article. More cyber-physical systems can be used to improve safety (e.g., information about the R&D project: https://sbirsource.com/sbir/awards/167769- methodologies-and-tools-for-securing-medical-device-systems-in-integrated- public safety), they also pose potential cybersecurity risks es- clinical-environments-ice. pecially because cybersecurity could impact every patient’s 2 This SBIR (Phase II) was awarded to ObjectSecurity LLC. RTI Inc was a subcontractor in Phase I. More information about the R&D project: https:// physical health and safety (in non-cyber-physical systems, objectsecurity.com/nist. Members Join ISSA to: l Earn CPEs through Conferences and Education l Network with Industry Leaders l Advance their Careers www.issa.org l Attend Chapter Events to Meet Local Colleagues l Become part of Special Interest Groups (SIGs) that focus on particular topics Join Today: www.issa.org/join Regular Membership $95* CISO Executive Membership $995 (+Chapter Dues: $0-$35*) (Includes Quarterly Forums) *US Dollars/Year April 2018 | ISSA Journal – 15 Securing Complex Cyber-Physical Medical Device Landscapes | Ulrich Lang employee credentials to gain unauthorized access. Health IT access control simply isn’t capable of providing the security that will be required: access is overprovisioned, too simplistic (identity-based access con- trol (IBAC) and role-based access control (RBAC)), and unmanageable due to being fragmented and siloed. Add the IoT and ransomware attacks such as Mirai (2016) and WannaCry (2017) into the mix (which both affected medical devices) and it be- comes even clearer that locking down ac- cess at all levels to the “minimum neces- sary” is sorely needed. HIPAA fines are rarely administered but are a risk for health providers (fines have gone up to $4.8M for Figure 1 – Example OpenICE system setup [5] non-compliance after a breach). Furthermore, with improved direct/immediate harm is usually directed towards stealing access control (and other cybersecurity), hospitals could en- or changing sensitive, valuable information). able “smart business,” resulting in a forecasted $8.5M in an- nual savings per US hospital (US$36 billion US total) [7]. Smart health care: Integrated medical devices Identity and access management (IAM) is an important pro- should detect and respond automatically gram/initiative for health providers (and most organizations). Smart health care will comprise at least: However, in our experience, hospital IAM systems are often Networked, smart, and semi-autonomous devices not fully mature (based on hospital IAM road-map projects • the author has completed recently). • Clinical, business, and building systems communication • IAM systems are distributed (there is a main IAM and nu- • Real-time analytics, tracking, etc. merous sub-IAMs) Automation • • There are custom batch processes to keep information Healthcare providers care about smart health care because it synchronized has the significant potential to measurably improve patient • Onboarding/offboarding is done using manual processes care, a patient’s experience, and health provider efficiency. In with limited checks conjunction, healthcare providers (especially hospitals) must implement significantly improved cybersecurity to ensure • There is almost no work-flow automation patient safety, security, and privacy when deploying these au- • There is a flat network with little isolation (including -cy tomated, autonomous IoT environments. ber-physical)