Medical Device Cyber Security – Best Practice Guide

Medical Device Cyber Security – Best Practice Guide

Integrating the Healthcare Enterprise 5 IHE Patient Care Device (PCD) White Paper 10 Medical Equipment Management (MEM): Medical Device Cyber Security – Best Practice Guide 15 Published Revision 1.1 20 Date: October 14, 2015 Author: IHE PCD Technical Committee Email: [email protected] 25 Please verify you have the most recent version of this document. See here for Published versions and here for Public Comment versions. Copyright © 2015: IHE International, Inc. IHE Patient Care Device White Paper – MEM Medical Device Cyber Security-Best Practice Guide ______________________________________________________________________________ Foreword This white paper is published on October 14, 2015. Comments are invited and can be submitted at http://www.ihe.net/PCD_Public_Comments/. 30 General information about IHE can be found at: www.ihe.net. Information about the IHE Patient Care Device domain can be found at: ihe.net/IHE_Domains. Information about the organization of IHE Technical Frameworks and Supplements and the process used to create them can be found at: http://ihe.net/IHE_Process and 35 http://ihe.net/Profiles. The current version of the IHE Patient Care Device Technical Framework can be found at: http://www.ihe.net/Technical_Frameworks. ______________________________________________________________________________ 2 Rev. 1.1 – 2015-10-14 Copyright © 2015: IHE International, Inc. IHE Patient Care Device White Paper – MEM Medical Device Cyber Security-Best Practice Guide ______________________________________________________________________________ CONTENTS 40 1 Introduction & Background ....................................................................................................... 6 1.1 Acknowledgement .............................................................................................................. 7 2 Objective .................................................................................................................................... 8 3 Stakeholder Roles and Contributions ......................................................................................... 9 45 4 Cybersecurity Introduction....................................................................................................... 11 4.1 Basic Cyber-Security Considerations ............................................................................... 12 4.2 Risk Classification and Assessment.................................................................................. 14 5 Generic Device Architecture .................................................................................................... 16 6 General Security and Vulnerability Considerations ................................................................. 23 50 6.1 Targeted Attack ................................................................................................................. 23 6.2 Unintentional Exploitation ................................................................................................ 23 7 Vulnerability Management and Security Best Practices .......................................................... 25 7.1 Specific Security Topics ................................................................................................... 28 7.1.1 Defense-in-depth ........................................................................................................ 28 55 7.1.2 Zero Day Attacks ....................................................................................................... 29 7.2 COTS Vulnerabilities........................................................................................................ 30 7.2.1 Use of COTS .............................................................................................................. 30 7.2.2 Unsupported COTS, Lack of Security Updates and Patches ..................................... 31 7.2.3 Software Patching ...................................................................................................... 31 60 7.2.4 System Hardening ...................................................................................................... 33 7.2.5 Lack of Malware Protection / Security Technology .................................................. 34 7.2.6 Host Intrusion Detection and Prevention ................................................................... 35 7.3 Application Vulnerabilities ............................................................................................... 36 7.3.1 Insecure Coding Practices .......................................................................................... 38 65 7.3.2 Examples of Best Practices for Secure Coding ......................................................... 39 7.3.3 Application Deployment ............................................................................................ 40 7.4 Password / Authentication Vulnerabilities ........................................................................ 41 7.4.1 Hard-Coded Passwords .............................................................................................. 42 7.4.2 Factory Default Passwords ........................................................................................ 43 70 7.4.3 Password Policy Management ................................................................................... 43 7.4.4 Strong Authentication ................................................................................................ 46 7.4.5 Password Protection ................................................................................................... 48 7.5 Administrative Rights Management ................................................................................. 48 7.5.1 Account Rights Management .................................................................................... 48 75 7.6 Information Vulnerabilities ............................................................................................... 49 7.7 IT Network Infrastructure Vulnerabilities ........................................................................ 51 7.7.1 Hospital IT Networks and Supporting Infrastructure ................................................ 52 7.7.2 Vulnerabilities of IT Components ............................................................................. 53 7.7.3 Wireless Network Considerations ............................................................................. 54 80 7.8 Workflow and Process Vulnerabilities ............................................................................. 55 7.8.1 General Cybersecurity Best Practices and Procedures .............................................. 55 7.8.2 Training and Education .............................................................................................. 56 7.8.3 Supply Chain Management........................................................................................ 56 ______________________________________________________________________________ 3 Rev. 1.1 – 2015-10-14 Copyright © 2015: IHE International, Inc. IHE Patient Care Device White Paper – MEM Medical Device Cyber Security-Best Practice Guide ______________________________________________________________________________ 7.8.4 Medical Device Specific Risk Analysis .................................................................... 57 85 7.8.5 Responsibility Management ...................................................................................... 58 7.8.6 Security Management ................................................................................................ 59 7.8.7 Use of Portable Media ............................................................................................... 59 8 Configuration Management ..................................................................................................... 61 8.1 Planning Tasks and Resources Required .......................................................................... 61 90 8.1.1 Procedures Written Down and Kept Updated ........................................................... 61 8.1.2 Change Management Documents .............................................................................. 62 8.1.3 Coordination and Collaboration with Existing Systems ............................................ 62 8.2 Configuration Management in the Equipment Lifecycle: Examples ................................ 63 8.2.1 New, Loaned or Leased Device ................................................................................. 63 95 8.2.2 Sample Worksheet Contents ...................................................................................... 63 8.2.2.1 Change Management Initial Inputs .................................................................... 64 8.2.2.2 Network/Subnetwork Association ...................................................................... 64 8.2.2.3 Required Configuration Changes in Associated Systems (e.g., Manager Systems for Multiple Devices) ......................................................................................... 64 100 8.2.3 Preparation or Off-site Servicing ............................................................................... 65 8.2.3.1 Removal of ePHI and other Confidential Material ............................................. 65 8.2.3.2 Save Configuration for Later Restoration .......................................................... 65 8.2.4 Equipment Returns from Off-site Servicing .............................................................

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    83 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us