Integrating the Healthcare Enterprise 5 IHE Patient Care Device (PCD) White Paper 10 Medical Equipment Management (MEM): Medical Device Cyber Security – Best Practice Guide 15 Published Revision 1.1 20 Date: October 14, 2015 Author: IHE PCD Technical Committee Email: [email protected] 25 Please verify you have the most recent version of this document. See here for Published versions and here for Public Comment versions. Copyright © 2015: IHE International, Inc. IHE Patient Care Device White Paper – MEM Medical Device Cyber Security-Best Practice Guide ______________________________________________________________________________ Foreword This white paper is published on October 14, 2015. Comments are invited and can be submitted at http://www.ihe.net/PCD_Public_Comments/. 30 General information about IHE can be found at: www.ihe.net. Information about the IHE Patient Care Device domain can be found at: ihe.net/IHE_Domains. Information about the organization of IHE Technical Frameworks and Supplements and the process used to create them can be found at: http://ihe.net/IHE_Process and 35 http://ihe.net/Profiles. The current version of the IHE Patient Care Device Technical Framework can be found at: http://www.ihe.net/Technical_Frameworks. ______________________________________________________________________________ 2 Rev. 1.1 – 2015-10-14 Copyright © 2015: IHE International, Inc. IHE Patient Care Device White Paper – MEM Medical Device Cyber Security-Best Practice Guide ______________________________________________________________________________ CONTENTS 40 1 Introduction & Background ....................................................................................................... 6 1.1 Acknowledgement .............................................................................................................. 7 2 Objective .................................................................................................................................... 8 3 Stakeholder Roles and Contributions ......................................................................................... 9 45 4 Cybersecurity Introduction....................................................................................................... 11 4.1 Basic Cyber-Security Considerations ............................................................................... 12 4.2 Risk Classification and Assessment.................................................................................. 14 5 Generic Device Architecture .................................................................................................... 16 6 General Security and Vulnerability Considerations ................................................................. 23 50 6.1 Targeted Attack ................................................................................................................. 23 6.2 Unintentional Exploitation ................................................................................................ 23 7 Vulnerability Management and Security Best Practices .......................................................... 25 7.1 Specific Security Topics ................................................................................................... 28 7.1.1 Defense-in-depth ........................................................................................................ 28 55 7.1.2 Zero Day Attacks ....................................................................................................... 29 7.2 COTS Vulnerabilities........................................................................................................ 30 7.2.1 Use of COTS .............................................................................................................. 30 7.2.2 Unsupported COTS, Lack of Security Updates and Patches ..................................... 31 7.2.3 Software Patching ...................................................................................................... 31 60 7.2.4 System Hardening ...................................................................................................... 33 7.2.5 Lack of Malware Protection / Security Technology .................................................. 34 7.2.6 Host Intrusion Detection and Prevention ................................................................... 35 7.3 Application Vulnerabilities ............................................................................................... 36 7.3.1 Insecure Coding Practices .......................................................................................... 38 65 7.3.2 Examples of Best Practices for Secure Coding ......................................................... 39 7.3.3 Application Deployment ............................................................................................ 40 7.4 Password / Authentication Vulnerabilities ........................................................................ 41 7.4.1 Hard-Coded Passwords .............................................................................................. 42 7.4.2 Factory Default Passwords ........................................................................................ 43 70 7.4.3 Password Policy Management ................................................................................... 43 7.4.4 Strong Authentication ................................................................................................ 46 7.4.5 Password Protection ................................................................................................... 48 7.5 Administrative Rights Management ................................................................................. 48 7.5.1 Account Rights Management .................................................................................... 48 75 7.6 Information Vulnerabilities ............................................................................................... 49 7.7 IT Network Infrastructure Vulnerabilities ........................................................................ 51 7.7.1 Hospital IT Networks and Supporting Infrastructure ................................................ 52 7.7.2 Vulnerabilities of IT Components ............................................................................. 53 7.7.3 Wireless Network Considerations ............................................................................. 54 80 7.8 Workflow and Process Vulnerabilities ............................................................................. 55 7.8.1 General Cybersecurity Best Practices and Procedures .............................................. 55 7.8.2 Training and Education .............................................................................................. 56 7.8.3 Supply Chain Management........................................................................................ 56 ______________________________________________________________________________ 3 Rev. 1.1 – 2015-10-14 Copyright © 2015: IHE International, Inc. IHE Patient Care Device White Paper – MEM Medical Device Cyber Security-Best Practice Guide ______________________________________________________________________________ 7.8.4 Medical Device Specific Risk Analysis .................................................................... 57 85 7.8.5 Responsibility Management ...................................................................................... 58 7.8.6 Security Management ................................................................................................ 59 7.8.7 Use of Portable Media ............................................................................................... 59 8 Configuration Management ..................................................................................................... 61 8.1 Planning Tasks and Resources Required .......................................................................... 61 90 8.1.1 Procedures Written Down and Kept Updated ........................................................... 61 8.1.2 Change Management Documents .............................................................................. 62 8.1.3 Coordination and Collaboration with Existing Systems ............................................ 62 8.2 Configuration Management in the Equipment Lifecycle: Examples ................................ 63 8.2.1 New, Loaned or Leased Device ................................................................................. 63 95 8.2.2 Sample Worksheet Contents ...................................................................................... 63 8.2.2.1 Change Management Initial Inputs .................................................................... 64 8.2.2.2 Network/Subnetwork Association ...................................................................... 64 8.2.2.3 Required Configuration Changes in Associated Systems (e.g., Manager Systems for Multiple Devices) ......................................................................................... 64 100 8.2.3 Preparation or Off-site Servicing ............................................................................... 65 8.2.3.1 Removal of ePHI and other Confidential Material ............................................. 65 8.2.3.2 Save Configuration for Later Restoration .......................................................... 65 8.2.4 Equipment Returns from Off-site Servicing .............................................................
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages83 Page
-
File Size-