Practical Risk Management for Medical Devices

Presented at the January 2018 Connected Medical Device & IOT Security Summit in Baltimore.

How to perform automated and low-lift third party risk management (TPRM) for medical devices.

Hospitals and health systems manage a myriad of devices across their multiple facilities but are usually unaware of what risks are present in those devices. I show how to manage third-party risk assessments across multiple medical device vendors so that it almost eliminates the scoring and ranking work on the health system side and pushes it to suppliers.


Shahid N. Shah

January 26, 2018

Transcript

  1. www.netspective.com © 2017 Netspective. All Rights Reserved. THIRD PARTY RISK MANAGEMENT FOR MEDICAL DEVICES. By Shahid N. Shah, Publisher, Netspective Media. https://www.opsfolio.com/ (Title photo by Unknown Author, licensed under CC BY.)
  2. Med Device & IoT Security Theatre. We want to sound smart, so we talk about risk-based security, but we're no better than airport security theatre.
  3. Is the MDS2 Security Theatre? Is this third-party risk-based, or just making us feel good? http://www.himss.org/resourcelibrary/MDS2
  5. There is no cybersecurity crisis specific to medical devices. To get the best tools and frameworks with the best support, stay industry-neutral: whenever something becomes "healthcare specific" it slows down its innovation. Risk management and continuous diagnostics & mitigations will take us far. But how?
  6. MDRAP is an excellent start. But what about things other than medical devices? Why treat those separately?
     ✓ Shared-first ✓ Crowdsourced ✓ Multi-stakeholder ✓ Multi-institution
     Still: compliance-focused, medical-device specific, and not integrated with security tools (yet!).
     Join www.mdiss.org and subscribe to MDRAP.
  7. Compliance is often binary (yes/no); security must be continuous. You can be compliant and not secure, secure but not compliant, or both. Compliant insecurity is pretty common. Does compliance lead to better security? Unless it is generated from underlying security tools, compliance leads to a false sense of security.
  8. An example of compliant insecurity. Compliance requirement: establish procedures for creating, changing, and safeguarding passwords.
     Insecure but compliant:
     • Default admin password
     • Documentation says the password should be changed upon initial setup
     • Documentation says the password should be rotated frequently
     Secure and compliant:
     • When the device or software is initially set up, it forces a password change
     • The device or software prompts to change the password regularly
     • The device or software reports, each night, if default passwords aren't changed or rotations haven't occurred
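An added example (not part of the talk) of the "secure and compliant" variant: a nightly check over device self-reports that turns the password control into an auto-scored, evidence-backed questionnaire response instead of a yes/no copied from the vendor's documentation. The questionnaire item id, the 90-day rotation policy, and the device reports are assumed or constructed here.

```python
# Added example (not from the talk): a nightly credential-posture check over
# constructed device self-reports, auto-scored into a structured answer for
# the "procedures for ... passwords" requirement. Item id and policy assumed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

QUESTION_ID = "PWD-01"      # hypothetical questionnaire item id
MAX_ROTATION_AGE_DAYS = 90  # assumed rotation policy
SAMPLE_DATE = date(2018, 1, 26)

@dataclass
class DeviceReport:  # what a device (or a collector polling it) reports each night
    device_id: str
    forces_change_on_setup: bool   # the control is built into the product
    default_password_changed: bool
    last_rotation: Optional[date]  # None = never rotated

def device_issues(rep: DeviceReport, today: date) -> List[str]:
    """Control failures for one device; an empty list means it passes."""
    issues = []
    if not rep.forces_change_on_setup:
        issues.append("NO_FORCED_CHANGE_ON_SETUP")
    if not rep.default_password_changed:
        issues.append("DEFAULT_PASSWORD_IN_USE")
    if rep.last_rotation is None or (today - rep.last_rotation).days > MAX_ROTATION_AGE_DAYS:
        issues.append("ROTATION_OVERDUE")
    return issues

def score_password_control(reports: List[DeviceReport], today: date) -> Dict:
    """Score the item from evidence, not from a yes/no copied out of the manual."""
    findings = {r.device_id: device_issues(r, today) for r in reports}
    passing = sum(1 for i in findings.values() if not i)
    score = round(passing / len(reports), 2) if reports else 0.0
    answer = "yes" if score == 1.0 else "no" if score == 0.0 else "partial"
    return {
        "question": QUESTION_ID,
        "answer": answer,  # the binary view a spreadsheet would hold
        "score": score,    # fraction of devices passing
        "evidence": {d: i for d, i in findings.items() if i},  # failing only
        "source": "automated-nightly-check",
        "as_of": today.isoformat(),
    }

# Constructed sample: three devices reporting on 2018-01-26.
SAMPLE = [
    DeviceReport("pump-0001", True, True, date(2018, 1, 10)),
    DeviceReport("pump-0002", True, False, None),                 # still on default
    DeviceReport("monitor-0007", False, True, date(2017, 9, 1)),  # stale rotation
]
```

The "evidence" map is what a reviewer sees instead of a bare "yes"; the same structure can be emitted by a collector as the automated response to the questionnaire item.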
  9. There is a medical device and IoT risk definition crisis. Risk taxonomies, risk measures, and risk metrics are at least confusing, if not difficult to implement. How can we create a community or crowd-sourced set of definitions, especially of outcome-focused vs. process metrics? Are we looking for safety assurance or risk assurance?
  10. Where are the frameworks & tools? (Source: Cynergistek)
      Pre-market risks (manufacturers):
      • System engineering process
        – Software vulnerabilities: secure software development, commercial operating systems, open source software
        – Hardware vulnerabilities: patching limitations, hardcoding generic credentials, easily accessible USB ports on portable devices
      • Software maintenance process
        – Secure coding environment: separation of Dev & Ops, code test & validation, CMDB
        – Patch distribution process: patch integrity checks
      • Cloud operations
        – Access controls: separation of Dev & Ops
        – Supply chain: code test & validation
      • Insider threats
      • Supply chain
      Post-market risks (manufacturers & HDOs):
      • Asset management: requirements management, procurement authority, intake procedures, asset ownership/custodian gap, charging & storage locations
      • Operations: tracking MD by patients, disposal procedures
      • Maintenance management: patch management, alerts
      • Access management: unauthorized remote access, unauthorized local access
      • Loss/theft: audit logs w/patient history
      • Incident management: incident reporting, incident response, forensics capabilities
      How are things supposed to improve when each manufacturer is independent but HDO risks are collaborative?
  11. Supply chain: duh! Useless advice without solutions. HDOs have no easy way to "do the right thing" when manufacturers don't play well together.
      Network controls: • VLANs and isolation • Pen testing • Patch management
      Asset management: • Unified CMDB • Strategic sourcing • Hardware and software supply chain management
      Device controls: • Passwords • Require common language in RFP/RFI
  12. There is a healthcare data privacy crisis. Not enough organizations have separated digital confidentiality and privacy policies from security policies. User behavior analytics (UBA) and data loss prevention (DLP) technology isn't as widely deployed as it should be.
  13. There is a secure software development crisis. Our software development lifecycles, languages, and tools are built for the networks of the 1990s. Secure development lifecycles and modern software supply chain techniques must be implemented.
  14. Preparing annual controls catalogs and compliance documentation or passing audits doesn't mean you're safe. Not enough organizations differentiate between point-in-time assessments and continuous monitoring. Only continuous monitoring of each operational asset, from the bottom up, ensures security.
  15. What is the solution? ML, AI, and automation: auto scoring, auto assessments, distributed compliance, collaborative evidence.
  16. Digitize compliance into structured data and integrate it with security. The next consultant to give advice about yet another document or template should be fired.
  17. Threat models should be supplied & created. If you don't know what else to use, require the Microsoft Threat Modeling Toolkit.
  18. IoT software supply chain transparency is needed. Build next-generation MDS2 into Software Package Data Exchange (SPDX), https://spdx.org. See https://blog.docker.com/2016/08/securing-enterprise-software-supply-chain-using-docker/ and https://www.slideshare.net/blackducksoftware/managing-the-android-supply-chain-and-the-role-of-spdx
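As an added example (not from the talk or from any device vendor), a small parser for the SPDX tag-value format that pulls package versions, checksums and CPE security references out of a supplier SBOM, which is the machine-readable piece an HDO needs to match a device's software against a vulnerability database. The SBOM text, package names and versions are constructed sample values; multi-line <text> values are not handled.

```python
# Added example (not from the talk): consume a supplier's SPDX tag-value SBOM
# for a device firmware image and extract the machine-readable facts an HDO
# needs for automated vulnerability matching. The SBOM text is constructed.
from typing import Dict, List

SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-pump-firmware-1.4

PackageName: pump-firmware
SPDXID: SPDXRef-Package-fw
PackageVersion: 1.4.0
PackageChecksum: SHA256: 0000000000000000000000000000000000000000000000000000000000000000

PackageName: openssl
SPDXID: SPDXRef-Package-openssl
PackageVersion: 1.0.2n
ExternalRef: SECURITY cpe23Type cpe:2.3:a:openssl:openssl:1.0.2n:*:*:*:*:*:*:*
"""

def parse_spdx_packages(text: str) -> List[Dict]:
    """One dict per package; repeated tags (e.g. ExternalRef) accumulate into lists."""
    packages: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":  # a new package section begins here
            current = {"name": value, "version": None, "checksums": [], "cpes": []}
            packages.append(current)
        elif current is None:  # still in the document-level header
            continue
        elif tag == "PackageVersion":
            current["version"] = value
        elif tag == "PackageChecksum":
            current["checksums"].append(value)  # e.g. "SHA256: <hex>"
        elif tag == "ExternalRef":
            category, reftype, locator = value.split(None, 2)
            if category == "SECURITY" and reftype == "cpe23Type":
                current["cpes"].append(locator)
    return packages

def cpes_to_match(text: str = SAMPLE_SPDX) -> List[str]:
    """CPE identifiers an HDO can feed into its vulnerability database."""
    return [cpe for p in parse_spdx_packages(text) for cpe in p["cpes"]]
```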
  19. Structured threat sharing is a must: Structured Threat Information Expression (STIX), Trusted Automated Exchange of Indicator Information (TAXII), Cyber Observable Expression (CybOX). See https://securityintelligence.com/how-stix-taxii-and-cybox-can-help-with-standardizing-threat-information/ and http://www.redzonetech.net/podcast/aharon-chernin/
  20. Current assessment process. Is your existing request-for-information approach manual, e-mail driven, and spreadsheet focused? Receive request → send spreadsheets and e-mails to responders (R1, R2 … Rn) → receive e-mail responses → merge spreadsheets and collate data → conduct assessment and prepare compliance reports.
  21. The current assessment process is terrible. Is your existing request-for-information approach manual, e-mail driven, and spreadsheet focused?
      • Receive request: someone asks you to run a "data call" to assess some business process or cyber security posture through a compliance request or questionnaire.
      • Send spreadsheets and e-mails to responders: you send the data call to your responders via Excel and e-mail.
      • Receive e-mail responses: gather the questionnaire responses via e-mail and put spreadsheets in file shares while keeping track of status: who's done, who's remaining, and who needs a reminder.
      • Merge spreadsheets and collate data: merge, rationalize, and score data across responders.
      • Conduct assessment and prepare compliance reports: manually craft charts, tables, narratives plus reports, and then send them via e-mail or put them into a shared folder.
      Do you have a library of reusable templates, or do you spend time repeating the same requests? What happens when you correct an error or a clarification is required in the original spreadsheet? More e-mails? What happens when respondents have questions? More e-mails? What happens if responders accidentally change the spreadsheet columns or don't format their data properly? What happens to the reports if responses are updated or are late? Delays, or recreate and resend the reports? What happens when attachments are required to answer certain questions? Do respondents have to create new responses if nothing has changed? Can responders delegate one or more questions to others? What do you do when data call requesters want the data a different way or have questions about specific responses? More e-mails? Do you share results with assessees?
  22. Opsfolio Attest Community Pilot: a unified, low-lift, transparent, and less error-prone approach for automated and continuous compliance. Receive request → select and send questionnaire → receive notifications from responders (R1, R2 … Rn) as they answer questions, and respond directly if they have questions → review auto-scoring and conduct assessment → share compliance reports. Responses can come from automated tools if available!
  23. One system for humans & bots. Invitations, notifications, comments, and clarification requests still go out via e-mail, but everyone, both inside and outside your company, gets their own application account for proper auditing and response tracking in a single system. Assessees and responders can be humans or automation tools and collectors.
  24. Audience participation. Are your senior executives well versed in the major concepts like first-party risk vs. third-party risk vs. threats vs. compliance vs. security vs. privacy?
      • Yes, this is all elementary and our team understands it completely
      • No, we understand most of the concepts but some of the nuances aren't clear
      • No, we do not understand all the concepts and could use guidance
  25. Thank you. Shahid N. Shah, Publisher, Netspective Media. shahid@shah.org, @ShahidNShah. Third Party Risk Management for Medical Devices, https://www.opsfolio.com/