Practical Risk Management for Medical Devices

Presented at the January 2018 Connected Medical Device & IOT Security Summit in Baltimore.

How to perform automated and low-lift third party risk management (TPRM) for medical devices.

Hospitals and health systems manage a myriad of devices across their multiple facilities but are usually unaware of what risks are present in their devices. I show how to manage third party risks assessments across multiple med device vendors so that it almost eliminates the scoring and ranking work on the health system side and pushes it to suppliers.

Shahid N. Shah

January 26, 2018

Transcript

  1. www.netspective.com
    © 2017 Netspective. All Rights Reserved.
    1
    THIRD PARTY RISK
    MANAGEMENT FOR
    MEDICAL DEVICES
    By Shahid N. Shah, Publisher, Netspective Media
    This Photo by Unknown Author is licensed under CC BY
    https://www.opsfolio.com/

  2. Med Device & IoT Security Theatre
    We want to sound smart so we talk about risk-based security but we’re no better than airport security theatre

  3. Is the MDS2 Security Theatre?
    Is this third party risk-based or just making us feel good?
    http://www.himss.org/resourcelibrary/MDS2

  4. [image-only slide]

  5. There is no cybersecurity crisis
    specific to medical devices.
    To get the best tools and frameworks with the best support, stay industry-neutral.
    Whenever something becomes “healthcare specific” it slows down its innovation.
    Risk management, continuous diagnostics
    & mitigations will take us far. But how?

  6. MDRAP is an excellent start
    But what about things other than medical devices? Why treat those separately?
    ✓ Shared-first
    ✓ Crowdsourced
    ✓ Multi-stakeholder
    ✓ Multi-institution
    Compliance-focused
    Medical-device specific
    Not integrated with security
    tools (yet!)
    Join www.mdiss.org and subscribe to MDRAP

  7. Compliance: often binary (yes/no)
    Security: must be continuous
    You can be compliant and not secure,
    secure but not compliant, or both
    Compliant insecurity is pretty common
    Does compliance lead to better security?
    Unless generated from underlying security tools, compliance leads to a false sense of security

  8. An example of compliant insecurity
    Compliance Requirement: Establish procedures for creating, changing, and safeguarding passwords
    Insecure but compliant
    • Default admin password
    • Documentation says password should be changed upon initial setup
    • Documentation says password should be rotated frequently
    Secure and compliant
    • When device or software is initially setup, it forces a password change
    • Device or software prompts to change password regularly
    • Device or software reports, each night, if default passwords aren’t changed or rotations haven’t occurred
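As an added example (not from the deck and not Netspective's or Opsfolio's code), here is what the "secure and compliant" column looks like once it is turned into running code rather than documentation: a device-side nightly self-check that reports whether the shipped default password is still in use and how many days since the last rotation, and a fleet-side report assembled from those nightly records. This is the point the previous slide makes about compliance evidence being generated from underlying security tools. The device record layout, the placeholder default password, the 90-day rotation window and the three-device fleet are all constructed assumptions for the example.

```python
"""Nightly credential-hygiene self-report for a fleet of devices.
Added example: the device record layout, the vendor default password and the
rotation window are constructed assumptions, not any real vendor's format."""
from __future__ import annotations

import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from datetime import date, timedelta

VENDOR_DEFAULT_PASSWORD = "admin"  # constructed placeholder for a shipped default
MAX_ROTATION_DAYS = 90             # assumed policy: rotate at least every 90 days
PBKDF2_ROUNDS = 100_000


@dataclass
class DeviceCredentialState:
    """What the device keeps locally: a salt and a PBKDF2 digest, never the password."""
    device_id: str
    salt: bytes
    digest: bytes
    last_rotated: date


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def set_password(device_id: str, password: str, when: date) -> DeviceCredentialState:
    """Runs at the forced initial setup and at every rotation; a fresh salt each time."""
    salt = os.urandom(16)
    return DeviceCredentialState(device_id, salt, derive(password, salt), when)


def still_default(state: DeviceCredentialState) -> bool:
    """Device-side test: re-derive the vendor default under this device's own salt
    and compare in constant time. Only the device can do this, since it holds the salt."""
    return hmac.compare_digest(state.digest, derive(VENDOR_DEFAULT_PASSWORD, state.salt))


def nightly_status(state: DeviceCredentialState, today: date) -> dict:
    """The record a device emits each night. No secret material leaves the device."""
    age = (today - state.last_rotated).days
    return {
        "device_id": state.device_id,
        "default_password_unchanged": still_default(state),
        "days_since_rotation": age,
        "rotation_overdue": age > MAX_ROTATION_DAYS,
    }


def compliance_report(statuses: list[dict]) -> dict:
    """Fleet-side: the evidence for the 'procedures for safeguarding passwords'
    control is computed from tool output, not copied from a policy document."""
    findings = []
    for s in statuses:
        if s["default_password_unchanged"]:
            findings.append((s["device_id"], "DEFAULT_PASSWORD"))
        if s["rotation_overdue"]:
            findings.append((s["device_id"], "ROTATION_OVERDUE"))
    noncompliant = sorted({device for device, _ in findings})
    return {
        "assessed": len(statuses),
        "noncompliant": noncompliant,
        "findings": findings,
        "compliant": not noncompliant,
    }


def demo_fleet(today: date = date(2018, 1, 26)) -> dict:
    """Constructed three-device fleet so the example runs offline."""
    fleet = [
        # provisioned ten days ago and still on the shipped default
        set_password("infusion-pump-01", VENDOR_DEFAULT_PASSWORD, today - timedelta(days=10)),
        # unique password, but last rotated 120 days ago
        set_password("monitor-07", "L0ng-un1que-pass", today - timedelta(days=120)),
        # unique password, rotated recently
        set_password("pump-12", "An0ther-g00d-one", today - timedelta(days=5)),
    ]
    return compliance_report([nightly_status(d, today) for d in fleet])


if __name__ == "__main__":
    print(json.dumps(demo_fleet(), indent=2))
```

Running the file prints the fleet report with two findings. The design choice worth noting is that the default-credential test runs on the device against its own salt, so the nightly record contains only a boolean and a day count; nothing central ever needs the password or the digest, and the report still answers the compliance question with evidence instead of an assertion.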

  9. There is a medical device and
    IoT risk definition crisis.
    Risk taxonomies, risk measures, and risk metrics are at least
    confusing if not difficult to implement.
    How can we create a community or crowd-sourced set of
    definitions, especially of outcomes focused vs. process metrics?
    Are we looking for safety assurance or risk assurance?

  10. Where are the frameworks & tools?
    How are things supposed to improve when each manufacturer is independent but HDO risks are collaborative?
    Column headings: Pre-market Risks (Manufacturers); Post-market Risks (Manufacturers & HDOs)
    Asset management
    – Requirements management
    – Procurement authority
    – Intake procedures
    – Asset ownership/custodian gap
    – Charging & storage locations
    Operations
    – Tracking MD by patients
    – Disposal procedures
    Maintenance management
    – Patch management
    – Alerts
    Access management
    – Unauthorized remote access
    – Unauthorized local access
    Loss/theft
    – Audit logs w/patient history
    Incident management
    – Incident reporting
    – Incident response
    – Forensics capabilities
    System engineering process
    – Software vulnerabilities
      o Secure software development
      o Commercial Operating Systems
      o Open source software
    – Hardware vulnerabilities
      o Patching limitations
      o Hardcoding generic credentials
      o Easily accessible USB ports on portable devices
    Software maintenance process
    – Secure coding environment
      o Separation of Dev & Ops
      o Code test & validation
      o CMDB
    – Patch distribution process
      o Patch integrity checks
    Cloud operations
    – Access controls
      o Separation of Dev & Ops
    – Supply chain
      o Code test & validation
    Insider threats
    Diagram layers: Supply Chain, Physical, Insider, LAN, OS, Data
    Source: Cynergistek

  11. Supply Chain
    Duh! Useless advice without solutions
    HDOs have no easy way to “do the right thing” when manufacturers don’t play well together
    Network Controls
    • VLANs and isolation
    • Pen testing
    • Patch management
    Asset Management
    • Unified CMDB
    • Strategic sourcing
    • Hardware and Software supply chain management
    Device Controls
    • Passwords
    • Require common language in RFP/RFI

  12. There is a healthcare data
    privacy crisis.
    Not enough organizations have separated digital confidentiality
    and privacy policies from security policies.
    User behavior analytics (UBA) and data loss prevention (DLP)
    technology isn’t as widely deployed as it should be.

  13. There is a secure software
    development crisis.
    Our software development lifecycles, languages, and tools are built
    for the networks of the 1990s.
    Secure development lifecycles and modern software supply chain
    techniques must be implemented.

  14. Preparing annual controls catalogs and
    compliance documentation or passing
    audits doesn’t mean you’re safe.
    Not enough organizations differentiate between point in time
    assessments versus continuous monitoring.
    Only continuous monitoring of each operational asset,
    from the bottom-up, ensures security.

  15. WHAT IS THE
    SOLUTION?
    ML, AI, and AUTOMATION
    AUTO SCORING
    AUTO ASSESSMENTS
    DISTRIBUTED COMPLIANCE
    COLLABORATIVE EVIDENCE

  16. Digitize compliance into
    structured data and
    integrate with security
    THE NEXT CONSULTANT TO GIVE ADVICE ABOUT
    YET ANOTHER DOCUMENT OR TEMPLATE SHOULD BE FIRED

  17. Threat models should be supplied & created
    If you don’t know what else to use, require Microsoft Threat Modeling Toolkit

  18. IoT software supply chain transparency needed
    Build next-generation MDS2 into Software Package Data Exchange (SPDX)
    https://spdx.org
    https://blog.docker.com/2016/08/securing-enterprise-software-supply-chain-using-docker/
    https://www.slideshare.net/blackducksoftware/managing-the-android-supply-chain-and-the-role-of-spdx

  19. Structured threat sharing is a must
    Structured Threat Information Expression (STIX)
    Trusted Automated Exchange of Indicator Information (TAXII)
    Cyber Observable Expression (CybOX)
    https://securityintelligence.com/how-stix-taxii-and-cybox-can-help-with-standardizing-threat-information/
    http://www.redzonetech.net/podcast/aharon-chernin/

  20. Current Assessment Process
    Is your existing request for information approach manual, e-mail driven, and spreadsheet focused?
    RECEIVE REQUEST → SEND SPREADSHEETS and E-MAILS to RESPONDERS (R1, R2, … Rn) → RECEIVE E-MAIL RESPONSES → MERGE SPREADSHEETS and COLLATE DATA → CONDUCT ASSESSMENT and PREPARE COMPLIANCE REPORTS

  21. Current Assessment Process is Terrible
    Is your existing request for information approach manual, e-mail driven, and spreadsheet focused?
    RECEIVE REQUEST: Someone asks you to run a “data call” to assess some business process or cyber security posture through a compliance request or questionnaire
    SEND SPREADSHEETS and E-MAILS to RESPONDERS (R1, R2, … Rn): You send the data call to your responders via Excel and e-mail
    RECEIVE E-MAIL RESPONSES: Gather the questionnaire responses via e-mail and put spreadsheets in file shares while keeping track of status: who’s done, who’s remaining, and who needs a reminder
    MERGE SPREADSHEETS and COLLATE DATA: Merge, rationalize, and score data across responders
    CONDUCT ASSESSMENT and PREPARE COMPLIANCE REPORTS: Manually craft charts, tables, narratives plus reports and then send them via e-mail or put them into a shared folder
    • Do you have a library of reusable templates or do you spend time repeating the same requests?
    • What happens when you correct an error or a clarification is required in the original spreadsheet? More e-mails?
    • What happens when respondents have questions? More e-mails?
    • What happens if responders accidentally change the spreadsheet columns or don’t format their data properly?
    • What happens to the reports if responses are updated or are late? Delays, or recreate and resend the reports?
    • What happens when attachments are required to answer certain questions?
    • Do respondents have to create new responses if nothing has changed?
    • Can responders delegate one or more questions to others?
    • What do you do when data call requesters want the data a different way or have questions about specific responses? More e-mails?
    • Do you share results with assessees?

  22. Opsfolio Attest Community Pilot
    Unified, low lift, transparent, and less error-prone approach for automated and continuous compliance
    RECEIVE REQUEST → SELECT and SEND Questionnaire (to R1, R2, … Rn) → RECEIVE NOTIFICATIONS OF RESPONDERS AS THEY ANSWER QUESTIONS → RESPOND DIRECTLY IF THEY HAVE QUESTIONS → REVIEW AUTO-SCORING and CONDUCT ASSESSMENT → SHARE COMPLIANCE REPORTS
    Responses can come from automated tools if available!

  23. One System for Humans & Bots
    Assessees and responders can be human or automation tools and collectors
    Invitations, notifications, comments, and clarification requests still go out via e-mail but everyone, both inside and outside your company, gets their own application account for proper auditing and response tracking in a single system.

  24. Audience Participation
    Are your senior executives well versed in the major concepts like first party risk vs. third party risk vs. threats vs. compliance vs. security vs. privacy?
    • Yes, this is all elementary and our team understands it completely
    • No, we understand most of the concepts but some of the nuances aren’t clear
    • No, we do not understand all the concepts and could use guidance

  25. THANK YOU
    Shahid N. Shah, Publisher, Netspective Media
    [email protected] @ShahidNShah
    THIRD PARTY RISK
    MANAGEMENT FOR
    MEDICAL DEVICES
    https://www.opsfolio.com/
