Cybersecurity for Medical Devices: Three Threads Intertwined
Presented to the MedSun audio conference "Cybersecurity of Medical Devices" on April 12, 2005
by Scott Bolte (Scott.Bolte@ge.com)
Product Security Program Manager, GE Healthcare
First, the Patient’s Thread
Scott Bolte / 2005-04-12 / Copyright © 2005 by General Electric Company
What Really is at Risk?
The common focus on individual medical devices is important… but misleading.
Most medical systems can be secured simply by disconnecting them from the network.
Unfortunately, what would be lost, and what really needs to be protected, is the secure transfer of clinical information between medical systems.
The right information, before the right people, at the right time, improves patient treatment. Security improvements must not impede that information flow.
Next, A Manufacturer’s Thread
Constraints on Manufacturers
Manufacturers rarely need FDA approval for cybersecurity fixes. However, they always need to validate safe and effective operation after changes, including 3rd-party patches.
No one can predict the impact of 3rd-party changes on clinical operations in advance. Therefore, verifying and validating seemingly minor changes may take significant time.
Determining the impact of a patch, or any other design change, usually requires a deep understanding of the medical device.
Everyone would like to move faster, but there is no magic way to avoid necessary validation.
GE Healthcare Initiatives in a Nutshell
Product Development Changes:
• Eliminating default but unnecessary network services to reduce the opportunities
for future attacks.
• Objective & automated vulnerability assessments at each product release.
• Formal design requirements system augmented with new security requirements.
Organizational Capabilities Changes:
• Enhancing remote service technology to improve response times.
• Optimizing validation & verification of corrective and preventive actions.
• Established incident response and threat assessment processes spanning the
globe.
Improved Communication:
• Ongoing security education & awareness training throughout GE Healthcare.
• Improved channels of communication with customers.
Finally, the Healthcare Provider's Thread
Proceed with Caution
Traditional IT assumptions and procedures need to accommodate unique medical device realities.
Generic IT security best practices, indiscriminately applied to medical devices without manufacturer coordination, can pose a patient safety risk. For example:
• automatic patching can and has broken medical devices,
• network vulnerability scans can disrupt clinical operations,
• antivirus software can disrupt time-sensitive clinical operations,
• misidentification of clinical data as a virus may interfere with clinical care,
• authentication schemes must fail-open (let the user in) instead of fail-closed (lock the user out); a logged emergency "break-glass" path (see the NEMA paper in the Additional Information appendix) is the usual way to keep that access auditable.
Long Term Perspective Required
Unlike most IT systems, medical device life cycles can be 10, 15, 20 years or longer!
While general-purpose hardware and software need to be replaced regularly to keep up with evolving needs, medical devices will continue to perform their focused purpose adequately for many years.
Assume the underlying operating systems may be in use years longer than IT managers typically expect.
The Sky is NOT Falling
Not all security problems are equal. Threat prioritization, with a phased remediation plan, is required.
The response to a specific threat should be based on a threat assessment.
The cornerstones of threat assessment are likelihood and severity. Some factors include:
• impact on the host (severity of compromise/infection),
• immediate attack vs. potential exploit,
• manual vs. automatic propagation of the malicious attack (expected virulence),
• expected use profile of the system,
• proactive external controls already in place.
Both manufacturers and healthcare providers can and should proactively take steps to reduce the likelihood of problems.
Ongoing Communications
Cooperation between hospital IT staff and clinical personnel is critical, since both parties have essential knowledge. It is dangerous when they work independently.
Cooperation between healthcare providers and equipment manufacturers is also critical, for exactly the same reasons.
Treat security problems and concerns like any other problem with a medical device. They are hazards that need to be appropriately addressed.
Don't reinvent the wheel or set up special channels; use established support mechanisms.
Secure Network Designs
Medical devices are provided with filtered power, filtered air, filtered water, etc. Why not filtered networks?
Defense-in-depth network designs are proven and effective at reducing risks. For example, the Department of Veterans Affairs' Medical Device Isolation Architecture Guide.
Exploit the predictable network communications of medical devices:
• restrict medical device connections to known peers (e.g. a patient monitor with the central nurses' station; a scanner with a PACS, HIS, RIS, lab, etc.),
• prevent connections with general-purpose systems (e.g. uncontrolled laptops),
• use network intrusion detection systems (NIDS) to detect unexpected patterns, but be cautious about triggering automatic responses.
Healthcare providers restricting medical device communications to defined peers is non-invasive yet can be incredibly effective.
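The peer-restriction and NIDS points above can be captured as one small policy and a checker that reads it. The Python below is an added example, not code from GE Healthcare, HIMSS or the VA guide: the device names, addresses, port numbers and flow records are constructed for illustration (DICOM on TCP 11112 and HL7 v2 MLLP on TCP 2575 are common conventions, but the ports a real device uses must come from the manufacturer's documentation, such as its MDS2). It renders each device's allowlist as iptables-style text for the static filter, and replays connection records against the same policy, returning alerts only, never an automatic block.

```python
import ipaddress
import re
from dataclasses import dataclass

# --- Policy: each medical device may talk only to its defined clinical peers.
# Every name, address and port here is a constructed assumption for the example.

@dataclass(frozen=True)
class Peer:
    name: str
    network: str   # IP address or CIDR the peer lives on
    port: int      # destination port the device connects to on that peer

DEVICES = {
    # device name: (device address, allowed clinical peers)
    "ct-scanner-1": ("10.10.0.21", (
        Peer("pacs", "10.20.0.10", 11112),   # DICOM (assumed port)
        Peer("ris", "10.20.0.11", 2575),     # HL7 v2 MLLP (assumed port)
    )),
    "patient-monitor-7": ("10.10.0.77", (
        Peer("central-station", "10.30.0.0/29", 7000),  # assumed vendor port
    )),
}

# Address ranges holding general-purpose systems (staff laptops, Wi-Fi); assumed.
GENERAL_PURPOSE = (ipaddress.ip_network("10.50.0.0/16"),)


def _in(addr, network):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(network, strict=False)


def device_for(addr):
    """Return the device name that owns addr, or None if addr is not inventoried."""
    for name, (dev_addr, _) in DEVICES.items():
        if dev_addr == addr:
            return name
    return None


def classify(src, dst, dport):
    """Judge a connection attempt src -> dst:dport against the peer policy.

    Returns (verdict, reason) with verdict 'allow' or 'alert'. There is no
    'block' verdict on purpose: an automatic response that cuts a device off
    mid-procedure is itself a patient-safety hazard. Blocking belongs in the
    static firewall policy reviewed with clinical staff, not in the detector.
    """
    dev, peer_dev = device_for(src), device_for(dst)
    if dev is None and peer_dev is None:
        return "alert", f"{src} -> {dst}:{dport}: neither side is an inventoried device"
    if dev is None:
        # Inbound to a device: only its known peers may initiate, never laptops.
        if any(_in(src, n) for n in GENERAL_PURPOSE):
            return "alert", f"general-purpose host {src} contacted {peer_dev}:{dport}"
        _, peers = DEVICES[peer_dev]
        if any(_in(src, p.network) for p in peers):
            return "allow", f"{peer_dev} reached by known peer {src}"
        return "alert", f"unknown host {src} contacted {peer_dev}:{dport}"
    _, peers = DEVICES[dev]
    for p in peers:
        if _in(dst, p.network) and dport == p.port:
            return "allow", f"{dev} -> {p.name}"
    if any(_in(dst, n) for n in GENERAL_PURPOSE):
        return "alert", f"{dev} connected to general-purpose host {dst}:{dport}"
    return "alert", f"{dev} -> {dst}:{dport} is not a defined peer"


# Constructed flow-record format: "<timestamp> tcp <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(r"^(?P<ts>\S+) tcp (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def review_flows(lines):
    """Run each flow record through classify(); return the alert messages only."""
    alerts = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            alerts.append(f"unparseable record: {line.strip()!r}")
            continue
        verdict, reason = classify(m["src"], m["dst"], int(m["dport"]))
        if verdict == "alert":
            alerts.append(f"{m['ts']} {reason}")
    return alerts


def firewall_rules(device):
    """Render one device's allowlist as iptables-style lines (text only, not applied)."""
    addr, peers = DEVICES[device]
    rules = [f"-A FORWARD -s {addr} -d {p.network} -p tcp --dport {p.port} -j ACCEPT"
             for p in peers]
    rules.append(f"-A FORWARD -s {addr} -j LOG --log-prefix '{device}-denied '")
    rules.append(f"-A FORWARD -s {addr} -j DROP")
    return rules


SAMPLE_FLOWS = [  # constructed records, not a real capture
    "2005-04-12T09:14:03 tcp 10.10.0.21:50012 -> 10.20.0.10:11112",  # CT -> PACS, allowed
    "2005-04-12T09:14:09 tcp 10.10.0.21:50013 -> 10.20.0.11:2575",   # CT -> RIS, allowed
    "2005-04-12T09:15:30 tcp 10.10.0.21:50014 -> 10.20.0.10:445",    # PACS host, wrong port
    "2005-04-12T09:16:02 tcp 10.50.3.8:61000 -> 10.10.0.77:135",     # laptop -> monitor
    "2005-04-12T09:16:40 tcp 10.10.0.77:40001 -> 10.30.0.2:7000",    # monitor -> station
]

if __name__ == "__main__":
    for a in review_flows(SAMPLE_FLOWS):
        print("ALERT", a)
    print("\n".join(firewall_rules("ct-scanner-1")))
```

The static rules and the detector read the same table, so a peer added for a new modality shows up in both; the LOG rule before the final DROP gives the detector a record of what the filter refused, which is the "unexpected pattern" the slide wants noticed without the filter itself changing behaviour at run time.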
Weaving the Threads Together
We Must Work Together
Interoperability is essential, as with DICOM, HL7, and other clinical standards.
Manufacturers must continue to work together and with healthcare providers on security standards; otherwise clinical interoperability may be undermined.
Industry forums should be used to develop and/or publicize standards and best practices. (See the NEMA, HIMSS, etc. pages in the Additional Information appendix.)
MDS2: A Pattern for Things to Come?
The looming April 2005 HIPAA security regulations were driving a lot of churn for manufacturers and healthcare providers throughout 2004.
The HIMSS Medical Device Security Workgroup recognized the opportunity to simplify through standardization and rose to the challenge.
The Manufacturer's Disclosure Statement for Medical Device Security (MDS2) was developed in just a couple of months last fall and is already a de facto industry standard.
MDS2 is a model of how collective wisdom can streamline effective communication between all parties.
More information on the MDS2 may be found in the Additional Information appendix.
Conclusion
Everyone has things they can do on their own to manage risk,
both immediately and long term.
Industry forums should be used to share knowledge and
develop common solutions.
GE Healthcare will continue to work with our customers and
our peers to develop better products, standards, and practices
for the industry.
Medical device cybersecurity risks can be managed without
interfering with patient care… if we work together.
Additional Information
GE Healthcare
The ever-growing security portal http://www.gehealthcare.com/usen/security/index.html includes:
• Manufacturer's Disclosure Statement for Medical Device Security (MDS2) for GE Healthcare products
• FAQs
• Product vulnerability information
NEMA Security & Privacy Committee
SPC's material at http://nema.org/prod/med/security/ includes:
• Break-Glass – An Approach to Granting Emergency Access to Healthcare Systems
• Patching Off-the-Shelf Software Used in Medical Information Systems
• Defending Medical Information Systems Against Malicious Software
HIMSS Medical Device Security WG
The HIMSS work group's material at http://www.himss.org/ASP/topics_medicalDevice.asp includes:
• the original Manufacturer's Disclosure Statement for Medical Device Security (MDS2),
• the Department of Veterans Affairs' Medical Device Isolation Architecture Guide,
• links to current issues, trends and tools,
• contact information to join the workgroup.
Original MDS2 a Huge Step Forward
In the style of DICOM conformance statements and IHE integration profiles, the MDS2 has:
• a standard set of questions and instructions,
• objective yes/no type questions required, with optional notes,
• all users benefit from the knowledge of the MDS2 authors,
• a standard format eases the manufacturer's burden,
• a standard, objective format eases the burden on device users.
Enhanced MDS2 as New Model?
(Diagram: Sponsor, Manufacturer, User)
Three organizations work together to efficiently share information.
• The sponsor first identifies a widespread need and then creates a standard profile with fixed questions and instructions (e.g. HIMSS creating the MDS2).
• The manufacturer, in turn, adds answers and notes to the device profile for each of their product lines.
• Users optionally augment the manufacturer's documents with site-specific notes and instructions to guide installation and operation of the medical device.
Device Profiles in the Future?
https://sourceforge.net/projects/device-profile/ is a brand new effort to automate communication such as the MDS2:
• Sponsors (e.g. HIMSS) create standard questions.
• Manufacturers document each product.
• Users augment manufacturer information with local guidance.

Weitere ähnliche Inhalte

Was ist angesagt?

Vertex_Why_Software_Non_Negotiable_WP
Vertex_Why_Software_Non_Negotiable_WPVertex_Why_Software_Non_Negotiable_WP
Vertex_Why_Software_Non_Negotiable_WP
Luke Arrington
 
Dr Dev Kambhampati | Security Tenets for Life Critical Embedded Systems
Dr Dev Kambhampati | Security Tenets for Life Critical Embedded SystemsDr Dev Kambhampati | Security Tenets for Life Critical Embedded Systems
Dr Dev Kambhampati | Security Tenets for Life Critical Embedded Systems
Dr Dev Kambhampati
 
Technology Meets Medicine: Business Models and Distribution Strategies
Technology Meets Medicine: Business Models and Distribution StrategiesTechnology Meets Medicine: Business Models and Distribution Strategies
Technology Meets Medicine: Business Models and Distribution Strategies
guest1fee1
 
EDRM Foundational e-Discovery Practices-ilta
EDRM Foundational e-Discovery Practices-iltaEDRM Foundational e-Discovery Practices-ilta
EDRM Foundational e-Discovery Practices-ilta
David Kearney
 
Electrical Risk Management
Electrical Risk ManagementElectrical Risk Management
Electrical Risk Management
Mark Platten
 
Top7ReasonsPreventativeMaintenanceCity
Top7ReasonsPreventativeMaintenanceCityTop7ReasonsPreventativeMaintenanceCity
Top7ReasonsPreventativeMaintenanceCity
Alecia Flahiff
 

Was ist angesagt? (20)

VCE White Paper: Vblock Systems and Healthcare Information Technology
VCE White Paper: Vblock Systems and Healthcare Information Technology   VCE White Paper: Vblock Systems and Healthcare Information Technology
VCE White Paper: Vblock Systems and Healthcare Information Technology
 
Vertex_Why_Software_Non_Negotiable_WP
Vertex_Why_Software_Non_Negotiable_WPVertex_Why_Software_Non_Negotiable_WP
Vertex_Why_Software_Non_Negotiable_WP
 
IBM Insight 2014 session (4152 )- Accelerating Insights in Healthcare with “B...
IBM Insight 2014 session (4152 )- Accelerating Insights in Healthcare with “B...IBM Insight 2014 session (4152 )- Accelerating Insights in Healthcare with “B...
IBM Insight 2014 session (4152 )- Accelerating Insights in Healthcare with “B...
 
Cutting the Cord
Cutting the CordCutting the Cord
Cutting the Cord
 
UI report
UI reportUI report
UI report
 
Cybersecurity in medical devices
Cybersecurity in medical devicesCybersecurity in medical devices
Cybersecurity in medical devices
 
Pistoia Alliance Debates: PhUSE Framework for the Adoption of Cloud Technolog...
Pistoia Alliance Debates: PhUSE Framework for the Adoption of Cloud Technolog...Pistoia Alliance Debates: PhUSE Framework for the Adoption of Cloud Technolog...
Pistoia Alliance Debates: PhUSE Framework for the Adoption of Cloud Technolog...
 
mHealth Israel_Health IT for Next Generation Care Delivery_Orna Berry, Ph.D.,...
mHealth Israel_Health IT for Next Generation Care Delivery_Orna Berry, Ph.D.,...mHealth Israel_Health IT for Next Generation Care Delivery_Orna Berry, Ph.D.,...
mHealth Israel_Health IT for Next Generation Care Delivery_Orna Berry, Ph.D.,...
 
Comp8 unit8a lecture_slides
Comp8 unit8a lecture_slidesComp8 unit8a lecture_slides
Comp8 unit8a lecture_slides
 
Mobile Device Mgmt Healthcare Whitepaper
Mobile Device Mgmt Healthcare WhitepaperMobile Device Mgmt Healthcare Whitepaper
Mobile Device Mgmt Healthcare Whitepaper
 
"The Risks and Rewards when Implementing Electronic Medical Records Syst...
"The Risks and Rewards when Implementing Electronic Medical Records Syst..."The Risks and Rewards when Implementing Electronic Medical Records Syst...
"The Risks and Rewards when Implementing Electronic Medical Records Syst...
 
Solar PV Technology : Health & Safety
Solar PV Technology : Health & SafetySolar PV Technology : Health & Safety
Solar PV Technology : Health & Safety
 
Dr Dev Kambhampati | Security Tenets for Life Critical Embedded Systems
Dr Dev Kambhampati | Security Tenets for Life Critical Embedded SystemsDr Dev Kambhampati | Security Tenets for Life Critical Embedded Systems
Dr Dev Kambhampati | Security Tenets for Life Critical Embedded Systems
 
Technology Meets Medicine: Business Models and Distribution Strategies
Technology Meets Medicine: Business Models and Distribution StrategiesTechnology Meets Medicine: Business Models and Distribution Strategies
Technology Meets Medicine: Business Models and Distribution Strategies
 
EDRM Foundational e-Discovery Practices-ilta
EDRM Foundational e-Discovery Practices-iltaEDRM Foundational e-Discovery Practices-ilta
EDRM Foundational e-Discovery Practices-ilta
 
Electrical Risk Management
Electrical Risk ManagementElectrical Risk Management
Electrical Risk Management
 
Good To Go Safety Iosh 2010
Good To Go Safety   Iosh 2010Good To Go Safety   Iosh 2010
Good To Go Safety Iosh 2010
 
Photovoltaic Module Weather Durability & Reliability
Photovoltaic Module Weather Durability & ReliabilityPhotovoltaic Module Weather Durability & Reliability
Photovoltaic Module Weather Durability & Reliability
 
Dlp notes
Dlp notesDlp notes
Dlp notes
 
Top7ReasonsPreventativeMaintenanceCity
Top7ReasonsPreventativeMaintenanceCityTop7ReasonsPreventativeMaintenanceCity
Top7ReasonsPreventativeMaintenanceCity
 

Ähnlich wie Healthcare cyber powerpoint

Acus intel medical_devices
Acus intel medical_devicesAcus intel medical_devices
Acus intel medical_devices
atlanticcouncil
 
Capstone Final Project
Capstone Final ProjectCapstone Final Project
Capstone Final Project
chris odle
 

Ähnlich wie Healthcare cyber powerpoint (20)

DIFFERENCES OF CLOUD-BASED SERVICES AND THEIR SAFETY RENEWAL IN THE HEALTH CA...
DIFFERENCES OF CLOUD-BASED SERVICES AND THEIR SAFETY RENEWAL IN THE HEALTH CA...DIFFERENCES OF CLOUD-BASED SERVICES AND THEIR SAFETY RENEWAL IN THE HEALTH CA...
DIFFERENCES OF CLOUD-BASED SERVICES AND THEIR SAFETY RENEWAL IN THE HEALTH CA...
 
DIFFERENCES OF CLOUD-BASED SERVICES AND THEIR SAFETY RENEWAL IN THE HEALTH CA...
DIFFERENCES OF CLOUD-BASED SERVICES AND THEIR SAFETY RENEWAL IN THE HEALTH CA...DIFFERENCES OF CLOUD-BASED SERVICES AND THEIR SAFETY RENEWAL IN THE HEALTH CA...
DIFFERENCES OF CLOUD-BASED SERVICES AND THEIR SAFETY RENEWAL IN THE HEALTH CA...
 
E-Health Care Cloud Solution
E-Health Care Cloud SolutionE-Health Care Cloud Solution
E-Health Care Cloud Solution
 
i2 Contact Tracing One Pager
i2 Contact Tracing One Pageri2 Contact Tracing One Pager
i2 Contact Tracing One Pager
 
eHealth - Medical Systems Interoperability & Mobile Health
eHealth - Medical Systems Interoperability & Mobile HealtheHealth - Medical Systems Interoperability & Mobile Health
eHealth - Medical Systems Interoperability & Mobile Health
 
Acus intel medical_devices
Acus intel medical_devicesAcus intel medical_devices
Acus intel medical_devices
 
The Healthcare Internet of Things: Rewards and Risks
The Healthcare Internet of Things: Rewards and RisksThe Healthcare Internet of Things: Rewards and Risks
The Healthcare Internet of Things: Rewards and Risks
 
Practical Guide - www.devicematters.com
Practical Guide - www.devicematters.comPractical Guide - www.devicematters.com
Practical Guide - www.devicematters.com
 
FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...
FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...
FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...
 
Improve Patient Care and Reduce IT Costs with Vendor Neutral Archiving and Cl...
Improve Patient Care and Reduce IT Costs with Vendor Neutral Archiving and Cl...Improve Patient Care and Reduce IT Costs with Vendor Neutral Archiving and Cl...
Improve Patient Care and Reduce IT Costs with Vendor Neutral Archiving and Cl...
 
Dr Dev Kambhampati | Electric Utilities Situational Awareness
Dr Dev Kambhampati | Electric Utilities Situational AwarenessDr Dev Kambhampati | Electric Utilities Situational Awareness
Dr Dev Kambhampati | Electric Utilities Situational Awareness
 
NIST Guide- Situational Awareness for Electric Utilities
NIST Guide- Situational Awareness for Electric UtilitiesNIST Guide- Situational Awareness for Electric Utilities
NIST Guide- Situational Awareness for Electric Utilities
 
Securing the Fog
Securing the FogSecuring the Fog
Securing the Fog
 
Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...
 
Design Considerations to Maximize Medical Device Cloud Connectivity
Design Considerations to Maximize Medical Device Cloud ConnectivityDesign Considerations to Maximize Medical Device Cloud Connectivity
Design Considerations to Maximize Medical Device Cloud Connectivity
 
Failure is a friend
Failure is a friendFailure is a friend
Failure is a friend
 
Managing Reliability Expectations & Warranty Costs in Medical Electronics
Managing Reliability Expectations & Warranty Costs in Medical ElectronicsManaging Reliability Expectations & Warranty Costs in Medical Electronics
Managing Reliability Expectations & Warranty Costs in Medical Electronics
 
Capstone Final Project
Capstone Final ProjectCapstone Final Project
Capstone Final Project
 
Compliance policies and procedures followed in data centers
Compliance policies and procedures followed in data centersCompliance policies and procedures followed in data centers
Compliance policies and procedures followed in data centers
 
Cybersecurity Challenges in Healthcare
Cybersecurity Challenges in HealthcareCybersecurity Challenges in Healthcare
Cybersecurity Challenges in Healthcare
 

Kürzlich hochgeladen

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Kürzlich hochgeladen (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

Healthcare cyber powerpoint

  • 1. Cybersecurity for Medical Devices: Three Threads Intertwined Presented to MedSun audio conference Cybe rse curity o f Me dicalDe vice s on April 12th , 2005 by Scott Bolte (Scott.Bolte@ge.com) Product Security Program Manager GE Healthcare
  • 3. 3 / Scott Bolte / 2005-04-12 Copyright © 2005 by General Electric Company What Re ally is at Risk? Common focus on individual medical devices is important… but misleading. Most medical systems can be secured simply by disconnecting them from the network. Unfortunately what would be lost, and what really needs to be protected, is the secure transfer of clinical information between medical systems. Theright information, beforetheright people, at theright time, improves patient treatment. Securityimprovements must not impedethat informationflow.
  • 5. 5 / Scott Bolte / 2005-04-12 Copyright © 2005 by General Electric Company Constraints on Manufacturers Manufacturers rarelyneed to get approval from FDA with regards to Cybersecurity fixes. However, they always need to validate safe & effective operation after changes, including 3rd party patches. No one can predict impact of 3rd party changes on clinical operations in advance. Therefore, verifying and validating seemingly minor changes may take significant time. Determining impact of patch, or any other design change, usually requires deep understanding of medical device. Everyone would like to move faster, but there is no magic way to avoid necessary validation.
  • 6. 6 / Scott Bolte / 2005-04-12 Copyright © 2005 by General Electric Company GE Healthcare Initiatives in a Nutshell Product Development Changes: • Eliminating default but unnecessary network services to reduce the opportunities for future attacks. • Objective & automated vulnerability assessments at each product release. • Formal design requirements system augmented with new security requirements. Organizational Capabilities Changes: • Enhancing remote service technology to improve response times. • Optimizing validation & verification of corrective and preventive actions. • Established incident response and threat assessment processes spanning the globe. Improved Communication: • Ongoing security education & awareness training throughout GE Healthcare. • Improved channels of communication with customers.
  • 7. Finally, the Healthcare Provider’s Thread
  • 8. 8 / Scott Bolte / 2005-04-12 Copyright © 2005 by General Electric Company Proceed with Caution Traditional IT assumptions and procedures need to accommodate unique medical device realities. Generic IT security best practices, indiscriminatelyappliedto medical devices without manufacturer coordination, can pose patient safety risk. For example: • automatic patching can and has broken medical devices, • network vulnerability scans can disrupt clinical operations, • antivirus software can disrupt time-sensitive clinical operations, • misidentification of clinical data as a virus may interfere with clinical care, • authentication schemes must fail-open (let the user in) instead of fail- closed (lock the user out).
  • 9. 9 / Scott Bolte / 2005-04-12 Copyright © 2005 by General Electric Company Long Term Perspective Required Unlike most IT systems, medical devices life cycles can be 10, 15, 20 years or longer! While general purpose hardware & software need to be replaced regularly to keep up with evolving needs, medical devices will continue to perform their focused purpose adequately for many years. Need to assume underlying operating systems may be used years longer than IT managers typically expect.
  • 10. 10 / Scott Bolte / 2005-04-12 Copyright © 2005 by General Electric Company The Sky is NO T Falling All security problems are not equal. Threat prioritization, with a phased remediation plan, is required. Response to specific threats should be based on threat assessment. Cornerstones of threat assessment are likelihood & severity. Some factors include: • impact on host (severity of compromise/infection), • immediate attack vs. potential exploit, • manual vs. automatic propagation of malicious attack (expected virulence), • expected use profile of system, • proactive external controls already in place. Bothmanufacturers andhealthcareproviders canandshould proactivelytakesteps toreducelikelihoodof problems.
  • 11. 11 / Scott Bolte / 2005-04-12 Copyright © 2005 by General Electric Company Ongoing Communications Cooperation between hospital IT staff and clinical personnel is critical since both parties have essential knowledge. It is dangerous when they work independently. Cooperation between healthcare providers and equipment manufacturers is also critical; for the exact same reasons. Treat security problems and concerns like any other problem with a medical device. They are hazards that need to be appropriately addressed. Don’t reinvent the wheel or set up spe cialchannels -- use established support mechanisms.
  • 12. 12 / Scott Bolte / 2005-04-12 Copyright © 2005 by General Electric Company Secure Network Designs Medical devices are provided with filtered power, filtered air, filtered water, etc. Why not filtered networks? Defense-in-depth network designs proven and effective at reducing risks. For example, Department of Veteran Affairs' Me dicalDe vice Iso latio n Archite cture Guide . Exploit predictable medical device network communications: • restrict medical device connections to known peers (e.g. patient monitor with central nurses station, scanner and a PACS, HIS, RIS, lab, etc.), • prevent connections with general purpose systems (e.g. uncontrolled laptops), • use network intrusion detection systems (NIDS) to detect unexpected patterns, but be cautious triggering automatic responses. Healthcareproviders restrictingmedical devicecommunications todefinedpeers is non-invasiveyet canbeincrediblyeffective.
  • 14. 14 / Scott Bolte / 2005-04-12 Copyright © 2005 by General Electric Company We Must Work Together Interoperability is essential as with DICOM, HL7, and other clinical standards. Manufacturers must continue to work together and with healthcare providers on security standards, otherwise clinical interoperability may be undermined. Industry forums should be used to develop and/or publicize standards & best practices. (See NEMA, HIMSS, etc. pages in Additio nalInfo rm atio n appendix.)
MDS2: A Pattern for Things to Come?

Looming April 2005 HIPAA security regulations were driving a lot of churn for manufacturers and healthcare providers throughout 2004. The HIMSS Medical Device Security Workgroup recognized the opportunity to simplify through standardization and rose to the challenge.

The Manufacturer's Disclosure Statement for Medical Device Security (MDS2) was developed in just a couple of months last fall and is already a de facto industry standard.

MDS2 is a model of how collective wisdom can streamline effective communication between all parties. More information on the MDS2 may be found in the Additional Information appendix.
Conclusion

Everyone has things they can do on their own to manage risk, both immediately and long term.

Industry forums should be used to share knowledge and develop common solutions.

GE Healthcare will continue to work with our customers and our peers to develop better products, standards, and practices for the industry.

Medical device cybersecurity risks can be managed without interfering with patient care… if we work together.
GE Healthcare

The ever growing security portal http://www.gehealthcare.com/usen/security/index.html includes:
• Manufacturer’s Disclosure Statement for Medical Device Security (MDS2) for GE Healthcare products
• FAQs
• Product vulnerability information
NEMA Security & Privacy Committee

SPC’s material at http://nema.org/prod/med/security/ includes:
• Break-Glass – An Approach to Granting Emergency Access to Healthcare Systems
• Patching Off-the-Shelf Software Used in Medical Information Systems
• Defending Medical Information Systems Against Malicious Software
HIMSS Medical Device Security WG

HIMSS work group’s material at http://www.himss.org/ASP/topics_medicalDevice.asp includes:
• original Manufacturer’s Disclosure Statement for Medical Device Security (MDS2),
• Department of Veterans Affairs’ Medical Device Isolation Architecture Guide,
• links to current issues, trends and tools,
• contact information to join the workgroup.
Original MDS2 a Huge Step Forward

In the style of DICOM conformance statements and IHE integration profiles, the MDS2 has:
• a standard set of questions and instructions,
• objective yes/no type questions required, with optional notes,
• all users benefit from the knowledge of the MDS2 authors,
• a standard format that eases the manufacturer’s burden,
• a standard, objective format that eases the burden on device users.
Enhanced MDS2 as New Model?

[Diagram: Sponsor -> Manufacturer -> User]

Three organizations work together to efficiently share information.
• Sponsor first identifies widespread need and then creates a standard profile with fixed questions & instructions (e.g. HIMSS creating MDS2).
• Manufacturer, in turn, adds answers and notes to the device profile for each of their product lines.
• Users optionally augment the manufacturer’s documents with site specific notes and instructions to guide installation and operation of the medical device.
Device Profiles in the Future?

https://sourceforge.net/projects/device-profile/ is a brand new effort to automate communication such as the MDS2:
• Sponsors (e.g. HIMSS) create standard questions.
• Manufacturers document each product.
• Users augment manufacturer information with local guidance.
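An added example, not part of the presentation or the device-profile project, modelling the sponsor / manufacturer / user layering of the last three slides as data plus a merge check: the sponsor fixes the questions, the manufacturer must give a Yes/No answer to each, and the site may only add notes. All question ids and texts are hypothetical.

```python
# Added example (not from the presentation or the device-profile project): a
# layered device profile in the sponsor / manufacturer / user model from the
# slides. Question ids and texts are hypothetical placeholders, not real MDS2 items.

# Sponsor layer: fixed questions and instructions (the role HIMSS plays for MDS2).
SPONSOR_PROFILE = {
    "name": "example-profile-v1",
    "questions": {
        "Q1": "Can the device be serviced remotely over the network?",
        "Q2": "Does the manufacturer supply validated patches for third-party software?",
        "Q3": "Does the device store patient data on removable media?",
    },
}

# Manufacturer layer: one objective Yes/No answer per question plus optional notes.
MANUFACTURER_ANSWERS = {
    "Q1": {"answer": "Yes", "note": "Remote service requires a site-enabled VPN session."},
    "Q2": {"answer": "Yes", "note": "Patches are validated and released per product line."},
    "Q3": {"answer": "No"},
}

# User layer: site-specific notes only; a site may not alter manufacturer answers.
SITE_NOTES = {
    "Q1": "Biomed opens the remote service VPN per ticket and closes it afterwards.",
}

def build_profile(sponsor, manufacturer, site):
    """Merge the three layers; return (merged profile, list of constraint violations)."""
    merged, problems = {}, []
    for qid, text in sponsor["questions"].items():
        entry = manufacturer.get(qid)
        if entry is None:
            problems.append(f"{qid}: required question left unanswered by manufacturer")
            continue
        if entry.get("answer") not in ("Yes", "No"):
            problems.append(f"{qid}: answer must be Yes or No, got {entry.get('answer')!r}")
            continue
        merged[qid] = {
            "question": text,
            "answer": entry["answer"],
            "manufacturer_note": entry.get("note", ""),
            "site_note": site.get(qid, ""),
        }
    # Neither lower layer may introduce questions the sponsor did not define.
    for qid in sorted(set(manufacturer) | set(site)):
        if qid not in sponsor["questions"]:
            problems.append(f"{qid}: not a question in profile {sponsor['name']}")
    return merged, problems
```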