Cybersecurity in Smart Medical Devices

Key learnings from the medical device service provider perspective.

The slides were presented by Dr. Stefan Weiss at the "Digital Transformation in Pharma" workshop of the House of Pharma MBA Program in Frankfurt.

Published in: Healthcare

  1. Cybersecurity in smart medical devices – Key learnings from the medical device service provider perspective
     © Zühlke 2019 | Cybersecurity in smart medical devices | Dr. Stefan Weiss | 03 August 2019 | Public
  2. What is the dark net price of your data?
     EHRs are traded for up to $1000 – it is the most comprehensive identity record.
       • Credit Card with CVV: $5
       • Fake MBA degree: $100 - $400
       • Electronic Health Record: up to $1000
       • US passport: up to $2000
     EHR: Electronic health record
     Source: Adapted from https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/
  3. Cybersecurity
  4. What is cybersecurity?
     Cybersecurity is a fundamental dimension of medical device development and maintenance.
       • Privacy: How to protect my health information?
       • Safety: How to protect my health and the environment from injury?
       • Cybersecurity: How to protect medical devices from being manipulated?
  5. Why do we need better cybersecurity for medical devices?
  6. Medical devices become a prominent part of our daily lives
     Innovative, digital products and services also for healthy people drive market growth.
     [Chart "Digital innovation": Digital products and services revenue on total German medical device market, 2017, 2023 and 2028; values shown: 11B €, 20B €, 31B €; CAGR: +16%]
     SaMD: Software as a medical device
     Source: Adapted from Roland Berger – Gesundheit 4.0, 2018
  7. Connectivity and standardization are shaping development
       • Big data from new devices require cloud-based analytics
       • Medical devices become connected by default
       • Standardized software platforms are used
       • Mobile Apps become essential part of a medical device system
     Source: Philipps
  8. Our health data is aggregated on platforms
     Numerous stakeholders can access our EHRs and medical device information.
     Diagram items:
       • EHR
       • Vaccination certificates
       • Medical reports
       • Appointments
       • Emergency passport
       • Laboratory values
       • Medication pass
       • Patient’s devices
       • Echocardiography / radiographs
     Source: Adapted from McKinsey - Digitizing healthcare – opportunities for Germany, 2018
  9. Medical cyberattacks rise and cause high financial damage
     Healthcare cyberattacks cause the highest costs per stolen data set across industries.
     [Chart: US health breaches per year, 2009 to 2018; data label shown: 365. Anthem Inc.: >80M stolen data sets]
     Source: Adapted from HIPAA Journal Healthcare Data Breach Statistics, 2018
     Average costs per stolen data set:
       • Health: $408
       • Financial: $206
       • Services: $181
       • Pharmaceutical: $174
       • Technology: $170
       • Energy: $167
     Source: IBM & Ponemon Cost of a Data Breach Report, 2018
  10. Example 1: WannaCry - Medical device security in hospitals
      Ransomware causes high damage also in clinics, without needing a direct internet connection.
       • Unpatched Windows Systems
       • > 200 countries, 48 hospital trusts affected
       • Devices included:
           • MRI Control Stations
           • Blood storage refrigerators
       • 19,000 cancelled appointments
       • £92m overall costs for the NHS
      Source: Adapted from https://www.forbes.com/sites/thomasbrewster/2017/05/17/wannacry-ransomware-hit-real-medical-devices/
  11. Example 2: Hackable implanted medical devices
      A high personal threat for patients and a reputation disaster for device manufacturers.
       • Leaky wireless protocols and lack of authentication
       • Affected devices include:
           • Heart defibrillators
           • Pacemaker
           • Insulin pumps
       • More than 750,000 affected devices
  12. Typical pitfalls of our customers
      Security is often managed like a visit to the dentist – needed but hated.
       • Management mindset
       • Offline asset perspective
       • Security kills usability
       • A final wrapper will fix it
       • Security kills agility
       • Believed competence
  13. Believed competence – a key pitfall
      Stages shown:
       • Believed competence
       • Conscious competence
       • Unconscious competence
       • Unconscious incompetence
       • Conscious incompetence
      Example: Security is considered during development, but not throughout the product life cycle.
  14. How can we achieve better cybersecurity?
  15. CIA are the three crucial goals for cybersecurity
      Medical device development follows cybersecurity gold standard goals.
      Confidentiality attacks:
       • Corporate espionage
       • Stealing EHRs
      Mitigation:
       • Data encryption & anonymization
       • Access control and authentication concepts
      Availability attacks:
       • Withholding data including ransomware and DDoS attacks
      Mitigation:
       • Frequent system updates
       • Regular backups
  16. To achieve CIA, security has to be managed on several levels
      We recommend a holistic approach considering the legal, project and personal level.
       • Legal
       • Project
       • Personal
  17. Legal: Regulatory compliance is mandatory
      The existing medical device guidance for security is complex, but insufficiently detailed.
       • ISO/IEC 29147
       • ISO/IEC 30111
       • NIST SP 800-53
       • NIST SP 800-37
       • IEC 80001-1
       • ISO 14971
       • IEC 62443-1-1
       • IEC 62443-2-1
       • IEC 62443-3-1
       • AAMI TIR57
       • NIST SP 800-30
       • FDA Postmarket Cybersecurity G.
       • FDA Cybersecurity for … OTS G.
       • FDA Wireless Medical Devices G.
       • FDA Premarket Cybersecurity G.
       • NIST Framework for Improving Critical Infrastructure Cybersecurity
       • IEC TIR 80001-2-2
       • IEC TR 80001-2-1
  18. Legal: AAMI TIR57 offers a high-level best practice
      Security and safety mgmt. are based on the same process but with different perspectives.
      Safety process:
       • Safety risk management plan
       • Safety risk analysis
       • Safety risk evaluation
       • Safety risk control
       • Evaluation of residual risk
       • Safety risk management report
       • (Post-)Production information
      Security process:
       • Security risk management plan
       • Security risk analysis
       • Security risk evaluation
       • Security risk control
       • Evaluation of residual risk
       • Security risk management report
       • (Post-)Production information
  19. Project: Our cybersecurity management approach
      Steps: Assets, Threat & threat analysis, Security objectives
      Assets: Definition of the most sensitive information on a medical device
       • Patient information
       • Core functions (e.g. measurements, drug application, alarms)
       • Core IP (e.g. machine learning models)
  20. Project: Our cybersecurity management approach
      Steps: Assets, Threat & threat analysis, Security objectives
      Threats: Identification of attacking personas, their motivation and resulting threats
       • Thief: Profit-driven theft
       • Spy: Observe users
       • Saboteur: Reduce availability
       • Mercenary: Machine hijacking
       • Extortionist: Blackmailing
  21. Project: Our cybersecurity management approach
      Steps: Assets, Threat & threat analysis, Security objectives
      Security objectives: Specific actions on system and environment level
      System objectives:
       • Data encryption & anonymization
       • Layered access control concepts
      Environment objectives:
       • Network encryption
       • System diversity (Windows + Linux)
       • Redundant systems
  22. Personal: Avoid the top 10 used passwords in Germany
      Can you describe your first date with these words?
       1. hallo_
       2. passwort
       3. hallo123
       4. schalke04
       5. passwort1
       6. qwertz
       7. arschloch
       8. schatz
       9. hallo1
       10. ficken
      Source: https://hpi.de/pressemitteilungen/2016/die-top-ten-deutscher-passwoerter.html
  23. Our 5 key learnings to develop secure medical devices
      Successful with a strategic, balanced approach between convenience and security.
      Secure medical device solution:
       • Continuous management throughout life cycle
       • Security by design and default
       • Discrete safety and security analysis
       • Security is a strategic business topic
       • Regular training of the “human component”
  24. Your Partner for Digital Business Innovation
      Dr. Stefan Weiss, Business Innovation Consultant Pharma & Medtech
      +49 6196 777 54 426
      Stefan.Weiss@zuehlke.com