Dreaded Embedded sec360 5-17-16
How do you make an inanimate object “smart”? You put a chip in it! And then you connect it to the global Internet! These chips run what is typically called an embedded operating system: a Windows, Unix or Linux variant, or something custom-made. Because these chips are embedded in power-grid equipment, medical equipment, appliances or even people, updates and patches are problematic. The Internet of Things (IoT) is growing at a rate 10 times that of standard computers. A typical hospital/clinic system may have 4-5 times as many smart connected medical devices as computers. The Dreaded Embedded refers to the proliferation of vulnerabilities associated with these devices. What are the security and privacy concerns of these devices? What about FDA and other regulatory compliance? And how do we deal with these devices as part of an information security program?

Published in: Technology
1. The Dreaded Embedded
Barry Caplin
VP & CISO
Fairview Health Services
bcaplin1@fairview.org
bc@bjb.org
@bcaplin
securityandcoffee.blogspot.com
Secure 360, Tues. May 17, 2016
Tweet along: #Sec360

2. @bcaplin
http://about.me/barrycaplin
securityandcoffee.blogspot.com

3. Fairview at a glance
o Not-for-profit established in 1906
o Academic Health System since 1997, partnership with University of Minnesota
o >22K employees
o >3,300 aligned physicians
o Employed, faculty, independent
o 7 hospitals/medical centers (>2,500 staffed beds)
o 40-plus primary care clinics
o 55-plus specialty clinics
o 47 senior housing locations
o 30-plus retail pharmacies
2014 volumes
o 6.39M outpatient encounters
o 1.4M clinic visits
o 71,049 inpatient admissions
o 76,595 surgeries
o 9,298 births
o 282 blood and marrow transplants
o 340 organ transplants
o >$4 billion total revenue

4. Who is Fairview?
A partnership of North Memorial and Fairview

5. Agenda
• For Reals?
• What’s a “Thing” and why is it on the Internet?
• Put a Chip In It
• Are Medical Devices “Things”?
• You’re doing what with my data?
• Security Concerns
• Solutions?
Tweet along: #Sec360

6. What’s Real?
CSI:Cyber 11/1/15 s2/ep5 “hack E.R.”
• “Hacker group” takes over hospital
• Kills via infusion pump
• Ransom
• Weak/no auth and encryption in med devices
• Smart TV
• Hardware Poisoning
• Flat Network
• Medical Record Integrity
• Physical Access to Network
• Financial v Hacktivism

7. “I asked you not to tell me that!”
Who’s got?...

8. Apr. 3, 2010
300K iPads
1M apps
250K ebooks
… day 1!

9. 2011 – tablet/smartphone sales exceeded PCs

10. Apr. 24, 2015
1M orders
2500 apps available
… day 1!

11. 2016 – IoT sales exceed smartphone + tablet

12. http://weputachipinit.tumblr.com/

13. Medical Devices
http://get-fun-here.blogspot.com/2014/04/22-strange-medical-instruments-from.html

14. Medical Devices

15. 1997

16. 2013

17. “Embedded”
• Quantified Self
• Insulin pumps, pacemakers, ICD, etc.
– FDA requirements
– Device manufacturers
– Ease of connection
• Jay Radcliffe, BlackHat 2011; Barnaby Jack, HackerHalted 2012
• Homeland attack (Broken Hearts, s2/ep10 12/2/12)
– Wireless attack via pacemaker id/sn
– Dick Cheney ICD, 2007
• MITM or snooping
• Integrity
• Availability

18. Security Challenges
• Exposure/Leakage of data – including repairs
• Poor Design/Protocols
• Ownership
• Malware
• Direct Attack
• Integrity
• Availability
But don’t we have all this now???

19. Security
• Primary mechanism is… Obscurity
• Focus is on
– Function
– Aesthetics
– Communication
– Cost
– Speed to Market
• Testing?
• Patching?
• Design?

20. Attack Vectors
• Sneakernet
– USB updates or data movement
• Data Exfiltration
– aka Breach!
• Integrity
– Alter Capability
– Alter Data/Reporting
• Availability
• Medjacking
– Attack
– Infiltrate
– Pivot
https://securityledger.com/wp-content/uploads/2015/06/AOA_MEDJACK_LAYOUT_6-0_6-3-2015-1.pdf

21. FDA Reality
• FDA certification process
– Complex, painful, long, expensive
• Patching and FDA advice
– Manufacturers responsible for patches
– Premarket review not required for security patch
http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm

22. We Are Not Alone
• Retail
• Manufacturing
• Energy

23. Solutions

24. Frameworks
• FDA, NIST and others in progress
• NCCoE/NIST/UMN TLI infusion pump security study
https://nccoe.nist.gov/sites/default/files/nccoe/NCCOE_HIT-Medical-Device-Use-Case.pdf
https://nccoe.nist.gov/projects/use_cases/medical_devices
• Medical Device Innovation, Safety and Security Consortium (MDISS), International Society of Automation (ISA), HITRUST Alliance, NIST and others working with:
• FDA, HHS, DOD, NHISAC, CIS (Center for Internet Security), AAMI (Association for Advancement of Medical Instrumentation), ACCE (American College of Clinical Engineering), SANS, and others
• IHE/MDISS – Medical Device Software Patching white paper
https://ihe.net/uploadedFiles/Documents/PCD/IHE_PCD_WP_Patching_Rev1.0_PC_2015-07-01.pdf
• MDS2 (Manufacturer Disclosure Statement for Medical Device Security)
http://www.nema.org/Standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx
• Archimedes
http://www.secure-medicine.org/
• NIST SP-1800 Securing Electronic Health Records on Mobile Devices
https://nccoe.nist.gov/projects/use_cases/health_it/ehr_on_mobile_devices

25. Solutions?
• LifeCycle and Risk Management approach
– CyberSecurity Insurance?
• SLM – Security Lifecycle Management
• Existing?:
– NAC
– Scanning
– Communications
– Threat/Vuln Intell
– Patching?
– Segmentation?
– Segregation?
Lifecycle: Intake → Analysis → Requirements → Design → Test → Deploy → Maintain

26. Final Thoughts
• It will get worse before it gets better
• Mandatory NIST CyberSecurity Framework?
• FDA pre-market security accreditation?
• Help Vendors
– Ask
– Assess
– Push back
• Help Universities
– Connect
– Advise
• The First Rule of Security… We Talk About Security!
– HSPIG
http://mnc3.org

27. Tweet along: #Sec360
www.Secure360.org
Barry Caplin
Fairview Health Services
bcaplin1@fairview.org
bc@bjb.org
@bcaplin
securityandcoffee.blogspot.com