10. FDA GUIDANCE
• FDA released pre- and post-market guidance on cybersecurity recommendations for
medical devices
• Guidance is a huge step in the right direction, but is currently non-binding
• Even if all manufacturers comply tomorrow, it will take years before all in-place
medical devices are replaced with more secure models
11. SECURING THE NOW???
• How do healthcare institutions ensure that their current device deployments are
done securely?
• Even a device with all the security features in the world will be insecure if it is not
deployed in a secure manner. What constitutes a secure medical device
deployment?
12. OWASP STANDARD
• OWASP makes available a Secure Medical Device Deployment Standard
• https://goo.gl/KecNw9
13. PURCHASING CONTROLS
• The best way to prevent risks from impacting your environment is to prevent them
from being introduced in the first place
• Security Audit
• Privacy Audit
• Support
• List of software components
14. PERIMETER DEFENSES
• Medical devices should be denied access to the outside world wherever feasible
• Firewalls
• Network Intrusion Detection
• Proxy/Web Filter
15. NETWORK SECURITY CONTROLS
• Do these devices really need to communicate with every other device on your
network? The answer is NO!!!
• Network Segmentation
• Internal Firewalls
• Internal NIDS
• Syslog Server
• Log Monitoring
• Vulnerability Scanning
• DNS Sinkholes
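The network controls listed above (segmentation, internal firewalls, a syslog server, log monitoring and DNS sinkholes) only pay off if someone actually reads what they produce. The following is an added example, not code from the OWASP standard or from this presentation: a small log monitor that consumes constructed syslog lines from a hypothetical internal firewall and DNS sinkhole and flags a medical device that is probing other segments or resolving a sinkholed name. The VLAN ranges, host names, log format and threshold are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed addressing for the example: medical devices live on their own VLAN and
# are only expected to talk to the central-station/interface segment.
DEVICE_SEGMENT = ipaddress.ip_network("10.20.5.0/24")
ALLOWED_PEER_SEGMENTS = [ipaddress.ip_network("10.20.9.0/24")]
SCAN_THRESHOLD = 3  # distinct denied destinations from one device before alerting

# Constructed sample syslog lines (internal firewall + DNS sinkhole); not real output.
SAMPLE_LOGS = """\
Mar 03 10:01:12 fw-int01 kernel: DENY src=10.20.5.31 dst=10.10.1.15 proto=TCP dport=445
Mar 03 10:01:13 fw-int01 kernel: DENY src=10.20.5.31 dst=10.10.1.16 proto=TCP dport=445
Mar 03 10:01:14 fw-int01 kernel: DENY src=10.20.5.31 dst=10.10.1.17 proto=TCP dport=445
Mar 03 10:02:40 fw-int01 kernel: ALLOW src=10.20.5.40 dst=10.20.9.5 proto=TCP dport=2575
Mar 03 10:03:02 dns-sink01 sinkhole: query=bad-example.invalid client=10.20.5.31 answer=10.255.255.1
Mar 03 10:05:55 fw-int01 kernel: DENY src=10.20.5.44 dst=10.10.1.20 proto=TCP dport=3389
"""

FW_RE = re.compile(
    r"(?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)
SINK_RE = re.compile(r"sinkhole: query=(?P<name>\S+) client=(?P<client>[\d.]+)")


def is_device(ip):
    """True if the address belongs to the (assumed) medical device VLAN."""
    return ipaddress.ip_address(ip) in DEVICE_SEGMENT


def is_allowed_peer(ip):
    """True if a device is permitted to talk to this address by segmentation policy."""
    addr = ipaddress.ip_address(ip)
    return any(addr in seg for seg in ALLOWED_PEER_SEGMENTS)


def analyze(log_text):
    """Return a list of (alert_type, device_ip, detail) tuples for the given syslog text."""
    alerts = []
    denied_targets = defaultdict(set)  # device ip -> set of denied destinations
    for line in log_text.splitlines():
        fw = FW_RE.search(line)
        if fw:
            src, dst = fw["src"], fw["dst"]
            if is_device(src) and not is_allowed_peer(dst):
                if fw["action"] == "ALLOW":
                    # The firewall let a device reach a non-approved segment:
                    # the rule base does not match the segmentation policy.
                    alerts.append(("policy_gap", src, f"allowed to {dst}:{fw['dport']}"))
                else:
                    denied_targets[src].add(dst)
            continue
        sink = SINK_RE.search(line)
        if sink and is_device(sink["client"]):
            # A device resolved a name the sinkhole answers for: investigate it.
            alerts.append(("sinkhole_hit", sink["client"], sink["name"]))
    # Repeated denies from one device to many hosts look like lateral probing.
    for src, targets in denied_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append(("lateral_scan", src, f"{len(targets)} denied destinations"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

Run on the constructed lines, the monitor reports the sinkhole hit and the lateral scan from 10.20.5.31 and stays quiet about the permitted flow from the pump to the central station; the `policy_gap` branch catches the opposite failure, an internal firewall rule that is looser than the segmentation design.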
16. DEVICE SECURITY CONTROLS
What are the security controls that should be configured on the devices
themselves?
• Change default credentials
• Account Lockout
• Enable Secure Transport
• Spare copy of firmware
• Backup of device configs
• Baseline configurations
• Encrypt Storage
• Different User Accounts
• Restrict Access to Management Interface
• Update Mechanisms
• Compliance Monitoring
• Physical Security
• Asset Management
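Several of the device controls above (baseline configurations, compliance monitoring, asset management) come together as a recurring check of every deployed device against an agreed baseline. The following is an added example, not code from the OWASP standard or from this presentation: it audits constructed inventory records, such as an asset-management export might provide, against an assumed baseline and lists which controls each device fails. The field names, baseline values, admin segment and asset identifiers are all assumptions made for the example.

```python
import ipaddress

# Assumed baseline expressing the device controls; values are illustrative.
BASELINE = {
    "lockout_threshold_max": 5,        # failed logins before lockout must be 1..5
    "transport": "tls",                # management and data traffic must use TLS
    "mgmt_allowed_from": ipaddress.ip_network("10.20.9.0/24"),  # assumed admin segment
    "firmware_version": "4.2.1",       # approved firmware for this device family
}

# Constructed inventory records; not data from any real deployment.
INVENTORY = [
    {"asset_id": "PUMP-0017", "default_creds": False, "lockout_threshold": 5,
     "transport": "tls", "storage_encrypted": True, "mgmt_acl": ["10.20.9.0/24"],
     "firmware_version": "4.2.1", "shared_accounts": False},
    {"asset_id": "MON-0042", "default_creds": True, "lockout_threshold": 0,
     "transport": "http", "storage_encrypted": False, "mgmt_acl": ["0.0.0.0/0"],
     "firmware_version": "3.9.0", "shared_accounts": True},
]


def check_device(dev, baseline=BASELINE):
    """Return the list of control failures for one device record (empty = compliant)."""
    findings = []
    if dev["default_creds"]:
        findings.append("default credentials still in use")
    threshold = dev["lockout_threshold"]
    if threshold <= 0 or threshold > baseline["lockout_threshold_max"]:
        findings.append("account lockout disabled or too permissive")
    if dev["transport"] != baseline["transport"]:
        findings.append(f"insecure transport ({dev['transport']})")
    if not dev["storage_encrypted"]:
        findings.append("storage not encrypted")
    # The management interface must be reachable only from the admin segment,
    # so every ACL entry has to be a subnet of that segment.
    for acl in dev["mgmt_acl"]:
        if not ipaddress.ip_network(acl).subnet_of(baseline["mgmt_allowed_from"]):
            findings.append(f"management interface exposed to {acl}")
    if dev["firmware_version"] != baseline["firmware_version"]:
        findings.append(f"firmware {dev['firmware_version']} differs from baseline")
    if dev["shared_accounts"]:
        findings.append("shared user accounts in use")
    return findings


def audit(inventory, baseline=BASELINE):
    """Map asset_id -> findings for every device that fails at least one control."""
    report = {}
    for dev in inventory:
        findings = check_device(dev, baseline)
        if findings:
            report[dev["asset_id"]] = findings
    return report


if __name__ == "__main__":
    for asset_id, findings in audit(INVENTORY).items():
        print(asset_id)
        for finding in findings:
            print("  -", finding)
```

The audit is only as good as the inventory feeding it, which is why asset management sits in the same list: a device that is not in the inventory is never checked. Running the check on a schedule and diffing the report turns the static baseline into the compliance monitoring control.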
17. INTERFACES AND CENTRAL STATIONS
• Computers and servers are often used to collect data and transmit data to other
systems in the environment. These need to be secured as well.
• OS Hardening
• Encrypted Transport
• Message Security
• Updates
18. SECURITY TESTING AND INCIDENT RESPONSE
• Prove your deployments are secure and that you can really respond to an issue if it
arises
• Pen Tests
• Incident Response Plan
• Mock Incidents
19. GROWING ADOPTION
• Standard covered in publications such as CSO Magazine, IAPP Privacy
Perspectives, HelpNet Security, Health System CIO
• Turkish Language translation recently donated by Erdal Yildiz
20. OWASP ANTI-RANSOMWARE GUIDE
• A defense-in-depth based guide consisting of 45 suggested controls in the following
categories
• Perimeter Defenses
• Network Defenses
• Endpoint Defenses
• Server Side Defenses
• SIEM and Log Management
• Backup and Recovery
• Awareness Training
• Incident Response
• IoT
https://goo.gl/uOGAtZ