university of massachusetts amherst -...
Post on 07-Jul-2018
222 Views
Preview:
TRANSCRIPT
Kevin FuAssociate Professor
Security & Privacy Research LabUMass Amherst Computer Science http://spqr.cs.umass.edu/
UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science
Improving the Securityof Medical Devices
IFIP 10.4 WG, Rockport, MA June 29, 2012
Supported in part by a Sloan Research Fellowship, NSF CNS-0831244, HHS 90TR0003/01.
Any opinions, findings, and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of the NSF.
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Acknowledgments•CS faculty and physicians
-Prof. Dina Katabi, MIT Computer Science and AI Lab-Prof. Tadayoshi Kohno, University of Washington CSE-Dr. Daniel Kramer, BIDMC, Harvard Med School-Dr. William Maisel, BIDMC, Harvard Med School (fmr)-Dr. Matthew Reynolds, BIDMC, Harvard Med School-Prof. Dawn Song, UC Berkeley Computer Science Div.
•Research assistants-Shane Clark, Benessa Defend, Tamara Denning, Shyamnath Gollakota, Dan Halperin, Steve Hanna, Haitham Hassanieh, Tom Heydt-Benjamin, Andres Molina-Markham, Will Morgan, Pongsin Poosankam, Ben Ransford, Rolf Rolles, Mastooreh Salajegheh, Quinn Stewart
2
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
SPQR Lab
3
[Security & Privacy Research Lab]
§ Cybersecurity§ Medical devices, RFID
§ Stochastic computing§ Rethinking HW-SW interfaces to reduce energy§ Probabilistic storage in low-voltage NOR flash§ Zero-power clocks for smartcards
magni!ed 10x
Time
Volta
ge
Today’s slice of research
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Disclosuresn Support from NSF, HHS, DHS, IOM, Microsoft Research,
Symantec, McAfeen Visiting scientist, FDAn Board member, NIST ISPABn Patent pending technology:
§ Ultra-low power flash memory§ Zero-power security
n This presentation is based on both my own research and the research of others. None of the opinions, findings, or conclusions necessarily reflect the views of my past or present employers.
4
Hat
: za
zzle
.com
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Accumulative Risks of...
5
Accidents
Sabotage
Threat-o-meter
UnsafePractices
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Managerial issues:Diffusion of responsibility
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security 7
Dirty Secrets: SW Maintenance
9
n Health Information Technology (HIT) devices globally rendered unavailable
n Cause: Automated software update went haywiren Numerous hospitals were affected April 21, 2010
§ Rhode Island: a third of the hospitals were forced ``to postpone elective surgeries and stop treating patients without traumas in emergency rooms.”
§ Upstate University Hospital in New York: 2,500 of the 6,000 computers were affected.
Software Update Woes
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Users are Helpless
10
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Still Not It: Hospitals, Manufacturers
11
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Managerial issues:Diffusion of responsibility
Who’s covered whenSecure Health IT hits the fan?
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Accumulative Risks of...
13
Accidents
Sabotage
Threat-o-meter
UnsafePractices
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Security Analysis
14
1. Vulnerabilities2. Threats3. Exploits
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Phot
o by
Kev
in F
u @
Med
tron
ic m
useu
m
Benefits of Wireless
15
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Device Programmer
Implantation of Defibrillator
1. Doctor sets patient info2. Surgically implants3. Tests defibrillation4. Ongoing monitoring
Home monitor
Photos: Medtronic; Video: or-live.com16
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
n 402-405 MHz MICS band, nominal range several metersn Command shock sends 35 J in ~1 msec to the T-waven Designed to induce ventricular fibrillationn No RF amplification necessary
17
Wirelessly Induce Fatal Heart Rhythm
[Halperin et al., IEEE Symposium on Security & Privacy 2008]
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Wireless medical devices: great benefits.
subtle inconvenient risks.
Wireless Makes Everything Better?
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
[Pho
tos:
unc
yclo
pedi
a.w
ikia
.com
/wik
i/Bac
on &
Cis
co &
bac
ondu
jour
.blo
gspo
t.co
m]
20
Eliminative induction: variety of reasons for doubt (Baconian thinking) - John Goodenough
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
What aboutInternet-related
risks?
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
"These days, everything is much safer. It is easier to navigate thanks to modern technical instruments and the Internet."
-Captain Schettino, Captain of Costa Concordia
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Medical devicesecurity threats?
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security 24
Achoo!
The
Wee
kly
Wor
ld N
ews:
wor
ld’s
only
rel
iabl
e jo
urna
l
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Viruses on Radiology Equipment?
25
“over 122 medical devices have been compromised by malware over the last 14 months”Statement of The Honorable Roger W. Baker[House Committee on Veterans' Affairs, Subcommittee on Oversight and Investigations, Hearing on Assessing Information Security at the U.S. Department of Veterans Affairs]
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Security of 156 VA Med. Centersn Every 8 seconds, the VA found usernames and
passwords unprotected on networks
n VA has ~600,000 connected computing devices, of which ~50,000 are considered medical devices
n VA implemented VLANs with 3,270 different ACLs
n Manual maintenance of ACLs prone to human errorn ACLs broke network security tools that detect intrusions
n Why? My opinion: Unable to procure medical devices that provide meaningful security
26
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Slid
e fr
om H
owie
Shr
obe
and
othe
rs
Disease to Malware:Days to Hours
27
FluT
E: C
hao
et a
l., P
LoS C
ompu
tatio
nal B
iolo
gy,
2010
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
How significant areintentional,malicious
malfunctionsin software?
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
21 CFR 211.132 and Security
29
(a)General. The Food and Drug Administration has the authority under the Federal Food, Drug, and Cosmetic Act (the act) to establish a uniform national requirement for tamper-evident packaging of OTC drug products that will improve the security of OTC drug packaging
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
The Tylenol Scare of 1982
30
[Source: truTV crime library]
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Bad People Do Exist: Vandals
31
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Sour
ce:
Andy
Gre
enbe
rg, F
orbe
s
Lack of Exploits is Not Assurance
32
19 Days in April 2012
Pre-April 2012: No Mac threats,
therefore never will be.
Oh, Crap.
Malware rarely has precursor
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
http
://to
bacc
o.sta
nfor
d.ed
u/
Information Assurance or Bliss?
33
"This is an evolution from having to think about security and
safety as a healthcare company, and really about keeping
people safe on our therapy, to this different question about keeping people
safe around criminal or malicious intent."
[Catherine Szyman, President, Medtronic diabetes division, Reuters, October 26, 2011]
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Shoot P0wn Foot w/ Software Update
34
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Shoot P0wn Foot w/ Software Update
35
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Shoot P0wn Foot w/ Software Update
36
[Pho
to:
Care
Fusi
on],
Nie
ls P
rovo
s]
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Power Analysis of Medical Devicesn Power analysis for good!
n Detect malware on medicaldevices that cannot runconventional anti-virus SW
n “Potentia est Scientia: Energy Proportionality Enables Whole-System Power Analysis” by Clark, Shane S., Ransford, Benjamin, and Fu, Kevin. In Proceedings of the 7th USENIX Workshop on Hot Topics in Security. August 2012. To appear.
37
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Read More...
38
blog.secure-medicine.orgspqr.cs.umass.edu
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Semmelweis to Software Sepsis1. Implantable medical devices should be trustworthy2. Improved security will enable medical device innovation
39
Dr. Ignaz Semmelweis1818-1865
Dr. Charles Meigs1792-1869
Physicians should their wash
hands.
Doctors are gentlemen and
therefore their hands are always clean.
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Semmelweis to Software Sepsis1. Implantable medical devices should be trustworthy2. Improved security will enable medical device innovation
39
Dr. Ignaz Semmelweis1818-1865
Dr. Charles Meigs1792-1869
Physicians should their wash
hands.
Doctors are gentlemen and
therefore their hands are always clean.”
Medical devices should be
secure.
You’re so negative. There’s no ROI on security anyway.
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
←Ways Forward ➚Security shouldbe designed in
not bolted on
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
omdrl.org
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
tinyurl.org/medcomm
ACM MedCOMMWorkshop on Medical
Communication SystemsAugust 13, 2012, Helsinki, Finland
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Summary: Problem=Unavailabilityn Biggest risk:
§ Hackers breaking into medical devices§ Wide-scale unavailability of patient care
n Security can’t be bolted on. Build it in: requirements, design, implementation, post-market surveillance, etc.
43
[Pho
to:
Med
ical
Rea
l Est
ate
Advi
sors
]
spqr.cs.umass.edu • Prof. Kevin Fu • Medical Device Security
Summary: Problem=Unavailabilityn Biggest risk:
§ Hackers breaking into medical devices§ Wide-scale unavailability of patient care
n Security can’t be bolted on. Build it in: requirements, design, implementation, post-market surveillance, etc.
44
As you are aware, [...] an unknown virus was found in the [Cath Lab] system. Our [vendor] worked late into Christmas Eve in order to keep the infected [Cath Lab devices] isolated. As a proactive measure and to prevent our patients from inappropriate release of protected healthcare information the hospital immediately blocked our access to the internet. Today [it was] announced that they have traced the virus path from [a] nursing workstation. Apparently pictures were uploaded from a USB drive to yahoo.
[Pho
to:
Med
ical
Rea
l Est
ate
Advi
sors
]
top related