Medical Devices & Cyber Security Protection
Nick Mankovich & Leslie Trout, Philips Healthcare, June 2, 2011
Medical Devices & Cyber Security Protection
Cyber security preparedness via manufacturer programs and international standards.
Philips Healthcare, Nick Mankovich, June 2, 2011 2
Monday’s headlines!
Medical devices (e.g., monitoring, imaging) are the source of the largest volume of personal health data.
They are used for prevention, diagnosis, and treatment of disease, and often also act as a long-term archive (e.g., imaging).
Medical devices are sometimes security compromised – usually as collateral damage in broad cyber security attacks.
There have been rare broad cyber security denial-of-service events, e.g., Conficker:
o January 2010: 10% of Healthcare IT down in Sweden.
o December 2010: 15% of Healthcare IT down in New Zealand.
To date, USA Healthcare IT has had security events, but their impact has been limited, not broad (adequate edge and network protection/isolation).
Medical Device Industry & Security
The medical device industry has been directly addressing security and privacy issues for over 10 years in, e.g.:
o The Digital Imaging and Communications in Medicine standard (DICOM) issued its first Security Profile in 2001 (PS3.1 Part 15).
o The industry trade group NEMA established a Security and Privacy Committee in 2000, and it has become a USA-European-Japanese joint committee (NEMA/COCIR/JIRA). http://www.medicalimaging.org/policy-and-positions/joint-security-and-privacy-committee-2/
o The Healthcare Information and Management Systems Society (HIMSS) has focused activities in its:
• Privacy and Security Work Group
• Patient Identity Integrity Work Group
• Medical Device Security Work Group
o Involved in the 2010 Sector Annual Report: Healthcare and Public Health Work Group.
Medical Device Industry & Security
Key products and services of Philips Healthcare (providing comprehensive support)
Businesses:
• Imaging Systems: Cath Lab, X-Ray, CT, MR, SPECT, SPECT/CT, PET/CT
• Home Healthcare Solutions: Sleep Disordered Breathing, Medical Alert Services, Home Cardiac Monitoring, Home Respiratory, Senior Living
• Clinical Care Systems: Ultrasound, Cardiac Resuscitation, Ventilation, ECG Solutions, Children’s Medical Ventures, Medical Consumables & Supplies, Emergency Care Services
• Healthcare Informatics: Anesthesia Informatics, Cardiology Informatics, Critical Care Informatics, Clinical Decision Support Systems, Maternal & Perinatal Monitoring Solutions, Patient Monitoring Systems, Radiology Informatics
Services:
• Site Planning & Project Management, Ambient Experience, Education Services, Performance Services, Managed Services, Equipment Maintenance
How to organize for product security?
Product Security: the management of products and services that support Philips Healthcare in assisting healthcare providers to maintain the confidentiality, integrity and availability of protected health information and of the hardware/software systems that create and manage it.
Note: In general, we are a business-to-business supplier working for the Health Delivery Organization (hospital, clinic, doctor’s office), providing hardware, software, and services that support its healthcare mission.
Philips Healthcare Product Security & Privacy Advisory Structure
Organize Around Compliance
A way forward emerges
• Tension between hospitals and medical device manufacturers and among hospital organizations (biomed/IT).
• In December 2005, the FDA called for action to address the real harm seen in improperly managed interconnection of medical devices using local hospital IT-networks.
• A proposal was created for a standard and a Joint Working Group (ISO/IEC JWG 7) was formed between ISO and IEC.
PROCESS TRANSFER: moving from the manufacturing world of risk management for safety and effectiveness into the fuller world of safety, effectiveness, and security risk management.
For the first time, security and privacy were put on common ground with safety and effectiveness risk management.
IEC 80001-1:2010 (approved September, 2010)
80001-1 Roles & Responsibilities
Stakeholder partnerships:
• Healthcare Provider / Responsible Organization
• Medical Device Manufacturers
• I.T. Technology Vendors
• 3rd Party Integrators
• Risk Management Experts
• …
… shared vision & mission!
Mankovich, et al. AAMI ~ Tampa Florida ~ 2010.06.27
Risk Management Process
1. Analyze Risk: based on probability and severity of harm (harm from reduced safety, effectiveness, data & systems security).
2. Evaluate Risk: based on pre-defined risk acceptability criteria (easily acceptable, certainly unacceptable, or further evaluation needed).
3. Control Risk.
4. Determine GO / STOP.
Systematic and documented; a cross-functional team using the same process and language.
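The four steps above as an added worked example (not from the slides or from Philips): a small Python risk loop that scores one constructed hazard, records controls and re-evaluates until the residual risk allows GO. The 5-point probability/severity scales, the acceptability thresholds and the sample hazard are all assumptions, since the pre-defined acceptability criteria are the responsible organization's own.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Probability(IntEnum):  # assumed 5-point scale, 1 = least likely
    IMPROBABLE, REMOTE, OCCASIONAL, PROBABLE, FREQUENT = 1, 2, 3, 4, 5

class Severity(IntEnum):  # assumed 5-point scale, 1 = least severe
    NEGLIGIBLE, MINOR, SERIOUS, CRITICAL, CATASTROPHIC = 1, 2, 3, 4, 5

@dataclass
class Hazard:
    name: str
    harm: str  # reduced safety, effectiveness, or data & systems security
    probability: Probability
    severity: Severity
    controls: list = field(default_factory=list)

def analyze(h: Hazard) -> int:
    """Step 1: risk index from probability and severity of harm."""
    return int(h.probability) * int(h.severity)

def evaluate(h: Hazard) -> str:
    """Step 2: pre-defined acceptability criteria (thresholds are assumed)."""
    index = analyze(h)
    if index <= 4:
        return "easily acceptable"
    if index >= 15:
        return "certainly unacceptable"
    return "further evaluation needed"

def control(h: Hazard, measure: str, p: Probability, s: Severity) -> Hazard:
    """Step 3: record a control and re-estimate the residual risk."""
    return Hazard(h.name, h.harm, p, s, h.controls + [measure])

def decide(h: Hazard) -> str:
    """Step 4: GO only when the residual risk meets the acceptability criteria."""
    return "GO" if evaluate(h) == "easily acceptable" else "STOP"

# Constructed hazard: a monitor on a shared hospital LAN facing a
# Conficker-style worm outage, i.e. the availability harm the slides describe.
INITIAL = Hazard("monitor on shared hospital LAN", "data & systems security",
                 Probability.PROBABLE, Severity.SERIOUS)      # index 12
ISOLATED = control(INITIAL, "move to medical device isolation network",
                   Probability.REMOTE, Severity.SERIOUS)      # index 6
RESIDUAL = control(ISOLATED, "manufacturer-validated patch process",
                   Probability.IMPROBABLE, Severity.SERIOUS)  # index 3

if __name__ == "__main__":
    for h in (INITIAL, ISOLATED, RESIDUAL):
        print(analyze(h), evaluate(h), decide(h), h.controls)
```

Each control re-enters step 1 with the residual estimates, which is why the isolation network alone still yields STOP and only the combination reaches GO.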
Conclusion: maturing medical device security
Today, there is no broad, coordinated cyber security planning. Some possibilities:
o Create some national scenarios/simulations of a healthcare infrastructure cyber security attack.
o Create meaningful scenarios for operation sans IT.
o Continue to learn from each other and from actual cyber security events.
o Increase deployment of medical device isolation networks.
o Debate and decide the security capabilities of medical devices (difficult cost discussions, 80001 Security TR).