1
PARTNERING FOR MEDICAL DEVICE SECURITY AND PATIENT SAFETY
Session 272; March 8, 2018
Lisa Grisim, VP & ACIO; Auston Davis, CISO; Ilir Kullolli, Director, Clinical Technology
Stanford Children’s Health
2
Conflict of Interest
Lisa Grisim, RN, MSN
Auston Davis, MS, CISM
Ilir Kullolli, MS
Have no real or apparent conflicts of interest to report
3
Agenda
• History of Clinical Technology at Stanford Children’s
• IS & Clinical Technology Partnership & Management Approach
• State of Biomedical Security
• Clinical Technology Approach
4
Learning Objectives
• Describe how to better strategize and organize for device security management
• Discuss how to formulate and structure policies to drive success
• Identify and organize a pathway for device integration and security
5
Stanford Children’s Health
• Stanford Children’s Health (SCH) is the only medical network in the area, & the country, exclusively dedicated to pediatric & obstetric care.
• Network of more than 1,000 physicians across 60 locations.
• At the heart of our healthcare system is Lucile Packard Children’s Hospital Stanford, which is internationally recognized for advancing leadership & innovation with family-centered care of newborns, children, & expectant mothers.
6
Awards & Recognition
Davies Award
7
History of Clinical Technology at SCH
Shared Service
• Shared service between Stanford Health Care & Stanford Children’s Health
• Reported through General Services
Re-Organization
• Reporting structure changed to report through the IS dept.
Children’s Dedicated
• Assessment completed in look at impact of splitting the dept. between the 2 hospitals
• Decision made to separate
Reporting Change
• Department reporting structure within IS transitioned from CTO to ACIO
Future
Timeline: 2005, 2012, 2015, 2016
8
IS & Clinical Technology Partnership
Stanford Children’s Health
IS Service Leader
Clinical Technology Engineer
Understand Department Operations
Educate on Appropriate Use of IT
Surface Trends & Upcoming IT Needs
Identify New Opportunities
• Coverage in all key areas in the organization
• Coordinated Gemba rounds
• Build a rapport & trusted relationship
9
IS Management Approach
• Weekly Leadership Gemba Rounds
• Visibility wall walk - 1 hr.
• Ad hoc huddles - 30 mins.
• Service Leaders meeting - 30 mins.
• Daily Tiered Huddles (8a to 10a)
1. Managers with Staff
2. Directors with Managers
3. VP with Directors
4. Executive team with VPs/Admin. Directors
10
State of Biomedical Security
• Dependency: Patient care is now more dependent on technology than ever
• Connectivity: Devices are becoming more connected
• Exploitability: Tools to compromise and harm systems are readily available and cheap (free)
• Security: Firewalls and Anti-Virus are not enough
11
Shift in Blame
Timeline: 2012, 2016, Feb 2018
“The FDA won’t let me fix it” - Every Biomed Vendor
“Vendors don’t create secure biomedical devices” - FDA + Every Biomed Engineer
“No one is enforcing safe biomedical devices” - Every Security Professional
12
Current Challenges
• Limited Incentive: Vendors do not have any real incentive to produce secure biomedical equipment
• Legacy: Vulnerable legacy systems still need to be utilized since there is no suitable replacement
• Reporting: Vendors are only required to report vulnerabilities in their devices under limited circumstances
13
There is Hope
• Level of Security / Post-Market Labeling: Vendors are being encouraged to use labels to signify their level of security compliance
• ISAC/ISAOs / Information Sharing: Information sharing amongst the ISACs and ISAOs is on the rise
• Innovating Security / Finding Security Solutions: Security professionals are architecting solutions to address some issues
• Guidelines & Framework / FDA Guidance: FDA is providing guidance & suggested framework to vendors & security teams
14
Clinical Technology Approach - Phases
Planning/RFP
• Must have a seat at the table during negotiations with vendors
• Ensure that Device Security is part of the RFP Document
• Must Obtain MDS2 Documents
• Require vendors to provide equipment that can be patched for the life of the equipment
Intake
• Create process to assess risk
• Work collaboratively with IS Security to determine device profile
• Deploy device
Current Inventory
• Perform inventory assessment
• Assess all Biomedical Device/System applications
• Classify them by risk
• Remediate devices at risk
• Ensure no loss of data, minimize downtimes, and no patient harms result from this
15
Old Biomed Network
• Separate Network
• Expensive to Maintain
• Hard to Support & keep up to date
• Outside of “Normal” Clinical Engineering responsibilities
• No Change Control process
• *Harder to be hacked into
16
New - Converged Network
• Same network as IS
• Cheaper to maintain
• Easier to support & keep up to date
• Supported by Network Team & Server Team
• Change Control
• More issues due to network outages/updates
• Easier to address issues
17
RFP Process
• Operating System/Service Pack
o Lifecycle Support
o Update/Upgrade Plans
• Database (if applicable)
• Ports/Protocols/Services used by device
• Antivirus/Antimalware & Physical Safeguards
• Internet Connectivity type needed (public?)
• Hardwired/Wireless network/Bluetooth
• System Architecture (if applicable)
• Encryption, Passwords & Audit Capabilities
18
Address Equipment at Intake
Start
Trigger: SC or designee (at the dock) receives equipment & enters receipt of equipment into PeopleSoft
Supply Chain or designee identifies CTBE as the responsible party and notifies them to pick up equipment
CMMS generates an “Equipment Add Form” for each device received & alerts the CTBE Manager
CTBE BMET enters equipment information with PO information in CMMS
Does the device need IS review?
o No
o Yes: BMET contacts IS Security for Device Review and submits any exceptions necessary
Manufacturer
• MDS2 Forms
• CyberSecurity Program and Response
• Provide timely updates and patches
• Collaborate to address concerns
Clinical Technology
• Operating Systems
• ePHI Information
• Network Capabilities
• Applications
• Encryption
• Physical Security
Information Security
• Perform Risk Assessment
• Access to Information
• Ability to be hacked into
• Risks to Business
• Prioritize devices based on the assessment performed
• Apply Access Controls
19
Equipment Inventory
• Perform Physical Inventory of Equipment
~ 20,000 Medical Devices in Inventory
~ 4,000 with Cyber Security implications:
o Contain ePHI
o Connect to the network
o Storage Capabilities
o Physically portable
o No security controls
o Are not encrypted
• Perform Vendor Assessment
Tier I – Highest Risk: ePHI, Portable, Networked, Unencrypted, Unpatchable Operating System
Tier II: Networked, Encrypted, ePHI, Portable, Unpatchable
Tier III: Networked, Encrypted, No ePHI, Portable, Patchable
Tier IV – Lowest Risk: Stand-Alone, Encrypted, No ePHI, Non-Portable, Patchable
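The four-tier scheme above applied to an inventory, as an added example that is not part of the original presentation. The `Device` record, its field names, the sample assets and the nearest-profile rule for devices that match no tier exactly are all assumptions made here; the slide defines only the four profiles.

```python
from dataclasses import dataclass

# Tier profiles from the slide, as (ephi, portable, networked, encrypted, patchable).
TIER_PROFILES = {
    1: (True, True, True, False, False),   # Tier I, highest risk
    2: (True, True, True, True, False),    # Tier II
    3: (False, True, True, True, True),    # Tier III
    4: (False, False, False, True, True),  # Tier IV, lowest risk
}


@dataclass(frozen=True)
class Device:  # hypothetical inventory record; field names are assumptions
    asset_id: str
    ephi: bool
    portable: bool
    networked: bool
    encrypted: bool
    patchable: bool

    def attrs(self):
        return (self.ephi, self.portable, self.networked, self.encrypted, self.patchable)


def classify(device):
    """Return (tier, exact); exact is False when no slide profile matches fully."""
    def distance(tier):
        return sum(a != b for a, b in zip(device.attrs(), TIER_PROFILES[tier]))
    # Assumption (not on the slide): nearest profile wins, ties go to the riskier tier.
    tier = min(TIER_PROFILES, key=lambda t: (distance(t), t))
    return tier, distance(tier) == 0


def remediation_queue(inventory):
    """Highest-risk tier first; inexact matches lead each tier for manual review."""
    rows = [(d.asset_id, *classify(d)) for d in inventory]
    return sorted(rows, key=lambda r: (r[1], r[2], r[0]))


# Constructed sample inventory (asset IDs and attributes are made up).
SAMPLE = [
    Device("PUMP-001", True, True, True, False, False),
    Device("MON-014", True, True, True, True, False),
    Device("SCALE-203", False, False, False, True, True),
    Device("US-077", True, False, True, False, True),   # matches no profile exactly
]

if __name__ == "__main__":
    for asset_id, tier, exact in remediation_queue(SAMPLE):
        print(f"Tier {tier} {'exact' if exact else 'REVIEW'} {asset_id}")
```

Devices flagged `REVIEW` fall between the slide's profiles and are placed in the closest tier pending a manual assessment.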
20
Addressing Security Risks
21
Addressing Security Risks – Real Example
• Monitor: Activity for rogue DNS & DHCP servers
• Segment: Ensure Medfusion network is segmented from other hospital & clinical IT infrastructure
• Password: Apply proper password hygiene standards across systems (i.e. use upper/lowercase; special characters; minimum character length of 8).
• Backup: Take backups & perform routine evaluations
• Firewall: Apply Access Control – Cisco ISE
• Test: Test the Solution
• Deploy: Deploy the Final Solution
22
Control Comm. Routes/Access Control
• Implementation of Cisco ISE for All Networked Medical Equipment
o Real Time Monitoring of Traffic
o Network Intrusion Detection & Prevention
o Increase Network Visibility of Assets/Communication
o Limit communication routes (device to server; vice-versa) & build Device Specific Profiles
o Quickly disable a group of devices in case of an intrusion
o Protect the IS Network
o Enable a Safe Patient Care Environment
• VRF for all devices that cannot comply with Security Standards
23
Patches and Updates
Deploy Patch/Update
• File Exclusions: File exclusions for medical devices that must not be patched automatically
• Establish Intervals: Define appropriate patching intervals
• Determine Availability: Continuously check with manufacturers for patches & updates
• Test Patches: Test impact to system performance & operability
• Announce Patches: Communicate, communicate, then communicate some more…
• Change Request: Submit & get Change Request approved
24
Clinical Technology Approach Summary
• Medical Device Security is an afterthought when purchasing medical devices and systems
o Involved in negotiations w/ vendors
o Device Security is part of RFP
o Require equipment that can be patched
• Medical Device Functionality can be compromised by “over managing” security of devices (e.g. Cisco ISE)
o Assessment of devices
o Assessment of applications
o Classify by risk & remediate
o No loss of data or pt. harm, minimize downtimes
• Non-Accurate Inventory doesn’t allow us to manage security for Medical Devices
o Perform Inventory
o Collect Data
o Update Inventory Data
o ID equipment w/ highest risk
Sustain the Process!!!
25
Questions
Lisa Grisim, RN, MSN
Vice President & Associate CIO
Stanford Children’s Health
Ilir Kullolli, MS
Director, Clinical Technology &
Biomedical Engineering
Stanford Children’s Health
Auston Davis, MS, CISM
Chief Information Security Officer
Stanford Children’s Health
Please don’t forget to complete the online session evaluation…