Cyber security preparedness via manufacturer programs and international standards

Medical Devices & Cyber Security Protection
Nick Mankovich & Leslie Trout, Philips Healthcare
June 2, 2011

Monday's headlines!
Medical Device Industry & Security
• Medical devices (e.g., monitoring, imaging) are the source of the largest volume of personal health data.
• They are used for prevention, diagnosis, and treatment of disease, and often act as a long-term archive (e.g., imaging).
• Medical devices are sometimes security compromised, usually as collateral damage in broad cyber security attacks.
• There have been rare, broad cyber security denial-of-service events, e.g., Conficker:
  • January 2010: 10% of healthcare IT down in Sweden.
  • December 2010: 15% of healthcare IT down in New Zealand.
• To date, US healthcare IT (HIT) has had security events, but their impact has been limited rather than broad (adequate edge and network protection/isolation).
Medical Device Industry & Security
• The medical device industry has been directly addressing security and privacy issues for over 10 years, e.g.:
  • The Digital Imaging and Communications in Medicine standard (DICOM) issued its first Security Profile in 2001 (PS3.1 Part 15).
  • The industry trade group NEMA established a Security and Privacy Committee in 2000; it has since become a joint USA-European-Japanese committee (NEMA/COCIR/JIRA): http://www.medicalimaging.org/policy-and-positions/joint-security-and-privacy-committee-2/
  • The Healthcare Information and Management Systems Society (HIMSS) has focused activities in its:
    • Privacy and Security Work Group
    • Patient Identity Integrity Work Group
    • Medical Device Security Work Group
  • Involved in the 2010 Sector Annual Report: Healthcare and Public Health Work Group
Key products and services of Philips Healthcare: providing comprehensive support
Philips Healthcare businesses: Imaging Systems, Home Healthcare Solutions, Healthcare Informatics, Clinical Care Systems, Services.
Product and service lines: Cath Lab, X-Ray, CT, MR, SPECT, SPECT/CT, PET/CT, Sleep Disordered Breathing, Medical Alert Services, Home Cardiac Monitoring, Home Respiratory, Senior Living, Ultrasound, Cardiac Resuscitation, Ventilation, ECG Solutions, Children's Medical Ventures, Medical Consumables & Supplies, Emergency Care Services, Anesthesia Informatics, Cardiology Informatics, Critical Care Informatics, Clinical Decision Support Systems, Maternal & Perinatal Monitoring Solutions, Patient Monitoring Systems, Radiology Informatics, Site Planning & Project Management, Ambient Experience, Education Services, Performance Services, Managed Services, Equipment Maintenance.
How to organize for product security?
Product Security: the management of products and services that support Philips Healthcare in assisting healthcare providers in maintaining the confidentiality, integrity and availability of protected health information and of the hardware/software systems that create and manage it.
Note: in general, we are a business-to-business supplier working for the Health Delivery Organization (hospital, clinic, doctor's office), providing hardware, software, and services that support its healthcare mission.
Philips Healthcare Product Security & Privacy Advisory Structure
A way forward emerges
• Tension between hospitals and medical device manufacturers, and among hospital organizations (biomed/IT).
• In December 2005, the FDA called for action to address the real harm seen in improperly managed interconnection of medical devices using local hospital IT networks.
• A proposal was created for a standard, and a Joint Working Group (ISO/IEC JWG 7) was formed between ISO and IEC.
PROCESS TRANSFER: moving from the manufacturing world of risk management for safety and effectiveness into the fuller world of safety, effectiveness, and security risk management. For the first time, security and privacy were put on common ground with safety and effectiveness risk management.
80001-1 Roles & Responsibilities
Stakeholder partnerships:
• Healthcare Provider / Responsible Organization
• Medical Device Manufacturers
• IT Technology Vendors
• 3rd Party Integrators
• Risk Management Experts
• …
… shared vision & mission!
Risk Management Process
• Analyze Risk
  • Based on probability and severity of harm
  • Harm from reduced safety, effectiveness, data & systems security
• Evaluate Risk
  • Based on pre-defined risk acceptability criteria
  • Easily acceptable, certainly unacceptable, or further evaluation needed
• Control Risk
  • Determine GO / STOP
• Systematic and documented
• Cross-functional team using the same process and language
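As an added illustration (not from the slides or from IEC 80001-1 itself), the three steps above expressed as a small Python model: each hazard is analyzed per harm dimension (safety, effectiveness, security), evaluated against acceptability thresholds, and re-evaluated after a control measure. The gateway hazard, the threshold values and the control are constructed assumptions.

```python
from dataclasses import dataclass, replace
from enum import IntEnum

class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass(frozen=True)
class Harm:
    kind: str  # "safety", "effectiveness" or "security": the 80001-1 harm dimensions
    probability: Level
    severity: Level

    def score(self) -> int:
        # Analyze: risk is estimated from probability and severity of the harm
        return int(self.probability) * int(self.severity)

def evaluate(score: int) -> str:
    """Evaluate against pre-defined acceptability criteria (thresholds constructed here)."""
    if score <= 2:
        return "ACCEPTABLE"
    if score >= 6:
        return "UNACCEPTABLE"
    return "FURTHER EVALUATION"

def assess(harms):
    """Return per-harm verdicts and the overall GO / STOP decision, driven by the worst harm."""
    verdicts = {h.kind: evaluate(h.score()) for h in harms}
    if "UNACCEPTABLE" in verdicts.values():
        return verdicts, "STOP"
    if "FURTHER EVALUATION" in verdicts.values():
        return verdicts, "REVIEW"
    return verdicts, "GO"

def apply_control(harms, kind, probability=None, severity=None):
    """Control: re-estimate one harm after a control measure, keeping the others unchanged."""
    return [replace(h, probability=probability or h.probability, severity=severity or h.severity)
            if h.kind == kind else h for h in harms]

# Constructed hazard (not from the slides): a networked monitoring gateway on an unsupported OS.
INITIAL = [Harm("safety", Level.LOW, Level.HIGH),        # 3 -> further evaluation
           Harm("effectiveness", Level.LOW, Level.LOW),  # 1 -> acceptable
           Harm("security", Level.HIGH, Level.MEDIUM)]   # 6 -> unacceptable, so STOP
# Control considered: place the gateway on a medical device isolation network (lower probability).
RESIDUAL = apply_control(INITIAL, "security", probability=Level.LOW)  # 2 -> acceptable
# Residual risk must be re-evaluated: the safety harm still needs further evaluation (REVIEW, not GO).
```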
Conclusion: maturing medical device security
• Today, there is no broad, coordinated cyber security planning. Some possibilities:
  • Create national scenarios/simulations of a cyber security attack on healthcare infrastructure.
  • Create meaningful scenarios for operation without IT.
  • Continue to learn from each other and from actual cyber security events.
  • Increase deployment of medical device isolation networks.
  • Debate and decide the security capabilities of medical devices (difficult cost discussions, 80001 Security TR).