CYBERSECURITY OF MEDICAL DEVICES AND UL 2900


The healthcare industry is projected to spend an estimated $1 billion (USD) on cybersecurity in 2016 as hospitals and healthcare providers become a major target for hackers and other cybercriminals [1]. That’s because medical devices and systems are increasingly interconnected with other devices and systems to facilitate the recording of vital data and the updating of health medical records, and to improve overall coordination of patient care. Vulnerabilities in the technologies required to support interconnectivity, including hardware and software, can expose many medical devices to deliberate cyber threats.

Unfortunately, the consequences of successful cyberattacks against medical devices not only threaten the security of confidential patient medical records but can also endanger the health and safety of patients and healthcare workers alike. And the cost of addressing data breaches in the healthcare industry can be more than $360 per record, the highest per-record cost among the top industries directly impacted by cybercrime [2]. As a result, the security of medical devices and systems against cyberattacks is an essential requirement for medical device manufacturers.

This UL white paper discusses cybersecurity threats to which interconnected medical devices may be vulnerable, and how the application of the requirements of the UL 2900 series of standards can help address those threats. The paper begins with an overview of the scope and impact of global cybersecurity issues and government efforts to address the problem, before focusing on specific cybersecurity threats to medical devices. The white paper then reviews aspects of current standards that address these threats before presenting the risk management approach detailed in UL 2900, Standard for Software Cybersecurity for Network-Connectable Devices. The paper concludes with a discussion of UL’s Cybersecurity Assurance Program (CAP) for interconnected devices and the program’s potential benefits to manufacturers of healthcare products, including medical devices.


Cybersecurity Threats in Healthcare

Virtually unknown just a decade ago, attacks on information technology (IT) infrastructure and systems have rapidly become a major risk to governments, organizations and enterprises around the world. The international accounting and advisory firm PwC places the number of reported IT security incidents at nearly 43 million in 2014, a 48 percent increase over 2013 [3], compromising approximately one billion data records [4]. The cost to the global economy from cybercrime is currently estimated at more than $400 billion annually [5, 6], and is projected to increase to over $2 trillion by the year 2019 [7].

As advances in technology and information systems transform the modern landscape for patient care, the healthcare industry is especially vulnerable to cyberattacks. The market for interconnected healthcare systems and so-called smart medical devices is expected to reach nearly $58 billion annually by 2023 [8]. However, most of these advanced medical devices incorporate embedded computer systems and wireless technologies that make them vulnerable to cybersecurity threats.

According to the U.S. Food and Drug Administration (FDA) [9], specific vulnerabilities that can directly impact healthcare systems and medical devices include:

• Network connected/configured medical devices that have been infected or disabled by malware;

• Malware on hospital computers, smartphones and tablets that targets wireless mobile devices to access patient data, monitoring systems or implanted medical devices;

• Failure to update security software for medical devices and networks;

• Security vulnerabilities in off-the-shelf software; and

• Uncontrolled distribution of passwords intended for privileged device access.

These and other vulnerabilities have resulted in a significant and growing number of cyberattacks against healthcare systems. Statistics reported by the U.S. Department of Health and Human Services (HHS) under the federal Health Information Technology for Economic and Clinical Health (HITECH) Act reveal that more than 1400 breaches of protected health information involving 500 or more patient records have been reported since 2009, affecting more than 150 million patients10. More recently, a 2016 survey of healthcare executives found that reported attacks on healthcare operational systems and embedded medical devices increased fourfold from 2014 to 2015, while attacks on consumer medical technologies nearly doubled11.


Cyberattacks against interconnected healthcare systems and devices are likely to continue to escalate in part because of the value of healthcare records. Stolen health files and records reportedly sell for 10 to 20 times the price obtained for stolen credit card information [12], making them much more attractive to hackers and cyber thieves. As a result, ransomware attacks on healthcare are also on the rise. For example, as part of a series of attacks on California hospitals in early 2016, hackers demanded $3.6 million in ransom to unlock the medical records of one Los Angeles-area hospital (the hospital ultimately paid about $17,000 to end the threat) [13].

Aside from compromising confidential patient data, some experts believe that future ransomware attacks will target life-critical medical devices such as infusion pumps and pacemakers [14]. In one frightening portent of this possibility, the U.S. FDA released a safety communication in 2013 alerting healthcare providers to end the use of a computerized infusion pump system due to cybersecurity vulnerabilities. The FDA warned that the infusion system could be accessed remotely through the hospital’s network, potentially allowing unauthorized users to control the device or change the dosages being delivered by the pump [15].

Cybersecurity and the Critical Infrastructure

As part of the overall effort to address cybersecurity threats, the healthcare industry is generally considered part of the so-called critical infrastructure, which can be defined as “IT assets, networks, services and installations that, if disrupted or destroyed, would have a serious impact on the health, security or economic well-being of citizens and the efficient functioning of a country’s government.” [16] In addition to healthcare, those industries most often designated as part of the critical infrastructure include defense, energy generation and distribution, water systems, transportation and shipping, financial services and public safety.

Because of their overall importance, entities that work within designated critical infrastructure industries are expected to comply with government-mandated cybersecurity requirements and practices. In the European Union (EU), for example, the European Programme for Critical Infrastructure Protection (EPCIP) identifies critical infrastructure entities within the transportation and energy industries and details specific requirements applicable to entities within those industries. These requirements include the development of an operator security plan that identifies important infrastructure assets, provides a detailed threat assessment based on asset vulnerability, and details countermeasures to combat cyber threats. Some countries, including Germany and the United Kingdom, have additional cybersecurity requirements applicable to critical infrastructure entities.

In the U.S., the protection of critical infrastructure against cyber threats is largely based on voluntary compliance with standards and practices. Issued in February 2013, Presidential Executive Order 13636 (Improving Critical Infrastructure Cybersecurity) [17] called on the National Institute of Standards and Technology (NIST) to develop risk-based cybersecurity measures and practices that could be adopted by entities designated as part of the critical infrastructure. The resulting Cybersecurity Framework [18], published by NIST in 2014, encourages organizations to consider cybersecurity risks in the context of their overall risk management process, and provides structured guidance for reducing cyber threats based on existing standards, guidelines and practices.


FDA Guidance on Cybersecurity for Medical Devices

The FDA has published two separate guidance documents related to the issue of cybersecurity in medical devices [19]. The first guidance was published in 2014 and addresses the content of premarket submissions for the management of cybersecurity in medical devices. Specifically, this guidance identifies and addresses cybersecurity issues that medical device manufacturers should consider in the design and development of their products.

The guidance recommends that manufacturers follow a risk management approach that includes the following five elements:

• Identification of assets, threats and vulnerabilities

• Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients

• Assessment of the likelihood of a threat and of a vulnerability being exploited

• Determination of risk levels and suitable mitigation strategies

• Assessment of residual risk and risk acceptance criteria.

The FDA’s cybersecurity premarket submission guidance also provides specific recommendations regarding documentation that should be included as part of a manufacturer’s premarket submission to the Agency. Recommended documentation includes a list of all cybersecurity risks that were considered in the design of a given device and a corresponding list of controls that were implemented to address those risks. In addition, manufacturers are expected to supply with their premarket submission user instructions that include recommended cybersecurity controls applicable to a given device’s intended use.

A separate draft guidance addressing the post-market management of cybersecurity in medical devices was issued by the FDA in January 2016 [20]. The draft guidance acknowledges that even the most diligent efforts to address potential cybersecurity risks ahead of placing a medical device on the market cannot account for future vulnerabilities resulting from the introduction of new technologies. Therefore, the draft guidance recommends that device manufacturers monitor, identify and address cybersecurity vulnerabilities as a routine part of their post-market management and oversight of medical devices.


Figure 1: General purpose model

According to the draft guidance, specific elements of an effective post-market cybersecurity risk management program would include the following components:

• Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;

• Understanding, assessing and detecting the presence and impact of a vulnerability;

• Establishing and communicating processes for vulnerability intake and handling;

• Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk;

• Adopting a coordinated vulnerability disclosure policy and practice; and,

• Deploying mitigations that address cybersecurity risks early and prior to exploitation.

In cases where a specific vulnerability could compromise the essential clinical performance of a device and represent a reasonable probability of death or serious adverse health consequences, the draft guidance recommends that manufacturers notify the FDA. The draft guidance also strongly advises medical device manufacturers to participate in a cybersecurity information sharing and analysis organization (ISAO) to facilitate the timely dissemination of cybersecurity information and intelligence among device manufacturers, providing a competitive advantage over companies that don’t engage in sustainable practices or those that fail to promote their efforts.

In addition to their specific recommendations, both of the FDA’s guidance documents on cybersecurity in medical devices reference the NIST Framework noted previously in this paper [21], and encourage manufacturers to incorporate Framework Core elements in their risk management plans.

It is important to note that FDA guidance documents are advisory in nature and do not have the force of law. However, failure to comply with guidance recommendations can potentially slow the FDA’s review of a premarket application or subject a manufacturer to sanctions for unsafe products currently on the market. Therefore, compliance with the recommendations contained in FDA guidance documents is highly advisable.


A number of standards are currently available that address key aspects of the safety and security of interconnected medical devices and related software. A partial list includes the following standards:

ISO 14971—Medical devices – Application of risk management to medical devices

IEC 60601-1—Medical electrical equipment – Part 1: General requirements for basic safety and essential performance

IEC 62304—Medical device software – Software life cycle processes

IEC 80001-1—Application of risk management for IT-networks incorporating medical devices – Part 1: Roles, responsibilities and activities

IEC 80001-2-2—Application of risk management for IT-networks incorporating medical devices – Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls

IEC/TR 80001-2-8—Application of risk management for IT-networks incorporating medical devices – Part 2-8: Application guidance – Guidance on standards for establishing the security capabilities identified in IEC 80001-2-2

IEC/TR 80001-2-9—Application of risk management for IT-networks incorporating medical devices – Part 2-9: Application guidance – Guidance for use of security assurance cases to demonstrate confidence in IEC/TR 80001-2-2 security capabilities (under development)

IEC 80002-1—Medical device software – Part 1: Guidance on the application of ISO 14971 to medical device software

AAMI/UL 2800—Safety and Security Requirements of Interoperable Medical Systems (under development)

AAMI/TIR 57—Principles for medical device information security management

About UL 2900 for Network-Connectable Devices

While compliance with the requirements in these standards is essential for dealing with the risks associated with cyber threats to interconnected medical devices, they do not directly evaluate the risk assessment process used by manufacturers to objectively assess the breadth and extent of cyber threats to which their devices might be exposed. Further, these standards do not provide clear and objective criteria to assess the actual effectiveness of product features designed to thwart the threats identified as part of the risk assessment. For manufacturers whose medical devices are subject to FDA pre-market approval, these gaps may complicate the review process as envisioned in the Agency’s guidance on the management of cybersecurity in medical devices.


Addressing the Gaps

To address these gaps, UL developed a series of Outlines of Investigations to provide verifiable criteria for assessing the cyber vulnerability of network-connectable products and systems. Applicable to a broad range of interconnected devices, the UL 2900 series, Standard for Software Cybersecurity for Network-Connectable Devices, is intended to address software vulnerabilities and weaknesses, minimize exploitation, avoid known malware leaving the production line, review security controls and increase security awareness and preparedness. For medical devices, UL 2900 will consist of three parts, as follows:

UL 2900-1: General Requirements for Network-Connectable Devices—Addresses general testing requirements applicable to all types of interconnected devices

UL 2900-2-1: Particular Requirements for Healthcare Systems—Addresses specific testing requirements applicable to healthcare systems and medical devices

UL 2900-3: General Requirements for the Organization and Product Development Security Lifecycle Processes for Network-Connectable Devices (under development)—Addresses general testing of organizational processes for conducting a risk assessment to determine applicable cyber threats


UL’s 2900 series of cybersecurity standards offers documented criteria for assessing the vulnerability of all types of network-connectable products and systems to cyber threats. Using tests such as known vulnerability scanning, malware scanning, static code analysis and others, the UL 2900 series of standards helps to identify software vulnerabilities and weaknesses, address known malware issues, review security controls and increase overall security awareness. As such, it provides medical device manufacturers with a method for demonstrating their efforts to provide for the security of their products against cyberattacks, as well as the safety and security of patients and their medical data.

UL’s 2900 series of standards is a core component of the UL CAP, which helps to address security risks in a wide range of interconnected devices and systems, including industrial control systems, automotive applications, building automation and smart home systems, networking equipment and consumer electronics. The UL CAP employs a holistic view of security, from product security to secure system integration, all with the goal of mitigating cybersecurity risks.

For more information about the UL 2900 series of standards and the UL CAP, visit http://ul.com/cybersecurity, or contact [email protected].

©2016 UL LLC. All rights reserved. This white paper may not be copied or distributed without permission. It is provided for general information purposes only and is not intended to convey legal or other professional advice.


Endnotes

1 “Outlook 2016: Cybersecurity to Become Main IT Concern for Hospitals,” Health IT Law & Industry Report, Bloomberg BNA, January 15, 2016. Web. 10 March 2016. http://www.bna.com/outlook-2016-cybersecurity-n57982066279/

2 “2015 Cost of Data Breach Study: Global Analysis,” a report of research conducted by the Ponemon Institute and sponsored by IBM, May 2015. Web. 10 March 2016. http://www-03.ibm.com/security/data-breach/

3 “Managing Cyber Risks in an Interconnected World: The Global State of Information Security Survey 2015,” Pricewaterhouse Coopers LLP, Web. 15 April 2016. http://pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml

4 “2014: Year of Mega Breaches & Identify Theft—Findings from the 2014 Breach Level Index,” Gemalto NV, February 12, 2015. Web. 15 April 2016. http://breachlevelindex.com/pdf/Breach-Level-Index-Annual-Report-2014.pdf

5 “Net Losses: Estimating the Global Cost of Cybercrime—Economic impact of cybercrime II,” Center for Strategic and International Studies, June 2014. Web. 15 April 2016. http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf

6 “Lloyd’s CEO: Cyber attacks cost companies $400 billion every year,” Fortune, January 23, 2015. Web. 4 April 2016. http://fortune.com/2015/01/23/cyber-attack-insurance-lloyds/

7 “Cybercrime will cost businesses over $2 trillion by 2019,” press release by Juniper Research, 12 May 2015. Web. 15 April 2016. http://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion

8 “Smart Healthcare Products—Global Industry Analysis, Size, Share, Growth, Trends and Forecast 2015-2023,” Transparency Market Research, March 1, 2016. Web. 15 April 2016. http://www.transparencymarketresearch.com/smart-healthcare-products-market.html

9 “Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication,” U.S. Food and Drug Administration, June 13, 2013. Web. 15 April 2016. http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm

10 “Breach Report 2015: Protected Health Information (PHI),” Redspin, February 2016. Web. 15 April 2016. https://www.redspin.com/resources/download/breach-report-2015-protected-health-information-phi/

11 “Transformation and turnaround in cybersecurity: Healthcare payers and providers—Key findings from The Global State of Information Security Survey 2016,” Pricewaterhouse Coopers LLP. Web 15 April 2016. http://www.pwc.com/gx/en/consulting-services/information-security-survey/assets/pwc-gsiss-2016-healthcare-providers.pdf


12 “Report: Ransomware on the horizon for medical devices,” MassDevice.com, November 25, 2015. Web. 15 April 2016. http://www.massdevice.com/report-ransomware-on-the-horizon-for-medical-devices/?utm_source=hs_email&utm_medium=email&utm_content=24314437&_hsenc=p2ANqtz-8z1DrkOr3cAE3HRGqOaYLkkhB-NEYqOStIIo6Jarz4PLvBPeNpszDwVISjbA-SEY6HVvbdz1ikk0UeYqOSfN15_SbO9Q&_hsmi=24314437

13 “Big Paydays Force Hospitals to Prepare for Ransomware Attacks,” NBC News, April 23, 2016. Web. 27 April 2016. http://www.nbcnews.com/tech/security/big-paydays-force-hospitals-prepare-ransomware-attacks-n557176

14 “Predictions 2016: Cybersecurity Swings to Prevention,” Forrester Research, November 12, 2016. Web. 15 April 2016. https://www.forrester.com/report/Predictions+2016+Cybersecurity+Swings+To+Prevention/-/E-RES117390

15 “Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System: FDA Safety Communication,” U.S. Food and Drug Administration, July 31, 2015. Web. 15 April 2016. http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm456815.htm

16 “International CIIP Handbook 2008/2009,” ETH Zurich, Center for Security Studies, July 2008. Web. 15 April 2016. http://www.isn.ethz.ch/Digital-Library/Publications/Detail/?id=91952.

17 “Executive Order 13636—Improving Critical Infrastructure Cybersecurity,” February 19, 2013. Web. 15 April 2016. https://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf

18 “Framework for Improving Critical Infrastructure Cybersecurity,” U.S. National Institute of Standards and Technology (NIST), February 12, 2014. Web. 15 April 2016. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

19 “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff,” Center for Devices and Radiological Health, U.S. Food and Drug Administration, October 2, 2014. Web. 15 April 2016. http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf

20 “Postmarket Management of Cybersecurity in Medical Devices: Draft Guidance for Industry and Food and Drug Administration Staff,” Center for Devices and Radiological Health, U.S. Food and Drug Administration, January 22, 2016. Web. 15 April 2016. http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf

21 “Framework for Improving Critical Infrastructure Cybersecurity,” see Note 10.