SlideShare uma empresa Scribd logo

Security for Healthcare Devices – Will Your Device Be Good Enough?

Transferir como PPTX, PDF
W
Walt Maclay

The Concern: Devices in Healthcare * Cybersecurity and privacy issues have been on the increase Security for Wearables Is More Important * FDA digital health requirements Security by Design for Healthcare Devices * How to start security by design and get it right

Saúde e medicina
1 de 31
Security for Healthcare Devices – Will Your Device Be Good Enough? Meet FDA and CE requirements, and avoid embarrassing and expensive security breaches
AGENDA 2 The Concern: Devices in Healthcare • Cybersecurity and privacy issues have been on the increase Security for Wearables is More Important • FDA digital health requirements Security By Design for Healthcare Devices • How to start security by design and get it right
The Concern: Devices in Healthcare 3 Medical Systems Hacks Are Scary, but Medical Device Hacks Could Be Even Worse Harvard Business Review, 2017 Medical Devices Are the Next Security Nightmare Wired, 2017
of health care organizations have been the victim of a cyberattack Source: SANS Institute94% Critical medical devices can be hacked, potentially creating life threating patient safety issues Notable attacks on smart devices and infrastructure St. Jude Medical pacemakers vulnerable to hacking – 465,000 devices recalled – fear that hackers can deplete batteries or even alter patient’s heartbeat (Source: The Guardian) Owlet’s Baby Heart Monitor vulnerable to exploits – unencrypted network, no authentication required (Source: CBS News) 20172016 TRENDnet Webcam hacking – hackers posted live feeds of 700 cameras to the web – failure to secure IP addresses, unencrypted log in, not password protected (Source: TechNewsWorld) 2012 4
Consumer product companies are open to lawsuits 5 Quick Facts: • Recent Incident: December 2019 • Hackers broke into Ring security cameras of two families • Hackers used device speakers to broadcast racial slurs • Ring advised customers to enable two-factor authentication, use strong passwords on their accounts (Source: Vice) Now: • Ring has faced growing criticism over its security practices • Two couples who had their devices hacked initiated class action lawsuits against Ring (Source: Business Insider)
Ring Class Action Lawsuit 6 What is it about? Multiple class action lawsuits have been filed against the Amazon-owned company, Ring. The suit accuses Ring of negligence, breach of implied contract, invasion of privacy, etc. They claim Ring has failed to implement “even the most basic” security measures to protect its customers. Who is affected? Anyone who owns a Ring home security device. What could the class action do? Force Ring to put stronger safeguards in place to protect user’s privacy and award money to device owners. (Source: ClassAction.org)
What Now? Ask Questions. 7 • What elements must be considered when designing healthcare devices? • Why security challenges for wearables are greater than for an endpoint in a fixed location. • How to do security by design?
Security challenges for wearables are higher than an endpoint in a fixed location 8 Why? The device may not be the correct device. The wearer can wander around and be almost anywhere. The device may be used by the wrong person.
How to determine if it’s authorized to send data? 9 Fall detection capabilities Take the Apple watch for example. The Apple Watch Series 4 and its key features were cleared by FDA in the US. 3 new heart monitoring capabilities • Low heart rate alert • Heart rhythm detection • Personal electrocardiogram (ECG) monitor Apple Watch Series 4 as a serious medical device: (Source: Forbes)
How to determine if it’s authorized to send data? 10 So, the API requires the Apple Watch to: The Apple Watch does not have the UI to grant data authorization. (Source: Learning Swift) Let the user know they need to grant that permission on the iPhone. Prompt the user with the health authorization dialog on the iPhone. Make the call once the authorization is complete on the iPhone. Handle the result of the authorization from the iPhone on the Apple Watch.
Other Questions to Think About 11 Has it been spoofed? Is there a different device sending data? Is the device sending the right data? Is the device sending data accurately? Was data taken at the right time? 1 2 3 4
Security Regulations for Wearables are Changing 12 Food and Drug Administration’s (FDA) Digital Health Requirements Issued on Oct. 18, 2018 Defined by FDA “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” Final release is still pending Non-biding later guidance is advisable for use Security requirements Draft guidance only 2014 version applies for now
FDA requirements 13 Higher level of security if 1. Device connects to another product or network (wired or wirelessly) 2. A cybersecurity incident could directly result in harm to multiple patients Tier 1 Standard security Tier 2
Tier 1 recommends the following: 14 Authentication Encryption IdentificationAuthorization Correction
Medical Devices Needing High Security, Based on NIST Cybersecurity Framework 15 Tier 1 recommends the following: Prevent unauthorized use • Limit access to trusted users and devices only • Authenticate and check authorization of safety-critical commands Ensure trusted content by maintaining code, data, and execution integrity Maintain confidentiality of data Design the device to detect cybersecurity threats in a timely fashion A B C Design the device to respond to and contain the impact of a potential cyber security incident Design the device to recover capabilities or services that were impaired due to a cyber security incident E D F
16 Cryptographic Verification and Authentication Secure Configuration Cybersecurity BOM (CBOM) Patches and Updates (Rapid verification, validation testing, and deployment) Autonomous Functionality Session Time Out Intrusion Detection System Routine Security and Antivirus Scanning Forensic Evidence Capture Vulnerability Analysis Breach Notification Retention and Recovery Other Resilience Measures Other Tier 1 design recommendations include:
17 but items may be ignored if a risk-based rational shows they are not appropriate. Tier 2 has the same recommendations,
18 Separate from security, but you must have security to meet HIPAA. Patient data security is very serious. HIPAA – Patient Data Privacy
HIPAA is focused on the user HIPAA Requirements 19 Requires end-to-end security • From device to database • Physical access control at database If data is transmitted without patient ID, no privacy concern • Match a code with the patient name at the database
CE Security Requirements 20 CE requirements are not as specific as FDA guidance, but have similar requirements. Devices must be safe, effective, and secure. There is a focus on data protection (see GDPR), which is more strict than U.S. patient data requirements. Documents that apply: • Annex I of the Medical Device Regulations (MDR) • EN62304 on software • EN14971 on hazard analysis
CE Security Required Practices 21 Security managementPractice 1 Specification of security requirementsPractice 2 Secure by designPractice 3 Secure implementationPractice 4 Security verification and validation testingPractice 5 Management of security-related issuesPractice 6 Security update managementPractice 7 Security guidelines - documentationPractice 8
22 CE Security Requirements It is the manufacturers’ responsibility to determine the minimum requirements for the operating environment as regards IT network characteristics and IT security measures that could not be implemented through the product design. From MDCG 2019-16 Guidance on Cybersecurity for medical devices
Elements to consider when adopting a security-by-design approach 23 The only way to meet FDA and CE requirements Benefits: Effective and early security flaws removal Built-in rather than bolt-on security Reduced risk of liabilityMore resilient systemsLower costs
How to do security by design? 24 Identify requirements before starting product design. Be aware of regulatory requirements. Design security as part of the product design. Test to ensure the requirements are met.
Medical wearable design Factors to keep in mind when designing a medical wearable, Part 1 25 Choice of Technology Are you building your wearables on proven technology? Technology Weaknesses Does the technology platform have known exploits? System Design Where are the risks in the system? Data at rest has different vulnerability than data in flight. Risk Assessment Overall Risk should be broken down into individual items each with risk and effort required. Cryptography What level of cryptography is needed? Too high requires more power and more time Encryption Encryption is not just protecting the data with an encryption algorithm. Key management is actually more important.
Medical wearable design Factors to keep in mind when designing a medical wearable, Part 2 26 Threat Detection How can one detect a threat before any damage is done? Penetration testing Ethical hackers hired to attempt to attack a system. Developers Are they involved in threat modeling? Are they aware of your organization's security-by-design practice? Maintainability Are requirements for maintainability and tools to measure it in place? Privacy by Design Is privacy included in your approach (HIPAA and GDPR)? Further Improvements How can you continuously improve device development? Security will get more challenging during the life of the product.
Security By Design for A Consumer Product 27 Product Feature: XEEDA cryptocurrency hardware wallet and integrated app Voler completed the challenging design on-time and on-budget. About the Product: It allows for access, exchange, and management of bitcoins and other digital currency assets directory from a smartphone. About the Client: XEEDA is a blockchain and transactions startup company.
Voler’s security by design at every step of product development 28 Voler developed the device with very high security (EAL Level 5), using multi-factor authentication and built-in biometric security features. Fingerprint sensor and passcode Other security features of cold storage cryptocurrency device: Secure microcontroller for private keys Encrypted links within and outside the unit OLED display for secure storage – password is not displayed on the phone
Secure Microcontroller Features 29 Advanced Physical Level Security that wipes data upon tamper True Random Number Generator AES, DES, and SHA accelerators Modulo Arithmetic Accelerator for common crypto algorithms Secure Boot Loader - allows only authorized code to run on the processor Fault detection – detects tampering with the hardware Supports EAL level 5 security
Choosing Security by Design 30 • Have you mapped your technical and commercial requirements against available technical capabilities? • There are many technologies with widely varying capabilities, cost, and availability. • Voler can help select the right security design for your device. • We design medical, IoT, and wearable devices.
Let Voler Help You Succeed! Voler designs IoT and wearable devices with expertise in wireless communication and sensors •Walt Maclay, Voler Systems •Walt@volersystems.com •408-245-9844 ext 101 Quality Electronic Design & Software Wearable Devices | Sensor Interfaces | Wireless | Medical Devices

Recomendados

313 – Security Challenges in Healthcare IoT - ME
313 – Security Challenges in Healthcare IoT - ME313 – Security Challenges in Healthcare IoT - ME
313 – Security Challenges in Healthcare IoT - MEEQS Group
 
Cybersecurity and Software Updates in Medical Devices.pdf
Cybersecurity and Software Updates in Medical Devices.pdfCybersecurity and Software Updates in Medical Devices.pdf
Cybersecurity and Software Updates in Medical Devices.pdfICS
 
Secure Your Medical Devices From the Ground Up
Secure Your Medical Devices From the Ground Up Secure Your Medical Devices From the Ground Up
Secure Your Medical Devices From the Ground Up ICS
 
Introduction Network security
Introduction Network securityIntroduction Network security
Introduction Network securityIGZ Software house
 
EC-Council Computer Hacking Forensic Investigator v9
EC-Council Computer Hacking Forensic Investigator v9EC-Council Computer Hacking Forensic Investigator v9
EC-Council Computer Hacking Forensic Investigator v9ITpreneurs
 
Learn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | Edureka
Learn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | EdurekaLearn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | Edureka
Learn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | EdurekaEdureka!
 
Network Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityNetwork Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityEryk Budi Pratama
 
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...SBWebinars
 

Recomendados

313 – Security Challenges in Healthcare IoT - ME
313 – Security Challenges in Healthcare IoT - ME313 – Security Challenges in Healthcare IoT - ME
313 – Security Challenges in Healthcare IoT - MEEQS Group
 
Cybersecurity and Software Updates in Medical Devices.pdf
Cybersecurity and Software Updates in Medical Devices.pdfCybersecurity and Software Updates in Medical Devices.pdf
Cybersecurity and Software Updates in Medical Devices.pdfICS
 
Secure Your Medical Devices From the Ground Up
Secure Your Medical Devices From the Ground Up Secure Your Medical Devices From the Ground Up
Secure Your Medical Devices From the Ground Up ICS
 
Introduction Network security
Introduction Network securityIntroduction Network security
Introduction Network securityIGZ Software house
 
EC-Council Computer Hacking Forensic Investigator v9
EC-Council Computer Hacking Forensic Investigator v9EC-Council Computer Hacking Forensic Investigator v9
EC-Council Computer Hacking Forensic Investigator v9ITpreneurs
 
Learn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | Edureka
Learn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | EdurekaLearn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | Edureka
Learn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | EdurekaEdureka!
 
Network Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityNetwork Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityEryk Budi Pratama
 
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...SBWebinars
 
information security technology
information security technologyinformation security technology
information security technologygarimasagar
 
Digital Right Management
Digital Right ManagementDigital Right Management
Digital Right ManagementRatul Alahy
 
Elements of security risk assessment and risk management
Elements of security risk assessment and risk managementElements of security risk assessment and risk management
Elements of security risk assessment and risk managementhealthpoint
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsDamon Small
 
IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process EC-Council
 
Security Onion
Security OnionSecurity Onion
Security Onionn|u - The Open Security Community
 
IT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALIT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALCYBER SENSE
 
Biometric Access Control Systems
Biometric Access Control SystemsBiometric Access Control Systems
Biometric Access Control SystemsSafe-Systems Inc.
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of ThingsForgeRock
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testingImaginea
 
Lecture #31 : Windows Forensics
Lecture #31 : Windows ForensicsLecture #31 : Windows Forensics
Lecture #31 : Windows ForensicsDr. Ramchandra Mangrulkar
 
102 Information security standards and specifications
102 Information security standards and specifications102 Information security standards and specifications
102 Information security standards and specificationsSsendiSamuel
 
Threat Modelling and managed risks for medical devices
Threat Modelling and managed risks for medical devicesThreat Modelling and managed risks for medical devices
Threat Modelling and managed risks for medical devicesFrédéric Sagez
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber ForensicsKathirvel Ayyaswamy
 
Enterprise Architecture and Information Security
Enterprise Architecture and Information SecurityEnterprise Architecture and Information Security
Enterprise Architecture and Information SecurityJohn Macasio
 
Physical Security Presentation
Physical Security PresentationPhysical Security Presentation
Physical Security PresentationWajahat Rajab
 
Cyber security standards
Cyber security standardsCyber security standards
Cyber security standardsVaughan Olufemi ACIB, AICEN, ANIM
 
Chapter12 -- troubleshooting networking problems
Chapter12 -- troubleshooting networking problemsChapter12 -- troubleshooting networking problems
Chapter12 -- troubleshooting networking problemsRaja Waseem Akhtar
 
Seguridad Lógica
Seguridad LógicaSeguridad Lógica
Seguridad LógicaXavier
 
Pruebas Caja negra y Caja Blanca
Pruebas Caja negra y Caja BlancaPruebas Caja negra y Caja Blanca
Pruebas Caja negra y Caja BlancaManuel Murcia
 
Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015Flaskdata.io
 
Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015Flaskdata.io
 

Mais conteúdo relacionado

Mais procurados

information security technology
information security technologyinformation security technology
information security technologygarimasagar
 
Digital Right Management
Digital Right ManagementDigital Right Management
Digital Right ManagementRatul Alahy
 
Elements of security risk assessment and risk management
Elements of security risk assessment and risk managementElements of security risk assessment and risk management
Elements of security risk assessment and risk managementhealthpoint
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsDamon Small
 
IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process EC-Council
 
IT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALIT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALCYBER SENSE
 
Biometric Access Control Systems
Biometric Access Control SystemsBiometric Access Control Systems
Biometric Access Control SystemsSafe-Systems Inc.
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of ThingsForgeRock
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testingImaginea
 
102 Information security standards and specifications
102 Information security standards and specifications102 Information security standards and specifications
102 Information security standards and specificationsSsendiSamuel
 
Threat Modelling and managed risks for medical devices
Threat Modelling and managed risks for medical devicesThreat Modelling and managed risks for medical devices
Threat Modelling and managed risks for medical devicesFrédéric Sagez
 
Enterprise Architecture and Information Security
Enterprise Architecture and Information SecurityEnterprise Architecture and Information Security
Enterprise Architecture and Information SecurityJohn Macasio
 
Physical Security Presentation
Physical Security PresentationPhysical Security Presentation
Physical Security PresentationWajahat Rajab
 
Chapter12 -- troubleshooting networking problems
Chapter12 -- troubleshooting networking problemsChapter12 -- troubleshooting networking problems
Chapter12 -- troubleshooting networking problemsRaja Waseem Akhtar
 
Seguridad Lógica
Seguridad LógicaSeguridad Lógica
Seguridad LógicaXavier
 
Pruebas Caja negra y Caja Blanca
Pruebas Caja negra y Caja BlancaPruebas Caja negra y Caja Blanca
Pruebas Caja negra y Caja BlancaManuel Murcia
 

Mais procurados (20)

information security technology
information security technologyinformation security technology
information security technology
 
Digital Right Management
Digital Right ManagementDigital Right Management
Digital Right Management
 
Elements of security risk assessment and risk management
Elements of security risk assessment and risk managementElements of security risk assessment and risk management
Elements of security risk assessment and risk management
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to Basics
 
IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
IT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALIT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSAL
 
Biometric Access Control Systems
Biometric Access Control SystemsBiometric Access Control Systems
Biometric Access Control Systems
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of Things
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testing
 
Lecture #31 : Windows Forensics
Lecture #31 : Windows ForensicsLecture #31 : Windows Forensics
Lecture #31 : Windows Forensics
 
102 Information security standards and specifications
102 Information security standards and specifications102 Information security standards and specifications
102 Information security standards and specifications
 
Threat Modelling and managed risks for medical devices
Threat Modelling and managed risks for medical devicesThreat Modelling and managed risks for medical devices
Threat Modelling and managed risks for medical devices
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber Forensics
 
Enterprise Architecture and Information Security
Enterprise Architecture and Information SecurityEnterprise Architecture and Information Security
Enterprise Architecture and Information Security
 
Physical Security Presentation
Physical Security PresentationPhysical Security Presentation
Physical Security Presentation
 
Cyber security standards
Cyber security standardsCyber security standards
Cyber security standards
 
Chapter12 -- troubleshooting networking problems
Chapter12 -- troubleshooting networking problemsChapter12 -- troubleshooting networking problems
Chapter12 -- troubleshooting networking problems
 
Seguridad Lógica
Seguridad LógicaSeguridad Lógica
Seguridad Lógica
 
Pruebas Caja negra y Caja Blanca
Pruebas Caja negra y Caja BlancaPruebas Caja negra y Caja Blanca
Pruebas Caja negra y Caja Blanca
 

Semelhante a Security for Healthcare Devices – Will Your Device Be Good Enough?

Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015Flaskdata.io
 
Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015Flaskdata.io
 
Practical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfPractical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfICS
 
Equifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningEquifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningBlack Duck by Synopsys
 
Securing IoT medical devices
Securing IoT medical devicesSecuring IoT medical devices
Securing IoT medical devicesBenjamin Biwer
 
FDA’s Updated Guidance on Cybersecurity
FDA’s Updated Guidance on CybersecurityFDA’s Updated Guidance on Cybersecurity
FDA’s Updated Guidance on CybersecurityEMMAIntl
 
Data Security and Confidentiality in eCTD Publishing Tools Safeguarding Sensi...
Data Security and Confidentiality in eCTD Publishing Tools Safeguarding Sensi...Data Security and Confidentiality in eCTD Publishing Tools Safeguarding Sensi...
Data Security and Confidentiality in eCTD Publishing Tools Safeguarding Sensi...JustinFinch11
 
Network Connected Medical Devices - A Case Study
Network Connected Medical Devices - A Case StudyNetwork Connected Medical Devices - A Case Study
Network Connected Medical Devices - A Case StudySophiaPalmira
 
Guide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureGuide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureCalgary Scientific Inc.
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security BasicsMohan Jadhav
 
Killed by code - mobile medical devices
Killed by code - mobile medical devicesKilled by code - mobile medical devices
Killed by code - mobile medical devicesFlaskdata.io
 
Understanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and ApplicationsUnderstanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and ApplicationsEMMAIntl
 
The FDA - Mobile, and Fixed Medical Devices Cybersecurity Guidance
The FDA - Mobile, and Fixed Medical Devices Cybersecurity GuidanceThe FDA - Mobile, and Fixed Medical Devices Cybersecurity Guidance
The FDA - Mobile, and Fixed Medical Devices Cybersecurity GuidanceValdez Ladd MBA, CISSP, CISA,
 
5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk
5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk
5 Ways Technology Vendors Put Their Healthcare Customer's PHI at RiskClearDATACloud
 
CyberSecurity Medical Devices
CyberSecurity Medical DevicesCyberSecurity Medical Devices
CyberSecurity Medical DevicesSuresh Mandava
 
Breakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical DevicesBreakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical DevicesHealthegy
 
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYODRoadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYODSierraware
 
Patient Centric Cyber Monitoring with DocBox and Evolver
Patient Centric Cyber Monitoring with DocBox and EvolverPatient Centric Cyber Monitoring with DocBox and Evolver
Patient Centric Cyber Monitoring with DocBox and EvolverThe Security of Things Forum
 
THE FDA and Medical Device Cybersecurity Guidance
THE FDA and Medical Device Cybersecurity GuidanceTHE FDA and Medical Device Cybersecurity Guidance
THE FDA and Medical Device Cybersecurity GuidancePam Gilmore
 
Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...3GDR
 

Semelhante a Security for Healthcare Devices – Will Your Device Be Good Enough? (20)

Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015
 
Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015
 
Practical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfPractical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdf
 
Equifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningEquifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability Scanning
 
Securing IoT medical devices
Securing IoT medical devicesSecuring IoT medical devices
Securing IoT medical devices
 
FDA’s Updated Guidance on Cybersecurity
FDA’s Updated Guidance on CybersecurityFDA’s Updated Guidance on Cybersecurity
FDA’s Updated Guidance on Cybersecurity
 
Data Security and Confidentiality in eCTD Publishing Tools Safeguarding Sensi...
Data Security and Confidentiality in eCTD Publishing Tools Safeguarding Sensi...Data Security and Confidentiality in eCTD Publishing Tools Safeguarding Sensi...
Data Security and Confidentiality in eCTD Publishing Tools Safeguarding Sensi...
 
Network Connected Medical Devices - A Case Study
Network Connected Medical Devices - A Case StudyNetwork Connected Medical Devices - A Case Study
Network Connected Medical Devices - A Case Study
 
Guide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureGuide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secure
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
 
Killed by code - mobile medical devices
Killed by code - mobile medical devicesKilled by code - mobile medical devices
Killed by code - mobile medical devices
 
Understanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and ApplicationsUnderstanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and Applications
 
The FDA - Mobile, and Fixed Medical Devices Cybersecurity Guidance
The FDA - Mobile, and Fixed Medical Devices Cybersecurity GuidanceThe FDA - Mobile, and Fixed Medical Devices Cybersecurity Guidance
The FDA - Mobile, and Fixed Medical Devices Cybersecurity Guidance
 
5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk
5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk
5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk
 
CyberSecurity Medical Devices
CyberSecurity Medical DevicesCyberSecurity Medical Devices
CyberSecurity Medical Devices
 
Breakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical DevicesBreakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical Devices
 
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYODRoadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
 
Patient Centric Cyber Monitoring with DocBox and Evolver
Patient Centric Cyber Monitoring with DocBox and EvolverPatient Centric Cyber Monitoring with DocBox and Evolver
Patient Centric Cyber Monitoring with DocBox and Evolver
 
THE FDA and Medical Device Cybersecurity Guidance
THE FDA and Medical Device Cybersecurity GuidanceTHE FDA and Medical Device Cybersecurity Guidance
THE FDA and Medical Device Cybersecurity Guidance
 
Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...Health apps regulation and quality control case studies and session 2 present...
Health apps regulation and quality control case studies and session 2 present...
 

Mais de Walt Maclay

5G what's real and what's hype learn what it can really do 2020
5G what's real and what's hype learn what it can really do 20205G what's real and what's hype learn what it can really do 2020
5G what's real and what's hype learn what it can really do 2020Walt Maclay
 
5G Is Overhyped - Learn What It Can Really Do
5G Is Overhyped - Learn What It Can Really Do5G Is Overhyped - Learn What It Can Really Do
5G Is Overhyped - Learn What It Can Really DoWalt Maclay
 
5G Is Overhyped - Learn What It Can Really Do
5G Is Overhyped - Learn What It Can Really Do5G Is Overhyped - Learn What It Can Really Do
5G Is Overhyped - Learn What It Can Really DoWalt Maclay
 
Voler capabilities presentation with examples 2019-4 md rev wm 10-12
Voler capabilities presentation with examples 2019-4 md rev wm 10-12Voler capabilities presentation with examples 2019-4 md rev wm 10-12
Voler capabilities presentation with examples 2019-4 md rev wm 10-12Walt Maclay
 
Developing Product Requirements For Medical Devices
Developing Product Requirements For Medical DevicesDeveloping Product Requirements For Medical Devices
Developing Product Requirements For Medical DevicesWalt Maclay
 
Overview of wearable device sensors2017 rev9
Overview of wearable device sensors2017 rev9Overview of wearable device sensors2017 rev9
Overview of wearable device sensors2017 rev9Walt Maclay
 
Universal Health Sensor Platform Use Cases
Universal Health Sensor Platform Use CasesUniversal Health Sensor Platform Use Cases
Universal Health Sensor Platform Use CasesWalt Maclay
 
Medical device innovation_handbook
Medical device innovation_handbookMedical device innovation_handbook
Medical device innovation_handbookWalt Maclay
 
Voler Systems - case history - and more
Voler Systems - case history - and moreVoler Systems - case history - and more
Voler Systems - case history - and moreWalt Maclay
 
Iot and wearables meetup July 2019 by Ryan Kraudel, Valencell
Iot and wearables meetup July 2019 by Ryan Kraudel, ValencellIot and wearables meetup July 2019 by Ryan Kraudel, Valencell
Iot and wearables meetup July 2019 by Ryan Kraudel, ValencellWalt Maclay
 
Wearable Devices 2019
Wearable Devices 2019Wearable Devices 2019
Wearable Devices 2019Walt Maclay
 
Voler's Top 20 Resources for 2019
Voler's Top 20 Resources for 2019Voler's Top 20 Resources for 2019
Voler's Top 20 Resources for 2019Walt Maclay
 
Trends in Sensors, Wearable Devices and IoT
Trends in Sensors, Wearable Devices and IoTTrends in Sensors, Wearable Devices and IoT
Trends in Sensors, Wearable Devices and IoTWalt Maclay
 

Mais de Walt Maclay (13)

5G what's real and what's hype learn what it can really do 2020
5G what's real and what's hype learn what it can really do 20205G what's real and what's hype learn what it can really do 2020
5G what's real and what's hype learn what it can really do 2020
 
5G Is Overhyped - Learn What It Can Really Do
5G Is Overhyped - Learn What It Can Really Do5G Is Overhyped - Learn What It Can Really Do
5G Is Overhyped - Learn What It Can Really Do
 
5G Is Overhyped - Learn What It Can Really Do
5G Is Overhyped - Learn What It Can Really Do5G Is Overhyped - Learn What It Can Really Do
5G Is Overhyped - Learn What It Can Really Do
 
Voler capabilities presentation with examples 2019-4 md rev wm 10-12
Voler capabilities presentation with examples 2019-4 md rev wm 10-12Voler capabilities presentation with examples 2019-4 md rev wm 10-12
Voler capabilities presentation with examples 2019-4 md rev wm 10-12
 
Developing Product Requirements For Medical Devices
Developing Product Requirements For Medical DevicesDeveloping Product Requirements For Medical Devices
Developing Product Requirements For Medical Devices
 
Overview of wearable device sensors2017 rev9
Overview of wearable device sensors2017 rev9Overview of wearable device sensors2017 rev9
Overview of wearable device sensors2017 rev9
 
Universal Health Sensor Platform Use Cases
Universal Health Sensor Platform Use CasesUniversal Health Sensor Platform Use Cases
Universal Health Sensor Platform Use Cases
 
Medical device innovation_handbook
Medical device innovation_handbookMedical device innovation_handbook
Medical device innovation_handbook
 
Voler Systems - case history - and more
Voler Systems - case history - and moreVoler Systems - case history - and more
Voler Systems - case history - and more
 
Iot and wearables meetup July 2019 by Ryan Kraudel, Valencell
Iot and wearables meetup July 2019 by Ryan Kraudel, ValencellIot and wearables meetup July 2019 by Ryan Kraudel, Valencell
Iot and wearables meetup July 2019 by Ryan Kraudel, Valencell
 
Wearable Devices 2019
Wearable Devices 2019Wearable Devices 2019
Wearable Devices 2019
 
Voler's Top 20 Resources for 2019
Voler's Top 20 Resources for 2019Voler's Top 20 Resources for 2019
Voler's Top 20 Resources for 2019
 
Trends in Sensors, Wearable Devices and IoT
Trends in Sensors, Wearable Devices and IoTTrends in Sensors, Wearable Devices and IoT
Trends in Sensors, Wearable Devices and IoT
 

Último

Glomerular Filtration rate and its determinants.pptx
Glomerular Filtration rate and its determinants.pptxGlomerular Filtration rate and its determinants.pptx
Glomerular Filtration rate and its determinants.pptxDr.Nusrat Tariq
 
LUNG TUMORS AND ITS CLASSIFICATIONS.pdf
LUNG TUMORS AND ITS CLASSIFICATIONS.pdfLUNG TUMORS AND ITS CLASSIFICATIONS.pdf
LUNG TUMORS AND ITS CLASSIFICATIONS.pdfDolisha Warbi
 
POST NATAL EXERCISES AND ITS IMPACT.pptx
POST NATAL EXERCISES AND ITS IMPACT.pptxPOST NATAL EXERCISES AND ITS IMPACT.pptx
POST NATAL EXERCISES AND ITS IMPACT.pptxvirengeeta
 
Basic principles involved in the traditional systems of medicine PDF.pdf
Basic principles involved in the traditional systems of medicine PDF.pdfBasic principles involved in the traditional systems of medicine PDF.pdf
Basic principles involved in the traditional systems of medicine PDF.pdfDivya Kanojiya
 
Report Back from SGO: What’s New in Uterine Cancer?.pptx
Report Back from SGO: What’s New in Uterine Cancer?.pptxReport Back from SGO: What’s New in Uterine Cancer?.pptx
Report Back from SGO: What’s New in Uterine Cancer?.pptxbkling
 
Radiation Dosimetry Parameters and Isodose Curves.pptx
Radiation Dosimetry Parameters and Isodose Curves.pptxRadiation Dosimetry Parameters and Isodose Curves.pptx
Radiation Dosimetry Parameters and Isodose Curves.pptxDr. Dheeraj Kumar
 
Statistical modeling in pharmaceutical research and development.
Statistical modeling in pharmaceutical research and development.Statistical modeling in pharmaceutical research and development.
Statistical modeling in pharmaceutical research and development.ANJALI
 
Let's Talk About It: To Disclose or Not to Disclose?
Let's Talk About It: To Disclose or Not to Disclose?Let's Talk About It: To Disclose or Not to Disclose?
Let's Talk About It: To Disclose or Not to Disclose?bkling
 
METHODS OF ACQUIRING KNOWLEDGE IN NURSING.pptx by navdeep kaur
METHODS OF ACQUIRING KNOWLEDGE IN NURSING.pptx by navdeep kaurMETHODS OF ACQUIRING KNOWLEDGE IN NURSING.pptx by navdeep kaur
METHODS OF ACQUIRING KNOWLEDGE IN NURSING.pptx by navdeep kaurNavdeep Kaur
 
PERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptx
PERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptxPERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptx
PERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptxdrashraf369
 
call girls in Dwarka Sector 21 Metro DELHI 🔝 >༒9540349809 🔝 genuine Escort Se...
call girls in Dwarka Sector 21 Metro DELHI 🔝 >༒9540349809 🔝 genuine Escort Se...call girls in Dwarka Sector 21 Metro DELHI 🔝 >༒9540349809 🔝 genuine Escort Se...
call girls in Dwarka Sector 21 Metro DELHI 🔝 >༒9540349809 🔝 genuine Escort Se...saminamagar
 
Informed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptxInformed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptxSasikiranMarri
 
call girls in green park DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in green park DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in green park DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in green park DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
world health day presentation ppt download
world health day presentation ppt downloadworld health day presentation ppt download
world health day presentation ppt downloadAnkitKumar311566
 
Hematology and Immunology - Leukocytes Functions
Hematology and Immunology - Leukocytes FunctionsHematology and Immunology - Leukocytes Functions
Hematology and Immunology - Leukocytes FunctionsMedicoseAcademics
 
SWD (Short wave diathermy)- Physiotherapy.ppt
SWD (Short wave diathermy)- Physiotherapy.pptSWD (Short wave diathermy)- Physiotherapy.ppt
SWD (Short wave diathermy)- Physiotherapy.pptMumux Mirani
 
PULMONARY EDEMA AND ITS MANAGEMENT.pdf
PULMONARY EDEMA AND ITS MANAGEMENT.pdfPULMONARY EDEMA AND ITS MANAGEMENT.pdf
PULMONARY EDEMA AND ITS MANAGEMENT.pdfDolisha Warbi
 
PULMONARY EMBOLISM AND ITS MANAGEMENTS.pdf
PULMONARY EMBOLISM AND ITS MANAGEMENTS.pdfPULMONARY EMBOLISM AND ITS MANAGEMENTS.pdf
PULMONARY EMBOLISM AND ITS MANAGEMENTS.pdfDolisha Warbi
 
Big Data Analysis Suggests COVID Vaccination Increases Excess Mortality Of ...
Big Data Analysis Suggests COVID Vaccination Increases Excess Mortality Of ...Big Data Analysis Suggests COVID Vaccination Increases Excess Mortality Of ...
Big Data Analysis Suggests COVID Vaccination Increases Excess Mortality Of ...sdateam0
 
PNEUMOTHORAX AND ITS MANAGEMENTS.pdf
PNEUMOTHORAX AND ITS MANAGEMENTS.pdfPNEUMOTHORAX AND ITS MANAGEMENTS.pdf
PNEUMOTHORAX AND ITS MANAGEMENTS.pdfDolisha Warbi
 

Último (20)

Glomerular Filtration rate and its determinants.pptx
Glomerular Filtration rate and its determinants.pptxGlomerular Filtration rate and its determinants.pptx
Glomerular Filtration rate and its determinants.pptx
 
LUNG TUMORS AND ITS CLASSIFICATIONS.pdf
LUNG TUMORS AND ITS CLASSIFICATIONS.pdfLUNG TUMORS AND ITS CLASSIFICATIONS.pdf
LUNG TUMORS AND ITS CLASSIFICATIONS.pdf
 
POST NATAL EXERCISES AND ITS IMPACT.pptx
POST NATAL EXERCISES AND ITS IMPACT.pptxPOST NATAL EXERCISES AND ITS IMPACT.pptx
POST NATAL EXERCISES AND ITS IMPACT.pptx
 
Basic principles involved in the traditional systems of medicine PDF.pdf
Basic principles involved in the traditional systems of medicine PDF.pdfBasic principles involved in the traditional systems of medicine PDF.pdf
Basic principles involved in the traditional systems of medicine PDF.pdf
 
Report Back from SGO: What’s New in Uterine Cancer?.pptx
Report Back from SGO: What’s New in Uterine Cancer?.pptxReport Back from SGO: What’s New in Uterine Cancer?.pptx
Report Back from SGO: What’s New in Uterine Cancer?.pptx
 
Radiation Dosimetry Parameters and Isodose Curves.pptx
Radiation Dosimetry Parameters and Isodose Curves.pptxRadiation Dosimetry Parameters and Isodose Curves.pptx
Radiation Dosimetry Parameters and Isodose Curves.pptx
 
Statistical modeling in pharmaceutical research and development.
Statistical modeling in pharmaceutical research and development.Statistical modeling in pharmaceutical research and development.
Statistical modeling in pharmaceutical research and development.
 
Let's Talk About It: To Disclose or Not to Disclose?
Let's Talk About It: To Disclose or Not to Disclose?Let's Talk About It: To Disclose or Not to Disclose?
Let's Talk About It: To Disclose or Not to Disclose?
 
METHODS OF ACQUIRING KNOWLEDGE IN NURSING.pptx by navdeep kaur
METHODS OF ACQUIRING KNOWLEDGE IN NURSING.pptx by navdeep kaurMETHODS OF ACQUIRING KNOWLEDGE IN NURSING.pptx by navdeep kaur
METHODS OF ACQUIRING KNOWLEDGE IN NURSING.pptx by navdeep kaur
 
PERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptx
PERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptxPERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptx
PERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptx
 
call girls in Dwarka Sector 21 Metro DELHI 🔝 >༒9540349809 🔝 genuine Escort Se...
call girls in Dwarka Sector 21 Metro DELHI 🔝 >༒9540349809 🔝 genuine Escort Se...call girls in Dwarka Sector 21 Metro DELHI 🔝 >༒9540349809 🔝 genuine Escort Se...
call girls in Dwarka Sector 21 Metro DELHI 🔝 >༒9540349809 🔝 genuine Escort Se...
 
Informed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptxInformed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptx
 
call girls in green park DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in green park DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in green park DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in green park DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
world health day presentation ppt download
world health day presentation ppt downloadworld health day presentation ppt download
world health day presentation ppt download
 
Hematology and Immunology - Leukocytes Functions
Hematology and Immunology - Leukocytes FunctionsHematology and Immunology - Leukocytes Functions
Hematology and Immunology - Leukocytes Functions
 
SWD (Short wave diathermy)- Physiotherapy.ppt
SWD (Short wave diathermy)- Physiotherapy.pptSWD (Short wave diathermy)- Physiotherapy.ppt
SWD (Short wave diathermy)- Physiotherapy.ppt
 
PULMONARY EDEMA AND ITS MANAGEMENT.pdf
PULMONARY EDEMA AND ITS MANAGEMENT.pdfPULMONARY EDEMA AND ITS MANAGEMENT.pdf
PULMONARY EDEMA AND ITS MANAGEMENT.pdf
 
PULMONARY EMBOLISM AND ITS MANAGEMENTS.pdf
PULMONARY EMBOLISM AND ITS MANAGEMENTS.pdfPULMONARY EMBOLISM AND ITS MANAGEMENTS.pdf
PULMONARY EMBOLISM AND ITS MANAGEMENTS.pdf
 
Big Data Analysis Suggests COVID Vaccination Increases Excess Mortality Of ...
Big Data Analysis Suggests COVID Vaccination Increases Excess Mortality Of ...Big Data Analysis Suggests COVID Vaccination Increases Excess Mortality Of ...
Big Data Analysis Suggests COVID Vaccination Increases Excess Mortality Of ...
 
PNEUMOTHORAX AND ITS MANAGEMENTS.pdf
PNEUMOTHORAX AND ITS MANAGEMENTS.pdfPNEUMOTHORAX AND ITS MANAGEMENTS.pdf
PNEUMOTHORAX AND ITS MANAGEMENTS.pdf
 

Security for Healthcare Devices – Will Your Device Be Good Enough?

  • 1. Security for Healthcare Devices – Will Your Device Be Good Enough? Meet FDA and CE requirements, and avoid embarrassing and expensive security breaches
  • 2. AGENDA 2 The Concern: Devices in Healthcare • Cybersecurity and privacy issues have been on the increase Security for Wearables is More Important • FDA digital health requirements Security By Design for Healthcare Devices • How to start security by design and get it right
  • 3. The Concern: Devices in Healthcare 3 Medical Systems Hacks Are Scary, but Medical Device Hacks Could Be Even Worse Harvard Business Review, 2017 Medical Devices Are the Next Security Nightmare Wired, 2017
  • 4. of health care organizations have been the victim of a cyberattack Source: SANS Institute94% Critical medical devices can be hacked, potentially creating life threating patient safety issues Notable attacks on smart devices and infrastructure St. Jude Medical pacemakers vulnerable to hacking – 465,000 devices recalled – fear that hackers can deplete batteries or even alter patient’s heartbeat (Source: The Guardian) Owlet’s Baby Heart Monitor vulnerable to exploits – unencrypted network, no authentication required (Source: CBS News) 20172016 TRENDnet Webcam hacking – hackers posted live feeds of 700 cameras to the web – failure to secure IP addresses, unencrypted log in, not password protected (Source: TechNewsWorld) 2012 4
  • 5. Consumer product companies are open to lawsuits 5 Quick Facts: • Recent Incident: December 2019 • Hackers broke into Ring security cameras of two families • Hackers used device speakers to broadcast racial slurs • Ring advised customers to enable two-factor authentication, use strong passwords on their accounts (Source: Vice) Now: • Ring has faced growing criticism over its security practices • Two couples who had their devices hacked initiated class action lawsuits against Ring (Source: Business Insider)
  • 6. Ring Class Action Lawsuit 6 What is it about? Multiple class action lawsuits have been filed against the Amazon-owned company, Ring. The suit accuses Ring of negligence, breach of implied contract, invasion of privacy, etc. They claim Ring has failed to implement “even the most basic” security measures to protect its customers. Who is affected? Anyone who owns a Ring home security device. What could the class action do? Force Ring to put stronger safeguards in place to protect user’s privacy and award money to device owners. (Source: ClassAction.org)
  • 7. What Now? Ask Questions. 7 • What elements must be considered when designing healthcare devices? • Why security challenges for wearables are greater than for an endpoint in a fixed location. • How to do security by design?
  • 8. Security challenges for wearables are higher than an endpoint in a fixed location 8 Why? The device may not be the correct device. The wearer can wander around and be almost anywhere. The device may be used by the wrong person.
  • 9. How to determine if it’s authorized to send data? 9 Fall detection capabilities Take the Apple watch for example. The Apple Watch Series 4 and its key features were cleared by FDA in the US. 3 new heart monitoring capabilities • Low heart rate alert • Heart rhythm detection • Personal electrocardiogram (ECG) monitor Apple Watch Series 4 as a serious medical device: (Source: Forbes)
  • 10. How to determine if it’s authorized to send data? 10 So, the API requires the Apple Watch to: The Apple Watch does not have the UI to grant data authorization. (Source: Learning Swift) Let the user know they need to grant that permission on the iPhone. Prompt the user with the health authorization dialog on the iPhone. Make the call once the authorization is complete on the iPhone. Handle the result of the authorization from the iPhone on the Apple Watch.
  • 11. Other Questions to Think About 11 Has it been spoofed? Is there a different device sending data? Is the device sending the right data? Is the device sending data accurately? Was data taken at the right time? 1 2 3 4
  • 12. Security Regulations for Wearables are Changing 12 Food and Drug Administration’s (FDA) Digital Health Requirements Issued on Oct. 18, 2018 Defined by FDA “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” Final release is still pending Non-biding later guidance is advisable for use Security requirements Draft guidance only 2014 version applies for now
  • 13. FDA requirements 13 Higher level of security if 1. Device connects to another product or network (wired or wirelessly) 2. A cybersecurity incident could directly result in harm to multiple patients Tier 1 Standard security Tier 2
  • 14. Tier 1 recommends the following: 14 Authentication Encryption IdentificationAuthorization Correction
  • 15. Medical Devices Needing High Security, Based on NIST Cybersecurity Framework 15 Tier 1 recommends the following: Prevent unauthorized use • Limit access to trusted users and devices only • Authenticate and check authorization of safety-critical commands Ensure trusted content by maintaining code, data, and execution integrity Maintain confidentiality of data Design the device to detect cybersecurity threats in a timely fashion A B C Design the device to respond to and contain the impact of a potential cyber security incident Design the device to recover capabilities or services that were impaired due to a cyber security incident E D F
  • 16. 16 Cryptographic Verification and Authentication Secure Configuration Cybersecurity BOM (CBOM) Patches and Updates (Rapid verification, validation testing, and deployment) Autonomous Functionality Session Time Out Intrusion Detection System Routine Security and Antivirus Scanning Forensic Evidence Capture Vulnerability Analysis Breach Notification Retention and Recovery Other Resilience Measures Other Tier 1 design recommendations include:
  • 17. 17 but items may be ignored if a risk-based rational shows they are not appropriate. Tier 2 has the same recommendations,
  • 18. 18 Separate from security, but you must have security to meet HIPAA. Patient data security is very serious. HIPAA – Patient Data Privacy
  • 19. HIPAA is focused on the user HIPAA Requirements 19 Requires end-to-end security • From device to database • Physical access control at database If data is transmitted without patient ID, no privacy concern • Match a code with the patient name at the database
  • 20. CE Security Requirements 20 CE requirements are not as specific as FDA guidance, but have similar requirements. Devices must be safe, effective, and secure. There is a focus on data protection (see GDPR), which is more strict than U.S. patient data requirements. Documents that apply: • Annex I of the Medical Device Regulations (MDR) • EN62304 on software • EN14971 on hazard analysis
  • 21. CE Security Required Practices 21 Security managementPractice 1 Specification of security requirementsPractice 2 Secure by designPractice 3 Secure implementationPractice 4 Security verification and validation testingPractice 5 Management of security-related issuesPractice 6 Security update managementPractice 7 Security guidelines - documentationPractice 8
  • 22. 22 CE Security Requirements It is the manufacturers’ responsibility to determine the minimum requirements for the operating environment as regards IT network characteristics and IT security measures that could not be implemented through the product design. From MDCG 2019-16 Guidance on Cybersecurity for medical devices
  • 23. Elements to consider when adopting a security-by-design approach 23 The only way to meet FDA and CE requirements Benefits: Effective and early security flaws removal Built-in rather than bolt-on security Reduced risk of liabilityMore resilient systemsLower costs
  • 24. How to do security by design? 24 Identify requirements before starting product design. Be aware of regulatory requirements. Design security as part of the product design. Test to ensure the requirements are met.
  • 25. Medical wearable design Factors to keep in mind when designing a medical wearable, Part 1 25 Choice of Technology Are you building your wearables on proven technology? Technology Weaknesses Does the technology platform have known exploits? System Design Where are the risks in the system? Data at rest has different vulnerability than data in flight. Risk Assessment Overall Risk should be broken down into individual items each with risk and effort required. Cryptography What level of cryptography is needed? Too high requires more power and more time Encryption Encryption is not just protecting the data with an encryption algorithm. Key management is actually more important.
  • 26. Medical wearable design Factors to keep in mind when designing a medical wearable, Part 2 26 Threat Detection How can one detect a threat before any damage is done? Penetration testing Ethical hackers hired to attempt to attack a system. Developers Are they involved in threat modeling? Are they aware of your organization's security-by-design practice? Maintainability Are requirements for maintainability and tools to measure it in place? Privacy by Design Is privacy included in your approach (HIPAA and GDPR)? Further Improvements How can you continuously improve device development? Security will get more challenging during the life of the product.
  • 27. Security By Design for A Consumer Product 27 Product Feature: XEEDA cryptocurrency hardware wallet and integrated app Voler completed the challenging design on-time and on-budget. About the Product: It allows for access, exchange, and management of bitcoins and other digital currency assets directory from a smartphone. About the Client: XEEDA is a blockchain and transactions startup company.
  • 28. Voler’s security by design at every step of product development 28 Voler developed the device with very high security (EAL Level 5), using multi-factor authentication and built-in biometric security features. Fingerprint sensor and passcode Other security features of cold storage cryptocurrency device: Secure microcontroller for private keys Encrypted links within and outside the unit OLED display for secure storage – password is not displayed on the phone
  • 29. Secure Microcontroller Features 29 Advanced Physical Level Security that wipes data upon tamper True Random Number Generator AES, DES, and SHA accelerators Modulo Arithmetic Accelerator for common crypto algorithms Secure Boot Loader - allows only authorized code to run on the processor Fault detection – detects tampering with the hardware Supports EAL level 5 security
  • 30. Choosing Security by Design 30 • Have you mapped your technical and commercial requirements against available technical capabilities? • There are many technologies with widely varying capabilities, cost, and availability. • Voler can help select the right security design for your device. • We design medical, IoT, and wearable devices.
  • 31. Let Voler Help You Succeed! Voler designs IoT and wearable devices with expertise in wireless communication and sensors •Walt Maclay, Voler Systems •Walt@volersystems.com •408-245-9844 ext 101 Quality Electronic Design & Software Wearable Devices | Sensor Interfaces | Wireless | Medical Devices