The Concern: Devices in Healthcare
* Cybersecurity and privacy issues have been on the increase
Security for Wearables Is More Important
* FDA digital health requirements
Security by Design for Healthcare Devices
* How to start security by design and get it right
Security for Healthcare Devices – Will Your Device Be Good Enough?
1. Security for Healthcare Devices – Will Your Device Be Good Enough?
Meet FDA and CE requirements, and avoid embarrassing and expensive security breaches
2. AGENDA
The Concern: Devices in Healthcare
• Cybersecurity and privacy issues have been on the increase
Security for Wearables is More Important
• FDA digital health requirements
Security By Design for Healthcare Devices
• How to start security by design and get it right
3. The Concern: Devices in Healthcare
“Medical Systems Hacks Are Scary, but Medical Device Hacks Could Be Even Worse” – Harvard Business Review, 2017
“Medical Devices Are the Next Security Nightmare” – Wired, 2017
4. 94% of health care organizations have been the victim of a cyberattack (Source: SANS Institute)
Critical medical devices can be hacked, potentially creating life-threatening patient safety issues.
Notable attacks on smart devices and infrastructure:
• 2017 – St. Jude Medical pacemakers vulnerable to hacking – 465,000 devices recalled – fear that hackers can deplete batteries or even alter a patient’s heartbeat (Source: The Guardian)
• 2016 – Owlet’s Baby Heart Monitor vulnerable to exploits – unencrypted network, no authentication required (Source: CBS News)
• 2012 – TRENDnet Webcam hacking – hackers posted live feeds of 700 cameras to the web – failure to secure IP addresses, unencrypted log-in, not password protected (Source: TechNewsWorld)
5. Consumer product companies are open to lawsuits
Quick Facts:
• Recent Incident: December 2019
• Hackers broke into Ring security cameras of two families
• Hackers used device speakers to broadcast racial slurs
• Ring advised customers to enable two-factor authentication and use strong passwords on their accounts (Source: Vice)
Now:
• Ring has faced growing criticism over its security practices
• Two couples who had their devices hacked initiated class action lawsuits against Ring (Source: Business Insider)
6. Ring Class Action Lawsuit
What is it about?
Multiple class action lawsuits have been filed against the Amazon-owned company, Ring. The suits accuse Ring of negligence, breach of implied contract, invasion of privacy, etc. They claim Ring has failed to implement “even the most basic” security measures to protect its customers.
Who is affected?
Anyone who owns a Ring home security device.
What could the class action do?
Force Ring to put stronger safeguards in place to protect users’ privacy and award money to device owners.
(Source: ClassAction.org)
7. What Now? Ask Questions.
• What elements must be considered when designing healthcare devices?
• Why are security challenges for wearables greater than for an endpoint in a fixed location?
• How to do security by design?
8. Security challenges for wearables are higher than for an endpoint in a fixed location
Why?
• The device may not be the correct device.
• The wearer can wander around and be almost anywhere.
• The device may be used by the wrong person.
9. How to determine if it’s authorized to send data?
Take the Apple Watch for example.
Apple Watch Series 4 as a serious medical device:
• The Apple Watch Series 4 and its key features were cleared by FDA in the US.
• Fall detection capabilities
• 3 new heart monitoring capabilities: low heart rate alert, heart rhythm detection, personal electrocardiogram (ECG) monitor
(Source: Forbes)
10. How to determine if it’s authorized to send data?
The Apple Watch does not have the UI to grant data authorization. So, the API requires the Apple Watch to:
1. Let the user know they need to grant that permission on the iPhone.
2. Prompt the user with the health authorization dialog on the iPhone.
3. Make the call once the authorization is complete on the iPhone.
4. Handle the result of the authorization from the iPhone on the Apple Watch.
(Source: Learning Swift)
11. Other Questions to Think About
1. Has it been spoofed? Is there a different device sending data?
2. Is the device sending the right data?
3. Is the device sending data accurately?
4. Was data taken at the right time?
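As an added example (not from the deck or from Voler), here is how a receiving server can answer these four questions for a wearable's readings: a per-device key proves which registered device sent the data, a MAC detects altered data, a timestamp window and a per-device nonce catch late or replayed readings, and a plausibility range flags readings that cannot be accurate. The device ids, keys and heart-rate range are constructed values.

```python
import hashlib
import hmac
import json

# Constructed example: per-device secrets provisioned at manufacture and
# held by the receiving server. Hypothetical device ids and keys.
DEVICE_KEYS = {
    "wrist-0001": bytes.fromhex("3f9a" * 16),
    "wrist-0002": bytes.fromhex("b71c" * 16),
}
# Plausible physiological ranges used to reject obviously wrong readings (constructed).
PLAUSIBLE = {"heart_rate_bpm": (30, 250)}
MAX_SKEW_SECONDS = 120  # how far a reading's timestamp may differ from server time


def canonical(payload):
    # Deterministic byte encoding so device and server MAC exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id, key, metric, value, timestamp, nonce):
    """Device side: bind the reading to the device, the time and a fresh nonce."""
    payload = {"device": device_id, "metric": metric, "value": value,
               "ts": timestamp, "nonce": nonce}
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_reading(msg, now, seen_nonces):
    """Server side: return (accepted, reason). seen_nonces holds (device, nonce)
    pairs already accepted and is only extended when a reading is accepted."""
    payload = msg.get("payload", {})
    key = DEVICE_KEYS.get(payload.get("device"))
    if key is None:
        return False, "unknown device: not authorized to send"
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("tag", "")):
        return False, "bad tag: spoofed or altered message"
    # From here on the fields are known to come from the keyed device.
    if abs(now - payload["ts"]) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window: wrong time or replayed"
    if (payload["device"], payload["nonce"]) in seen_nonces:
        return False, "nonce reuse: replayed message"
    low, high = PLAUSIBLE.get(payload["metric"], (None, None))
    if low is not None and not low <= payload["value"] <= high:
        return False, "implausible value: inaccurate or corrupted reading"
    seen_nonces.add((payload["device"], payload["nonce"]))
    return True, "accepted"
```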
12. Security Regulations for Wearables are Changing
Food and Drug Administration’s (FDA) Digital Health Requirements
• Issued on Oct. 18, 2018
• Defined by FDA: “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”
• Final release is still pending
• Security requirements: draft guidance only; the 2014 version applies for now
• Non-binding later guidance is advisable for use
13. FDA requirements
Tier 1 – Higher level of security, if:
1. Device connects to another product or network (wired or wirelessly)
2. A cybersecurity incident could directly result in harm to multiple patients
Tier 2 – Standard security
15. Medical Devices Needing High Security, Based on NIST Cybersecurity Framework
Tier 1 recommends the following:
A. Prevent unauthorized use
• Limit access to trusted users and devices only
• Authenticate and check authorization of safety-critical commands
B. Ensure trusted content by maintaining code, data, and execution integrity
C. Maintain confidentiality of data
D. Design the device to detect cybersecurity threats in a timely fashion
E. Design the device to respond to and contain the impact of a potential cybersecurity incident
F. Design the device to recover capabilities or services that were impaired due to a cybersecurity incident
16. Other Tier 1 design recommendations include:
• Cryptographic Verification and Authentication
• Secure Configuration
• Cybersecurity BOM (CBOM)
• Patches and Updates (rapid verification, validation testing, and deployment)
• Autonomous Functionality
• Session Time Out
• Intrusion Detection System
• Routine Security and Antivirus Scanning
• Forensic Evidence Capture
• Vulnerability Analysis
• Breach Notification
• Retention and Recovery
• Other Resilience Measures
17. Tier 2 has the same recommendations, but items may be ignored if a risk-based rationale shows they are not appropriate.
18. HIPAA – Patient Data Privacy
Separate from security, but you must have security to meet HIPAA.
Patient data security is very serious.
19. HIPAA Requirements
HIPAA is focused on the user.
Requires end-to-end security:
• From device to database
• Physical access control at database
If data is transmitted without patient ID, there is no privacy concern:
• Match a code with the patient name at the database
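As an added example (not from the deck or from Voler), this is one way to implement the code-for-patient scheme just described: the wearable transmits readings under a random subject code, the code-to-patient match exists only at the database layer, and re-identification is limited by role. Patient ids, field names and role names are constructed.

```python
import secrets

# Direct identifiers that must never leave the device with a reading (constructed list).
IDENTIFYING_FIELDS = {"patient_id", "name", "dob", "mrn", "address", "phone"}
# Roles allowed to match a code back to a patient at the database (constructed).
REIDENTIFY_ROLES = {"clinician", "records_admin"}


class PseudonymVault:
    """The code <-> patient mapping. It lives only at the database, behind the
    physical and logical access control HIPAA requires; the device never holds it."""

    def __init__(self):
        self._code_to_patient = {}
        self._patient_to_code = {}

    def code_for(self, patient_id):
        # A random token rather than a hash of the patient id: a hash would let
        # anyone who knows (or can guess) the id link readings to the patient.
        code = self._patient_to_code.get(patient_id)
        if code is None:
            code = secrets.token_hex(16)
            self._patient_to_code[patient_id] = code
            self._code_to_patient[code] = patient_id
        return code

    def reidentify(self, code, role):
        # Fail closed: only permitted roles get the patient id back.
        if role not in REIDENTIFY_ROLES:
            raise PermissionError(f"role {role!r} may not re-identify readings")
        return self._code_to_patient[code]


def strip_for_transmission(record, code):
    """What the wearable should send: measurements plus the code, no identifiers."""
    wire = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    wire["subject_code"] = code
    return wire


def carries_identifier(wire):
    """Pre-send check: True if any direct identifier slipped into the message."""
    return any(k in IDENTIFYING_FIELDS for k in wire)
```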
20. CE Security Requirements
CE requirements are not as specific as FDA guidance, but have similar requirements.
Devices must be safe, effective, and secure.
There is a focus on data protection (see GDPR), which is more strict than U.S. patient data requirements.
Documents that apply:
• Annex I of the Medical Device Regulations (MDR)
• EN62304 on software
• EN14971 on hazard analysis
21. CE Security Required Practices
Practice 1: Security management
Practice 2: Specification of security requirements
Practice 3: Secure by design
Practice 4: Secure implementation
Practice 5: Security verification and validation testing
Practice 6: Management of security-related issues
Practice 7: Security update management
Practice 8: Security guidelines – documentation
22. CE Security Requirements
“It is the manufacturers’ responsibility to determine the minimum requirements for the operating environment as regards IT network characteristics and IT security measures that could not be implemented through the product design.”
From MDCG 2019-16, Guidance on Cybersecurity for medical devices
23. Elements to consider when adopting a security-by-design approach
The only way to meet FDA and CE requirements.
Benefits:
• Effective and early removal of security flaws
• Built-in rather than bolt-on security
• Reduced risk of liability
• More resilient systems
• Lower costs
24. How to do security by design?
1. Identify requirements before starting product design.
2. Be aware of regulatory requirements.
3. Design security as part of the product design.
4. Test to ensure the requirements are met.
25. Medical wearable design – Factors to keep in mind when designing a medical wearable, Part 1
Choice of Technology: Are you building your wearables on proven technology?
Technology Weaknesses: Does the technology platform have known exploits?
System Design: Where are the risks in the system? Data at rest has different vulnerabilities from data in flight.
Risk Assessment: Overall risk should be broken down into individual items, each with its own risk and the effort required.
Cryptography: What level of cryptography is needed? Too high requires more power and more time.
Encryption: Encryption is not just protecting the data with an encryption algorithm. Key management is actually more important.
26. Medical wearable design – Factors to keep in mind when designing a medical wearable, Part 2
Threat Detection: How can one detect a threat before any damage is done?
Penetration testing: Ethical hackers hired to attempt to attack a system.
Developers: Are they involved in threat modeling? Are they aware of your organization's security-by-design practice?
Maintainability: Are requirements for maintainability and tools to measure it in place?
Privacy by Design: Is privacy included in your approach (HIPAA and GDPR)?
Further Improvements: How can you continuously improve device development? Security will get more challenging during the life of the product.
27. Security By Design for A Consumer Product
Product Feature: XEEDA cryptocurrency hardware wallet and integrated app
Voler completed the challenging design on-time and on-budget.
About the Product: It allows for access, exchange, and management of bitcoins and other digital currency assets directly from a smartphone.
About the Client: XEEDA is a blockchain and transactions startup company.
28. Voler’s security by design at every step of product development
Voler developed the device with very high security (EAL Level 5), using multi-factor authentication and built-in biometric security features.
Other security features of the cold storage cryptocurrency device:
• Fingerprint sensor and passcode
• Secure microcontroller for private keys
• Encrypted links within and outside the unit
• OLED display for secure storage – password is not displayed on the phone
29. Secure Microcontroller Features
• Advanced physical-level security that wipes data upon tamper
• True Random Number Generator
• AES, DES, and SHA accelerators
• Modulo Arithmetic Accelerator for common crypto algorithms
• Secure Boot Loader – allows only authorized code to run on the processor
• Fault detection – detects tampering with the hardware
• Supports EAL level 5 security
30. Choosing Security by Design
• Have you mapped your technical and commercial requirements against available technical capabilities?
• There are many technologies with widely varying capabilities, cost, and availability.
• Voler can help select the right security design for your device.
• We design medical, IoT, and wearable devices.
31. Let Voler Help You Succeed!
Voler designs IoT and wearable devices with expertise in wireless communication and sensors
• Walt Maclay, Voler Systems
• Walt@volersystems.com
• 408-245-9844 ext 101
Quality Electronic Design & Software
Wearable Devices | Sensor Interfaces | Wireless | Medical Devices