2021 ACCE CE-IT Symposium: “Data Availability and Security in the Clinical Environment” (08/09/2021)


Page 1: 2021 CE-IT Symposium

“Data Availability and Security in the Clinical Environment”

2021 ACCE CE-IT Symposium, 08/09/2021

Page 2: 2021 CE-IT Symposium

ACCE – 2021 CE-IT Symposium

Opening remarks from Ilir Kullolli, ACCE President

Welcome to the 2021 ACCE CE-IT Symposium


Page 3: 2021 CE-IT Symposium

ACCE would like to thank its co-sponsors

Co-sponsor booths: #C301 and #C359

Page 4: 2021 CE-IT Symposium

Today’s Program
• ACCE President’s Message
• Keynote
• Discovering and Disclosing Vulnerabilities
• Aligning NIST CSF with CE Operations
• Balancing Priorities During and Following Cyber Attack
• Overview of Medical Device Cybersecurity Resources
• Getting Ahead of Cybersecurity Risks with Contract Language
• Closing

Page 5: 2021 CE-IT Symposium

Keynote: “The importance of BCDR and operational support, data impact on clinical with Data availability”

Bill Hudson, Senior Vice President & CIO, John Muir Health

Page 6: 2021 CE-IT Symposium

About the speaker

Bill Hudson is the SVP and CIO for John Muir Health, a community health system in the East Bay of San Francisco. He is responsible for partnering with hospital and physician network operations to drive digital transformation and the digital consumer experience – aligning JMH’s digital assets and enabling clinicians to support their community where they are in their individual care journeys.

Page 7: 2021 CE-IT Symposium

Agenda
• Introduction
• The Evolving Risk Landscape
• Managing Risk
• Preparing for the Worst
• The Work Ahead of Us

Page 8: 2021 CE-IT Symposium

If the Story of IT was a Children’s Book: Lessons Learned

• Cookies are awesome!

• More technology and integration increases failure points and risk.

• There is always an insatiable demand for more technology and integration

Page 9: 2021 CE-IT Symposium

If the Story of IT was a Children’s Book Part 2

You are going to have a bad day.

Page 10: 2021 CE-IT Symposium

You know that disaster planning is a team sport. HEICS.

Is it a disaster, fire or earthquake? Is it a flood?

Is it something significantly more nefarious?

Ransomware slides.

Coordination.

Here’s a fable…

Deleting a drive, unplugging a server…

How it was dealt with. Communicated.

The aftermath…

Ugh.

RCA process.

Fair and Just Culture.

Lessons learned.

What this means for you.

You are going to have a bad day.

You are going to have a no good, very bad, horrible day.

And there’s nothing that you can do to prevent that. Nothing.

Not all the planning in the world will forestall the inevitable.

What happens next is dependent on two things:

1. How you’ve prepared for it.
2. How you’ve prepared the org.

Communication buys grace.

This is not a presentation about how you should categorize and prioritize your systems and applications into tiers 0 through 4, establish your RPO and RTO and balance that with your RTA.

You know that.

Page 11: 2021 CE-IT Symposium


The Evolving Risk Landscape

Page 12: 2021 CE-IT Symposium

Security News Themes

Federal Engagement and Action
• Removing malware from infected systems
• Increased alerts, guidance and information

Significantly Increased Cyber Criminal Activity
• Direct attacks on internet-facing services
• Phishing to gain credentials or install malware
• Targeted attacks by human operators

3rd Party Risk and Audit
• Multiple audits from payors
• Vendor/Partner privacy and security events

Page 13: 2021 CE-IT Symposium

Changing Threat Landscape

Global Pandemic
• Revealed supply chain risks: delays as vendors struggled to implement COVID-19 protocols and work from home; changes led to breaches/compromise at vendors.
• New work from home and staff under incredible stress: the emergency response to COVID-19 has dramatically changed the way staff work. We need to support people working long shifts under very stressful conditions with ways to work securely, as well as other staff adjusting to working from home.
• JMH implemented measures to protect JMH staff working from home using temporary extensions of existing controls.

Increased Aggressive Hacking Activity
• US Cybersecurity and Infrastructure Security Agency (CISA) alert on healthcare hacking attacks: between March and November, >560 healthcare provider organizations were targeted or compromised by ransomware. JMH InfoSec acted to implement a coordinated set of changes across the security toolset to block these attacks. In late 2020 we performed the most difficult phishing test to date, and JMH staff rose to the challenge. We are leveraging existing tools to take a more industry-standard educational approach to phishing.
• Supply chain attacks like SolarWinds and Microsoft Exchange: parts of the Pentagon, Department of Homeland Security, State Department, Department of Energy, National Nuclear Security Administration and the Treasury, as well as major corporations such as Microsoft, Cisco, Intel and Deloitte, were impacted by software-related hacking. There are no indicators of compromise in JMH systems, and the coordinated set of changes would allow us to block and detect this activity.
• Microsoft, March 2021: “This is the eighth time in the past 12 months that Microsoft has publicly disclosed nation-state groups targeting institutions critical to civil society; other activity we disclosed has targeted healthcare organizations fighting Covid-19, political campaigns and others involved in the 2020 elections, and high-profile attendees of major policymaking conferences.”

Page 14: 2021 CE-IT Symposium

Information Security Trends

• 2020 was a transformative year as we think about how we work and where we work.
• JMH was well-positioned for the 2020 COVID-19 pandemic response due to our long-standing use of virtual desktop technology, integrated security tools and change management practices.

>1MM minutes of screen sharing – The shift from in-person meetings to virtual meetings was enabled by our collaboration tools.
>151K tele-health video visits – Video visits became a core part of our care delivery model over the last 12 months.
Zoom: >14K meetings and >6MM minutes – Working and meeting virtually became best practice to maintain operations and to support the delivery of patient care.
>462K remote desktop sessions – The shift to support administrative work from home and remote tele-work became the norm.
>678K phishing emails received/blocked – Phishing continues to be the primary threat to JMH systems and data.

Page 15: 2021 CE-IT Symposium

Who is Knocking on our Front Door? (Chart: scans by country; RDP blocks.) Security monitors internal traffic as well.

*TB – terabyte, about 84 million pages of printed text. *PB – petabyte, about 500 billion pages of printed text.

Page 16: 2021 CE-IT Symposium

The demand for skills in DR is on the rise.

Page 17: 2021 CE-IT Symposium

Managing Risk

Page 18: 2021 CE-IT Symposium


Page 19: 2021 CE-IT Symposium


Page 20: 2021 CE-IT Symposium

Risk Landscape in 2021

Common Data Breach Sources / Causes | Inherent Likelihood | Inherent Impact | Existing Controls | Residual Risk
Insider Threat (Malicious / Well-Intentioned but Careless Insiders) | High | High | Strong | Medium
Third-party / Business Associate Errors | Medium | High | Very Strong | Low
Malware / Ransomware | Very High | Very High | Strong | Medium
Vulnerabilities / Misconfigurations | Medium | Very High | Strong | Medium
Disaster Recovery | Medium | Very High | Strong | Medium
User Access / Excessive Permissions | Medium | Very High | Strong | Medium
Theft or Loss of Assets | High | High | Very Strong | Low
Regulatory Non-Compliance | Medium | High | Strong | Low
Social Engineering / Phishing | Very High | High | Strong | Medium
Weak / Shared / Stolen Credentials | High | High | Strong | Medium

In determining the risk, consider the likelihood and impact of a threat occurring or a vulnerability being exploited, as well as the strength of the existing preventative and detective controls implemented.

(The slide marks each row with an arrow for increase or decrease from the prior year, 2019; those markers are not reproduced here.)
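As an added illustration, not JMH’s own risk model (the slide does not state its formula), the Python below reproduces the residual column of the table above from the likelihood, impact and control columns. The four-point ordinal scale, the control-strength divisors and the residual bands are assumptions chosen so that the output matches the slide; the useful part is the what-if at the end, which shows how far the residual rating moves when the control-strength assumption is wrong.

```python
"""Qualitative risk register scoring.

Added example; the scoring scheme is an assumption, not the one JMH used:
  * ordinal levels Low..Very High map to 1..4,
  * inherent risk = likelihood * impact,
  * a control-strength factor divides the inherent score,
  * residual bands: <=3 Low, <=8 Medium, otherwise High.
"""
from dataclasses import dataclass

LEVEL = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}
# Assumed divisors for control strength ("Weak"/"Moderate" exist only for what-if runs).
CONTROL_FACTOR = {"Weak": 1.0, "Moderate": 1.5, "Strong": 2.0, "Very Strong": 3.0}


@dataclass(frozen=True)
class RiskEntry:
    source: str
    likelihood: str
    impact: str
    controls: str


def inherent_score(entry: RiskEntry) -> int:
    return LEVEL[entry.likelihood] * LEVEL[entry.impact]


def residual_score(entry: RiskEntry) -> float:
    return inherent_score(entry) / CONTROL_FACTOR[entry.controls]


def residual_rating(entry: RiskEntry) -> str:
    score = residual_score(entry)
    if score <= 3:
        return "Low"
    if score <= 8:
        return "Medium"
    return "High"


# Rows transcribed from the slide's table.
REGISTER = [
    RiskEntry("Insider Threat", "High", "High", "Strong"),
    RiskEntry("Third-party / Business Associate Errors", "Medium", "High", "Very Strong"),
    RiskEntry("Malware / Ransomware", "Very High", "Very High", "Strong"),
    RiskEntry("Vulnerabilities / Misconfigurations", "Medium", "Very High", "Strong"),
    RiskEntry("Disaster Recovery", "Medium", "Very High", "Strong"),
    RiskEntry("User Access / Excessive Permissions", "Medium", "Very High", "Strong"),
    RiskEntry("Theft or Loss of Assets", "High", "High", "Very Strong"),
    RiskEntry("Regulatory Non-Compliance", "Medium", "High", "Strong"),
    RiskEntry("Social Engineering / Phishing", "Very High", "High", "Strong"),
    RiskEntry("Weak / Shared / Stolen Credentials", "High", "High", "Strong"),
]


def rate_register(register):
    """Residual rating per source, keyed by name."""
    return {e.source: residual_rating(e) for e in register}


def prioritized(register):
    """Sources ordered by residual score, highest first, for remediation planning."""
    return [e.source for e in sorted(register, key=residual_score, reverse=True)]


def with_controls(entry: RiskEntry, controls: str) -> RiskEntry:
    """What-if: the same threat with a different control strength."""
    return RiskEntry(entry.source, entry.likelihood, entry.impact, controls)


if __name__ == "__main__":
    for source, rating in rate_register(REGISTER).items():
        print(f"{source:45s} {rating}")
    weakened = with_controls(REGISTER[2], "Weak")
    print("Malware / Ransomware with weak controls:", residual_rating(weakened))
```

Under these assumptions every row lands on the slide’s rating, and Malware / Ransomware drops from Medium to High the moment its controls are rated Weak: the residual column is only as good as the evidence behind the “Strong” in the controls column.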

Page 21: 2021 CE-IT Symposium

Preparing for the Worst

Page 22: 2021 CE-IT Symposium


Page 23: 2021 CE-IT Symposium

Service Availability Details
• Primary Data Center
• Secondary Data Center
• Disaster Recovery Site
• Patient data replication and backup
• Images/studies are archived in real time

Tier 0 – Systems to enable secure access to JMH systems:
  o Physical Infrastructure
  o Security Tools
Tier 1 – Systems to provide patient care, including:
  o EHR
  o PACS
  o Integration
Other tiered services: PACS Images; Finance; HR; Service Desk; Project Management; Email; Intranet; File Storage; Teams

Best Practice: Data Protection
• Limited physical access
• Highly Available (2 on-line copies)
• Local Backups
• Off-site DR
• Daily Disconnected Cloud Backup

Cloud Platforms – What is the Future?
  o Leverage cloud services over physical location

Page 24: 2021 CE-IT Symposium


Page 25: 2021 CE-IT Symposium

Change and Release Management

• Change Management Team reviews all software and hardware changes and ensures that every update is properly managed and tested.
  • Applications Coordinator
  • Infrastructure Coordinator
  • Testing Coordinator
• During targeted attacks against healthcare, like SolarWinds and Microsoft Exchange, a rapid but comprehensive series of emergency changes were approved for immediate deployment to ensure our systems remained secure.
• Vulnerability Management process to identify and address these environmental risks, including those resulting from our core software vendors not keeping their software stacks current.

Change – Synergistically conducts change risk and business impact assessments across the entire clinical/business application portfolio and technical landscape.
Testing – Conducts rigorous review of end-to-end and integrated testing for all application and technical changes, incorporating HRO/Team Checking principles during the testing and validation process.
Release – Enforcement of a standard release cycle for all changes to drive quality assurance and better communication/coordination, and to ensure a protected and stable environment.

Page 26: 2021 CE-IT Symposium

The Work Ahead of Us

Page 27: 2021 CE-IT Symposium

Fair & Just Process Decision Tree
Adapted from James Reason’s Decision Tree for Determining the Culpability of Unsafe Acts and the Incident Decision Tree of the National Patient Safety Agency (United Kingdom National Health Service)

Flowchart; the yes/no branches are not reproduced. The questions, grouped by the four tests in the slide’s order (Start at Intention), and the outcomes are:

INTENTION
• Did the individual intend the act?
• Did the individual act with malicious intent (i.e., to cause physical/mental harm or other damage)?

CAPACITY
• Is there any suspicion of ill health, a medical condition, or substance abuse?
• (If ill health or a medical condition): Was the individual aware of the ill health or medical condition?

COMPLIANCE
• Did the individual depart from policies, procedures, protocols, or generally accepted performance expectations?
• Were the policies, procedures, protocols, or performance expectations available, understandable, workable, and in routine use?
• Were there significant mitigating circumstances that justify the act in this case?

SUBSTITUTION
• Would individuals in the same profession, with comparable knowledge, skills, and experience act the same under similar circumstances?
• Were there any deficiencies in related training, experience, or supervision?
• Is there evidence that the individual chose to take an unacceptable risk OR has a trend in poor performance or decision making?

Outcomes
• Malevolent or Willful Misconduct / Substance Abuse
• Suspected Medical Condition or Ill Health (HR Business Partner Consult)
• Possible Reckless or Negligent Behavior
• Possible Unintended Human Error
• Possible System-Induced Error

Responses
• Reckless Behavior – Consequences
• Reckless Behavior / At Risk – Consequences / Coaching
• At Risk – Coaching
• Human Error – Console / Coaching
• Human Error – Console

Page 28: 2021 CE-IT Symposium

Define Your Key Initiatives

Framework and Controls Library Update – Update the controls library with lessons learned from the COVID-19 pandemic and align with standards: NIST CSF*, CIS Top 20*, etc.

Data Release Form and Technical Risk Evaluation – Define a process to assess the risk of individual initiatives; continue to update these processes to align with the updated Security Policies and the controls library, NIST CSF*, CIS Top 20*, etc.

Vulnerability Management – Deploy software with the assumption that systems have vulnerabilities, no matter how you protect them. Develop a robust Vulnerability Management Program.

Supporting Remote Work & Next Generation Endpoint Controls – Develop and deploy controls based on a common platform to allow and support a more permanent work-from-home environment and greater mobility, Bring Your Own Device and Telemedicine. This may include Self Service Password Reset and expanding Advanced Threat Detection for lateral movement and identity-based attacks inside the network and cloud.

Privileged Access Management – Manage privileged access (administrator accounts) with a limited implementation of appropriate software to track account use and prevent misuse.

*National Institute of Standards and Technology Cybersecurity Framework and the Center for Internet Security (CIS) Top 20 Critical Security Controls

Page 29: 2021 CE-IT Symposium


You are going to have a bad day…

and that’s OK.

Page 30: 2021 CE-IT Symposium

Questions & Discussion


Page 31: 2021 CE-IT Symposium

Discovering and DisclosingVulnerabilities

Mike Powers, MBA, CHTM, CDP, CMDA – Director, Clinical Engineering, Intermountain Healthcare
Nader Hammoud, MBA – Biomedical Engineering Manager, John Muir Health; ACCE Education Committee Co-Chair

Page 32: 2021 CE-IT Symposium

About the speaker

Mike Powers is a CE Director at Intermountain Healthcare, headquartered in Salt Lake City, Utah. Intermountain is a health network including 23 hospitals, a medical group, ambulatory surgery centers, instacare clinics, and imaging centers. He co-leads a task group for the Health Sector Coordinating Council on Legacy Medical Device Cybersecurity. He is a member of the AAMI Healthcare Technology Leadership Committee. Prior to Intermountain, he was the Clinical Engineering Quality Manager at Christiana Care Health System. He has an MBA in Healthcare Administration from Wilmington University and is a Certified Healthcare Technology Manager, Diversity Professional and Medical Device Auditor.


Page 33: 2021 CE-IT Symposium

About the speaker

Nader Hammoud is currently the Biomedical Engineering Manager at John Muir Health.

• Biomedical Engineer with 3 degrees in Biomedical Engineering and an MBA
• International experience
• Active member of the HTM community
• Member of the Technology Management Council at AAMI
• ACCE Education Committee Co-Chair
• California HTM of the Year for 2018
• Recognized by ECRI and FDA for efforts in the domain

Page 34: 2021 CE-IT Symposium

Session Description


1. Inventory

2. CMDB vs CMMS

3. Discuss Mapping Device information

4. Discuss Passive Network Detection

5. Talk about CVE

6. MDS2

7. Talk about SBoM

8. VEX

Page 35: 2021 CE-IT Symposium

Importance of Inventory

Having a comprehensive inventory is the key to timely discovery of vulnerable devices


Page 36: 2021 CE-IT Symposium

Record Keeping Comparison

CMDB – Configuration Management Database: an Information Technology database that Medical Equipment Managers may not use, and which usually does not interface with a CMMS.

CMMS – Computerized Maintenance Management System: a Healthcare Technology Management database that IT Managers may not use, and which usually does not interface with a CMDB.

Page 37: 2021 CE-IT Symposium

Mapping Device Information

At installation, or through a discovery process, devices should have their relevant information captured and recorded. This may include, but is not limited to:

• IP address
• MAC address
• Unique software entity information – OS / other software packages
• Anti-malware
• Ports needed for communication
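Because the CMDB and the CMMS usually do not interface, the practical way to get one record per device carrying both the HTM identity and the network fields listed above is to reconcile exports from the two systems offline. The Python below is an added example, not a tool from the deck or from either vendor: both CSV exports are constructed sample data, the column names are assumptions about what each system would export, and the join key is the MAC address, normalized so that the colon, dash and Cisco dotted forms that different tools emit still match.

```python
"""Reconcile a CMMS export with a CMDB export by MAC address.

Added example: both CSV exports are constructed sample data and the column
names are assumptions about what each system would export. The output is
one record per device carrying the fields the slide lists (IP, MAC, OS, ports)
plus the HTM identity, and two exception lists for follow-up.
"""
import csv
import io
import re

# Constructed HTM (CMMS) export: clinical identity, location, what HTM knows of the MAC.
CMMS_CSV = """\
asset_tag,description,serial,mac_address,location
BME-1001,Infusion pump,SN44110,00:1A:2B:3C:4D:01,ICU-3
BME-1002,Patient monitor,SN44111,00-1a-2b-3c-4d-02,ED-Bay-4
BME-1003,Ultrasound cart,SN44112,,Imaging-2
BME-1004,Ventilator,SN44113,00:1A:2B:3C:4D:04,ICU-1
"""

# Constructed IT (CMDB) export: network identity of each configuration item.
CMDB_CSV = """\
ci_name,ip_address,mac_address,os,open_ports
mon-ed-04,10.20.4.12,001a.2b3c.4d02,Windows 7 Embedded,"104,2575"
pump-icu-03,10.20.1.33,00:1A:2B:3C:4D:01,Linux 2.6,443
vent-icu-01,10.20.1.40,00:1A:2B:3C:4D:04,VxWorks,"102,502"
unknown-10-20-9-7,10.20.9.7,00:1A:2B:3C:4D:99,,"23,80"
"""

MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")


def normalize_mac(raw):
    """Canonical AA:BB:CC:DD:EE:FF; accepts dash, colon and Cisco dotted forms.
    Returns None for an empty or malformed value so it can never match by accident."""
    if not raw or not raw.strip():
        return None
    mac = raw.strip().upper().replace("-", ":").replace(".", "")
    if ":" not in mac and len(mac) == 12:
        mac = ":".join(mac[i:i + 2] for i in range(0, 12, 2))
    return mac if MAC_RE.match(mac) else None


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(cmms_text, cmdb_text):
    cmdb_by_mac, cmdb_no_mac = {}, []
    for ci in load(cmdb_text):
        mac = normalize_mac(ci["mac_address"])
        if mac:
            cmdb_by_mac[mac] = ci
        else:
            cmdb_no_mac.append(ci["ci_name"])

    matched, cmms_only = {}, []
    for dev in load(cmms_text):
        mac = normalize_mac(dev["mac_address"])
        ci = cmdb_by_mac.pop(mac, None) if mac else None
        if ci is None:
            cmms_only.append(dev["asset_tag"])   # HTM knows it, IT does not (or no MAC recorded)
            continue
        matched[dev["asset_tag"]] = {
            "description": dev["description"],
            "location": dev["location"],
            "mac": mac,
            "ip": ci["ip_address"],
            "os": ci["os"] or "unknown",
            "ports": sorted(int(p) for p in ci["open_ports"].split(",") if p.strip()),
        }

    # Whatever is left in the CMDB index was never claimed by an HTM asset.
    cmdb_only = cmdb_no_mac + [ci["ci_name"] for ci in cmdb_by_mac.values()]
    return {"matched": matched, "cmms_only": cmms_only, "cmdb_only": cmdb_only}


if __name__ == "__main__":
    result = reconcile(CMMS_CSV, CMDB_CSV)
    for tag, rec in result["matched"].items():
        print(tag, rec["ip"], rec["mac"], rec["os"], rec["ports"])
    print("In CMMS only (no network identity):", result["cmms_only"])
    print("In CMDB only (no HTM owner):", result["cmdb_only"])
```

The two exception lists are the interesting output: a device in the CMMS with no network identity cannot be matched to a CVE advisory, and a configuration item in the CMDB with no HTM owner has nobody to call when it does.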

Page 38: 2021 CE-IT Symposium

Passive Network Detection – Mapping the Device

• Systems that analyze traffic passively on a network to assist in the security management of medical devices
  • Identification/inventory of devices
  • Alerting to vulnerabilities and anomalies
  • Recommending risk mitigations
  • Managing policies
• ECRI nomenclature: IoMT Security Solutions

Page 39: 2021 CE-IT Symposium

Passive Network Detection – Cont’d

• ECRI nomenclature: IoMT Security Solutions
• IoMT security solutions are software or hardware IT systems that aim to help providers improve the security posture of their medical device assets.
• Most products achieve this goal by monitoring network traffic within the healthcare provider's system and using the collected data to
  • infer the nature and identity of the device, and
  • establish baseline behaviors and detect unexpected actions, which may be malicious.
• Many of the solutions employ machine learning to aid in these functions.
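The two functions described above, inferring device identity and then alerting on departures from a learned baseline, reduce to a small amount of logic once the flow records are in hand. The Python below is an added example, not the code of any IoMT security product: the flow records, the OUI-to-vendor table and the port-to-service table are constructed and illustrative (the OUI table is not the IEEE registry), and the rule set is deliberately simple rather than machine-learned. The constructed SMB flow from a patient monitor stands in for the kind of lateral movement the WannaCry example later in the session refers to.

```python
"""Passive baseline and anomaly detection over flow records.

Added example; the flow records and the OUI/port tables are constructed
and illustrative (the OUI table is not the IEEE registry). Devices are
keyed by source MAC, their identity inferred from the OUI and the services
they talk to, and alerts raised when a device leaves its learned baseline.
"""

OUI_VENDOR = {"00:1A:2B": "ExampleMed Devices"}   # assumed OUI-to-vendor lookup
PORT_SERVICE = {104: "DICOM", 2575: "HL7 MLLP", 443: "HTTPS",
                445: "SMB", 3389: "RDP", 23: "Telnet", 502: "Modbus"}
# Services a clinical device should not be opening toward other hosts.
RISKY_SERVICES = {"SMB", "RDP", "Telnet"}

# Flow record: (epoch_seconds, src_mac, src_ip, dst_ip, dst_port)
LEARNING_FLOWS = [
    (1000, "00:1A:2B:3C:4D:01", "10.20.1.33", "10.20.0.50", 443),    # pump -> pump server
    (1010, "00:1A:2B:3C:4D:02", "10.20.4.12", "10.20.0.60", 2575),   # monitor -> HL7 gateway
    (1020, "00:1A:2B:3C:4D:02", "10.20.4.12", "10.20.0.61", 104),    # monitor -> PACS
    (1030, "00:1A:2B:3C:4D:01", "10.20.1.33", "10.20.0.50", 443),
]
LIVE_FLOWS = [
    (2000, "00:1A:2B:3C:4D:01", "10.20.1.33", "10.20.0.50", 443),    # normal
    (2010, "00:1A:2B:3C:4D:02", "10.20.4.12", "10.20.0.60", 2575),   # normal
    (2020, "00:1A:2B:3C:4D:02", "10.20.4.12", "10.20.7.15", 445),    # monitor opening SMB to a peer
    (2030, "00:1A:2B:3C:4D:99", "10.20.9.7", "10.20.0.60", 2575),    # MAC never seen in learning
]


def vendor_of(mac):
    return OUI_VENDOR.get(mac[:8].upper(), "unknown vendor")


def service_of(port):
    return PORT_SERVICE.get(port, f"tcp/{port}")


def build_baseline(flows):
    """Per-device profile learned from a (presumed clean) observation window."""
    baseline = {}
    for _, mac, src_ip, dst_ip, dport in flows:
        dev = baseline.setdefault(mac, {"ip": src_ip, "vendor": vendor_of(mac),
                                        "services": set(), "peers": set()})
        dev["services"].add(service_of(dport))
        dev["peers"].add((dst_ip, dport))
    return baseline


def detect(baseline, flows):
    """Alerts for unknown devices, new destinations and risky outbound services."""
    alerts, reported_unknown = [], set()
    for ts, mac, src_ip, dst_ip, dport in flows:
        dev = baseline.get(mac)
        if dev is None:
            if mac not in reported_unknown:       # one alert per new device, not per flow
                reported_unknown.add(mac)
                alerts.append({"ts": ts, "mac": mac, "kind": "unknown_device",
                               "detail": f"{src_ip} ({vendor_of(mac)})"})
            continue
        if (dst_ip, dport) not in dev["peers"]:
            alerts.append({"ts": ts, "mac": mac, "kind": "new_peer",
                           "detail": f"{dst_ip}:{dport}"})
            service = service_of(dport)
            if service in RISKY_SERVICES:
                alerts.append({"ts": ts, "mac": mac, "kind": "risky_service",
                               "detail": f"{service} toward {dst_ip}"})
    return alerts


if __name__ == "__main__":
    profile = build_baseline(LEARNING_FLOWS)
    for mac, dev in profile.items():
        print(mac, dev["vendor"], sorted(dev["services"]))
    for alert in detect(profile, LIVE_FLOWS):
        print(alert["kind"], alert["mac"], alert["detail"])
```

The learning window has to be one you trust to be clean: a device that was already compromised when the baseline was taken will have its malicious peers learned as normal, which is why the unknown-device alert is kept separate from the new-peer alert.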

Page 40: 2021 CE-IT Symposium

National Vulnerability Database

CVE – The Common Vulnerabilities and Exposures system provides a reference method for publicly known information-security vulnerabilities and exposures.

CVSS – The Common Vulnerability Scoring System rates the severity of a vulnerability with a numeric score and a vector of the metrics behind it. For example, CVE-2017-0143 (one of the MS17-010 SMBv1 vulnerabilities; see the WannaCry example on the next page).

NVD – Home (nist.gov)

Page 41: 2021 CE-IT Symposium

Example of WannaCry


Page 42: 2021 CE-IT Symposium

Clinical Considerations & Vulnerabilities

• Device use (diagnostic, life sustaining)
• Clinical impact (is this used in emergency situations?)
• Environment of use (ER, outpatient, etc.)
• Available alternatives (what do you do when this device is impacted?)
• Device portability/access (handheld vs. MRI room)
• Amount of PHI/sensitive information

Page 43: 2021 CE-IT Symposium

Tools available: Pre-Purchase

• MDS2 2019 – Manufacturer Disclosure Statement for Medical Device Security (nema.org)

Page 44: 2021 CE-IT Symposium

Tools available: Pre-Purchase

• SBOM – Software Bill of Materials: https://ntia.gov/sbom
• Additional information about SBOMs and how they are used.

Page 45: 2021 CE-IT Symposium

The land of Tomorrow…

• Looking forward, what is on the horizon to help with these tasks?
• VEX!

Page 46: 2021 CE-IT Symposium

VEX summary

• VEX stands for “Vulnerability Exploitability eXchange”. It was developed by the Software Component Transparency Initiative, which is sponsored by the National Telecommunications and Information Administration (NTIA) of the US Department of Commerce. While the VEX concept was developed to fill a particular need regarding use of software bills of materials (SBOMs), it isn’t limited to use with SBOMs.

• The primary use cases for VEX are to help the consumer (e.g. operators, developers, and third-party service providers) understand whether a product is impacted by a specific vulnerability in a particular component and, if it is affected, whether there are actions to be taken. In fact, in a large percentage of cases, a vulnerability listed for a component will not be “exploitable” in the final product, for various reasons (e.g., the affected code is not loaded by the compiler, or some inline protections exist elsewhere in the software).

• To prevent software-using organizations from spending valuable time fruitlessly searching for non-exploitable vulnerabilities in software products they operate, the supplier can issue a VEX. This can attest to the following status types:
  • Not affected – No remediation is required regarding this vulnerability.
  • Affected – Actions are recommended to remediate or address this vulnerability.
  • Fixed – Represents that these versions contain a fix for the vulnerability.
  • Under investigation – It is not known yet whether these versions are or are not affected by the vulnerability. However, it is still under investigation; the result will be provided in a later release of the document.

Page 47: 2021 CE-IT Symposium

Sample VEX

Excerpt of the "vulnerabilities" array of a CSAF VEX document. "MDM Product XYZ" is the product that the identifier CSAFPID-0002 denotes in the document's product tree; product_status and scores reference that identifier. The slide's excerpt ends partway through the second entry, so the score block for CVE-2015-1637 is not shown.

{
  "vulnerabilities": [
    {
      "cve": "CVE-2018-8304",
      "discovery_date": "2019-10-01T17:00:00.000Z",
      "product_status": { "known_affected": [ "CSAFPID-0002" ] },
      "scores": [
        {
          "products": [ "CSAFPID-0002" ],
          "cvss_v3": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          }
        }
      ]
    },
    {
      "cve": "CVE-2015-1637",
      "cwe": { "id": "CWE-1320", "name": "Improper Protection for Outbound Error Messages and Alert Signals" },
      "discovery_date": "2018-08-02T17:00:00.000Z",
      "product_status": { "known_affected": [ "CSAFPID-0002" ] }
    }
  ]
}
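What a consumer does with a document like the one above is mechanical: for every (product, CVE) pair a scanner or SBOM match produced, look up the vendor's status and turn it into an action, and treat a pair the vendor has said nothing about as still open. The Python below is an added example, not the vendor document excerpted on the slide and not any product's code. The VEX it embeds is constructed in the CSAF 2.0 VEX profile shape (document, product_tree, vulnerabilities with product_status and flags); the product IDs, version names and the status assigned to each CVE are illustrative, and the CVEs are the ones that appear on the session's slides. CSAF's status groups (known_affected, known_not_affected, fixed, under_investigation and their first/last variants) are folded into the four VEX statuses listed on the previous page.

```python
"""Triage scanner findings against a CSAF VEX document.

Added example. The VEX document is constructed in the CSAF 2.0 VEX profile
shape (document, product_tree, vulnerabilities[].product_status, flags) and is
not the vendor document excerpted on the Sample VEX slide; product IDs,
versions and the status assigned to each CVE are illustrative.
"""
import json

VEX_JSON = r"""
{
  "document": {"category": "csaf_vex", "title": "MDM Product XYZ VEX (constructed)"},
  "product_tree": {"full_product_names": [
    {"product_id": "CSAFPID-0001", "name": "MDM Product XYZ 4.2"},
    {"product_id": "CSAFPID-0002", "name": "MDM Product XYZ 4.1"}
  ]},
  "vulnerabilities": [
    {"cve": "CVE-2018-8304",
     "product_status": {"known_affected": ["CSAFPID-0002"], "fixed": ["CSAFPID-0001"]}},
    {"cve": "CVE-2015-1637",
     "product_status": {"known_not_affected": ["CSAFPID-0001", "CSAFPID-0002"]},
     "flags": [{"label": "vulnerable_code_not_in_execute_path",
                "product_ids": ["CSAFPID-0001", "CSAFPID-0002"]}]},
    {"cve": "CVE-2017-0143",
     "product_status": {"under_investigation": ["CSAFPID-0002"]}}
  ]
}
"""

# CSAF product_status groups folded into the four VEX statuses.
STATUS_OF_GROUP = {
    "known_affected": "affected", "first_affected": "affected", "last_affected": "affected",
    "fixed": "fixed", "first_fixed": "fixed",
    "known_not_affected": "not_affected",
    "under_investigation": "under_investigation",
}
ACTION = {
    "affected": "remediate: apply the vendor action or a compensating control",
    "fixed": "verify the installed version is one the vendor lists as fixed",
    "not_affected": "close the finding, keeping the vendor's justification on file",
    "under_investigation": "keep open; re-check when the vendor reissues the VEX",
    "unknown": "no VEX statement for this product: handle as affected until the vendor says otherwise",
}

# Constructed scanner output: (product_id, cve) pairs an SBOM match produced.
FINDINGS = [
    ("CSAFPID-0002", "CVE-2018-8304"),
    ("CSAFPID-0001", "CVE-2018-8304"),
    ("CSAFPID-0002", "CVE-2015-1637"),
    ("CSAFPID-0002", "CVE-2017-0143"),
    ("CSAFPID-0001", "CVE-2017-0143"),   # version 4.2 has no statement for this CVE
]


def load_vex(text=VEX_JSON):
    return json.loads(text)


def index_vex(doc):
    """(cve, product_id) -> (status, justification flag or None)."""
    index = {}
    for vuln in doc.get("vulnerabilities", []):
        flags = {pid: flag["label"]
                 for flag in vuln.get("flags", []) for pid in flag.get("product_ids", [])}
        for group, product_ids in vuln.get("product_status", {}).items():
            status = STATUS_OF_GROUP.get(group)
            if status is None:          # e.g. "recommended": not a VEX status
                continue
            for pid in product_ids:
                index[(vuln["cve"], pid)] = (status, flags.get(pid))
    return index


def triage(doc, findings):
    index = index_vex(doc)
    names = {p["product_id"]: p["name"] for p in doc["product_tree"]["full_product_names"]}
    results = []
    for pid, cve in findings:
        status, justification = index.get((cve, pid), ("unknown", None))
        results.append({"product": names.get(pid, pid), "cve": cve, "status": status,
                        "justification": justification, "action": ACTION[status]})
    return results


def needs_action(results):
    """Findings still requiring work after applying the VEX."""
    return [(r["product"], r["cve"]) for r in results if r["status"] in ("affected", "unknown")]


if __name__ == "__main__":
    report = triage(load_vex(), FINDINGS)
    for r in report:
        print(f"{r['cve']:14s} {r['product']:22s} {r['status']:19s} {r['action']}")
    print("Still open:", needs_action(report))
```

The "unknown" branch is the one to keep: a VEX only silences findings the vendor has explicitly addressed for that product version, so a CVE the document does not mention must stay on the list rather than disappear because a file was applied.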

Page 48: 2021 CE-IT Symposium

Questions

Mike Powers, MBA, CHTM, CDP, CMDA – Director, Clinical Engineering, Intermountain Healthcare
Nader Hammoud, MBA – Biomedical Engineering Manager, John Muir Health; ACCE Education Committee Co-Chair

Page 49: 2021 CE-IT Symposium

Coffee Break

please be back by 10:50 am

to join Matt Dimino for


Aligning NIST Cybersecurity Framework with Clinical Engineering Operations

Page 50: 2021 CE-IT Symposium

Aligning NIST Cybersecurity Framework with Clinical Engineering Operations

Matt Dimino, CISM, CRISC, CEH, HCISPP, CySA+
Digital Asset Program Director, First Health Advisory

Page 51: 2021 CE-IT Symposium

About the speaker
• Based out of Indianapolis, IN
• 15 years in Clinical Engineering, 6+ in IoMT Security
• Part of First Health’s Cyber Security Managed Services
• Specialized in risk management for IoMT devices
• Worked in the past for various consulting firms & HDOs
• Associate faculty for IUPUI
• CISM, CRISC, CEH, HCISPP, CySA+

Page 52: 2021 CE-IT Symposium

Session Description

Aligning NIST Cybersecurity Framework with Clinical Engineering Operations:
• Background on the NIST CSF and the benefits of adoption
• Defining the components of NIST CSF
• Breaking down the Core, Profiles, and Tiers to CE operations
• Determining current state, defining desired state, and measuring NIST CSF maturity to CE operations

Page 53: 2021 CE-IT Symposium

What is NIST Cybersecurity Framework (CSF)?

• The National Institute of Standards and Technology (NIST) published version 1.0 of its Cybersecurity Framework (CSF) in February 2014
• In response to Executive Order 13636, as an effort to improve the cybersecurity of critical infrastructure
• NIST released the current version, 1.1, of the Framework in April 2018

Source: https://www.cisa.gov/publication/eo-13636-ppd-21-fact-sheet

Page 54: 2021 CE-IT Symposium

NIST CSF
• Common language for addressing and understanding cybersecurity across all industries
• Establishes clear communication to upper management, incorporating cybersecurity into an organization’s overall mission
• Bridges the gap between technical and business-side stakeholders
• The ability to demonstrate due diligence and due care by adopting the framework
• Enables long-term cybersecurity and risk management
• Like GAAP is to Accounting, NIST is to Cybersecurity

Page 55: 2021 CE-IT Symposium

Why NIST CSF?
• It’s a framework
  - Not a law or regulatory mandate
  - Voluntary, adaptable and flexible
  - Enables repeatable business processes
  - Applies security in layers
  - Helps maintain security strategies
• Leverages standards, methodologies, and processes
  - Not a compliance checklist or control
• Risk-based approach
  - Focused on top-down, high-impact risks
  - Connects executives, business, and operations

Source: https://www.risklens.com/cyber-risk-solutions/nist-csf-fair

Page 56: 2021 CE-IT Symposium

Uses and Benefits of the Framework
• Provides a common language and systematic methodology for managing cybersecurity risk.
• The core identifies activities that should be incorporated into a cybersecurity program.
• The Framework is to complement, not replace, current practices.
• Evaluate an enterprise-wide cybersecurity posture and maturity by conducting an assessment against the CSF model.
• Evaluation of current and proposed products and services to meet security objectives aligned to CSF.

Page 57: 2021 CE-IT Symposium

NIST CSF Components

Core – a set of desired cybersecurity activities and outcomes organized into categories and aligned to informative references.

Profiles – an organization’s unique alignment of its organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core.

Tiers – describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework.

Page 58: 2021 CE-IT Symposium

NIST CSF Core

IDENTIFY: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
PROTECT: ID and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
DETECT: Anomalies and Events; Security Continuous Monitoring; Detection Processes
RESPOND: Response Planning; Communications; Analysis; Mitigation; Improvements
RECOVER: Recovery Planning; Improvements; Communications

Cybersecurity activities and desired outcomes that are best practices for securing assets.

Page 59: 2021 CE-IT Symposium

The Five Core Functions (Framework Core)

• The highest level of abstraction is the core
• Represents five key pillars of a successful and holistic cybersecurity program
• Assists organizations in expressing their management of cybersecurity risk at a high level

Page 60: 2021 CE-IT Symposium

The Identify Function

The Identify Function assists in developing an organizational understanding of managing cybersecurity risk to systems, people, assets, data, and capabilities.

Example Outcomes:
• Identifying physical assets and software of IoMT devices to establish an asset management program
• Identifying cybersecurity policies to define a governance program
• Conducting risk assessments on IoMT devices
• Identifying a risk management strategy for IoMT devices

Page 61: 2021 CE-IT Symposium

The Protect Function

The Protect Function supports the ability to limit or contain the impact of potential cybersecurity events and outlines safeguards for delivery of critical services.

Example Outcomes:
• Establishing data security protection to protect the confidentiality, integrity, and availability of IoMT devices
• Managing protective technology to ensure the security and resilience of IoMT systems
• Empowering staff within the organization through awareness and training

Page 62: 2021 CE-IT Symposium

The Detect Function

The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event in a timely manner.

Example Outcomes:
• Implementing security continuous monitoring capabilities to monitor cybersecurity events of IoMT devices
• Ensuring anomalies and events are detected, and their potential impact is understood
• Verifying the effectiveness of protective measures

Page 63: 2021 CE-IT Symposium

The Respond Function

The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident to minimize impact.

Example Outcomes:
• Ensuring response planning processes include IoMT devices and are executed during and after an incident
• Managing communications during and after an event
• Analyzing effectiveness of response activities for IoMT devices

Page 64: 2021 CE-IT Symposium

The Recover Function

The Recover Function identifies appropriate activities to maintain plans for resilience and to restore services impaired during cybersecurity incidents.

Example Outcomes:
• Ensuring the organization implements recovery planning processes and procedures that include IoMT devices
• Implementing improvements based on lessons learned
• Being active in communications during recovery activities that involve IoMT devices

Page 65: 2021 CE-IT Symposium

NIST CSF Core

Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Protect – Develop and implement the appropriate safeguards to ensure delivery of critical services.

Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Page 66: 2021 CE-IT Symposium

NIST CSF Core

5 Functions · 23 Categories · 108 Subcategories · 6 Informative References

Page 67: 2021 CE-IT Symposium

NIST CSF Core

Columns on the slide: Subcategory / Informative References / CE Responsibilities / CE Operations

ID.AM-1: Physical devices and systems within the organization are inventoried
  Informative references: NIST SP 800-53 Rev. 5 CM-8, PM-5
  CE responsibilities: Medical devices are inventoried within the CMMS.
  CE operations: Update the CMMS through corrective maintenance (CM) and preventive maintenance (PM) work orders. Utilize a passive scanning tool and its CMMS integration.

ID.AM-2: Software platforms and applications within the organization are inventoried
  Informative references: NIST SP 800-53 Rev. 5 CM-8
  CE responsibilities: Medical device software and applications are inventoried.
  CE operations: Update the CMMS through CM and PM work orders. Utilize a passive scanning tool and its CMMS integration.

ID.AM-3: Organizational communication and data flows are mapped
  Informative references: NIST SP 800-53 Rev. 5 AC-4, CA-3, CA-9, PL-8, SA-17
  CE responsibilities: Medical device communication data flows are mapped.
  CE operations: Evaluate the network data flows of medical devices with the help of a passive scanning tool.

ID.AM-4: External information systems are catalogued
  Informative references: NIST SP 800-53 Rev. 5 AC-20, PM-5, SA-9
  CE responsibilities: Medical devices that process PII or ePHI are identified. External providers of services and communications to devices are identified and monitored.
  CE operations: Identify devices that transmit or store PII and ePHI via the CMMS. Utilize a passive scanning tool for better accountability and auditability.

ID.AM-5: Resources are prioritized based on their classification, criticality, and business value
  Informative references: NIST SP 800-53 Rev. 5 CP-2, RA-2, RA-9, SA-20, SC-6
  CE responsibilities: Medical devices are categorized by performing a business impact analysis (BIA).
  CE operations: Engage clinical units to perform a business impact analysis. Use a passive scanning tool to identify utilization.

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established
  Informative references: NIST SP 800-53 Rev. 5 CP-2, PS-7, PM-2, PM-29
  CE responsibilities: N/A
  CE operations: N/A

Function Category ID

Identify

Asset Management ID.AM

Business Environment ID.BE

Governance ID.GV

Risk Assessment ID.RA

Risk Management Strategy ID.RM

Supply Chain Risk Management ID.SC

Protect

Identity Management & Access Control PR.AC

Awareness and Training PR.AT

Data Security PR.DS

Information Protection Processes & Procedures PR.IP

Maintenance PR.MA

Protective Technology PR.PT

Detect

Anomalies and Events DE.AE

Security Continuous Monitoring DE.CM

Detection Processes DE.DP

Respond

Response Planning RS.RP

Communications RS.CO

Analysis RS.AN

Mitigation RS.MI

Improvements RS.IM

Recover

Recovery Planning RC.RP

Improvements RC.IM

Communications RC.CO
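The ID.AM-1 and ID.AM-2 rows above depend on one recurring operation: reconciling what the passive scanning tool observes on the network against what the CMMS says is installed. As an added example (not code from the slides, nor from any CMMS or scanner product), the Python below diffs a CMMS export against a scanner export by MAC address and reports the four things a clinical engineering team actually acts on: devices on the network with no CMMS record, CMMS records never observed on the wire, records with no MAC that can never be matched, and software-version drift between the two sources. The column names and the sample rows are constructed assumptions.

```python
"""Reconcile a passive network scanner's discovery export against the CMMS
inventory (ID.AM-1 / ID.AM-2). Added example, not code from the slides or from
any CMMS or scanner product: the column names and sample rows are constructed."""
import csv
import io
from dataclasses import dataclass, field

# Constructed CMMS export. BME-1004 has no recorded MAC and so can never be matched.
CMMS_CSV = """asset_tag,description,manufacturer,mac,software_version
BME-1001,Infusion pump,VendorA,00:1A:2B:3C:4D:01,4.2.1
BME-1002,Patient monitor,VendorB,00-1a-2b-3c-4d-02,7.0
BME-1003,Ventilator,VendorC,00:1a:2b:3c:4d:03,2.9
BME-1004,Ultrasound,VendorD,,1.0
"""

# Constructed scanner export. ...:09 is on the network but has no CMMS record.
SCAN_CSV = """mac,ip,vendor,device_type,software_version,last_seen
00:1a:2b:3c:4d:01,10.20.1.11,VendorA,Infusion pump,4.2.1,2021-08-09T07:55:00
00:1a:2b:3c:4d:02,10.20.1.12,VendorB,Patient monitor,7.1,2021-08-09T07:58:00
00:1a:2b:3c:4d:09,10.20.1.19,VendorB,Patient monitor,7.0,2021-08-09T07:59:00
"""


def normalize_mac(mac: str) -> str:
    """Canonical 'aa:bb:cc:dd:ee:ff' so CMMS and scanner spellings compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Reconciliation:
    unknown_on_network: list = field(default_factory=list)  # seen, no CMMS record
    not_seen: list = field(default_factory=list)            # in CMMS, never observed
    unmatchable: list = field(default_factory=list)         # CMMS record without a MAC
    version_drift: list = field(default_factory=list)       # (tag, cmms, observed)


def reconcile(cmms_csv: str, scan_csv: str) -> Reconciliation:
    cmms = list(csv.DictReader(io.StringIO(cmms_csv)))
    scan = list(csv.DictReader(io.StringIO(scan_csv)))
    by_mac = {normalize_mac(r["mac"]): r for r in cmms if r["mac"].strip()}
    seen = {normalize_mac(r["mac"]): r for r in scan}

    out = Reconciliation()
    out.unknown_on_network = sorted(m for m in seen if m not in by_mac)
    out.not_seen = sorted(r["asset_tag"] for m, r in by_mac.items() if m not in seen)
    out.unmatchable = sorted(r["asset_tag"] for r in cmms if not r["mac"].strip())
    for mac, obs in seen.items():
        rec = by_mac.get(mac)
        if rec and rec["software_version"] != obs["software_version"]:
            out.version_drift.append(
                (rec["asset_tag"], rec["software_version"], obs["software_version"]))
    out.version_drift.sort()
    return out


if __name__ == "__main__":
    r = reconcile(CMMS_CSV, SCAN_CSV)
    print("on network, not in CMMS:", r.unknown_on_network)
    print("in CMMS, never seen:    ", r.not_seen)
    print("no MAC in CMMS:         ", r.unmatchable)
    print("version drift:          ", r.version_drift)
```

Each of the four lists maps to a work order type: "unknown on network" is a rogue-device or missing-record investigation, "never seen" is a device that is powered off, moved, or decommissioned without closing the record, "unmatchable" is a data-quality fix in the CMMS, and "version drift" is the input to vulnerability management. MAC-based matching breaks for devices behind a vendor gateway or NAT, which is why the ID.AM-3 data-flow mapping matters for those systems.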

Page 68: 2021 CE-IT Symposium

NIST CSF Core

Columns on the slide: Subcategory / Informative References / CE Responsibilities / CE Operations

PR.DS-1: Data-at-rest is protected
  Informative references: NIST SP 800-53 Rev. 5 MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8, SC-28
  CE responsibilities: Identify and document devices that have encryption mechanisms available, inherent or via a third party.
  CE operations: Enable encryption features on devices; test, verify, and document.

PR.DS-2: Data-in-transit is protected
  Informative references: NIST SP 800-53 Rev. 5 SC-8, SC-11
  CE responsibilities: Identify inherent device functions and features for data-in-transit protection.
  CE operations: Configure devices, when applicable, for data-in-transit protection.

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
  Informative references: NIST SP 800-53 Rev. 5 CM-8, MP-6, PE-16, PE-20
  CE responsibilities: Medical device lifecycle management policies and procedures.
  CE operations: Have formal decommissioning processes with media sanitization policies; document chain of custody.

PR.DS-4: Adequate capacity to ensure availability is maintained
  Informative references: NIST SP 800-53 Rev. 5 AU-4, CP-2, PE-11, SC-5
  CE responsibilities: Have contingency plans for high-utilization and high-impact devices.
  CE operations: Test and share contingency plans for systems that are essential to business operations.

PR.DS-5: Protections against data leaks are implemented
  Informative references: NIST SP 800-53 Rev. 5 AC-4, AC-5, AC-6, AU-13, PE-19, PS-6, SC-7, SI-4
  CE responsibilities: Identify and document devices that have data loss prevention mechanisms.
  CE operations: If DLP agents can be installed, enable them for data loss prevention. Use AV and NGFW if applicable.

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
  Informative references: NIST SP 800-53 Rev. 5 SI-7, SI-10
  CE responsibilities: Identify inherent controls for integrity checking of device software.
  CE operations: Integrity checking mechanisms are utilized on devices where and when applicable.

PR.DS-7: The development and testing environments are separate from the production environment
  Informative references: NIST SP 800-53 Rev. 5 CM-2
  CE responsibilities: Identify applicable development instances and VM opportunities for testing patches or changes.
  CE operations: Ensure changes to major systems and applications are tested in a development instance first.
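PR.DS-6 asks for integrity checking of device software and firmware. Where a vendor publishes digests for its update packages, the check can be scripted before anything is staged to a device. As an added example (not from the slides, nor from any vendor's tooling), the Python below parses a sha256sum-style manifest, hashes each listed image in chunks so a large firmware file need not fit in memory, and separates four outcomes: verified, mismatched (tampered or corrupt), listed but missing, and present but unlisted. The manifest format, file names and contents are constructed assumptions. One caveat the slide does not state: a digest only proves the file matches the manifest, so the manifest itself must come over an authenticated channel (the vendor portal over TLS, or a signed manifest), otherwise an attacker who can replace the image can replace the manifest too.

```python
"""Verify software/firmware images against a vendor-published digest manifest
(PR.DS-6). Added example, not from the slides or any vendor's tooling: the
manifest format (sha256sum style, "<hex digest>  <file name>"), the file names
and their contents are constructed for illustration."""
import hashlib
import hmac
import tempfile
from pathlib import Path


def parse_manifest(text: str) -> dict:
    """Map file name -> expected SHA-256 hex digest; skips blank and '#' lines."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()   # '*' = sha256sum binary-mode marker
    return expected


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so a multi-gigabyte image need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_tree(root: Path, manifest_text: str) -> dict:
    """Classify every file as ok / mismatch / missing / unlisted (each list sorted)."""
    expected = parse_manifest(manifest_text)
    present = {p.name for p in root.iterdir() if p.is_file()}
    result = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in sorted(expected.items()):
        if name not in present:
            result["missing"].append(name)
        elif hmac.compare_digest(sha256_file(root / name), digest):
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    result["unlisted"] = sorted(present - set(expected))
    return result


def demo() -> dict:
    """Constructed scenario: one intact image, one tampered, one missing, one unlisted."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        pump = b"pump-firmware-4.2.1\x00" * 100
        monitor = b"monitor-sw-7.0\x00" * 50
        (root / "pump-4.2.1.bin").write_bytes(pump)
        (root / "monitor-7.0.bin").write_bytes(monitor + b"\xff")   # one byte appended
        (root / "notes.txt").write_bytes(b"not in the manifest")
        manifest = "\n".join([
            "# constructed vendor manifest",
            f"{hashlib.sha256(pump).hexdigest()}  pump-4.2.1.bin",
            f"{hashlib.sha256(monitor).hexdigest()}  monitor-7.0.bin",
            f"{hashlib.sha256(b'vent-2.9').hexdigest()}  vent-2.9.bin",  # never shipped
        ])
        return verify_tree(root, manifest)


if __name__ == "__main__":
    for outcome, names in demo().items():
        print(f"{outcome:9s} {names}")
```

Anything in "mismatch" or "unlisted" should block the staging job rather than just be logged: a mismatch is exactly the condition the control exists to catch, and an unlisted file in an update bundle is how a dropped-in payload looks.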


Page 69: 2021 CE-IT Symposium

CSF Implementation Tiers

• Allow entities to identify their priorities
• Based on the assumption that different entities face different cybersecurity risks
• Enterprises can read through the tier qualifications and identify which tier, and subsequent guidelines, best fit their businesses
• How you want to manage risk and how mature you want the processes to be
• How well integrated cyber activities are into business processes

Page 70: 2021 CE-IT Symposium

NIST CSF Implementation Tiers

Maturity Level – Identify Implementation Tiers

Tier 1 (Partial)
• Incomplete inventory; manual processes
• Software and applications on devices are unknown or ad hoc

Tier 2 (Informed)
• Continuous updating of inventory and reconciliation
• Understand data flows between devices and clinical systems

Tier 3 (Repeatable)
• Inventory is accurate within the CMMS
• Software and applications are accounted for on devices
• Encryption on critical medical devices

Tier 4 (Adaptive)
• Inventory is updated in real time
• Software and application versions for devices are updated in real time
• Data flows are mapped and active

Page 71: 2021 CE-IT Symposium

NIST CSF Implementation Tiers

Maturity Level – Protect Implementation Tiers

Tier 1 (Partial)
• Some basic protections in place, such as a firewall enabled and/or anti-virus installed
• Security awareness training

Tier 2 (Informed)
• Continuous vulnerability management for a majority of medical devices
• Continuous risk assessments and training

Tier 3 (Repeatable)
• Partial network segmentation and ACLs
• Encryption on critical medical devices

Tier 4 (Adaptive)
• Proactive vulnerability management (threat hunting)
• Zones and zero trust
• Penetration testing on network segments and controls

Page 72: 2021 CE-IT Symposium

Framework Profiles

• Profiles guide entities through a self-assessment
• Optimizing the CSF to best serve the organization
• Alignment of organizational requirements and objectives, risk appetite, and resources against desired outcomes of the Framework Core
• Profiles are opportunities to improve cybersecurity posture by comparing a "Current" profile with a "Target" profile

[Figure: Current profile versus Target profile, with each Function (Identify, Protect, Detect, Respond, Recover) plotted against Tiers 1 through 4]

Page 73: 2021 CE-IT Symposium

NIST CSF Profiles – Target Profile

Subcategory   Priority   Gap      Budget   Activities (year 1 / year 2)
1             High       Large    $$$      X
2             Low        Small    $$       X
3             Moderate   Medium   $$       X
…             …          …        …        …
108           Moderate   None     $$$      Reassess

Page 74: 2021 CE-IT Symposium

Organizational Risk – Biomedical Device Mitigations

• January 5, 2021: the HITECH Act was amended to provide a "safe harbor" in the event of a cyber incident.
• Organizations that had an industry standard (such as the NIST CSF) in place for all systems during the 12 months prior to a breach reduce audit time and face reduced fines.
• Biomedical devices require specific mitigations to comply with the NIST CSF.

Page 75: 2021 CE-IT Symposium

ID.AM Asset Management
• All medical devices are inventoried
• Software and applications on medical devices are inventoried
• Medical device criticality and sensitivity to the organization is identified

ID.BE Business Environment
• Medical device critical business functions must be identified
• Medical device system dependencies need to be established
• Resilience requirements for medical devices supporting critical functions need to be established

ID.GV Governance
• Risk management processes need to be applied to medical devices

ID.RA Risk Assessment
• Medical device vulnerabilities must be identified and documented
• Threats to medical devices are identified and documented
• Business impacts and likelihoods are identified

ID.RM Risk Management Strategy
• Risk management processes are established, managed, and agreed to by stakeholders
• Risk tolerance for medical devices must be determined

Page 76: 2021 CE-IT Symposium

PR.AC Access Control
• Access to medical devices is limited to authorized users and processes
• Remote access to medical devices must be managed

PR.AT Awareness & Training
• Privileged users of medical devices need to understand their roles and responsibilities

PR.DS Data Security
• Data on medical devices is protected
• Data transmitted by medical devices is protected

PR.IP Information Protection
• Medical device security baselines are established
• Media sanitization for medical devices is established

PR.MA Maintenance

PR.PT Protective Technology
• Removable media for medical devices is restricted

Page 77: 2021 CE-IT Symposium

DE.AE Anomalies & Events
• Anomaly and event detection for medical devices must be established

DE.CM Continuous Monitoring
• Medical device network activity is monitored to detect cybersecurity events
• Monitoring for unauthorized devices and connections is performed

DE.DP Detection Processes
• Event detection processes are in place and tested for medical devices

Page 78: 2021 CE-IT Symposium

RS.RP Response Planning
• Medical devices are included in response planning

RS.CO Communication

RS.AN Analysis

RS.MI Mitigation
• Medical device incidents are contained and mitigated

RS.IM Improvement
• Medical device incident response strategies are updated

Page 79: 2021 CE-IT Symposium

RC.RP Recovery Planning
• A recovery plan is executed during or after a cybersecurity incident involving a medical device

RC.IM Improvements
• Medical device response strategies must be updated with improvements

RC.CO Communications
• Recovery activities for medical devices are communicated to internal and external stakeholders as well as executive and management teams

Page 80: 2021 CE-IT Symposium

(Summary slide: consolidates the Identify, Protect, Detect, Respond and Recover mitigations listed on pages 75 through 79.)

Page 81: 2021 CE-IT Symposium

Measuring NIST CSF Maturity

[Chart: NIST Cyber Security Framework maturity levels, one bar per CSF category plotted against the target score on a 0.0 to 5.0 scale]

Maturity levels: 5 – Optimal, 4 – Managed, 3 – Defined, 2 – Acknowledged, 1 – Initial, 0 – Non-existent

NIST CSF category                                                 Target   Policy   Practice
Overall                                                            3.00     2.68     2.95

Identify (ID)
  Asset Management (ID.AM)                                         3.00     3.42     5.00
  Business Environment (ID.BE)                                     3.00     3.00     5.00
  Governance (ID.GV)                                               3.00     5.00     3.00
  Risk Assessment (ID.RA)                                          3.00     2.00     4.00
  Risk Management Strategy (ID.RM)                                 3.00     4.00     2.00
  Supply Chain Risk Management (ID.SC)                             3.00     1.00     3.00

Protect (PR)
  Identity Management, Authentication and Access Control (PR.AC)   3.00     3.00     3.00
  Awareness and Training (PR.AT)                                   3.00     5.00     3.00
  Data Security (PR.DS)                                            3.00     1.00     3.00
  Information Protection Processes and Procedures (PR.IP)          3.00     3.00     1.00
  Maintenance (PR.MA)                                              3.00     5.00     4.00
  Protective Technology (PR.PT)                                    3.00     1.00     2.00

Detect (DE)
  Anomalies and Events (DE.AE)                                     3.00     3.00     5.00
  Security Continuous Monitoring (DE.CM)                           3.00     5.00     2.00
  Detection Processes (DE.DP)                                      3.00     2.00     5.00

Respond (RS)
  Response Planning (RS.RP)                                        3.00     2.00     2.10
  Communications (RS.CO)                                           3.00     2.20     2.90
  Analysis (RS.AN)                                                 3.00     2.30     2.40
  Mitigation (RS.MI)                                               3.00     1.22     2.30
  Improvements (RS.IM)                                             (not scored on the slide)

Recover (RC)
  Recovery Planning (RC.RP)                                        3.00     1.20     1.90
  Improvements (RC.IM)                                             3.00     2.10     1.90
  Communications (RC.CO)                                           3.00     1.50     1.50
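The Overall row is the mean of the 22 categories that carry a score (RS.IM is unscored and left out), which is how 2.68 and 2.95 arise from the table. As an added example that is not part of the slide, the Python below re-enters the table's scores as data, reproduces the Overall figures, rolls the scores up per Function, and ranks the categories furthest below the 3.00 target, which is the input a Target Profile of the kind shown on page 73 prioritizes. The per-Function roll-up and the gap ranking are this example's additions, not figures from the slide.

```python
"""Roll up NIST CSF category maturity scores (0-5 scale) into per-Function and
Overall scores and rank the gaps to a target. Added example, not from the slides;
the category scores are re-entered from the table on this page."""
from statistics import mean

TARGET = 3.0

# (function, category, policy score, practice score); None = not scored on the slide
SCORES = [
    ("ID", "ID.AM", 3.42, 5.00), ("ID", "ID.BE", 3.00, 5.00), ("ID", "ID.GV", 5.00, 3.00),
    ("ID", "ID.RA", 2.00, 4.00), ("ID", "ID.RM", 4.00, 2.00), ("ID", "ID.SC", 1.00, 3.00),
    ("PR", "PR.AC", 3.00, 3.00), ("PR", "PR.AT", 5.00, 3.00), ("PR", "PR.DS", 1.00, 3.00),
    ("PR", "PR.IP", 3.00, 1.00), ("PR", "PR.MA", 5.00, 4.00), ("PR", "PR.PT", 1.00, 2.00),
    ("DE", "DE.AE", 3.00, 5.00), ("DE", "DE.CM", 5.00, 2.00), ("DE", "DE.DP", 2.00, 5.00),
    ("RS", "RS.RP", 2.00, 2.10), ("RS", "RS.CO", 2.20, 2.90), ("RS", "RS.AN", 2.30, 2.40),
    ("RS", "RS.MI", 1.22, 2.30), ("RS", "RS.IM", None, None),
    ("RC", "RC.RP", 1.20, 1.90), ("RC", "RC.IM", 2.10, 1.90), ("RC", "RC.CO", 1.50, 1.50),
]
COL = {"policy": 2, "practice": 3}


def scored(rows):
    """Only rows with both scores present: an unscored category must not drag the mean down."""
    return [r for r in rows if r[2] is not None and r[3] is not None]


def overall(rows, kind):
    """Mean of one score column across all scored categories (the slide's Overall row)."""
    return round(mean(r[COL[kind]] for r in scored(rows)), 2)


def by_function(rows, kind):
    """Mean per Function (ID / PR / DE / RS / RC) for the chosen score column."""
    buckets = {}
    for r in scored(rows):
        buckets.setdefault(r[0], []).append(r[COL[kind]])
    return {fn: round(mean(vals), 2) for fn, vals in buckets.items()}


def gaps(rows, target=TARGET):
    """(category, shortfall) for each category whose weaker score is below target,
    largest shortfall first, ties broken by category id."""
    out = []
    for _, cat, policy, practice in scored(rows):
        shortfall = round(target - min(policy, practice), 2)
        if shortfall > 0:
            out.append((cat, shortfall))
    return sorted(out, key=lambda g: (-g[1], g[0]))


def unscored(rows):
    """Categories that need an assessment before the roll-up is complete."""
    return [r[1] for r in rows if r[2] is None or r[3] is None]


if __name__ == "__main__":
    for kind in ("policy", "practice"):
        print(f"{kind:9s} overall={overall(SCORES, kind):.2f} "
              f"by function={by_function(SCORES, kind)}")
    print("largest gaps:", gaps(SCORES)[:5])
    print("unscored:", unscored(SCORES))
```

Scoring policy and practice separately is what makes the gap list useful: ID.GV and PR.AT score 5.00 on policy but only 3.00 on practice, while ID.AM and DE.DP show the opposite pattern, and the two call for different remediation (documentation versus execution).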

Page 82: 2021 CE-IT Symposium


Questions

Page 83: 2021 CE-IT Symposium

Lunch Break

Please move to the next room (Brahms 3) for the lunch buffet.

The next session will start at 1:00 pm with David Finn: "Balancing Priorities During and Following Cyber Attack"

Page 84: 2021 CE-IT Symposium

Balancing Priorities During and Following Cyber Attack

David S. Finn, CDPSE, CISM, CISA, CRISC
Executive VP, External Affairs, Information Systems & Security
CynergisTek

Page 85: 2021 CE-IT Symposium

About the Speaker

• Almost 40 years of experience in the planning, management and control of information technology and business processes.
• CIO of one of the largest pediatric IDNs in the United States.
• Also served as the Privacy and Security Officer
• Health Information Technology Officer for Symantec
• Co-authored The Journey Never Ends: Technology's Role in Perfecting Health Care Outcomes (Boca Raton: CRC Press for HIMSS Media), writing Chapter 10: "The Future of Information Security in Healthcare."
• He has published on topics ranging from IT Management to Security in publications such as Baseline and Reflections on Nursing Leadership
• Boards of both HIMSS and CHIME
• Two degrees in Theatre

Page 86: 2021 CE-IT Symposium

Session Description

• A little background on balancing priorities during/after a cyber attack.
• Understanding that you can both under- and over-react to any situation. Neither is good.
• Surviving a cyber attack is, ultimately, about preparation.
• Thinking about what can happen, without having it happen
• Discussion

Page 87: 2021 CE-IT Symposium

Agenda

BALANCING PRIORITIES
STRATEGY
TACTICS
PLANS VS. EXERCISES
CLOSING THOUGHTS
Q & A

Page 88: 2021 CE-IT Symposium

Crisis Management 101
1. Get the cow out of the fence
2. Figure out how the cow got stuck in the fence
3. Create a plan to make sure the cow doesn't wind up back in the fence

Stages of Crisis Management
1. Pre-crisis
   • Develop and practice various crisis scenarios
2. Crisis Response
   • Execute the plan
3. Post-Crisis
   • Review, adjust, and update the plan for the future

Page 89: 2021 CE-IT Symposium

Balancing Priorities

You can't balance priorities if you don't have any.

If you don't have priorities, nothing will get done.

If you have too many priorities, nothing will get done.

"Everyone's" priorities cannot be the organization's priorities.

Page 90: 2021 CE-IT Symposium

Strategy


Page 91: 2021 CE-IT Symposium

Involve Leadership in Managing the Response Strategy

The best executive is the one who has sense enough to pick good men to do what he wants done, and self-restraint enough to keep from meddling with them while they do it. —Theodore Roosevelt


Anyone can hold the helm when the sea is calm. — Publilius Syrus


Page 92: 2021 CE-IT Symposium

Business Continuity

1. Resiliency¹
2. Recovery¹
3. Contingency¹

¹ This applies to people, processes and technology. It cannot be just a technology issue; if it is addressed that way, operations will still fail.

Page 93: 2021 CE-IT Symposium

Supply Chain Business Continuity Framework

• Have a plan
• Maintain visibility
• Leverage decision support
• Back up routine operations
• Learn from prior experience
• Re-think supply chain risk
• Promote increased collaboration among supply chain and business stakeholders.

Page 94: 2021 CE-IT Symposium

What’s never in the

strategy (or it is but no one does

it)

ACCE – 2021 CE-IT Symposium 94

Page 95: 2021 CE-IT Symposium

Tactics


Page 96: 2021 CE-IT Symposium

Address Post-Incident Responses Comprehensively

• We're already seeing this post COVID-19
  • Users added
  • Machines unprotected (personal)
  • "Group" logons
  • Unmanaged WiFi networks
  • Remote/mobile work sites
• We get it, it had to be done fast!
• Now, clean it up and bring it back to standards.

Page 97: 2021 CE-IT Symposium

Tie Cyber Risk Management to Business Continuity Plans and Exercises. Or Vice Versa.

Cyber security risk management should be a catalyst for business continuity planning and exercising:

• Continuity during a cyber incident
• Coordination
• Communications
• Resource requirements (not traditional)
• Public information challenges
• Reporting challenges
• Investigation
• Private sector (insurance, Continuity of Operations plans within jurisdictions)

Page 98: 2021 CE-IT Symposium

Crisis Communication Must be for (Every)one


Page 99: 2021 CE-IT Symposium

Business Impact Analysis as an Integral Part of the Cyber Risk Management Process

• Business continuity planners and cyber teams should work together in the BIA process
• Planning to execution
• Identify third parties engaged and the impact of third-party disruption
• A "One Team, One Dream" approach allows faster:
  • Response to disruptions
  • Response to cyber incidents
  • Recovery

Page 100: 2021 CE-IT Symposium

Plan vs Exercises


Page 101: 2021 CE-IT Symposium

Closing Thoughts


Page 103: 2021 CE-IT Symposium

Overview of Cybersecurity Resources
Mike Powers, MBA, CHTM, CDP, CMDA
Director, Clinical Engineering
Intermountain Healthcare

Page 104: 2021 CE-IT Symposium

About the speaker

Mike Powers is a CE Director at Intermountain Healthcare, headquartered in Salt Lake City, Utah. Intermountain is a health network including 23 hospitals, a medical group, ambulatory surgery centers, instacare clinics, and imaging centers. He co-leads a task group for the Health Sector Coordinating Council on Legacy Medical Device Cybersecurity. He is a member of the AAMI Healthcare Technology Leadership Committee. Prior to Intermountain, he was the Clinical Engineering Quality Manager at Christiana Care Health System. He has an MBA in Healthcare Administration from Wilmington University and is a Certified Healthcare Technology Manager, Diversity Professional and Medical Device Auditor.


Page 105: 2021 CE-IT Symposium

Session Description


Medical Device Cybersecurity Resources

A Brief List of some of the best, and when you might use them

Page 106: 2021 CE-IT Symposium

AAMI Medical Device Cybersecurity

• Medical Device Cybersecurity (PDF) - AAMI Community
  A tome from Stephen Grimes and Axel Wirth including chapters on cybersecurity fundamentals, the regulatory and standards environment, and inventory and configuration management from over 15 healthcare industry experts. It provides templates of purchase agreements and vendor contracts, risk assessment and management practices, and cybersecurity guidance from leading healthcare industry experts.

Page 107: 2021 CE-IT Symposium

Healthcare and Public Health Sector Coordinating Council

• The HSCC, and the responsibility of all Sector Coordinating Councils (SCCs), is captured in three iterations of a Presidential Executive Order dating to 1998, the most recent being Presidential Policy Directive 21 in 2013, which calls on 16 critical industry sectors to self-organize, in partnership with the government, around the mission to protect essential assets and services from existential threats, both physical/operational and cyber. Every critical industry sector, including healthcare, has been stepping up to this mission. We do this with the day-to-day operational protection, threat analysis and incident response of the Health Information Sharing and Analysis Center (H-ISAC) and related information sharing and analysis organizations, and the longer-term strategic and policy-oriented mission of the HSCC. Under the executive order, the HSCC is recognized as the private industry partner to the Department of Health and Human Services, which looks to us, in a non-regulatory, partnership posture, to help develop policy and operational improvements that enable our sector to better protect against and respond to threats, vulnerabilities and incidents.

Page 108: 2021 CE-IT Symposium

HSCC Products

• Cybersecurity Act of 2015, Section 405(d): Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). The HICP aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the healthcare industry. It seeks to aid healthcare and public health organizations to develop meaningful cybersecurity objectives and outcomes that enhance patient care. The document focuses on five threats: email phishing attacks; ransomware attacks; loss or theft of equipment or data; insider, accidental or intentional data loss; and attacks against connected medical devices that may affect patient safety. The publication includes a main document, two technical volumes, and resources and templates.

Page 109: 2021 CE-IT Symposium

HSCC Products

• Health Care Industry Cybersecurity Task Force – Report on Improving Cybersecurity in the Health Care Industry (hosted by the Health Sector Council; the task force was convened in 2016 under the Cybersecurity Act of 2015 and published its report in 2017). Discusses the recommendations and six imperatives along with cascading action items.

Page 110: 2021 CE-IT Symposium

HSCC Products

• The Joint Security Plan (JSP) – Health Sector Council. The JSP is a total product lifecycle reference guide to developing, deploying and supporting cyber secure technology solutions in the healthcare environment, specifically:
  • Cybersecurity practices in design and development of medical technology products
  • Handling product complaints relating to cybersecurity incidents and vulnerabilities
  • Managing security risk throughout the lifecycle of medical technology
  • Assessing the maturity of a product cybersecurity program

Page 111: 2021 CE-IT Symposium

HSCC Products on the Horizon

• Cybersecurity of Legacy Medical Equipment
• Model Contract Language for the implementation of cybersecure partnerships in purchases

Page 112: 2021 CE-IT Symposium

Medical Device Cybersecurity Lifecycle Management - (h-isac.org)

• This document provides an overview of a lifecycle-based approach to managing medical device cybersecurity from the perspective of Medical Device Manufacturers and Healthcare Delivery Organizations. It provides a high-level overview of the four main lifecycle phases and the relationship between them. Further, it provides references to key regulations and standards as well as other leading practices provided in the literature.

Page 113: 2021 CE-IT Symposium

IMDRF Guidance

• IMDRF Principles and Practices for Medical Device Cybersecurity
• The purpose of this IMDRF guidance document is to provide fundamental concepts and considerations on the general principles and best practices to facilitate international regulatory convergence on medical device cybersecurity. The document is structured as follows:
  • the scope of the document is defined in Section 2,
  • followed by defined terms in Section 3;
  • Section 4 provides an overview of the general principles of medical device cybersecurity,
  • while Sections 5 and 6 provide a number of recommendations for stakeholders regarding best practices in the pre-market (focus is on medical device manufacturers) and post-market (includes numerous stakeholders) management of medical device cybersecurity.

Page 114: 2021 CE-IT Symposium

ASPR – TRACIE Readiness & Response Considerations

• Healthcare System Cybersecurity: Readiness & Response Considerations (hhs.gov)
• ASPR TRACIE designed this resource to help healthcare facilities, and the systems they may be a part of, understand the roles and responsibilities of stakeholders before, during, and after a cyber incident. Information within this document is specifically related to the effects of a cyber incident on the healthcare operational environment, specifically the ability to effectively care for patients and maintain business practices and readiness during such an event. While the focus of this document is on disruptions associated with a large-scale cyberattack, many strategies and principles outlined are relevant to a range of cybersecurity incidents and healthcare facilities.

Page 115: 2021 CE-IT Symposium

Cyber Resource Hub | CISA

• Free vulnerability assessment by CISA based on your region of the United States. CISA services can help gain visibility into effective mitigations to implement for better protection of networks.


Page 116: 2021 CE-IT Symposium

Wrap – Up

• These resources are just a few of the many out there. There are several reasons to become familiar with them, and leverage their information to the benefit of your organization and patients.



Page 118: 2021 CE-IT Symposium

Coffee Break

Please be back by 3:20 pm to join Chris Falkner for "Getting Ahead of Cybersecurity Risk with Contract Language"

Page 119: 2021 CE-IT Symposium

Getting Ahead of Cybersecurity Risk with Contract Language

Christopher Falkner, MS, CCE
Product Owner of Cybersecurity Governance & Standards
Kaiser Permanente

Page 120: 2021 CE-IT Symposium

About the speaker

Mr. Falkner currently oversees a team of Healthcare Technology Managers leading Kaiser Permanente’s Edge Cybersecurity Program. In his role as Product Owner & Principal Program Manager, he oversees all aspects of a comprehensive Integrated Risk Management (IRM) program and supports the technical development and implementation of cybersecurity solutions across 150k+ medical and IoT devices.

In his previous roles at Kaiser Permanente, Mr. Falkner has led the National Clinical Systems Engineering program and has directed the Technology Innovations Program at KP's Sydney Garfield Innovation Center. Prior to joining Kaiser Permanente, he was a Clinical Engineering leader at the Veterans Health Administration.

Mr. Falkner is currently an adjunct professor of Biomedical Engineering at the University of Connecticut. He holds a Master’s and Bachelor’s degree in Biomedical Engineering and is a Certified Clinical Engineer (CCE).


Thank you to: Michael Kushner, Patrick Townsend Wells, Michelle Bentley, Kevin Tambascio, Greg Garcia, and more…

Page 121: 2021 CE-IT Symposium

Session Description


As cybersecurity threats to healthcare grow, so too does the availability of advanced tools & controls that enable Healthcare Delivery Organizations to protect their ecosystems. However, the cost of these controls can be high, and often increase the complexity of the healthcare environment. Contract language for medical device cybersecurity provides a cost-effective way to ensure inherently more secure devices, improved support from Suppliers, and better awareness of residual risks that may need to be managed. Leveraging a mature set of contract language is a great way to balance the costs of cybersecurity controls while still reducing cybersecurity risks to your organization.

Learning Objectives
By the end of this session, you should be able to:
• Articulate the value of cybersecurity contract language to your leadership.
• Find key frameworks & resources for improving your contract language.
• Build a robust process for leveraging contracts throughout the device lifecycle.

Page 122: 2021 CE-IT Symposium


Session Agenda

1. Cybersecurity at Kaiser Permanente

2. Why we care about contracts

3. What makes a good cybersecurity contract

4. How to operationalize cybersecurity contracts

Page 123: 2021 CE-IT Symposium


Cybersecurity at Kaiser Permanente

Key Take-Aways:
• Think Big – consider the expanding technology universe
• Be a Bridge between IT and Business
• Divide and conquer across specialized teams

Page 124: 2021 CE-IT Symposium

Expanding Cybersecurity @ KP

The Edge Cybersecurity Program (Edge) is a business-led initiative to design, develop, and implement a framework and common solutions that allow Kaiser Permanente to consistently manage the safety and security of Edge devices.

Page 125: 2021 CE-IT Symposium

Leading From the Middle


The Edge Cybersecurity Program will reduce both business and cyber risk for Edge devices, while increasing patient safety, improving business operations, and preventing member data theft and loss.

Page 126: 2021 CE-IT Symposium


Comprehensive Risk Management

Page 127: 2021 CE-IT Symposium


Why do we care about contracts?

Key Take-Aways: Cybersecurity is founded in Risk Management Compensating controls have high cost and uncertainty, Inherent Controls are preferred Contract language is the front-line of defense against cybersecurity risks



Risk Management & Cybersecurity

There are many definitions of risk management – most are good – but here is my working definition:

“Risk management is the proactive design & maintenance of an ecosystem to ensure stability and predictability under any stresses.

This is achieved by implementing controls (people, process, technology) that mitigate the effects of stresses such that they are minimally realized by the business or its customers.”

Let’s see how cybersecurity in healthcare sizes up against this definition:

Focused on implementing controls across a highly integrated ecosystem of devices that are network connected, contain PHI, and are dependencies for care delivery operations.

Primary goal is to ensure stable and predictable outcomes when vulnerabilities threaten our ecosystem –i.e., business continuity, care delivery.

Secondary goal is to reduce the effects of vulnerabilities such as financial, regulatory, and reputational burden on the organization – i.e., reduce Annualized Loss Expectancy.

Cybersecurity controls come in the form of people (behaviors), process (Policy/SOPs), and technology (Agents/Configurations/etc.).

Figure: “Sea-sick sailor” risk model. Left: Stress Event → Consequence, with no controls in between; lack of controls creates instability & disruption during an event. Right: Stress Event → Controls → Consequence; proactive controls create stability, even during an event.


Moving Controls Upstream

The figure orders controls from highest cost & risk to the HDO ($$$$ / !!!!) to lowest ($ / !):
• Nothing or Not Knowing
• Compensating Controls – business owned & implemented controls to fill the risk “gaps” on a device.
• Inherent Capabilities – control capabilities that need to be “turned on” through configuration.
• Inherent Controls – controls that are enabled out of the box or “by default”.

Most cybersecurity programs focus on Compensating Controls that can be implemented and managed by the business.

This approach is OK, but Compensating Controls can be expensive to implement & manage, and they introduce uncertainty as to whether they are consistently and effectively implemented.

Good cybersecurity contract language drives the risk management discussion with MDMs before you commit to buying devices & services (aka maximum purchasing power!).

It also provides a platform to influence “Inherent Controls” which will reduce uncertainty and costs for your cybersecurity program.


Setting Control Expectations

Control Examples:
• Whitelisting or Anti-malware
• Central Authentication
• Physical security
• Perimeter Control
• Logging & Monitoring
• Network segmentation
• Security Patching
• End-point Management
• Threat Intelligence
• Data Encryption at Rest
• Vendor supported remediation
• Good Incident Response

Good cybersecurity contract language is an opportunity to set clear expectations for a comprehensive portfolio of control requirements for devices or services provided by an MDM.

It also identifies controls not being met, which informs HDO costs & effort to manage residual risk by implementing compensating controls or risk acceptances.


Example: Product Design (battery analogy)

Scenario – Your organization is evaluating new mobile digital x-ray solutions and is considering the costs to manage cybersecurity risks on the preferred product. The RFP has some “nice to have” features, but leadership is looking for a more certain commitment on risk posture & total cost of ownership.

Hospital A – Poor Inherent Controls, low awareness of HDO cost to manage risk:
• Compensating Controls – high costs & effort for HDOs on top of device costs due to inadequate design.
• Residual Risk – higher risk, more time spent on risk management & IR.
Limited contract language leads to uncertainty, higher risk management costs, and higher residual risk for the selected product.

vs.

Hospital B – Very Good Inherent Controls, high awareness of HDO cost to manage risk:
• Compensating Controls – a “trickle charge” to enable inherent capabilities and protect the HDO network.
• Residual Risk – lower risk, less time spent on risk management & IR.
Good contract language leads to predictability and lower risk management costs for the selected product.

Lessons Learned:
• RFPs are not legally binding and may not always reflect what devices & services are delivered.
• Contract language can be used in the sourcing process to define “must haves” upstream.
• Compensating controls transfer cybersecurity costs to the HDO and often do not fully remediate risk.


Example: Vendor Remediation Support

Scenario – A new critical vulnerability is identified, and your organization’s policies indicate that an accelerated 20-day remediation timeline is needed to adequately manage the risk. However, you are dependent on your MDMs to validate the security patch before you can push it to your medical devices.

Hospital A (limited cybersecurity contract language):
• HDO: 20 Day remediation SLA
• MDM: ?? SLA for impact assessment
• MDM: ?? SLA for patch validation
Limited cybersecurity contract language = Unclear MDM SLAs = Policy non-compliance!!

vs.

Hospital B (good cybersecurity contract language):
• HDO: 20 Day remediation SLA
• MDM: 5 Day SLA for impact assessment
• MDM: 15 Day SLA for patch validation
Good cybersecurity contract language = Clear MDM SLAs = Policy compliance

Lessons Learned:
• HDOs are dependent on MDM partners to meet remediation timelines.
• Unclear expectations of MDM support SLAs can lead to non-compliance and greater risk exposure.
• Good contract language will establish the “must have” SLA requirements for MDM support.


Getting Ahead of Cybersecurity Risk

Cybersecurity Contract Language:
• Sets clear expectations for HDO cybersecurity requirements (not just “nice-to-haves”)
• Drives more inherent controls = lower cost, lower uncertainty for HDOs
• Proactively informs HDO costs & efforts to manage device risks
• Starts a conversation with MDMs about current & future capabilities

Good cybersecurity contract language is a very powerful tool that can be used to proactively ensure that adequate risk management controls are in place for all devices and services, and that any gaps in controls are known.


What makes a good cybersecurity contract?

Key Take-Aways:
• Collaboration between HDOs and MDMs is key to improving cybersecurity practices.
• Cybersecurity contract language should focus on 14 core principles.
• HSCC is developing a modular framework for contract language that can be used by HDOs.



Prioritizing HDO & MDM Partnership

Starting in 2018, Kaiser Permanente partnered with Mayo Clinic, Cleveland Clinic, and Froedtert Health to compare medical device cybersecurity contract language.

We discovered that we had a lot to learn from each other by sharing lessons learned and best practices.

Together we developed the “Bar of Goodness”, a framework outlining 14 core principles that should be included in medical device cybersecurity contract language.


The Bar of Goodness: CC/FH/KP/MC Framework for HDO & MDM Data Security Partnership

14 Core Principles, grouped into three pillars.

Supplier Maturity – HDOs & MDMs should consider these principles when setting expectations around capabilities and consistent practices.
• Universal Coverage
• Industry Standards Alignment
• Security Development Lifecycle
• Current OS Accountability
• Security Patch Program
• Responsible Data Handling
• Supplier Transparency

Product Design Maturity – HDOs & MDMs should consider these principles when setting expectations around the inherent capabilities of the product at the time of delivery.
• Secure by Default
• Standard Security Controls
• Remote Access Controls

Supplier Performance – HDOs & MDMs should consider these principles when setting expectations around timeliness and consistency of support.
• Vulnerability Management
• Incident Management
• Security Patch Validation
• Customer Support


The Bar of Goodness – Supplier Maturity (CC/FH/KP/MC Framework for HDO & MDM Data Security Partnership)

Universal Coverage – Security requirements apply to all Customer locations, all Supplier infrastructure, and all Sub-contractors of the Supplier.

Industry Standards Alignment – Supplier demonstrates maximum adherence to industry regulations & standards, with timely adoption of new standards versions.

Security Development Lifecycle – Supplier will support a program for pre-market and post-market penetration and vulnerability testing, Supplier maintains awareness of the CWE/SANS Top 25 and OWASP, and Supplier infrastructure is monitored 24x7.

Current OS Accountability – Supplier demonstrates accountability for validating product on supported Operating Systems.

Security Patch Program – Supplier demonstrates accountability for validating security patches for their software and any 3rd party software on their products.

Responsible Data Handling – Good practices for storage, availability, backup, and handling of data and logs, including at the time of product disposal. Controls that enable HIPAA & other privacy requirements.

Supplier Transparency – Known vulnerabilities should be disclosed, default accounts and settings are documented, strategic roadmaps for product/controls development are shared with the customer, and reference architectures are clearly documented.

Why are these principles important?
• They indicate the values, culture, and ethos of an MDM.
• They emphasize the importance of adaptability.

How do HDOs & MDMs partner on this?
• Dialogue at the time of a new partnership between HDO & MDM.
• Demonstrated through pre- and post-market audits & reporting from the MDM.
• Ongoing dialogue about evolving standards (e.g. FDA regulations).

Industry Alignment Examples:
• CIS Control #3: Continuous Vulnerability Management
• NIST SP 800-53 CA-7, RA-4, SI-2, CA-8
• Health Sector Council Joint Security Plan
• Always: Industry Standards & Best Practice

Contract Example – Industry Standard Documentation:
“Supplier shall provide a complete Manufacturer Disclosure Statement for Medical Device Security (MDS2) and a complete Software Bill of Material (SBOM) that outlines at a minimum: (i) All Open-Source Software (OSS), (ii) as-built version of all OSS, (iii) all default user accounts…”
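The SBOM clause above only pays off if someone checks the delivered document against the minimum it demands. The following is an added acceptance check written for this page, not Kaiser Permanente's or any HSCC tooling. It assumes the supplier delivers a CycloneDX JSON SBOM (the deck does not name a format) and uses a constructed sample in which one library is missing its as-built version. Item (iii), default user accounts, is not an SBOM field, so the check leaves it to the MDS2 review.

```python
import json
from typing import Dict, List

# Constructed CycloneDX-style SBOM standing in for a supplier deliverable.
# The last component is missing its as-built version on purpose.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "device", "name": "ExampleImager",
                               "version": "4.2.0"}},
    "components": [
        {"type": "operating-system", "name": "Windows 10 IoT Enterprise LTSC",
         "version": "2019"},
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "licenses": [{"license": {"id": "OpenSSL"}}]},
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "licenses": [{"license": {"id": "Zlib"}}]},
        {"type": "library", "name": "libpng",
         "licenses": [{"license": {"id": "Libpng"}}]},
    ],
})


def check_sbom_deliverable(sbom_json: str) -> Dict[str, List[str]]:
    """Check a delivered SBOM against the clause's minimum content.

    Findings are keyed by the clause item they relate to; an empty list means
    the item is satisfied as far as the document itself can show. Item (iii),
    default user accounts, is not an SBOM field and is checked against the
    MDS2 / product documentation instead, so it is not covered here.
    """
    sbom = json.loads(sbom_json)
    findings: Dict[str, List[str]] = {
        "format": [], "i_all_oss": [], "ii_as_built_version": []}
    if sbom.get("bomFormat") != "CycloneDX":
        findings["format"].append("deliverable is not a CycloneDX document")
    components = sbom.get("components") or []
    if not components:
        findings["i_all_oss"].append("no components listed")
    for comp in components:
        name = comp.get("name") or "<unnamed>"
        if name == "<unnamed>":
            findings["i_all_oss"].append("component without a name")
        # A library with no license data cannot be classified as OSS or not.
        if comp.get("type") == "library" and not comp.get("licenses"):
            findings["i_all_oss"].append(f"{name}: no license data, OSS status unknown")
        if not comp.get("version"):
            findings["ii_as_built_version"].append(f"{name}: no as-built version")
    return findings


def deliverable_accepted(sbom_json: str) -> bool:
    """True only when every clause item the SBOM can evidence is satisfied."""
    return all(not items for items in check_sbom_deliverable(sbom_json).values())


if __name__ == "__main__":
    for item, problems in check_sbom_deliverable(SAMPLE_SBOM_JSON).items():
        print(item, problems or "ok")
    print("accepted:", deliverable_accepted(SAMPLE_SBOM_JSON))
```

Run against the sample, the check rejects the deliverable because libpng has no as-built version; the finding names the component so sourcing can send a precise redline back to the supplier rather than a generic "incomplete SBOM" notice.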


The Bar of Goodness – Product Design Maturity (CC/FH/KP/MC Framework for HDO & MDM Data Security Partnership)

Secure by Default – Product should by default have all security features enabled, attack surfaces are reduced, and the product should be free of malware or unnecessary code and services.

Standard Security Controls – Product should have:
• Network Controls
• Physical Security
• Anti-Malware
• Audit & Logging
• Intrusion Detection
• Data Encryption
• Access Management
• Security Patching
• Protection against malicious code
• Privilege Escalation Controls
• Documented reference architecture
• Remote Access Controls

Why are these principles important?
• Default security reduces error opportunities.
• Clear guidance indicates where to invest in controls.

How do HDOs & MDMs partner on this?
• Incorporated into product evaluations and ongoing audits.
• Leverage industry standard surveys & shared intelligence: evaluate once, share many times.

Industry Alignment Examples:
• CIS Top 20 Controls (all)
• ISO/IEC 27000
• FDA Pre- & Post-Market Cybersecurity Guidance
• Always: Industry Standards & Best Practice

Contract Example – Secure By Default:
“All Supplier Product cybersecurity features shall either be enabled by default or be clearly identified as requiring initial configuration. Product documentation shall specify how to enable, configure, and use all Product cybersecurity features.”


The Bar of Goodness – Supplier Performance (CC/FH/KP/MC Framework for HDO & MDM Data Security Partnership)

Vulnerability Mgmt. – Supplier proactively discloses high risk vulnerabilities and action plans to remediate.

Incident Mgmt. – Supplier actively engages during an incident and provides all necessary support to remediate in a timely manner.

Security Patch Validation – Supplier consistently validates newly released security patches for their software as well as any 3rd party software on their products.

Customer Support – Supplier consistently demonstrates secure behavior in all onsite and remote access to Customer infrastructure.

Why are these principles important?
• The threat landscape is constantly evolving.
• Incidents are high risk, high visibility.

How do HDOs & MDMs partner on this?
• Dialogue about Key Performance Indicators (KPIs), which could include: Service Level Agreements (SLAs); how success is defined and demonstrated; roles & responsibilities for both HDO and MDM; penalties or incentives for performance against KPIs.
• Performance should be reviewed regularly.

Industry Alignment Examples:
• NIST SP 800-53 IR-5, IR-8
• ISO 29147 & ISO 30111
• Health Sector Council Joint Security Plan
• Always: Industry Standards & Best Practice

Contract Example – Communication Strategy:
“Supplier shall coordinate with KP to define and document a communications strategy for urgent and non-urgent engagement related to Vulnerability management. The strategy must at a minimum outline …”


Practicing Partnership via HSCC Workgroup

Starting in 2019, the Health Sector Coordinating Council initiated the Model Contract Technical Working Group to adapt the Bar of Goodness into a set of industry standard medical device cybersecurity contract clauses.

Purpose: Provide a forum for HDO and MDM collaboration on the refinement of standard contract language that improves coordination on cybersecurity requirements for medical devices.

Publish a set of modular contract clauses that can be easily leveraged by HDOs to accelerate partnerships between HDOs & MDMs.

Approach: Roll the sleeves up and get it done! More than 30 HDOs, MDMs, GPOs, and other stakeholders have reviewed and redlined each contract clause.

Clauses are divided into one of the 3 Bar of Goodness Pillars, with each clause aligned to one of the 14 core principles.

Background for each pillar and principle will be provided to help HDOs and MDMs understand the full intent of the contract language.

Next Steps: Following approval vote from HSCC stakeholders, the framework will be published in late 2021.

It’s in your hands! We encourage HDOs to leverage the framework and provide feedback & lessons learned.

A period of stability (i.e. no changes to the framework) will allow time for HDOs and MDMs to adopt.

Roadmap for the Model Contract framework adoption & improvement.


How do we operationalize cybersecurity contracts?

Key Take-Aways:
• Prioritize content that is most relevant to your organization.
• Make contract language a team sport.
• Find opportunities to use contracts throughout the equipment lifecycle.
• Consider piloting the process to reduce change management challenges.


a.k.a. lessons learned the hard way for Kaiser Permanente


Building our Cybersecurity Contract Language

Consider what pain-points or problems you want to solve for.

Do not just grab every clause unless you have a valid need – longer contracts take longer to sign.

Be sure to understand any existing data security & privacy requirements in your master contract template. Align your medical device contract language to what exists to be sure it is complementary.

Look for content you might change to better meet your organization’s needs – such as SLAs. Don’t be afraid to ask for what you want, even if it gets redlined it still starts a conversation about your expectations.

Kaiser Permanente cross-walk between IT and Edge cybersecurity requirements.


Plan for Reviews and Socialization

Building the right contract language for your organization takes time, plan accordingly!

Review industry guidance, such as other HDO contract language and the HSCC Model Contract framework.

Plan for time to weave improvements or additions into the flow of your current contract language – it must make sense to your sourcing team and to MDMs for it to be effective.

Get review & approval from your HDO sourcing leadership and legal departments.

Get review & approval from your Group Purchasing Organization (GPO), as needed.

Share the updated contract language with your strategic MDM partners – even if it’s not a renewal window.

Kaiser Permanente timeline for development of Edge Security Requirements v2.0.


Finding where to use Contract Language

• RFP – Product Evaluations: Share contract language with Suppliers early so that you can evaluate their capabilities before you get to contracting.
• Hardening Guide Development: Contract language can identify key gaps in Supplier capabilities that need to be accounted for in compensating controls & configurations.
• Contracting: Agreed-on contract language will set the tone and expectations for the duration of the partnership.
• Solution Design & Onboarding: When the rubber hits the road, contract language helps to hold Suppliers accountable for capabilities.
• Lifecycle Mgmt.: Ongoing support from Suppliers can be monitored against the agreed-on SLAs and behaviors in the contract language.
• Contract Renewal or Decom: Observed Supplier growth in maturity against contract requirements can inform renewal decisions.

Good cybersecurity contract language can be leveraged throughout the product lifecycle and helps HDOs get ahead of avoidable cybersecurity & operational risks.


Be Prepared to Support Contract Activities

Provide guidance on when to include your clauses
• For KP: Target is all new contracts and renewal windows.
• A “cheat sheet” is provided to sourcing to help them recognize Edge device contracts.
• Our master contract supersedes any local service contracts.

Make your clauses easily accessible to your sourcing team
• For KP: The Edge Security Requirements (ESR) is posted to an external supplier website so that it can be viewed by anyone.

Decide how best to include your clauses in the contract
• For KP: The Edge Security Requirements (ESR) is included as an exhibit or addendum to Edge device contracts.
• This prevents unnecessary redlining for non-Edge contracts.

Identify resources to review contract negotiations
• For KP: The Edge Program has 3 team members trained to review redlines.
• We can be contacted by a “group email” that makes it easy for Sourcing to engage our team.
• Our SLA for review of redlines is 3 days, not including follow-up meetings with Suppliers.

Consider approvals and escalations
• For KP: All redlines are approved by the Governance & Standards Product Owner.
• Escalations or higher-level approvals go to the Edge Program Executive Director or VP.
• Supplier C-Suite is engaged on critical conflicts, as needed.

Easier said than done… Contract activities can be time consuming and involve many stakeholders.


Monitor Performance & Maturity

Supplier Maturity
• All approved variance from Edge requirements (i.e. non-compliance) will be tracked by the Edge Program as a measure of % Requirements Compliance.
• Suppliers will be required to provide a roadmap for maturing their offerings to meet Edge requirements over the course of the contract term.
• Improvements in Supplier offerings will be tracked by the Edge Program as a measure of Delta % Requirements Compliance (i.e. growth in maturity).

Mean Time to Disclosure (MTTD) – Measures the amount of time between any knowledge (public or otherwise) of a cybersecurity vulnerability and the vendor’s disclosure of the impact to KP, including the vendor’s response plan.

Mean Time to Remediation (MTTR) – Measures the amount of time between any knowledge (public or otherwise) of a cybersecurity vulnerability and a vendor-provided remediation solution (e.g. a validated security patch).

Consider how your organization will monitor Supplier performance against contract requirements & SLAs.

Kaiser Permanente model for Supplier Management Workgroup, which leads strategic engagement and monitoring of key suppliers.
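The SLAs in the Vendor Remediation Support example and the MTTD, MTTR and % Requirements Compliance measures on this slide can all be computed from one vulnerability tracking record, which is what makes them usable as KPIs in a supplier review. The following is an added example written for this page, not Kaiser Permanente's tooling. It assumes the 5-day impact assessment, 15-day patch validation and 20-day HDO remediation SLAs from the deck's Hospital B illustration; the supplier names and vulnerability records are constructed. An unfinished milestone is measured up to the reporting date, so a supplier that has simply not responded shows up as a breach once its window passes instead of disappearing from the averages.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Assumed SLAs in calendar days, copied from the deck's "Hospital B" illustration.
# A real program would read these from the signed contract exhibit.
SLA_DAYS: Dict[str, int] = {
    "impact_assessment": 5,   # MDM discloses impact + response plan
    "patch_validation": 15,   # MDM delivers a validated security patch
    "hdo_remediation": 20,    # HDO policy timeline to finish deployment
}

# (SLA name, VulnRecord field whose date closes that milestone)
MILESTONES = (
    ("impact_assessment", "disclosed"),
    ("patch_validation", "validated"),
    ("hdo_remediation", "remediated"),
)


@dataclass(frozen=True)
class VulnRecord:
    """One tracked vulnerability on one supplier's product (constructed data)."""
    vuln_id: str
    supplier: str
    known: date                        # earliest knowledge, public or otherwise
    disclosed: Optional[date] = None   # supplier disclosed impact + response plan
    validated: Optional[date] = None   # supplier delivered a validated patch
    remediated: Optional[date] = None  # HDO finished deploying it


def sla_status(rec: VulnRecord, as_of: date) -> Dict[str, Tuple[int, bool]]:
    """Elapsed days per milestone and whether it is within SLA.

    An unfinished milestone is measured up to as_of: the clock keeps running,
    so a supplier that has not responded is in breach once the window passes.
    """
    status = {}
    for sla_name, field in MILESTONES:
        closed = getattr(rec, field)
        elapsed = ((closed or as_of) - rec.known).days
        status[sla_name] = (elapsed, elapsed <= SLA_DAYS[sla_name])
    return status


def supplier_metrics(records: List[VulnRecord], supplier: str, as_of: date) -> dict:
    """MTTD, MTTR and SLA breaches for one supplier, as defined on the slide."""
    mine = [r for r in records if r.supplier == supplier]
    disclosure_days = [(r.disclosed - r.known).days for r in mine if r.disclosed]
    remediation_days = [(r.validated - r.known).days for r in mine if r.validated]
    breaches = [
        (r.vuln_id, sla_name)
        for r in mine
        for sla_name, (_, met) in sla_status(r, as_of).items()
        if not met
    ]
    return {
        "tracked": len(mine),
        "MTTD": mean(disclosure_days) if disclosure_days else None,
        "MTTR": mean(remediation_days) if remediation_days else None,
        "breaches": breaches,
    }


def requirements_compliance(total_requirements: int, approved_variances: int) -> float:
    """% Requirements Compliance: every approved variance counts as non-compliance."""
    if total_requirements <= 0 or not 0 <= approved_variances <= total_requirements:
        raise ValueError("variances must be between 0 and the number of requirements")
    return round(100.0 * (total_requirements - approved_variances) / total_requirements, 1)


def compliance_delta(previous_pct: float, current_pct: float) -> float:
    """Delta % Requirements Compliance between two reviews (growth in maturity)."""
    return round(current_pct - previous_pct, 1)


# Constructed records for two hypothetical suppliers.
AS_OF = date(2021, 5, 20)
RECORDS = [
    VulnRecord("V-1", "Supplier-X", date(2021, 3, 1), date(2021, 3, 4),
               date(2021, 3, 15), date(2021, 3, 19)),
    VulnRecord("V-2", "Supplier-X", date(2021, 4, 10), date(2021, 4, 13),
               date(2021, 4, 26), date(2021, 5, 3)),
    VulnRecord("V-3", "Supplier-Y", date(2021, 5, 1)),  # no response yet
]

if __name__ == "__main__":
    for supplier in ("Supplier-X", "Supplier-Y"):
        print(supplier, supplier_metrics(RECORDS, supplier, AS_OF))
    print(requirements_compliance(40, 6), compliance_delta(85.0, 92.5))
```

With the constructed data, Supplier-X discloses in 3 days on average but its second patch arrived on day 16, one day past the validation SLA, which in turn pushed the HDO past its own 20-day policy; Supplier-Y has produced nothing in 19 days and therefore carries breaches with no MTTD or MTTR at all. Both are the situations a Supplier Management Workgroup needs surfaced rather than averaged away.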


Thank You! Questions?

Let’s continue the discussion! Connect with me on LinkedIn:

https://www.linkedin.com/in/christopher-falkner-b2049746/

Helpful Resources

Kaiser Permanente Sourcing website: https://supplier.kp.org/

Kaiser Permanente Data Security Requirements: https://supplier.kp.org/requirements-guidelines/privacy-security-technology/data-security-requirements/

Kaiser Permanente Edge Security Requirements: https://supplier.kp.org/requirements-guidelines/privacy-security-technology/edge-security-requirements/

Health Sector Coordinating Council website: https://healthsectorcouncil.org/

Resources referenced in Edge Security Requirements: FDA Post Market Management of Cybersecurity, NIST 800-53, NIST 800-88, NIST 800-63b, NIST 800-111, ISO 14971, ISO 29147, ISO 30111, OWASP, CWE/SANS, Section 889(a)(1)(B) of the FY19 National Defense Authorization Act (NDAA), Common Vulnerability Scoring System (CVSS), US-CERT, HSCC HIC-MISO



Closing remarks



Thank you to our sponsors


BOOTH #C301

BOOTH #C359


Thank you to our task force team:

Nader Hammoud
Tony Cody
Juuso Leinonen
Priyanka Upendra
Suly Chi



Sponsored by

You are invited!

Join us at the HTA/ACCE reception

Date: Tuesday, 8/10/21, 6:00-7:30pm

Location: Wynn/Encore – Palmer 2

RSVP to enter the evening drawing