
Page 1: A Security Risk Management Framework for Networked Medical

THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE Lero © 2013.

A Security Risk Management Framework for Networked Medical Devices

Anita Finnegan, Fergal Mc Caffery, Gerry Coleman

Regulated Software Research Centre & Lero, Dundalk Institute of Technology, Dundalk

Page 2: A Security Risk Management Framework for Networked Medical


Overview

• Problem Background
• New / Proposed Guidance
• Overview of Solution
  • Security Risk Management Life Cycle
  • IEC/TR 80001-2-2
  • Security Assurance Cases
  • Summary of Solution
• Conclusion

Page 3: A Security Risk Management Framework for Networked Medical


Problem Background

• Advancements in Medical Devices: Increased Use of Software; Device Communication Abilities
• Controlled Hacking Demonstrations of Devices: Black Hat Security Conference, Las Vegas; Breakpoint Conference, Melbourne; ICS-ALERT, Medical Devices hard-coded passwords
• Medical Device Security Inquiry - US: 2012 - Government Accountability Office (GAO) Report
• Challenge: Balancing Security with Safety & Effectiveness

Page 4: A Security Risk Management Framework for Networked Medical


Guidance & Standards

Issued:
• FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks
• Content of Premarket Submissions for Management of Cybersecurity in Medical Devices - Draft Guidance for Industry and Food and Drug Administration Staff
• IEC/TR 80001-2-2 - Guidance for the communication of medical device security needs, risks and controls

Proposed:
• IEC/TR 80001-2-8 - Guidance on standards for establishing the security capabilities identified in IEC/TR 80001-2-2

Page 5: A Security Risk Management Framework for Networked Medical


Solution Framework

[Diagram: Solution Framework. Labels in slide order: Security Capabilities; Security Controls; Product Risk Analysis; "Provides Additional Processes to Extend the PRM"; ISO/IEC 15026-4 Assurance in the Life Cycle; NIST SP 800-53, ISO/IEC 27k, IEC 62443, ISO/IEC 15408, IEC/TR 80001-2-2; ISO/IEC 15026-4, 15288; Process Reference Model; "Provides Description of Processes"; "Assessed by"; Security Requirements Management Tool; Threat Modeling + Threat Identification; ISO/IEC 15026-4, 15504-6; Process Assessment Model; HDO; Security Assurance Case; HDO User Needs; Process; Product.]

Page 6: A Security Risk Management Framework for Networked Medical


Security Risk Management Life Cycle

[Diagram: Security Risk Management Life Cycle. Labels in slide order: Design, Coding, Testing; HDO Requirements; Security Requirements; Security Risk Management & SDLC Assurance Case Development; Test Results, Requirements, Operations; Security Risk Management; HDO Assurance Case Maintenance; Retirement; Feedback.]

Page 7: A Security Risk Management Framework for Networked Medical


IEC/TR 80001-2-2

A framework for the disclosure of security-related capabilities necessary for managing the risk of connecting medical devices to IT-networks.

This technical report presents an informative set of common, high-level security-related capabilities useful in understanding the user needs, the type of security controls to be considered and the risks that lead to the controls.

The capability descriptions in the report are intended to supply healthcare delivery organizations (HDOs) and medical device manufacturers (MDMs) with a basis for discussing risk and their respective roles and responsibilities for the management of this risk.

Page 8: A Security Risk Management Framework for Networked Medical


IEC/TR 80001-2-2

IEC/TR 80001-2-2 Security Capabilities

• Automatic Logoff
• Audit Controls
• Authorization
• Configuration of Security Features
• Cyber Security Product Upgrades
• Data Backup and Disaster Recovery
• Emergency Access
• Health Data De-identification
• Health Data Integrity and Authenticity
• Health Data Storage Confidentiality
• Malware Protection/Detection
• Node Authentication
• Person Authentication
• Physical Locks on Devices
• Security Guides
• System & Application Hardening
• Third Party Components in Product Lifecycle Roadmaps
• Transmission Confidentiality
• Transmission Integrity

Page 9: A Security Risk Management Framework for Networked Medical


IEC/TR 80001-2-2


Page 10: A Security Risk Management Framework for Networked Medical


Security Mapping

IEC/TR 80001-2-2 Security Capabilities → Security Controls required for the implementation of each Security Capability, drawn from:

• ISO/IEC 27002
• ISO 27799
• IEC 62443
• NIST SP 800-53
• ISO/IEC 15408

Page 11: A Security Risk Management Framework for Networked Medical


Security Mapping

| IEC/TR 80001-2-2 Capability | Security Control | Source |
|---|---|---|
| Automatic Logoff (ALOF) | SR 1.4 Authenticator Management | IEC 62443-3-3 |
| | SR 1.5 Strength of Password Based Authentication | IEC 62443-3-3 |
| | SR 2.5 Remote session termination | IEC 62443-3-3 |
| | 11.1.1 Access Control Policy | ISO/IEC 27002 |
| | 11.3.1 Password Use | ISO/IEC 27002 |
| | 11.3.2 Unattended User Equipment | ISO/IEC 27002 |
| | 11.3.3 Clear desk & Clear Screen Policy | ISO/IEC 27002 |
| | 11.5.5 Session Time-out | ISO/IEC 27002 |
| | 11.5.6 Limitation of connection time | ISO/IEC 27002 |
| | 7.8.1.2 Access Control Policy | ISO 27799 |
| | 7.8.3 Password Use | ISO 27799 |
| | 7.8.3 Unattended User Equipment | ISO 27799 |
| | 7.8.3 Clear desk & Clear Screen Policy | ISO 27799 |
| | 7.8.4 Session Time-out | ISO 27799 |
| | 7.8.4 Limitation of connection time | ISO 27799 |
| | AC-1 Access Control Policy & Management | NIST 800-53 |
| | AC-2 Account Management | NIST 800-53 |
| | AC-11 Session Lock | NIST 800-53 |
| | SI-1 System & Information Integrity Policy & Procedures | NIST 800-53 |
| | FDP_ACC Access control policy | ISO/IEC 15408-2 |
| | FIA_UAU User Authentication | ISO/IEC 15408-2 |
| | FIA_UID User Identification | ISO/IEC 15408-2 |
| | FMT_MOF Management of Functions in TSF | ISO/IEC 15408-2 |
| | FTA_SSL Session Locking & Termination | ISO/IEC 15408-2 |

Page 12: A Security Risk Management Framework for Networked Medical


Security Risk Management

1. HDO Internal Risk Assessment: identify ‘user needs’ to determine the required security capability of a medical device.

2. Agreement between MDM and HDO: serves as the basis for one or more responsibility agreements as specified in IEC 80001-1.

3. MDM Security Risk Assessment

Page 13: A Security Risk Management Framework for Networked Medical


Security Risk Management

4. Delivery: the medical device is accompanied by a tailored assurance case detailing the security capability of the product.

5. HDO Risk Management: ongoing security risk management using the HDO-tailored assurance case.
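The Security Mapping table and the five-step process above together describe a gap check an HDO can run at delivery: the user needs from step 1 name the capabilities, the mapping names the controls each capability requires, and the MDM's assurance case from step 4 declares which controls are in place. The following Python is an added example of that check; it is not the authors' tool. The ALOF rows are copied from the slide's table (the slides give no control rows for the other capabilities, so an unmapped capability is reported rather than assumed covered), and the MDM declaration in the demo is constructed.

```python
"""Capability-to-control gap check modelled on the slide's Security Mapping.
Added example; not the authors' tool. ALOF rows are from the slide; the MDM
declaration in the demo is constructed."""
from dataclasses import dataclass

# (control identifier, control title, source standard), as on the slide.
ALOF_CONTROLS = (
    ("SR 1.4", "Authenticator Management", "IEC 62443-3-3"),
    ("SR 1.5", "Strength of Password Based Authentication", "IEC 62443-3-3"),
    ("SR 2.5", "Remote session termination", "IEC 62443-3-3"),
    ("11.1.1", "Access Control Policy", "ISO/IEC 27002"),
    ("11.3.1", "Password Use", "ISO/IEC 27002"),
    ("11.3.2", "Unattended User Equipment", "ISO/IEC 27002"),
    ("11.3.3", "Clear desk & Clear Screen Policy", "ISO/IEC 27002"),
    ("11.5.5", "Session Time-out", "ISO/IEC 27002"),
    ("11.5.6", "Limitation of connection time", "ISO/IEC 27002"),
    ("7.8.1.2", "Access Control Policy", "ISO 27799"),
    ("7.8.3", "Password Use", "ISO 27799"),
    ("7.8.3", "Unattended User Equipment", "ISO 27799"),
    ("7.8.3", "Clear desk & Clear Screen Policy", "ISO 27799"),
    ("7.8.4", "Session Time-out", "ISO 27799"),
    ("7.8.4", "Limitation of connection time", "ISO 27799"),
    ("AC-1", "Access Control Policy & Management", "NIST 800-53"),
    ("AC-2", "Account Management", "NIST 800-53"),
    ("AC-11", "Session Lock", "NIST 800-53"),
    ("SI-1", "System & Information Integrity Policy & Procedures", "NIST 800-53"),
    ("FDP_ACC", "Access control policy", "ISO/IEC 15408-2"),
    ("FIA_UAU", "User Authentication", "ISO/IEC 15408-2"),
    ("FIA_UID", "User Identification", "ISO/IEC 15408-2"),
    ("FMT_MOF", "Management of Functions in TSF", "ISO/IEC 15408-2"),
    ("FTA_SSL", "Session Locking & Termination", "ISO/IEC 15408-2"),
)

# Capability -> control rows. Only ALOF has rows on the slides.
MAPPING = {"ALOF": ALOF_CONTROLS}


@dataclass(frozen=True)
class GapReport:
    capability: str
    satisfied: frozenset   # required (source, identifier) pairs the MDM declares
    missing: frozenset     # required pairs absent from the MDM declaration
    unknown: bool = False  # no control mapping available for this capability

    @property
    def coverage(self) -> float:
        total = len(self.satisfied) + len(self.missing)
        return len(self.satisfied) / total if total else 0.0


def required_controls(capability: str) -> frozenset:
    """Unique (source, identifier) pairs mapped to a capability. Rows sharing
    an identifier within one source (ISO 27799 7.8.3 appears three times on
    the slide) collapse to a single requirement."""
    return frozenset((src, ident) for ident, _title, src in MAPPING[capability])


def assess(user_needs, declared) -> list:
    """Step 1 yields user_needs, the capabilities the HDO requires; step 4
    yields declared, the (source, identifier) controls the MDM's assurance
    case claims. Returns one GapReport per capability for the HDO's ongoing
    risk management (step 5). Declared controls outside the mapping are
    ignored rather than counted towards coverage."""
    declared = frozenset(declared)
    reports = []
    for cap in user_needs:
        if cap not in MAPPING:
            reports.append(GapReport(cap, frozenset(), frozenset(), unknown=True))
            continue
        req = required_controls(cap)
        reports.append(GapReport(cap, req & declared, req - declared))
    return reports


if __name__ == "__main__":
    # Constructed MDM declaration: session-handling controls only, plus one
    # control (NIST AC-3) that the ALOF mapping does not list.
    declared = {
        ("IEC 62443-3-3", "SR 2.5"), ("ISO/IEC 27002", "11.5.5"),
        ("NIST 800-53", "AC-11"), ("ISO/IEC 15408-2", "FTA_SSL"),
        ("NIST 800-53", "AC-3"),
    }
    # "Audit Controls" is a capability the slides list but do not map, so it
    # is reported as unknown instead of being treated as covered.
    for r in assess(["ALOF", "Audit Controls"], declared):
        status = "no mapping" if r.unknown else f"{r.coverage:.0%} covered"
        print(f"{r.capability}: {status}; missing {sorted(r.missing)}")
```

The report deliberately separates "unknown" from "zero coverage": a capability the HDO needs but cannot map to controls is a gap in the mapping itself, which must be resolved in the MDM/HDO agreement (step 2) before the assurance case can be judged.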

Page 14: A Security Risk Management Framework for Networked Medical


Security Assurance Cases

An assurance case is a body of evidence organised into an argument demonstrating some claim that a system holds, e.g. that it is acceptably safe. It is required when it is important to show that a system exhibits some complex property such as safety, security, or reliability.

An assurance case must:
1. Make a claim or set of claims about a property of a system;
2. Provide a set of arguments;
3. Make clear the assumptions and judgements underlying the arguments;
4. Produce the supportive evidence.
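The four elements above (claims, arguments, assumptions, evidence) form a tree that can be checked mechanically for completeness before anyone judges whether the argument is convincing. The Python below is an added example of such a structural check; it is not the authors' notation or tool. The case fragment it walks is constructed for illustration, and the claim and evidence texts in it are placeholders.

```python
"""Structural completeness check for a security assurance case.
Added example; not the authors' tool. The case content is constructed."""
from dataclasses import dataclass, field


@dataclass
class Evidence:
    ident: str         # reference to a test report, review record, etc.
    description: str


@dataclass
class Argument:
    text: str
    evidence: list = field(default_factory=list)     # Evidence items
    assumptions: list = field(default_factory=list)  # assumptions/judgements relied on


@dataclass
class Claim:
    text: str
    arguments: list = field(default_factory=list)   # Argument items
    subclaims: list = field(default_factory=list)   # Claim items refining this one


def findings(claim: Claim, path: str = "C") -> list:
    """Walk the case and report where the structure is incomplete: a claim
    with neither arguments nor sub-claims, or an argument citing no evidence.
    Returns (location, problem) pairs; an empty list means every claim is
    argued and every argument is evidenced."""
    out = []
    if not claim.arguments and not claim.subclaims:
        out.append((path, "claim has no argument"))
    for i, arg in enumerate(claim.arguments, 1):
        if not arg.evidence:
            out.append((f"{path}.A{i}", "argument cites no evidence"))
    for j, sub in enumerate(claim.subclaims, 1):
        out.extend(findings(sub, f"{path}.{j}"))
    return out


def assumptions(claim: Claim) -> list:
    """Every assumption stated anywhere in the case, deduplicated and sorted,
    so the HDO can review what the argument depends on (element 3)."""
    found = {a for arg in claim.arguments for a in arg.assumptions}
    for sub in claim.subclaims:
        found.update(assumptions(sub))
    return sorted(found)


def example_case() -> Claim:
    """Constructed fragment for one capability; identifiers are placeholders."""
    return Claim(
        "Device provides the Automatic Logoff capability the HDO requires",
        subclaims=[
            Claim("Unattended sessions are terminated",
                  arguments=[Argument(
                      "Session time-out is enforced and tested",
                      evidence=[Evidence("TR-001", "constructed test report")],
                      assumptions=["HDO configures the time-out on deployment"])]),
            Claim("Re-authentication is required after logoff",
                  arguments=[Argument("Login required after time-out",
                                      assumptions=["no shared clinical accounts"])]),
            Claim("Logoff does not interrupt emergency use"),
        ])


if __name__ == "__main__":
    case = example_case()
    for loc, problem in findings(case):
        print(f"{loc}: {problem}")
    print("assumptions:", assumptions(case))
```

The two findings the constructed case produces are the ones an HDO reviewer most often meets: an argument that is plausible but unevidenced, and a sub-claim that was written down and never argued. The assumptions list is what the HDO should compare against its own environment before accepting the case.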

Page 15: A Security Risk Management Framework for Networked Medical


Assurance Case Structure


Page 16: A Security Risk Management Framework for Networked Medical

Page 17: A Security Risk Management Framework for Networked Medical

Page 18: A Security Risk Management Framework for Networked Medical

Page 19: A Security Risk Management Framework for Networked Medical

Page 20: A Security Risk Management Framework for Networked Medical

Page 21: A Security Risk Management Framework for Networked Medical

Page 22: A Security Risk Management Framework for Networked Medical

Page 23: A Security Risk Management Framework for Networked Medical

Page 24: A Security Risk Management Framework for Networked Medical

Page 25: A Security Risk Management Framework for Networked Medical


SDLC Security Assurance Case

MDM Assurance Case

Page 26: A Security Risk Management Framework for Networked Medical

Page 27: A Security Risk Management Framework for Networked Medical

Page 28: A Security Risk Management Framework for Networked Medical

Page 29: A Security Risk Management Framework for Networked Medical

Page 30: A Security Risk Management Framework for Networked Medical

Page 31: A Security Risk Management Framework for Networked Medical

Page 32: A Security Risk Management Framework for Networked Medical


HDO Security Assurance Case


HDO Assurance Case

Page 33: A Security Risk Management Framework for Networked Medical


Conclusion

The aim of this risk management framework is to assist both HDOs and MDMs to better understand the required security capabilities of networked devices. IEC/TR 80001-2-2 sets out to develop a common framework for the communication of security needs, risks and controls. This will be further complemented by the MDS2 revision and also the potential IEC/TR 80001-2-8. Guidance on interpreting and updating the IEC/TR 80001-2-2 assurance case will be sufficiently covered and supported by these documents.

Page 34: A Security Risk Management Framework for Networked Medical


This research is supported by the Science Foundation Ireland (SFI) Stokes Lectureship Programme, grant number 07/SK/I1299, the SFI Principal Investigator Programme, grant number 08/IN.1/I2030 (the funding of this project was awarded by Science Foundation Ireland under a co-funding initiative by the Irish Government and European Regional Development Fund), and supported in part by Lero - the Irish Software Engineering Research Centre (http://www.lero.ie) grant 10/CE/I1855

Thank You for Listening

Anita Finnegan

[email protected]

Page 35: A Security Risk Management Framework for Networked Medical


Conclusion

500,000 worldwide insulin pump users