
Cybersecurity in a Complex Healthcare Ecosystem

11/19/2020: This is a work in progress. Watch for updates to this post and the full article, including, but not limited to:

  • The NCCoE has released the draft version of NIST Cybersecurity Practice Guide SP 1800-30, Securing Telehealth Remote Patient Monitoring Ecosystem. https://www.nccoe.nist.gov/projects/use-cases/health-it/telehealth
  • The new Health Industry Cybersecurity Supply Chain Risk Management Guide (HIC-SCRiM) v.2.0 from the Healthcare and Public Health Sector Coordinating Councils. https://healthsectorcouncil.org/hic-scrim-v2/

Cybersecurity risk management for supply chains with multiple vendors is complicated. Each vendor is clearly responsible for its own system, but who minds the overall end-to-end concerns? This article asserts that coordination across organizational boundaries is needed to assess and mitigate cybersecurity risks in remote patient monitoring (RPM) systems.

Examples of network-connected RPM devices include wearables (e.g., smart watches), glucose monitors, pacemaker monitors, blood pressure cuffs, pulse oximeters, continuous positive airway pressure (CPAP) machines, scales, and more. Such devices are part of the family of the Internet of Things (IoT).

A 2019 survey of physicians showed “Two in three, or 68 percent, of physicians surveyed strongly intend to use remote patient monitoring technology…” However, the survey report also indicates “Health care professionals view data security as the main barrier to technology uptake.”[1]

The majority of recent cybersecurity analysis for medical devices has focused on devices used within hospitals and clinics. Cybersecurity for RPM is different in a number of ways.

RPM is a “system of systems” – a physical and digital chain consisting of devices connected to networks, which are in turn connected to other networks. Typically, multiple stakeholders are involved in the provision and operation of these systems. These include device manufacturers that depend on a supply chain for software and hardware components, communications networks, data integrators, and the clinicians who are the ultimate users of the data (Figure 1). There are also various interfaces with humans, including patients, caregivers, developers, network engineers, and system administrators.

Figure 1

Attacks on healthcare delivery organization (HDO) networks via device or interim partner vulnerabilities are a bigger concern than attacks on individual devices. This is because more harm can be done if a healthcare delivery organization network is compromised. Attacks on these networks can not only result in theft of personally identifiable information, but also interruption of service, such as what occurs in a ransomware attack. 

In an RPM digital supply chain with multiple vendors involved, it is necessary to take a “trust, but verify” approach. Clauses can be put in a contract or a “Business Associate Agreement” to require a supplier/partner (vendor) to maintain a good cybersecurity posture, but it is unlikely that the vendor can absolutely guarantee protection. When only written assurances of “best efforts” to prevent cybersecurity incidents are provided, it behooves the buyer/user to perform due diligence and monitor whether these efforts are effective.

One possible solution is for the healthcare delivery organization that is the receiver of the data to oversee the end-to-end process. Alternatively, the data platform vendor that consolidates, analyzes, and formats the data may be in a position to provide the needed coordination. On the other hand, it is difficult to imagine how device manufacturers could coordinate all of the stakeholders.

As a final thought, remember that the ever-changing cybersecurity landscape means it may not be possible to anticipate and mitigate all threats. In the event an incident occurs, there needs to be a plan to respond and recover. In an environment with multiple vendors, response coordination has to be planned and rehearsed before something happens. The objective is to make sure the entire remote patient monitoring system is resilient.

If you work for a health care delivery organization that is on the receiving end of a remote patient monitoring system, what are you doing to make sure all of the components in that system are secure and that you are ready to respond to problems?

If you are one of the vendors in a remote patient monitoring system, what are you doing to make sure your upstream and downstream partners in the system are secure?

If you are not sure how to do this, you’ll probably want to obtain assistance to reach out to each of the organizations that comprise the end-to-end system and figure out an approach to make sure a holistic security framework is conceived and implemented.

* * *

David Snyder is a cybersecurity professional experienced at facilitating discussions among ecosystem members, analyzing complex processes, and orchestrating cross-functional and cross-organizational efforts.

Inquiries: https://42tek.com/contact/


[1] CTA Survey Finds High Demand for Remote Patient Monitoring Devices, 11 April 2019, https://www.cta.tech/Resources/Newsroom/Media-Releases/2019/April/CTA-Survey-Finds-High-Demand-for-Remote-Patient-Mo#/

HIMSS ePatient 2020 – Cybersecurity & the Future of Remote Patient Monitoring – Webinar

An updated and shorter online version of my well-received December conference workshop. Noon (Pacific) on May 12, 2020.

Factors driving increased adoption of RPM. RPM as a “system of systems” requiring coordination among stakeholders. Cybersecurity best practices.

A version of the slides is posted at https://www.42tek.com/RPM_Cybersecurity.pdf. Video at https://www.youtube.com/watch?v=iZ-QUo8XTPA&feature=youtu.be

Cybersecurity and the Future of Remote Patient Monitoring – December 10, 2019 Workshop in San Francisco

This 3-hour workshop on December 10, 2019 in San Francisco explored similarities and differences between network-connected medical devices in clinical settings versus residential environments, relative cybersecurity challenges, and best practices throughout the lifecycle of remote devices.

See https://connected-devices-summit.com.

Several trends are driving increased interest and adoption for using network-connected medical devices outside the clinical environment to diagnose, monitor, and treat patients. These include an aging population living longer, often with multiple chronic illnesses, looming shortages of doctors and nurses, and incentives to reduce hospital readmissions.

“88% of health systems and hospitals surveyed have invested or plan to invest in remote patient monitoring solutions to support their organizational transitions to value-based care.” (Spyglass Consulting Group)

The FDA, hospitals, researchers, and device manufacturers have been working hard to define best practices for cybersecurity for network-connected medical devices in hospitals. Attend and see what you need to consider.

Longer description at https://42tek.com/Cybersec_RPM.pdf.

DEFCON27 – Biohacking Village

8-11 August 2019 – Las Vegas, Nevada
Planet Hollywood

This is where hackers had a chance to explore medical devices to discover potential cybersecurity vulnerabilities and, hopefully, how to defend against them. Read more at

https://www.villageb.io and https://www.defcon.org

I volunteered at the Biohacking Village and was able to network with some excellent people about developing and maintaining network-connected medical devices securely. Ten medical device manufacturers provided approximately 40 devices for hackers to examine and explore. There were about 30 workshops, presentations, and panels, including some of the premier security researchers in this space and representatives from the FDA.

Recent Workshop

Connected Devices: Cybersecurity & Compliance Summit

http://connected-devices-summit.com

December 11-12, 2018 at the Hotel Kabuki in San Francisco.

On December 11th, I was joined by a great team to conduct a 2.5-hour workshop entitled “Cybersecurity for Medical Devices is a ‘Team Sport.’” Assisting with the workshop were:

  • Jason Johnson, Information Security Officer, Marin General Hospital
  • Matthew Jones, Clinical Engineering Security Specialist, Intermountain Healthcare
  • Deb Muro, Chief Information Officer, El Camino Hospital
  • Christine Sublett, President & Principal Consultant, Sublett Consulting, LLC

The workshop focused on how device developers can collaborate with hospitals and clinics to help make sure medical devices are set up and managed to protect patients’ privacy and safety.

The highly interactive session was conducted by a team with diverse backgrounds, including a hospital CIO, a clinical engineer, a hospital information security officer, and two neutral cybersecurity consultants to facilitate and moderate. Topics covered included:

  • Considerations during procurement, integration and operations
  • Defining best practices for device inventory management and monitoring device behavior and network traffic for potential cybersecurity attack indications
  • Ways of thinking about the issues in terms of people, process, and technology
  • Views on how connected medical device cybersecurity can be approached as a ‘team sport’ involving collaboration among manufacturers, regulators, providers (hospitals and physicians), supply chain, and patients
  • Understanding how hackers plan their attacks
  • Ideas for ways potential risks may be mitigated

Group exercises and case studies were included.
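As an added illustration of the device inventory and traffic-monitoring topic listed above (example code written for this page, not material from the workshop or its presenters), the script below keeps a small device inventory that records which destinations and ports each device is expected to use, then compares flow records against it. Flows from a device that is not in the inventory, or from a known device to an unlisted destination or port, become findings. Every device, address, port and log line is constructed for the example.

```python
"""Inventory-driven monitoring of connected medical device traffic.

Each managed device has an inventory record listing the peers it is
expected to talk to (for example its vendor cloud or the hospital's
integration engine). Flow records are checked against that record and
anything that does not fit is reported. All devices, addresses and
log lines in this file are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass
class DeviceRecord:
    """One inventory entry: what a device is and who it may talk to."""
    device_id: str
    device_type: str
    allowed_dst: List[str]   # CIDR blocks of expected peers
    allowed_ports: Set[int]  # ports the device is expected to use


# Constructed inventory, keyed by the device's address on the clinical VLAN.
INVENTORY: Dict[str, DeviceRecord] = {
    "10.20.1.15": DeviceRecord("PUMP-0042", "infusion pump", ["203.0.113.0/24"], {443}),
    "10.20.1.16": DeviceRecord("MON-0107", "patient monitor", ["10.20.5.0/24"], {2575}),
}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    port: int
    proto: str
    nbytes: int


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    port: int
    reason: str


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow record: '<ts> <src> <dst> <port> <proto> <bytes>'."""
    ts, src, dst, port, proto, nbytes = line.split()
    return Flow(ts, src, dst, int(port), proto, int(nbytes))


def check_flow(flow: Flow, inventory: Dict[str, DeviceRecord]) -> Optional[Finding]:
    """Return a Finding when the flow does not match the source device's record."""
    rec = inventory.get(flow.src)
    if rec is None:
        # A talker on the device VLAN that nobody has registered.
        return Finding(flow.ts, flow.src, flow.dst, flow.port,
                       "source not in device inventory")
    dst = ip_address(flow.dst)
    if not any(dst in ip_network(cidr) for cidr in rec.allowed_dst):
        return Finding(flow.ts, flow.src, flow.dst, flow.port,
                       f"{rec.device_id} ({rec.device_type}) contacted unlisted destination")
    if flow.port not in rec.allowed_ports:
        return Finding(flow.ts, flow.src, flow.dst, flow.port,
                       f"{rec.device_id} ({rec.device_type}) used unexpected port")
    return None


def analyze(lines: List[str], inventory: Dict[str, DeviceRecord]) -> List[Finding]:
    """Run every flow record through check_flow and collect the findings."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        finding = check_flow(parse_flow(line), inventory)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed flow records: timestamp, source, destination, port, protocol, bytes.
SAMPLE_FLOWS = [
    "2020-11-19T10:00:01Z 10.20.1.15 203.0.113.10 443 tcp 2048",  # pump to vendor cloud: expected
    "2020-11-19T10:00:05Z 10.20.1.15 198.51.100.7 443 tcp 4096",  # pump to unlisted destination
    "2020-11-19T10:00:09Z 10.20.1.42 203.0.113.10 443 tcp 512",   # source not in inventory
    "2020-11-19T10:00:12Z 10.20.1.15 203.0.113.10 22 tcp 300",    # pump using an unexpected port
    "2020-11-19T10:00:15Z 10.20.1.16 10.20.5.5 2575 tcp 900",     # monitor to integration engine: expected
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_FLOWS, INVENTORY):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.port}  {f.reason}")
```

The checks are deliberately ordered from the broadest question (is this device known at all?) to the narrowest (is this port expected?), so a single flow produces one finding with the most useful reason. In practice the inventory would be loaded from the organization's asset register and the flow records from a NetFlow or firewall export rather than embedded as constants.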

Cybersecurity for Medical Devices is a “Team Sport”

There are over 5,000 hospitals in the U.S., and I’ve seen 6,000 cited as the number of medical device manufacturers. Medical devices are increasingly built with network connectivity. Examples include heart monitors, infusion pumps, glucose monitors, and assorted other treatment and diagnostic devices.

Cybersecurity has traditionally been concerned with Confidentiality, Availability, and Integrity of data. However, in medical devices and critical infrastructure (such as the electric power grid), the potential for harm means we have to include Safety when we think about cybersecurity.

On December 11, 2018, I’ll be leading the INTERACTIVE WORKSHOP: Cybersecurity For Medical Devices Is A “Team Sport” at the Connected Devices: Cybersecurity & Compliance Summit in San Francisco at the Kabuki Hotel. See http://connected-devices-summit.com. This interactive workshop will focus on how device developers can collaborate with hospitals and clinics, who purchase network-connected medical devices and need to operate them in their complex networks. This highly interactive and hands-on session will be conducted by a team with diverse backgrounds, including a hospital CIO, a clinical engineer, a hospital information security officer, and two neutral cybersecurity consultants to facilitate and moderate.

My collaborators for this workshop include:

  • Deb Muro, Chief Information Officer, El Camino Hospital
  • Jason Johnson, Information Security Officer, Marin General Hospital
  • Matthew Jones, Clinical Engineering Security Specialist, Intermountain Healthcare
  • Christine Sublett, President & Principal Consultant, Sublett Consulting, LLC

If you’d like to read more on the subject, see the following or contact me for more references.

Medical Device Cybersecurity Session at IoT Security Symposium

Free Sneak Preview Event:

Network-Connected Medical Devices: What Could Possibly Go Wrong?

A presentation at Triple Ring Technologies’ MedTech Frontiers the evening of March 1, 2018. See http://www.tripleringtech.com/march-1-2018-network-connected-medical-devices-possibly-go-wrong-examining-iot-security-blockchain-technologies/

The Main Event:

The Symposium on Securing The Internet of Things (http://securingthenet.com) took a deep dive on what it will take to protect the billions of devices on which we depend for critical infrastructure, healthcare, and our homes. I led a panel discussion on Security for Network-Connected Medical Devices.

The event was March 5 – 7, 2018 at the Crowne Plaza Hotel in Burlingame, CA (near San Francisco Airport). See the agenda at https://42tek.com/STIOTAGENDArev6.pdf.

My session addressed security topics in medical device design and manufacturing, usage in hospitals, remote monitoring, and related legislative, regulatory, and standards initiatives. Bill Saltzstein of Code Blue Communications, Peyton Paulick Kochel, Ph.D. of Proteus Digital Health, and Eric Pancoast of Medcrypt participated in the panel, and May Wang of Zingbox gave a keynote presentation.

Please use the contact form if you would like to request the slides.

Some references on the medical devices topic may be found here.

Upcoming Events of Interest; Snyder Update

I gave a webinar on Blockchain and IoT at Global IoT DevFest Virtual Conference Nov 7-8, 2017. See http://globaliotfest.withthebest.com

I gave a presentation on Blockchain and IoT for the Silicon Valley Insurance Accelerator Blockchain Bootcamp in Palo Alto on December 6, 2017. See http://sviaccelerator.com/insurtech-bootcamp-block-chain-01/.

I am helping a Fortune 500 company prepare for its annual assessment for compliance with the Payment Card Industry Data Security Standard (PCI DSS). I should be done with this around May 2018.

Did you know that Northeastern University has a Silicon Valley campus? Not only that, but they offer a 13-week course on the Internet of Things (http://info.leveledu.com/iot). I’m just wrapping up the capstone project for the class. Among other things, we did some interesting work with small sensors and some Arduino devices, worked with networks and Raspberry Pi devices, and explored Fog Computing. My capstone project involves a sensor to detect when a collection box is full. Of course, one of my main interests in this is how to design and maintain security for Internet-connected devices.

Blockchain References

In addition to the talks I have been giving, here is a selection of references to help you get up to speed on Blockchain Technology and how it may be used. Please use the Contact Form if you want to get in touch to discuss a specific question or need that you may have for Product Development, Implementations, or Program Management.


YouTube

“Blockchain 101 – A Visual Demo” at https://www.youtube.com/watch?v=_160oMzblY8 and a great interactive tool to try out at https://anders.com/blockchain/hash.html (click on the tabs at the top to see different parts)

How Bitcoin Works Under the Hood: https://www.youtube.com/watch?v=Lx9zgZCMqXE

Building a Blockchain in Under 15 Minutes – Programmer explains: https://www.youtube.com/watch?v=baJYhYsHkLM

Books

The Business Blockchain: Promise, Practice, and Application of the Next Internet Technology by William Mougayar

Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World by Don Tapscott

Blockchain and IoT

http://infocastinc.com/insights/technology/blockchain-using-bitcoins-robust-architecture-to-secure-the-internet-of-things/

https://www.ericsson.com/hyperscale/cloud-infrastructure/data-centric-security/data-integrity-assurance

http://www.bloomberg.com/news/articles/2016-05-19/built-for-bitcoin-blockchain-goes-beyond-crypto-currency

Trusted IoT Alliance: https://www.trusted-iot.org

More Articles & Blog Posts

A Beginner’s Guide to Blockchain Technology: https://www.coindesk.com/information/

https://hbr.org/2017/01/the-truth-about-blockchain

http://fortune.com/2017/08/22/bitcoin-ethereum-blockchain-cryptocurrency

http://fortune.com/2017/08/22/fortune-500-blockchain-ledger-delaware/

http://www.newsweek.com/blockchain-technology-will-remake-global-financial-system-462537

https://www.coindesk.com/us-centers-disease-control-launch-first-blockchain-test-disaster-relief/

http://fortune.com/2016/05/23/blockchain-definition/

http://www.cio.com/article/3055847/security/what-is-blockchain-and-how-does-it-work.html

http://www.kayescholer.com/docs/IntrotoBitcoinandBlockchainTechnology.pdf

http://www.economist.com/news/briefing/21677228-technology-behind-bitcoin-lets-people-who-do-not-know-or-trust-each-other-build-dependable

https://www.hyperledger.org

https://www.ethereum.org

Courses

The Basics of Blockchain: https://www.udemy.com/the-basics-of-blockchain/

Blockchain 101: https://www.udemy.com/blockchain101/

Bitcoin and Cryptocurrency Technologies: https://www.coursera.org/learn/cryptocurrency

Blockchain for Business – An Introduction to Hyperledger Technologies: https://www.edx.org/course/blockchain-business-introduction-linuxfoundationx-lfs171x

Blockchain Basics: A Practical Approach: https://www.creded.ai/Course/udemy/blockchain-basics-a-practical-approach-by-toshendra-sharma

Congressional Proposal for Blockchain Study Needs a Little Work

“$700 Billion Senate Defense Bill Calls for Blockchain Cybersecurity Study”

https://www.coindesk.com/700-billion-senate-defense-bill-calls-blockchain-cybersecurity-study/

“A $700 billion defense bill passed by the US Senate includes a mandate for a blockchain study to be conducted by the Department of Defense.”

“Yesterday, the US Senate passed a massive defense spending package that provides hundreds of billions of dollars to the US military. Public records show that an amendment included in that bill, proposed by Senator Rob Portman of Ohio, would “require a report on cyber applications of blockchain technology” if signed into law.”

Perhaps a good idea, but probably deserves some discussion.

The amendment specifically calls for

“…a report on the potential offensive and defensive cyber applications of blockchain technology and other distributed database technologies and an assessment of efforts by foreign powers, extremist organizations, and criminal networks to utilize these technologies. Such report shall also include an assessment of the use or planned use of blockchain technologies by the United States Government or critical infrastructure networks and the vulnerabilities of such networks to cyber attacks.”

For one thing, I would recommend deleting the option for the report to be submitted in classified form, while possibly still allowing it to be submitted “…in unclassified form with a classified annex.” I hope people will discuss this, or at least get the issue into the legislative history, before this goes through. It would be a shame to spend taxpayer dollars for such a study, only to have it buried as a classified document.

Here’s an excerpt from the Sept 18, 2017 version of the proposed amendment to the National Defense Authorization Act for Fiscal Year 2018:

https://www.congress.gov/amendment/115th-congress/senate-amendment/1055/text

AMENDMENT NO. 1055

(Purpose: To require a report on cyber applications of blockchain technology)

At the end of subtitle C of title XVI, add the following:

SEC. 1630C. REPORT ON CYBER APPLICATIONS OF BLOCKCHAIN TECHNOLOGY.

(a) Report Required.–Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense, in consultation with the heads of such other agencies and departments as the Secretary considers appropriate, shall submit to the appropriate committees of Congress a report on the potential offensive and defensive cyber applications of blockchain technology and other distributed database technologies and an assessment of efforts by foreign powers, extremist organizations, and criminal networks to utilize these technologies. Such report shall also include an assessment of the use or planned use of blockchain technologies by the United States Government or critical infrastructure networks and the vulnerabilities of such networks to cyber attacks.

(b) Form of Report.–The report required by (a) may be submitted–

(1) in classified form; or

(2) in unclassified form with a classified annex.

(c) Appropriate Committees of Congress Defined.–In this section, the term “appropriate committees of Congress” means–


(1) the Committee on Armed Services, the Select Committee on Intelligence, and the Committee on Homeland Security and Governmental Affairs of the Senate; and

(2) Committee on Armed Services, the Permanent Select Committee on Intelligence, and the Committee on Homeland Security of the House of Representatives.