INFORMATION SECURITY - HEALTHCARE & MEDICAL DEVICES
22nd February 2017 - IET Birmingham
Join us for this masterclass in Information Security in healthcare applications and medical devices.
specialists in medical device software, connected devices and cybersecurity.
CYBER SECURITY IN MEDICAL DEVICES
The continual flow of cyber security breaches in the mainstream news has highlighted the degree of vulnerability that exists to this type of attack and the consequences of security failures. Whilst these attacks may cause embarrassment, inconvenience and have serious financial implications, medical devices - by their very nature - have the capacity to cause harm, either directly (as in the case of an infusion pump, for example) or indirectly (through an incorrect diagnosis). Like any other computer system, medical devices are vulnerable to security threats and this has the potential to affect the safety and effectiveness of the device. The trend of making devices more connected - to the Internet, hospital networks, and to other medical devices - increases this vulnerability.
What Are the Threats?
The threats can be considered to fall into two groups. Firstly, an attacker may take control of one or more devices with the deliberate intent of harming a patient. Motives for this could range from "ransomware", i.e. organised criminals aiming to blackmail healthcare providers or device manufacturers, to a new form of terrorist attack, industrial sabotage or simply an individual with the intent to cause harm for whatever reason he or she might have. (In Australia, 49-year-old Vitek Boden conducted a series of electronic attacks on the Maroochy Shire sewage control system after a job application he had made was rejected by the area's Council - he was able to take control of the sewage management system and caused millions of litres of raw sewage to spill out into local parks, rivers and even the grounds of a Hyatt Regency hotel. He is currently serving a two-year jail
The second threat is the presence of some unauthorised program - which could be a virus, worm or any other program that compromises the effectiveness or safety of a medical device. Here the intent might not be to cause harm to a patient, but it might lead to that all the same.
Dealing with these security issues is something the medical device industry has been late to address, particularly when compared with the commercial world, and perhaps for good reasons - patching an operating system may well invalidate extensive software validation efforts and lead to increased costs. However, in the commercial world preventing an attack might be considered successful if the attacker's intent is blocked, even if the program under attack is prevented from performing its intended function. In the case of a medical device such as an infusion pump, a defence that stops the device performing its intended function might not count as a success at all. So the need for effective (and cost-effective) strategies for dealing with security threats is critical.
There will be no one single answer to this problem, but effective strategies will fall into two broad areas: prevention and detection. Prevention strategies will aim to build robust and secure systems that are extremely difficult to penetrate. Detection strategies will include ongoing monitoring to detect the presence of malicious code, either directly or indirectly (e.g. through the side effects of its presence), or to detect if any unauthorised control of a device has been
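As an added illustration of the two detection routes just described (this is example code written for this page, not material from the masterclass or from any pump manufacturer), the Python below checks a device "directly" by comparing the running firmware image against a reference digest, and "indirectly" by watching an infusion pump's own event log for side effects that no authorised action explains: a rate command arriving over an interface that is not a permitted control path, a rate outside the drug library limits, and a rate the motor actually applied that no authorised command set. The log format, the source names (ui, net, pump), the drug limits and the firmware bytes are all constructed assumptions for the example.

```python
import hashlib
import hmac

# --- Direct detection: integrity of the code the device is running -------------
# Constructed sample: a stand-in for a known-good firmware image and the digest a
# manufacturer's release process would record for it (hypothetical values).
KNOWN_GOOD_FIRMWARE = b"PUMP-FW-1.4.2 (constructed sample image)"
REFERENCE_DIGEST = hashlib.sha256(KNOWN_GOOD_FIRMWARE).hexdigest()


def firmware_integrity_ok(image: bytes, reference_digest: str) -> bool:
    """Return True if the image hashes to the reference digest recorded at release."""
    actual = hashlib.sha256(image).hexdigest()
    # Constant-time comparison, so the check itself leaks nothing about the digest.
    return hmac.compare_digest(actual, reference_digest)


# --- Indirect detection: side effects visible in the device's own event log ----
# Constructed log format: "<timestamp> <source> <event> key=value ...".
# 'ui' is the bedside interface, 'net' the hospital-network interface, and
# 'pump' the motor controller reporting the rate it actually applied.
SAMPLE_LOG = """\
2017-02-22T09:00:01 ui RATE_SET rate_ml_h=25.0 drug=morphine
2017-02-22T09:00:02 pump RATE_APPLIED rate_ml_h=25.0
2017-02-22T09:15:30 net RATE_SET rate_ml_h=250.0 drug=morphine
2017-02-22T09:15:31 pump RATE_APPLIED rate_ml_h=250.0
2017-02-22T09:20:00 pump RATE_APPLIED rate_ml_h=60.0
"""

# Hypothetical drug-library limits (ml/h) and the only control path authorised
# to change the rate in this example.
DRUG_LIMITS = {"morphine": (0.1, 50.0)}
TRUSTED_CONTROL_SOURCES = {"ui"}


def parse_line(line: str) -> dict:
    """Split one log line into its fixed columns plus any key=value fields."""
    ts, source, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"ts": ts, "source": source, "event": event, **fields}


def detect_anomalies(log_text: str) -> list:
    """Return (timestamp, kind, detail) alerts for three side effects:
    a rate command from an unauthorised source, a rate outside the drug library
    limits, and an applied rate that no authorised command explains."""
    alerts = []
    last_authorised_rate = None
    drug = None
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["event"] == "RATE_SET":
            rate = float(ev["rate_ml_h"])
            drug = ev.get("drug", drug)
            if ev["source"] in TRUSTED_CONTROL_SOURCES:
                last_authorised_rate = rate
            else:
                alerts.append((ev["ts"], "UNAUTHORISED_CONTROL",
                               f"RATE_SET from '{ev['source']}'"))
            low, high = DRUG_LIMITS.get(drug, (0.0, float("inf")))
            if not low <= rate <= high:
                alerts.append((ev["ts"], "RATE_OUT_OF_LIMITS",
                               f"{rate} ml/h outside {low}-{high} for {drug}"))
        elif ev["event"] == "RATE_APPLIED":
            rate = float(ev["rate_ml_h"])
            # The motor reports what it really did; any mismatch with the last
            # authorised command is a side effect worth raising, whatever caused it.
            if last_authorised_rate is None or abs(rate - last_authorised_rate) > 1e-9:
                alerts.append((ev["ts"], "UNEXPLAINED_RATE_CHANGE",
                               f"pump applied {rate} ml/h, last authorised {last_authorised_rate}"))
    return alerts


if __name__ == "__main__":
    print("firmware ok:", firmware_integrity_ok(KNOWN_GOOD_FIRMWARE, REFERENCE_DIGEST))
    for alert in detect_anomalies(SAMPLE_LOG):
        print(*alert)
```

On the constructed log this raises four alerts: the network-sourced command and its out-of-range rate at 09:15:30, the pump then applying that unauthorised rate, and a later rate change with no command at all, which is the kind of indirect symptom the paragraph above has in mind. The point of the design is that the integrity check and the log monitor are independent of each other, so a compromise that defeats one still has to explain its effects to the other.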
INFORMATION SECURITY MANAGEMENT SYSTEMS (ISMS)
The Information Security Management System (ISMS) and its importance in protecting critical business processes.
It can be difficult to know where to begin when considering the issue of Cyber Security. At this point, it is imperative that we turn to international standards for guidance because they are the consensus amongst industry experts on what constitutes best practice.
The information security standard ISO 27001 tells us that starting with an ISMS is the most effective way to begin to protect our business and its information.
The ISMS provides protection from major failures of information systems and information security incidents. Implementing an ISMS also allows for operations to resume in a swift manner when security lapses occur.
It is not unusual for companies to be put off implementing an ISMS due to potential costs and a lack of understanding of its relevance. It’s also common for companies to believe that they already have certain operations in place for potential cyber-attacks and lapses in security.
Who is it relevant to?
An ISMS is relevant to all organisations regardless of whether they utilise stand-alone computers or complex heterogeneous network systems.
The advantages of adopting an ISO 27001 compliant ISMS are significant, and here are some of the key elements:
1. Implementing an ISMS provides procedures that go beyond antivirus software to encompass processes, people and the IT systems themselves.
2. Compliance is a key issue when considering an ISMS. Compliance will often provide the quickest ‘return on investment’. The ISO 27001 standard allows for companies/organisations to incorporate methodology regarding data protection, privacy and IT governance. Naturally, this is particularly an issue within health organisations.
3. It allows for greater credibility with staff, clients and partner organisations. It may provide a marketing edge in a competitive market that is likely to instil confidence in clients and investors.
4. A short term cost can lead to a long term gain. Investing in implementing an ISMS will provide more robust protection and minimise risk of suffering much greater costs.
5. An ISO 27001 compliant ISMS provides a structured framework for organising roles and responsibilities. Implementing an ISMS ensures that responsibilities and duties are defined quite clearly and this naturally creates a better informed and capable workforce.
6. It protects all types of information, e.g. email, verbal information, written data.
In the medical devices sector, there is a potential for harm to patients and operators and this introduces a new dimension to information security. Risk Management in medical devices seeks to minimise risk of harm to patients and personnel. Where hazardous situations can be caused by information security breaches, either through data integrity corruption or from lack of availability of data when it is needed, then an ISMS is the best mitigation because it provides a systematic approach to the management of information security.
- Penetration Testing
- Threat Analysis & Risk Treatment
- Information Security Management System (ISMS) development
- Malware Analysis
- Security Awareness Training & Advanced Security Training
- Software architecture and design