FDA Cybersecurity Regulations: Medical Devices

A cardiac pacemaker is a lifesaver for many and is considered an implantable medical device. The FDA imposes regulations to protect these devices. Experts Lee Neubecker and Sterling Medical Devices, top engineer, Keith Handler examine FDA Quality System Regulations, ISO standards, and FDA guidelines used by Sterling Medical Devices that are essential to the manufacturing practices.

FDA Cybersecurity regulations in medical devices is a tough topic! Consider the cardiac pacemaker, probably the most notable life-saving implantable medical device. Did you know that it is operated by a computer chip? Just like any other computer they can be vulnerable to cybersecurity breaches.

Experts Lee Neubecker and Sterling Medical Devices, top engineer, Keith Handler examine the FDA’s Cybersecurity quality system regulations, ISO standards, and guidelines followed by Sterling Medical Devices to ensure cybersecurity for all their devices.

Tune in to Part 2 of our 3 Part Series on Medical Devices

The FDA Cybersecurity Regulations: Medical Devices Video Transcript Follows.

Lee Neubecker (LN): Hi, I’m back on the show today with Keith Handler, Keith, thanks for being back on.

Keith Handler (KH): Thanks again for having me.

LN: And Keith, again, is from Sterling Medical Devices, and today we’re going to talk about what measures are in place, that the FDA imposes to help ensure cybersecurity on medical devices, especially safety of PHI, and safety of the operation of those devices for end-users. Thanks again for being here.

KH: Yeah, thanks for having me. So, cybersecurity. It’s a tough topic, and the FDA is still figuring out how exactly to deal with it. They have issued guidance that attempts to categorize how high the risk is of cybersecurity for a device and the basic standards you need to follow in designing, and testing, and documenting your processes for developing that device. That guidance is currently how we generally implement most of our analysis processes and controls. The FDA has chosen to recognize certain certifications, such as UL 2100-1-2.

LN: And what is UL 2100-1?

KH: 2100-1 is a certification for network-connected systems, as far as cybersecurity is concerned, and 2100-1-2 is a subset of that standard, specifically for medical devices connected to the internet or a network. Mostly that standard follows the 2100-1, with a couple of modifications, based on the fact that medical is safety-related.

LN: Have you seen any changes in the standard since the WannaCry attack that took out a lot of the UK hospitals?

KH: Nothing that I can point to specifically. You know, that really comes down to changing specific vulnerabilities, our knowledge about them, and the attack vectors that we know that are capable of executing these things, cataloging them, making sure that we plan for them in future designs.

LN: So I know Bluetooth is a protocol that’s vulnerable to exploitation. I think at one point in time, there was a warning that everyone should take their pacemaker and get it updated. Were you familiar with that?

KH: Yes.

LN: Can you tell people a little bit more about what happened?

KH: Yeah, well, in that specific case, I’m not actually 100% sure what occurred there, but most of the time your issues are, with a lack of authentication, a lack of encryption, you need to be sure that what the device is talking to on the other end is exactly who they expect it to be, what they expect it to be, and you have to make sure that that communication is secured and unchanged, unaltered. Typically, that’s done by using specific security libraries, integrating them in careful ways, making sure that all communication over the wire is encrypted, things like an asynchronous key generation.

LN: I think, just from my memory of events, one of the problems they discovered is that these protocols, there’s a period of time before authentication occurs, in the preamble when there’s broadcast of the Mac address, the wireless name, and whatnot, where there’s a potential to create an overflow situation, to actually compromise a device before encryption and authentication occurs.

KH: Yes, in certain system designs it is that way.

LN: And, unfortunately, these protocols are, you know, they’re everywhere. So, at the time, I believe that the chip makers and various equipment providers, not just only in the medical area, but across the board, had to create fixes that help protect against these types of cyber-attacks.

KH: Yes.

LN: So, you were talking about UL 2100-1-2, what about TIR57? Can you explain what that is?

KH: So, AAMI TIR57 describes how to marry up the processes of medical safety risk analysis and security analysis. It’s an attempt to show that the security analysis process is actually very similar and very familiar for anybody that’s done the safety risk analysis before. More of less, it takes ISO 14971 and applies security risk management to it with a mix of a little bit of some NIST standards in as well. But the general idea is to really categorize what assets you’re protecting in your system, and the known vulnerabilities that your system has, and then from there, you attempt to determine a list of known attack vectors and categorize the profiles of your possible attackers. With a combination of that type of information, you can assess what the real vulnerabilities and risks are for your system, and design in controls, from the ground up, to make sure that you’ve protected against them.

LN: Yeah, well, this is really fascinating stuff. I appreciate you being on the show, and I look forward to our next segment talking more about cybersecurity and how to keep these devices safe.

KH: Thanks again for having me, Lee.

Don’t Miss Part 1 of this 3-Part Series on Medical Devices

Part 1 of the 3-Part Series on Medical Devices

View Related Articles

To Learn More About Sterling Medical Devices

https://sterlingmedicaldevices.com/company/

FDA Cybersecurity Medical Devices Regulations

https://www.fda.gov/medical-devices/digital-health/cybersecurity

Please follow and like us:

Energy Sector: Global Cyber Insecurity

Global Energy Sector Cyber Insecurity can lead to complete chaos that will be felt throughout the world. Neubecker and Geary Sikich who are experts in cyber security and incident response share their solutions.

Energy Sector: Global Cyber Insecurity can lead to global calamity. If a major attack happens there would be a cascading effect with catastrophic results. In lieu of the most recent Iranian conflicts, the Energy Sector, as well as Corporate America, has been warned by our government to be aware of imminent security threats. Enigma Forensics CEO & President, Lee Neubecker and Geary Sikich, Principal at Logical Management Systems, Corp. take apart the many threats that will affect the Global Energy Sector. Starting with SCADA, which is a computer system for gathering and analyzing real-time data. Cyber Insecurity means if hacked the SCADA systems would have a rippling effect.

In this four-part series, Lee and Geary will discuss cyber threat detection, protection and global incident response in the Global Energy Sector.

The video transcript for Energy Sector: Global Cyber Insecurity follows.

Lee Neubecker (LN): Hi, I’m here again with Geary Sikich on my show. Geary is the president of Logical Management Systems, a business consulting and risk advisory firm. Geary, thanks for being on the show again.

Geary Sikich (GS): Thanks for having me back, Lee.

LN: So today we’re going to talk about the current state of global cyber insecurity. News events have been published detailing Iran’s potential cyber response. The energy sector has been put on notice to be looking out for attacks, as well as corporate America. So Geary, what is the current state of cyber risk as you see it?

GS: I think it’s kind of appropriate to begin to look at it as you introduce it, global insecurity. One has to begin to look at how secure are you? And in the context of how secure are you, how secure is our infrastructure. All the things we depend on for our day to day lives. And how we live, literally. So everything from your food on the table to the heat, to clean water, to your heat in your home, et cetera, all become potentially

LN: Transportation, travel, and fulfillment.

GS: Road systems, everything that’s out there.

LN: So we’re going to be talking about the highest areas of concern where a rogue terrorist organization might want to strike or a nation state that we’re at odds with. And unfortunately, we have quite a few. Later on in the second, third, and fourth segment we’ll be talking about detecting threats. In the third segment, we’ll be talking about protection against that, things that can be done proactively. And then finally, in the fourth and last segment we’ll be talking about responding to compromises, incident response, and how to recover and get back up online. So Geary, can you give everyone an understanding of what encompasses SCADA devices and what SCADA means?

GS: SCADA systems were developed for the use to control operations and utilities and other areas. It’s called the Supervisory Control and Data Acquisition.

LN: So what kind of devices make up SCADA devices?

GS: Everything from the control of pipelines, utility, electricity functions, all the way onto healthcare, pacemakers and other types of systems.

LN: CPAPs. So these are critical systems. These are systems that if someone wanted to cyber attack and really hurt us, they’re natural targets. And they’re classified as such because they have to be regulated and handled in a way to help keep them safe.

GS: Yeah. And the problem we face is not that these are systems that are so vulnerable, the problem we face is that because of the technology that we’ve embraced over the years since 1999, so that’s what, almost 20 years now. Or it is 20 years now. That those systems have become so embedded that we have gotten rid of the manual systems that they replaced. So things like switching for railroads. You would be hard pressed to find manual switches available to the industry. Because they got rid of ’em, and they were scrapped, and they’re gone. No once produces them, or should I say, they’re produced in limited quantities. And they’re hard to get. The things we depend on in a lot of respects for the smooth running of our infrastructure become very critical to us because there are no alternatives for those systems. And as a result, we become more and more vulnerable to a infiltration of the systems for disruption.

LN: And then we also have what’s known as FPGA’s, Field Programmable Gateway Arrays. They’re microprocessor controllers that can be programmed that can actually be altered by an attacker to change how these systems function, the logic that works. We can only think of, what would happen, Geary, if a nation state that we’re in a conflict with, what would happen if the water filtration system sensors were altered to put water out that appears safe but isn’t?

GS: I think you see a lot of that today simply because the threat levels are such that we have to make sure these systems are so well protected. And unfortunately, the ability to protect the systems is not necessarily as good as it should be, let me put it that way. It’s not that they’re bad, it’s not that they’re behind the times, it’s just that they’re trying to keep up with things that are changing so rapidly. Technology disruptions, and disruptive technologies today have made a lot of systems sort of antiquated before their time. And the problem is that, to keep up with replacement, to keep up with the viability systems becomes another burden to the system. Another critical issue in this global insecurity aspect is look at the talent pool that’s out there in the workforces, and you start to begin to realize that there are very few people that are talented in the areas where we need them. I think in our last segment that we did I mentioned that in the energy industry, nuclear engineers, petrochemical engineers, desperately needed areas because their workforce is transitioning and the skill levels are not there. So that becomes a real challenge.

LN: Just the past, in this month alone, cybersecurity firm Dragos issued a report showing that there is a number, I think around 11 groups that are actively targeting the energy sector and trying to take out various providers of energy. Oil, gas, you know, nuclear. There’s other threats there. You know, locally here in Chicago, you’re in Indiana, we’re in Illinois, what part of the energy sector to you think is at greatest risk?

GS: Well, I think the interesting point with that is that the bigger players, Commonwealth Edison, NIPSCO, Northern Indiana Public Service, are doing their part to ensure that their infrastructure is well maintained and protected. The problem we run into is that they’re not the only utility providers. If you look at across the United States, there are so many smaller utility providers, co ops, small utility companies, that don’t necessarily have the resources

LN: They don’t have the scale.

GS: Yeah, the skills. And the problem that they encounter and we encounter as a result is that they are critical links in the grid system. So everything from water, gas, electric, telecommunications, et cetera, all dependent on a lot of these small players. And getting one to go could potentially offer cascade effects to all the others. And as it cascades, things can get even more disruptive.

LN: So you could actually take down the big electrical utility by getting enough of the small, vulnerable electrical co ops and launching a cyber attack on the electrical co ops to then take out the big giant. Because when these happens, you have power imbalance. And Kirchhoff’s Law dictates the flow of electricity, and it will flow where it’s weak, and the current flows, well that can cause line tripping and power outages.

GS: Yeah. And I think the thing that people have to realize is that the apparently most vulnerable things are not necessarily the ones that are the most visible. And I say that in this respect, we look at power plants, we look at nuclear plants, and there’s a fear of someone attacking the plant. In reality, it’s the part of the system that are not related, or that are related, linked to the power plant, but not directly.

LN: It’s an interconnected system.

GS: It’s the transformers

LN: Everything from endpoint demand to supply. And in our prior video we talked about manipulation of endpoint demand that could cause a cyber attack.

GS: And it’s the step up and step down systems. When you generate it, electricity’s stepped up, it goes over transmission lines, it goes to a point, it’s stepped down and then it goes in the user groups, the residential, your cities, your smaller industries. So you start seeing these as being potentially vulnerable in a respect. In terms of vulnerability is that we have to begin to look at the users and begin to differentiate which ones are what we call interruptible and which ones aren’t.

LN: So in our next segment, we’ll be talking about detection of these threats, and then finally after that, the third segment we’ll talk about protecting and what organizations should do such as electrical co ops, things they can do to get ahead of this. And then when things invariably do go wrong, finally we’ll talk about incident response. So tune in next time, and please, we appreciate your shares, likes. Sign up for my YouTube channel if you liked this and you’ll get alerted when we publish the next one. Thank you.

Learn more about Global Cyber Security from Enigma Forensics

More on Global Security …

Here is the bulletin issued by the Department of Homeland Security on Global Security

https://www.dhs.gov/national-terrorism-advisory-system

Check out this article warning about Iranian Cyberattacks

https://fortune.com/2020/01/16/iran-cyberattack-false-flag-russia/

Please follow and like us:

Understanding EMR Audit Trails

Understanding EMR Audit Trails is important to any company dealing with (PHI). They must have all the necessary security measures in place and follow them to ensure HIPAA Compliance.

Understanding EMR Audit Trails is essential to a patient’s medical history In medical malpractice litigation. The Health Insurance Portability and Accountability Act (HIPAA) requires that the Electronic Medical Records (EMR) maintain an audit trail including all of the metadata. This EMR audit trail is a piece of highly relevant evidence as to who accessed what in the record, what entries were made and/or changed, by whom and when. Computer Forensic experts are key to effective electronic discovery during medical malpractice litigation.

How do hospitals record, protect, and store data? HIPAA sets the guidelines for the most highly sought after information by the world’s best technology hackers. Medical records are worth 4 times more than credit card information. Managing Personal Healthcare Information (PHI) places Healthcare facilities at risk of cyber attack 24/7, 365 days a year.

Check out this video with Enigma Forensics, President & CEO, Lee Neubecker, and John Blair, a noted Healthcare Industry Cyber Security Expert where they discuss the importance of protecting Personally Identifiable Information (PII).

Lee Neubecker and John Blair

Understanding EMR Audit Trails video transcript follows:

This is the third of the last video in the three-part series on Health Care Industry Cyber Threats:
Watch Part 1, Watch Part 2

Lee Neubecker: Hi, I have John Blair, a cyber security expert in the field of healthcare, and John is also involved with understanding patient medical, electronic medical record (EMR) audit trails, so I asked him to come on the show and talk a little bit about that with me. John, thanks for coming back on the show.

John Blair: Thanks, Lee. Glad to be back.

LN: So John, can you tell everyone a little bit about what HIPAA requires of healthcare organizations as it relates to tracking data of caregiving and the patients?

JB: Sure. Most of this is obviously directed at hospitals, but HIPAA also has things called business associates, and any interaction from any entity with, or any user with, PHI is going to be subject to these audit logging. Hospitals use systems called EMRs, so generally those, the audit trails are built into the EMRs by default, but obviously entities can turn those off if they so choose or configure them differently. HIPAA requires that you pretty much log any interaction, whether it’s read-only, view-only, edit, whatever that interaction might be. Identify the user, identify the time, what was done to the record, and that has to be maintained for several years. So it doesn’t matter what a user does with the record. Even if they just view it, that counts as a valid interaction and has to be logged and maintained.

LN: In fact, all of these hospital software systems out there have to be HIPAA compliant, or else the hospitals wouldn’t be able to use the software packages. Isn’t that true?

JB: Right, right. There’s a lot of federal regulations regarding that, that the standards that these systems have to meet in order to get refunds or rebates from the government.

LN: So Medicare funding, reimbursement, obviously is important.

JB: All of that stuff. And audit logs of user activity and interactions, or any interaction with PHI, is a critical component of that.

LN: You know, what I’ve seen is sometimes despite the software packages being EMR, audit trail compliant, that there’s the ability for the software that’s deployed to be altered so that the audit trails aren’t retained as long as required by law.

JB: Yeah, sometimes the storage of the audit logs, it can be overwhelming. So oftentimes they are archived offsite or inappropriate access is given to the audit log itself. And then it possibly can be changed, which ruins the integrity of the log, obviously, and that would be a very bad thing should something come up down the road and you needed that log.

LN: Yeah, and certainly, someone who has the master database administrator password to that back-end system, they could do whatever they wanted.

JB: Yup. But there’s supposed to be logs of that activity, as well, and reviews of those logs, but you’re absolutely right. If you’re an administrator, you can do a lot of damage.

LN: Yeah, I’ve assisted clients before involved in litigation, medical malpractice litigation, with just seeking the truth of what’s there in the records. Most of the time, they think many hospitals are compliant and do have those audit trail records.

JB: Absolutely.

LN: But, they don’t necessarily want to make that data readily available.

JB: No, they don’t. And it depends, it’s a case-by-case scenario, under the advice of counsel and things like that, but it’s very, very sensitive information, and obviously, it’s a public relations nightmare to have a breach of patient data, so they take those things very, very seriously.

LN: Absolutely. So can you tell everyone what PHI stands for?

JB: It’s Protected Health Information, as defined by HHS, there are 18 very specific fields that comprise PHI. PHI is a subset of PII, which is Personally Identifiable Information, but with respect to healthcare, it’s primarily PHI that we’re worried about and those 18 identifiable fields.

LN: Why would hackers want to target health care records?

JB: It’s far more valuable now than several years ago, it was credit card information, basically for year after year. Now, the credit card companies and technology with respect to how quickly a card can be replaced and deactivated. And so, just more money in it to steal medical information. And there’s more flexibility, as well. You can go get drugs, you can do a variety of things, whereas, with the credit card, it’s just money.

LN: If people wanted to launch a targeted scam on individuals, certainly having records that would enable them to filter patients that have Alzheimer’s, might give them an unfair advantage at duping people out of their savings.

JB: Absolutely. Because generally if you get someone’s entire record, you’re getting everything about them: their Soc number, their address, phone numbers, relatives, I mean, all this information is now at your disposal. And loans can be taken out in their names, it’s just a disaster waiting to happen.

LN: So Electronic Medical Records, known as EMR, represent an important target that hackers seek, because of the value of that information, and the uniqueness.

JB: Yup. The price of those records, per record, now varies, but I believe it’s in the $150, $200 range per record if it’s a breach now, and laptops can hold hundreds of thousands of records. So it can be very, very expensive.

LN: But it seems that this is a problem, too, that it isn’t just localized to any one area, it’s universal.

JB: Yeah, it’s across the board. Anyone dealing with PHI has this problem.

LN: How does the cost of a patient medical record compare to a credit card record, compare to the black market?

JB: Yeah, for the last several years, medical records have gained in value every year, while financial records, credit card information have devalued. And it’s to the point now where medical information’s worth four times as much as financial information. And that’s only increasing.

LN: So does that mean that people that work in the healthcare sector in IT and security are going to get paid four times as much as the people of the financial sector?

JB: I wish.

LN: Well, thanks again for being on the show, this was a lot of good stuff. I appreciate this.

JB: Thanks, Lee, appreciate it.

Other related stories about EMR Audit Trails

Other resources to learn more about EMR Audit Trails.

https://www.cdc.gov/phlp/publications/topic/hipaa.html

Please follow and like us:

Cyber Security Summit in Chicago

WGN Midday News Steve Sanders interviews Chicago Cyber Security Expert Lee Neubecker.

Chicago’s Enigma Forensics CEO & President Lee Neubecker Video Interview with WGN on Cyber Security

WGN’s Midday News Reporter Steve Sanders, interviewed Enigma Forensics CEO Lee Neubecker and Cyber Security Chicago Conference Event Director David Juniper today.  The conference debuted last year and was successful.  Chicago is becoming a National Cyber Security and technology hub. 

Tomorrow’s event is taking place at McCormick Place on Sept. 26 and 27 featuring 90+ speakers and 4,000+ attendees.

Watch the interview on video by clicking below:

More on Cyber Security

Please follow and like us: