Presentation on Medical device security and emerging standards for the Internet of Things. Presented by Anura Fernando of UL at The Security of Things Forum, Sept. 10, 2015.
2. Anura S Fernando
Anura S. Fernando is UL’s Principal Engineer for Medical Software &
Systems Interoperability.
Background:
• Degrees in Electrical Engineering, Biology/Chemistry, and Software Engineering
• Over 17 years’ experience at UL with safety critical software and control systems certification;
as well as research across many industries – process automation, alternative energy, medical,
hazardous locations, appliances, optical radiation, nanotechnology, battery technologies, etc.
• Research and publications in Predictive Modeling and Risk Analysis, Cybersecurity, Systems of
Systems, Software, Health IT, Apps, and Medical Device safety.
• Projects with numerous Fortune 500 companies, DoD, DoE, DHS, FDA, FCC, ONC, NASA
and several U.S. National Laboratories
Additional experience relevant for this discussion/audience:
• Contributed to the development of several standards involving software and Functional Safety
as a member in IEC, ISO, ASME committees and Expert Task Force member.
• UL lead for the development of the AAMI/UL 2800 family of eHealth standards for
interoperable medical device interface safety.
• Member of the Federal Advisory Committee FDASIA WG to the Health IT Policy Committee,
FDA Medical Device Interoperability Coordinating Council, Medical Device Interoperability
Safety Working Group, Health Information Management Systems Society, Association for the
Advancement of Medical Instrumentation, and the International Council on Systems
Engineering
3. Not too long ago, we were pretty focused on
what could be done in the cloud…
http://gcn.com/Blogs/Pulse/2012/12/VA-cloud-Office-365-for-600000-users.aspx
4. Now we’re equally interested in what is
happening around the cloud…
http://www.slate.com/blogs/future_tense/2014/08/05/oregon_gulch_fire_photos_show_pyrocumulus_clouds_and_fighter_jets_over_wildfire.html
5. What do we call this new domain?...the “Fog”
http://www.bahrainweather.gov.bh/education_fog
16. Understanding new science…what makes “fog”
Image extracted from Systems Engineering Fundamentals. Defense Acquisition University Press, 2001
18. HBSE (Hazard Based Safety Engineering)
Figure, HBSE Premise: Hazardous Energy Source → Transfer Mechanism → Susceptible Part (…or Data …or Process)
Figure, HBSE Standard Injury Fault Tree: INJURY is the top event, reached when ENERGY TRANSFER (BODILY EXPOSURE combined with an INADEQUATE EQUIPMENT SAFEGUARD: equipment safeguard failure or no equipment safeguard) coincides with an INADEQUATE PERSONAL SAFEGUARD (personal safeguard failure, no personal safeguard, or inadequate personal avoidance because avoidance was not possible or not attempted); the hazardous energy itself is released by an initiating event.
Figure, HBSE Process: identify energy source → is source hazardous? (Yes/No) → identify means by which energy can be transferred to a body part → design safeguard which will prevent energy transfer to a body part → measure safeguard effectiveness → is safeguard effective? (Yes/No) → done
Analysis Drives UL’s Safety Testing and Certification
19. Applying HBSE to Wearable Technologies
Figure, HBSE Premise applied to a wearable: Hazardous Energy Source → Transfer Mechanism → Susceptible Part (…or Data …or Process)
Are there any hazards?
20. We can see some WT IoE risks
Figure labels (risks called out on the wearable):
• Optical Radiation (LASER, UV, etc.)
• Privacy, Security, Performance if used by a doctor (Cryptographic verification, HIPAA)
• Acoustic Energy
• Data Integrity
• Usability
21. Even some unique new problems can
arise…”cybersickness”
Reported symptoms (Viola, SIGCHI Bulletin Volume 32, Number 1, January 2000):
• Eye strain
• Headache
• Pallor
• Sweating
• Dryness of mouth
• Fullness of stomach
• Disorientation
• Vertigo
• Ataxia
• Nausea
• Vomiting
22. Different layers of the IoE system require different
risk considerations
http://sebokwiki.org/wiki/Applying_Life_Cycle_Processes
23. What about “big data” from the IoE…
http://www.districtoffuture.eu/index.php/mod.pags/mem.detalle/id.10/relcategoria.1077/relmenu.5
24. Where is all this data stored? Is it secure?
Is it correct? Can I trust it?...
25. Big data problems can be due to little
differences in context
https://blogs.synopsys.com/configurablethoughts/2012/05/sensing-your-world/
26. Who should get a reduced premium?
http://www.unfitbits.com/
http://www.nutripro.net/become-a-morning-jogger/
27. Who is a hacker?
http://www.unfitbits.com/
http://impulse.coreatcu.com/opinions/2014/10/30/hacker-culture-bank-account-mine/
http://www.gizmag.com/funtoro-bus-coach-infotainment-system/15056/
28. A hacker is…
• Someone who exploits imperfections of the system for personal or
organizational (e.g. nation state) gain.
http://sebokwiki.org/wiki/Applying_Life_Cycle_Processes
http://www.ibis-instruments.com/index.php?link=en/menu/2211/protocol-analysis
http://www.quora.com/What-is-wireless-sensor-network-WSN-technology
29. Different kinds of wearables bring different risks
Created by Beecham Research in Partnership with Wearable Technologies Group
http://www.hl7standards.com/blog/2013/09/12/redesigning-wearable-tech/
30. Managing complexity is a key to security
http://scholar.lib.vt.edu/ejournals/JOTS/v32/v32n1/images/mcquade1.jpg
31. Defense in depth
Figure: layered security risk controls surrounding the asset, with breach and privilege control as the outer layers
Managing breaches and elevation of privilege
32. Architecture can promote safety, security, and
robustness
Figure (fault tree): top event “Sensor system fails dangerously”; contributing events: Sensor A fails dangerously; Sensor B fails dangerously; Sensors A and B fail dangerously due to CCF (common cause failure)
33. Specifications, standards, codes, and regulations
can help guide architects and developers
Regulations
Standards
Specifications
Codes
34. Case Study – Healthcare
(ASTM F2761 ICE architecture)
FDA Recognized Consensus Standard
37. All this data could help improve healthcare
http://www.cs.purdue.edu/homes/bertino/IIS-eHealth/images/ehealth_full.jpg
38. The medical Internet of Things (mIoT)
Digital health devices — defined as “an internet-connected
device or software created for detection or treatment of a
medical indication”
— saved the US healthcare system $6 billion last year in
the form of improved medication adherence, behavior
modifications and fewer emergency room visits. They
predict that savings will grow to $10 billion in 2015,
$18 billion in 2016, $30 billion in 2017 and $50 billion in
2018.
- Accenture
39. UL participates with government agencies to
establish perspectives on risk
http://www2.idexpertscorp.com/images/uploads/ehr.jpg
http://static.ddmcdn.com/gif/wireless-network-1a.jpg
http://www.commercialintegrator.com/
FDA Safety and Innovation Act (FDASIA WG)
40. Regulators are balancing risk and innovation…
FCC Requirements for MBAN and FDA MOU – 24 May 2012
FDA Guidance: RF Wireless Technology…– 13 Aug 2013
FDA Guidance for Home Use Devices – 24 Nov 2014
FDA Draft Guidance: General Wellness (Low Risk) – 20 Jan 2015
FDA Guidance: Mobile Medical Applications – 25 Sept 2013
EC Guidance Document – Qualification and Classification of stand alone
software (MEDDEV 2.1/6) – Jan 2012
FDA Final Rule: MDDS – 15 Feb 2011
FDA Guidance: Medical Device Data Systems, Medical Image Storage
Devices, and Medical Image Communications Devices – 9 Jan 2015
FDA Guidance: Management of Cybersecurity – 2 Oct 2014
41. Consumer product or medical device?
A medical device is "an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is: recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them, intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes."
http://www.fda.gov/aboutfda/transparency/basics/ucm211822.htm
42. Labeling can make all the difference…
http://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/ObesityDevices/ucm350134.htm
Treat Obesity vs. Manage Weight
43. The struggle to characterize relative risk
Proposed in 2015 draft guidance on low risk general wellness
devices
Whether a device is low risk for purposes of this guidance is
determined by whether or not the product:
1) is invasive;
2) involves an intervention or technology that may pose a risk to a
user’s safety if device controls are not applied, such as risks from
lasers, radiation exposure, or implants;
3) raises novel questions of usability; or
4) raises questions of biocompatibility.
44. Consumer products may be regulated too
US Consumer Product Safety Commission
- Consumer Product Safety Improvement Act (e.g. wearable tech considered
children’s “jewelry”)
- Mechanisms to facilitate recalls
US Federal Trade Commission
- Federal Trade Commission Act (e.g. FTC levies fines against melanoma
detection apps…”lacks adequate evidence to support their claims”…)
- …”unfair or deceptive acts or practices in or affecting commerce; (b) seek
monetary redress and other relief for conduct injurious to consumers”…
Occupational Safety and Health Administration
- Most employees in the US come under OSHA jurisdiction (e.g. NIOSH
recommendations for body-worn RFID)
45. Not just in the US
EU data protection reform allows penalties up to 100m Euros
Ongoing attempts to strictly regulate cybersecurity in China have
included tight controls of the supply chain and significant IP disclosures for
imported products.
Cyber security is one of Australia's national security priorities under the
Prime Minister's 2008 National Security Statement. Australia's national
security, economic prosperity and social wellbeing rely on the
availability, integrity and confidentiality of a range of information and
communications technology. This includes desktop computers, the
internet, telecommunications, mobile communications devices and
other computer systems and networks.
47. Is the data properly encrypted?
Cryptographic Verification
http://img.mit.edu/newsoffice/images/article_images/20110214123646-1.jpg
48. What if my wearable interacts with health IT systems?
Figure: data path from the device over the WWW to Acme Insurance
49. Are there new risks to consider?
Figure: the same data path from the device over the WWW to Acme Insurance
50. How secure are my data exchanges?
Figure: data stream 1001010010100101101010
51. Has my data been compromised (even a little)?
EXAMPLE: Single Event Upset or Data Corruption, shown as the data stream 1001010010100101101010X with one symbol altered
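The question on this slide, whether a record has been altered even by a single bit, is what a keyed integrity check answers. The following is an added example, not code from the presentation or from UL, using Python's standard hmac module with a constructed sample record and a placeholder shared key:

```python
import hmac
import hashlib

# Constructed placeholder: a key the wearable and the health-IT back end
# would provision out of band. Not a real key.
SHARED_KEY = b"wearable-device-0001-demo-key"

def tag_record(record: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Return an HMAC-SHA256 tag that covers every bit of the record."""
    return hmac.new(key, record, hashlib.sha256).digest()

def verify_record(record: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare in constant time (no timing leak)."""
    return hmac.compare_digest(tag_record(record, key), tag)

def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a single event upset: invert exactly one bit of the payload."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)

def corruption_detected(record: bytes, bit_index: int) -> bool:
    """True if flipping one bit makes the original tag fail verification."""
    tag = tag_record(record)
    return not verify_record(flip_bit(record, bit_index), tag)

# Constructed sample telemetry record; not real patient data.
SAMPLE = b'{"device":"demo-hr-01","hr_bpm":72,"ts":"2015-09-10T09:00:00Z"}'

if __name__ == "__main__":
    tag = tag_record(SAMPLE)
    print("intact record verifies:", verify_record(SAMPLE, tag))
    print("single flipped bit detected:", corruption_detected(SAMPLE, 5))
```

The tag reports that something changed, not whether the cause was a cosmic-ray upset or tampering; the receiver's response (re-request, alert, fail safe) has to be designed for both.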
52. How do I respond when service is lost?
EXAMPLE: No Data
53. Reduce the likelihood of breaches
Addressing such system robustness issues in general can minimize
weaknesses that hackers could exploit.
http://sebokwiki.org/wiki/Applying_Life_Cycle_Processes
http://www.ibis-instruments.com/index.php?link=en/menu/2211/protocol-analysis
http://www.quora.com/What-is-wireless-sensor-network-WSN-technology
54. Standards can help establish assurance cases
https://buildsecurityin.us-cert.gov/bsi/1051-BSI/version/default/part/ImageData/data/Assurance_Cases_and_LifeCycle_Processes.png
Safety Standards
55. Regulators Leverage Standards
Aug 6, 2013 FDA Recognized Consensus Standards Support
Interoperability:
There are 25 new standards grouped mainly into three categories:
1. Managing risk in a connected and networked environment;
2. Nomenclature, frameworks and medical device specific communications,
including system and software lifecycle process;
3. Cybersecurity including standards from the industrial control systems arena
that are relevant to medical devices.
Coming soon:
AAMI / UL 2800 – interoperable medical device safety