A little over a week ago, I attended the workshop on the FDA White Oak Campus, Silver Spring, MD (January 20-21, 2016): “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity.” It was sponsored by the FDA Center for Devices & Radiological Health (CDRH), the National Information Sharing Analysis Center (NH-ISAC), the Department of Health and Human Services (HHS) and the Department of Homeland Security (DHS); see www.fda.gov/medicalcountermeasures. The PDFs of the two sessions can be found on that web site.
It was a jam-packed agenda of meetings and discussions over two days, and the content covered a wide range of very interesting topics. Cybersecurity overall is a hot topic and very relevant to us today, not only for financial security but for network security.
A lot of the buzz centered on the issues regarding one manufacturer’s infusion pump, as well as software patches (I will shed some light on this).
Over fifteen years ago I was asked by a medical device company to conduct a research study on connecting a medical device to a network wirelessly. They asked me if I could actually make their non-networked medical device wireless (in this case it was an infusion pump). Mind you, that was in 2001. I had a client bridge out of my black bag (from the company that I worked for) which was traditionally used for POS (point of sale); on one end it had an RS-232 connection, and the bridge also contained an RS-232/Ethernet to 802.11b interface. On the other end of the network connection I had a WLAN PCMCIA card in a laptop, with a WLAN AP in between. After a couple of minutes I was able to control the infusion pump from the laptop (on/off, change settings, etc.) with a custom program running on the laptop. I felt at the time that we were way ahead of the game, because infusion pumps did not even have WLAN adapters built in! I found this to be an interesting R&D experiment.
The important thing to note today is that pretty much all infusion pumps have a networked interface, in this case 802.11a/g/n, for the purposes of downloading drug libraries and uploading log files. These pumps are all connected to the “enterprise network,” which will employ the most up-to-date security best practices.
For example, the Cisco “best security practices” that enterprises now deploy on the wireless side include the following:
• Disable or avoid using local EAP.
• Although the WLAN controller and access points do support an SSID using Wi-Fi Protected Access (WPA) and WPA2 simultaneously, it is very common that some wireless client drivers cannot handle complex SSID settings. Whenever possible, Cisco recommends WPA2 only with Advanced Encryption Standard (AES). However, due to standards and the mandatory Wi-Fi Alliance certification process, TKIP support is required across future software versions.
• Keep the security policies simple for any SSID: for example, a separate WLAN/SSID with WPA and Temporal Key Integrity Protocol (TKIP), and a separate one with WPA2 and AES. Since TKIP is being deprecated, Cisco recommends using TKIP together with WEP, or migrating away from TKIP completely and using PEAP if possible.
• If designing for identity-based networking services, where the wireless clients should be separated into several sub-networks for security reasons (for example, each one with different security policies), use one or two WLANs together with the AAA-Override feature. AAA-Override allows you to assign per-user settings, for example moving the user to a specific dynamic interface in a separate VLAN or applying a per-user Access Control List (ACL).
• For 802.1X, it is recommended to configure the lowest RADIUS timeout possible for a big or busy network, since the longer the timeout, the longer a frame re-transmission is held in the RADIUS queue. Depending on the capacity of the network and how busy the queue may be, a longer timeout may increase the retransmission failure rate, and it may take longer to discover that a RADIUS server is down. For most network deployments with a high authentication count, a smaller timeout is better to improve capacity handling in the controller. Smaller timeouts also let the WLC recover faster from an unresponsive RADIUS server. However, for RADIUS NAC (ISE) and RADIUS over a slow WAN, a longer timeout (5 seconds) is recommended.
The Cisco Unified Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) is part of the Cisco Self-Defending Network and is the first integrated wired and wireless security solution in the industry. The Cisco Unified IDS/IPS takes a comprehensive approach to security—at the wireless edge, wired edge, WAN edge, and through the data center. When an associated client sends malicious traffic through the Cisco Unified Wireless Network, a Cisco wired IDS device detects the attack and sends shun requests to Cisco Wireless LAN Controllers (WLCs), which then disassociate the client device.
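To make the WLAN guidance above concrete, here is an added example (not Cisco's tooling and not a real WLC export format) that audits a set of SSID profiles against those recommendations: local EAP, WEP/TKIP ciphers, mixed WPA/WPA2 on one SSID, and the RADIUS timeout, with the NAC/slow-WAN exception handled. The WlanProfile fields, the 2-second "busy network" threshold and the sample profiles are all assumptions constructed for this illustration.

```python
"""Audit WLAN/SSID profiles against the WLC best practices quoted above.

Added example, not Cisco's tooling or a real WLC export format: the
WlanProfile fields and the sample profiles are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Thresholds in seconds. The guidance says: keep the RADIUS timeout as low as
# possible on busy networks, but about 5 s for RADIUS NAC (ISE) or RADIUS over
# a slow WAN. The "low" value of 2 s is an assumption for this example.
BUSY_NETWORK_MAX_TIMEOUT = 2
NAC_OR_SLOW_WAN_TIMEOUT = 5


@dataclass
class WlanProfile:
    ssid: str
    wpa_versions: Set[str]          # subset of {"WPA", "WPA2"}
    ciphers: Set[str]               # subset of {"AES", "TKIP", "WEP"}
    auth: str                       # "802.1X", "PSK" or "local-EAP"
    radius_timeout: int = 2         # seconds; only meaningful for 802.1X
    nac_or_slow_wan: bool = False   # RADIUS NAC (ISE) or RADIUS over a slow WAN


def audit_wlan(p: WlanProfile) -> List[str]:
    """Return a list of findings; an empty list means the profile follows the guidance."""
    findings: List[str] = []

    if p.auth == "local-EAP":
        findings.append("local EAP enabled; disable it and authenticate against an external AAA server")

    if "WEP" in p.ciphers:
        findings.append("WEP cipher enabled")
    if "TKIP" in p.ciphers:
        findings.append("TKIP enabled; it is deprecated, migrate to WPA2 with AES")

    if p.wpa_versions == {"WPA", "WPA2"}:
        findings.append("WPA and WPA2 mixed on one SSID; some client drivers cannot handle this, use separate SSIDs")
    elif p.wpa_versions == {"WPA"}:
        findings.append("WPA (not WPA2) in use; WPA2 with AES is recommended")

    # RADIUS timeout only applies to 802.1X against an external server.
    if p.auth == "802.1X":
        if p.nac_or_slow_wan and p.radius_timeout < NAC_OR_SLOW_WAN_TIMEOUT:
            findings.append(
                f"RADIUS timeout {p.radius_timeout}s is short for NAC/slow WAN; "
                f"about {NAC_OR_SLOW_WAN_TIMEOUT}s recommended")
        elif not p.nac_or_slow_wan and p.radius_timeout > BUSY_NETWORK_MAX_TIMEOUT:
            findings.append(
                f"RADIUS timeout {p.radius_timeout}s is long for a busy network; "
                f"keep it at or below {BUSY_NETWORK_MAX_TIMEOUT}s")

    return findings


def audit_all(profiles: List[WlanProfile]) -> Dict[str, List[str]]:
    """Map each SSID to its findings."""
    return {p.ssid: audit_wlan(p) for p in profiles}


# Constructed sample profiles (not from any real hospital network):
# a legacy mixed-mode SSID, a hardened device SSID, and a NAC SSID whose
# timeout was left at the busy-network value by mistake.
SAMPLE_PROFILES = [
    WlanProfile("CLINIC-LEGACY", {"WPA", "WPA2"}, {"TKIP", "AES"}, "local-EAP"),
    WlanProfile("CLINIC-DEVICES", {"WPA2"}, {"AES"}, "802.1X", radius_timeout=2),
    WlanProfile("CLINIC-NAC", {"WPA2"}, {"AES"}, "802.1X", radius_timeout=2,
                nac_or_slow_wan=True),
]

if __name__ == "__main__":
    for ssid, findings in audit_all(SAMPLE_PROFILES).items():
        print(ssid, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Running the script lists three findings for the legacy SSID (local EAP, TKIP, mixed WPA/WPA2), none for the hardened device SSID, and one for the NAC SSID, where the short timeout that is correct for a busy network is wrong for ISE. Note that the order of the checks matters only for readability; each finding is independent, so the same profile can legitimately trigger several.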
The Cisco IPS is an inline, network-based solution designed to accurately identify, classify, and stop malicious traffic, including worms, spyware/adware, network viruses, and application abuse, before they affect business continuity.
With Cisco IPS Sensor software version 5, the Cisco IPS solution combines inline prevention services with innovative technologies to improve accuracy. The result is total confidence in the protection provided by your IPS solution, without the fear of legitimate traffic being dropped. The Cisco IPS solution also offers comprehensive protection of your network through its unique ability to collaborate with other network security resources, and provides a proactive approach to the protection of your network.
The Cisco IPS solution helps users stop more threats with greater confidence through the use of these features:
• Accurate inline prevention technologies—Provides unparalleled confidence to take preventive action against a broader range of threats without the risk of dropping legitimate traffic. These unique technologies offer intelligent, automated, contextual analysis of your data and help ensure that you receive the most out of your intrusion prevention solution.
• Multi-vector threat identification—Protects your network from policy violations, vulnerability exploitations, and anomalous activity through detailed inspection of traffic in Layers 2 through 7.
• Unique network collaboration—Enhances scalability and resiliency through network collaboration, including efficient traffic capture techniques, load-balancing capabilities, and visibility into encrypted traffic.
• Comprehensive deployment solutions—Provides solutions for all environments, from small and medium-sized businesses (SMBs) and branch office locations to large enterprise and service provider installations.
• Powerful management, event correlation, and support services—Enables a complete solution, including configuration, management, data correlation, and advanced support services. In particular, the Cisco Security Monitoring, Analysis, and Response System (MARS) identifies, isolates, and recommends precision removal of offending elements, for a network-wide intrusion prevention solution. The Cisco Incident Control System prevents new worm and virus outbreaks by enabling the network to rapidly adapt and provide a distributed response.
It was also recommended that, going forward, any such medical device have some form of automatic log-on and log-off biometric authentication (this obviates the requirement for passwords).
The majority of legacy and even current WLAN-networked medical devices have RS-232 ports available for biomedical service maintenance.
While, yes, someone could realistically bring a laptop into a patient room and connect to an individual medical device, that would more than likely be very difficult, since the device is already, in all likelihood, connected to the network with the proper authentication and IDS. Proper facilities security should prevent any such person from being in the patient care area in the first place. Lastly, RS-232 ports could simply be disabled.