How to Avoid Medical Device Security Failures


People often think of security only in terms of “confidentiality.” However, the security industry defines itself in terms of confidentiality + availability + integrity. In healthcare, two of the largest security risks are not having the data you need when you need it (availability) and missing or corrupted data (integrity). There have been plenty of talks about preventing malware and avoiding data breaches. In contrast, this meeting will focus on the risk landscape for devices and databases concerning inadvertent corruption or blockage of data, which can be life-threatening.
Mike Ahmadi from Codenomicon (the software testing firm that recently discovered the Heartbleed bug (http://www.healthcareinfosecurity.com/how-to-treat-heartbleed-bug-a-6731)) will explore a variety of ways that things can go wrong and some of the techniques to anticipate and minimize these risks. For example, what can go wrong with mobile devices and remote monitoring? How can prevention protocols be set up and/or improved?
One of the ways to find and fix vulnerabilities is a technique called “fuzz testing.” “Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems.” ( http://en.wikipedia.org/wiki/Fuzz_testing )
Fuzz testing is now recommended by the FDA. According to Codenomicon, “There is only one solution to the security and safety threat posed by low quality code: Fuzz Testing. The more critical the solution is for patients' health the more rigorous fuzzing is needed. The FDA is developing a cybersecurity laboratory in which a fuzz testing capability is to be integrated. The FDA has chosen Codenomicon Defensics as their tool of choice for fuzzing.” ( http://www.codenomicon.com/solutions/medical/ )
Relevant articles:
"It’s Insanely Easy to Hack Hospital Equipment" http://www.wired.com/2014/04/hospital-equipment-vulnerable/
http://www.fda.gov/medicaldevices/productsandmedicalprocedures/connectedhealth/ucm373213.htm
See interview with Mike regarding Heartbleed and medical devices at http://www.healthcareinfosecurity.com/interviews/how-heartbleed-affects-medical-devices-i-2307
[Added benefit: One Medical is happy to offer all attendees a 3 month discounted membership to its practice, simply for coming by! They will provide a code for all attendees at the event with specific sign up instructions.]
[Also see other upcoming events listed below…]
6:30-7:00 networking and refreshments
7:00-7:15 introductory remarks
7:15-8:15 presentation/panel discussion
8:15-8:45 Q&A
8:45-9:00 adjourn and networking
Free for SVForum Members; otherwise, $20. Register & pay at http://svforum.org/Healthcare-IT/Healthcare-IT-How-Avoid-Medical-Device-Security-Failures .
SPEAKER:
Mike Ahmadi, CISSP, Global Director of Business Development at Codenomicon
Mike is well known in the field of critical infrastructure security, including industrial control systems and health care systems. He served on the California Office of Health Information Integrity Security Steering Committee in drafting the state level policies on HIPAA HITECH, and is an active member of the Medical Device Innovation Safety and Security Consortium (MDISS), where he introduced the Vendor Security Practices project, and is also an active member of the Association for the Advancement of Medical Instrumentation (AAMI) Medical Device Security Working Group, where he has contributed to technical industry reports. Mike has also worked closely with the US Food and Drug Administration in assisting them with developing their cybersecurity testing capabilities. Mike also currently serves as an active member of the US Department of Homeland Security Industrial Control Systems Joint Working Group, and as part of the advisory board for the US Secret Service Electronic Crimes Task Force. Mike has been a co-author of several publications, including the American Bar Association Security and Privacy guide and AAMI Journals, and also serves on the editorial board of ISSA Journal.
Thank you to our sponsors, NEA and Qualcomm, and to OneMedical for hosting the event.
++++++++++++
OTHER MEETINGS OF INTEREST:
++++++++++++
Healthcare Track - TiEcon 2014
Saturday, May 17, 2014
10:15 AM to 12:30 PM
Santa Clara Convention Center
To get special pricing and $100 off, please use this link to register and use the promo code “TiEvalue”: https://www.123signup.com/register?id=dbnfb&ref=4187654
++++++++++++
Patient Engagement
Monday, May 19, 2014
1:00 PM to 8:00 PM
HIMSS Northern California Chapter
Parc 55 Wyndham Hotel, San Francisco, CA
“Leveraging engagement technologies to drive personal behavior change and improve patient experience”
Agenda and Registration (only $55 for HFMA & SVForum members): http://www.nocalhimss.org/2014StateHITWeekMay19/2014StateHITWeekMay19.html
++++++++++++
Launch: Silicon Valley 2014 - The World Cup Tech Challenge
May 20, 2014
7:30 AM to 5:00 PM
SVForum
Microsoft Building 1, 1065 La Avenida St, Mountain View, CA 94043
For 8 years Launch: Silicon Valley has been firmly established as the premier product launch platform for startups from around the world. On May 20th, 30 startups from 16 countries will pitch their product to a panel of top Silicon Valley and International investors. This includes six Health Technology companies.
Website: http://www.launchsiliconvalley.org
++++++++++++
ANNUAL INNOVATION CONFERENCE: PATHWAYS TO SUSTAINABLE HEALTH
May 20, 2014
8:00 AM-7:30 PM
Health Tech Forum
Parc 55 Wyndham Hotel, San Francisco
"Pathways to Sustainable Health will feature a day full of compelling keynotes, panels, discussions, product demonstrations and an expo. Learn how technology is being leveraged to drive successful outcomes across geographic and cultural boundaries."
Agenda: http://healthtechnologyforum.com
Registration: http://www.eventbrite.com/e/2014-htf-innovation-conference-pathways-to-sustainable-health-registration-10730373837
SAVE $80! Apply this promo code when registering: HTF14-HTFMEMBER
++++++++++++
Healthcare IT Advocacy Day
Thursday, May 22, 2014
8:00 AM to 4:00 PM
HIMSS Northern California Chapter
Esquire Building, 1215 K St #1650, Sacramento, CA 95814
HIMSS Northern California Chapter’s annual opportunity to hear about policies affecting HIT, visit legislators, and become educated on what is going on in California around HIT legislation.
Agenda and Registration: http://www.nocalhimss.org/2014StateHITWeekMay22/2014StateHITWeekMay22.html
