Healthcare IT: How to Avoid Medical Device Security Failures
[Added benefit: One Medical is happy to offer all attendees a 3 month discounted membership to its practice, simply for coming by! They will provide a code for all attendees at the event with specific sign up instructions.]
People often think of Security only in terms of “confidentiality.” However, the security industry defines itself in terms of confidentiality + availability + integrity. In healthcare, two of the largest security risks are not having the data you need when you need it (availability) and missing or corrupted data (integrity). There have been plenty of talks about preventing malware and avoid data breaches. In contrast, this meeting will focus on the risk landscape for devices and databases concerning inadvertent corruption or blockage of data, which can be life-threatening.
Mike Ahmadi from Codenomicon (the software testing firm that recently discovered the Heartbleed bug) will explore a variety of ways that things can go wrong and some of the techniques to anticipate and minimize these risks. For example, what can go wrong with mobile devices and remote monitoring? How can prevention protocols be set up and/or improved?
One of the ways to find and fix vulnerabilities in a technique called “fuzz testing.” “Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems.” (http://en.wikipedia.org/wiki/Fuzz_testing)
Fuzz testing is now recommended by the FDA. According to Codenomicon, “There is only one solution to the security and safety threat posed by low quality code: Fuzz Testing. The more critical the solution is for patients health the more rigorous fuzzing is needed. The FDA is developing a cybersecurity laboratory in which a fuzz testing capability is to be integrated. The FDA has chosen Codenomicon Defensics as their tool of choice for fuzzing.”(http://www.codenomicon.com/solutions/medical/)
"It’s Insanely Easy to Hack Hospital Equipment" http://www.wired.com/2014/04/hospital-equipment-vulnerable/
See interview with Mike regarding Heartbleed and medical devices at http://www.healthcareinfosecurity.com/interviews/how-heartbleed-affects-medical-devices-i-2307
SPEAKER:Mike Ahmadi, CISSP, Global Director of Business Development at CodenomiconMike is well known in the field of critical infrastructure security, including industrial control systems and health care systems. He served on the California Office of Health Information Integrity Security Steering Committee in drafting the state level policies on HIPAA HITECH, and is an active member of the Medical Device Innovation Safety and Security Consortium (MDISS), where he introduced the Vendor Security Practices project, and is also an active member of the Association for the Advancement of Medical Instrumentation (AAMI) Medical Device Security Working Group, where he has contributed to technical industry reports. Mike has also worked closely with the US Food and Drug Administration in assisting them with developing their cybersecurity testing capabilities.Mike also currently serves as an active member of the US Department of Homeland Security Industrial Control Systems Joint Working Group, and as part of the advisory board for the US Secret Service Electronic Crimes Task Force. Mike has been a co-author in several publications, including the American Bar Association Security and Privacy guide, AAMI Journals, and also serves on the editorial board of ISSA Journal.+++++++++++++++++++++++++++++++++++++++++++++++++++
STANDARD HEALTHCARE IT SIG AGENDA:
6:30 - 7:00 p.m. Registration / Networking / Refreshments
7:00 - 7:15 p.m. Announcements and Introductions
7:15 - 8:30 p.m. Presentation and Discussion
8:30 - 8:45 p.m. Wrap-up / Networking