Cybersecurity and connected implantable cardiac devices

Paolo Raffaelli, Marketing Director EMEA, Abbott

Transcript of "Cybersecurity and connected implantable cardiac devices" (14 pages)

Page 1: Cybersecurity and connected implantable cardiac devices

Paolo Raffaelli

Marketing Director EMEA, Abbott

Page 2

Cybersecurity and connected cardiac devices | Agenda

• Remote monitoring: structure, benefits and risks

• FDA: Abbott safety notice, August 2017

• What Abbott is doing in the area of cybersecurity


Page 3

Connected implantable cardiac devices

Figure: the implanted device is read in the clinic (programmer) and at home (home monitor); both paths carry data over Abbott's proprietary Merlin.net network, certified ISO 27001:2013

Page 4

Remote monitoring | Benefits

Figure: quoted benefits of IoT in healthcare – McKinsey, 2015

Source: https://www.ibm.com/blogs/internet-of-things/6-benefits-of-iot-for-healthcare/

Source: Manyika, J., et al. (2015). The internet of things: Mapping the value beyond the hype. McKinsey Global Institute. Accessed 10/11/2017 from: https://www.mckinsey.com/~/media/McKinsey/Business%20Functions/McKinsey%20Digital/Our%20Insights/The%20Internet%20of%20Things%20The%20value%20of%20digitizing%20the%20physical%20world/Unlocking_the_potential_of_the_Internet_of_Things_Executive_summary.ashx

Page 5

Remote monitoring | Risks

According to Symantec, the healthcare sector is particularly vulnerable:

Source: https://www.symantec.com/content/dam/symantec/docs/infographics/symantec-healthcare-it-security-risk-management-study-en.pdf

Page 6

Cybersecurity and connected cardiac devices | Safety notice

• 29 August 2017: cybersecurity field action requested by the FDA

– Software update for the programmers and firmware update for the devices

– Global communication, with immediate updates in the USA

– Updates in Europe upon obtaining the CE mark, November 2017

• First occurrence of a field action for something that has never happened to patients

– A cyberattack on a patient carrying an active device has never occurred

– Based on allegations by companies with financial motives regarding the cybersecurity of Abbott devices

Page 7

Interest in the cybersecurity field action | Media

Source: https://www.computerworld.com/article/2981527/cybercrime-hacking/researchers-hack-a-pacemaker-kill-a-man-nequin.html

Source: https://www.forbes.com/sites/singularity/2012/12/06/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too/#5f849f516853

Source: http://abcnews.go.com/Health/fears-hackers-targeting-us-hospitals-medical-devices-cyber/story?id=48348384

Source: https://www.wired.com/2017/03/medical-devices-next-security-nightmare/

Page 8

Cybersecurity and connected cardiac devices | Regulatory authorities

Figure: stakeholders around the regulators – Physicians, Patients, Political Leaders, Security Researchers, Media Coverage

Source: http://www.jdsupra.com/legalnews/mhra-updates-guidance-on-healthcare-90741/

Source: https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022.pdf

Source: http://www.fdanews.com/articles/180417-cfda-spells-out-cybersecurity-requirements

Source: https://www.tga.gov.au/sites/default/files/medical-devices-safety-update-volume-4-number-2-march-2016.pdf

Page 9

Cybersecurity and connected cardiac devices | Research

• WhiteScope LLC: a leading company in cybersecurity training and security services

• Extensive cybersecurity assessment of the implantable cardiac device ecosystems of the four main manufacturers

• Consistent findings across all manufacturers: structural weaknesses in the system architecture

• Passive protection only: "security by obscurity"

Source: https://drive.google.com/file/d/0B_GspGER4QQTYkJfaVlBeGVCSW8/view

Source: https://whitescope.io/#features_area

Source: E. Marin, D. Singelée, F. D. Garcia, T. Chothia, R. Willems, B. Preneel, "On the (in)security of the latest generation implantable cardiac defibrillators and how to secure them", ACSAC 2016

• Cybersecurity of these devices has been a research topic for at least a decade.

Source: https://mobile.nytimes.com/2008/03/12/business/12heart-web.html

Source: http://scholarworks.umass.edu/cgi/viewcontent.cgi?article=1067&context=cs_faculty_pubs

Page 10

Cybersecurity and connected cardiac devices | Industry

Some companies have implemented a formal cybersecurity strategy:

Abbott's Four Pillars of Cybersecurity | Forward Thinking, Patient Focused.

• Cybersecurity-embedded design: Abbott conducts a thorough cybersecurity review as we develop our products and systems. Active consideration is given to security and control measures throughout the development cycle.

• Ongoing threat and risk analysis: Abbott collaborates with cybersecurity and health care specialists to ensure best-in-class response. We quickly identify new threats and work with regulators to deploy enhanced cybersecurity controls.

• Testing by internal and external experts: Abbott puts our products and systems through rigorous internal and 3rd party testing. This ensures that they are aligned with current cybersecurity standards.

• Partnering with industry: Abbott partners with security experts and the research community. We assess trends, share information, and establish standards that protect patients and advance medical innovation.

Image Courtesy of Abbott

Page 11

Cybersecurity and connected cardiac devices | Leading

Abbott updates

• January 2017: 1st update

– Several months before the safety notice requested by the FDA

– Merlin@home: server validation, software digital signing, whitelisting of telemetry commands

• November 2017: 2nd update

– Programmers, Merlin.net and firmware (the software inside the device)

– Protection against an excessive number of connection attempts

– Patient data encrypted in the devices and in the programmer

– Other cybersecurity measures
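Two of the controls named on this slide, allow-listing of telemetry commands and protection against an excessive number of connection attempts, as an added Python illustration. This is not Abbott's code and says nothing about how Merlin@home or the device firmware actually implement them; the command names, the failure threshold, the lockout window, and the HMAC-SHA256 tag with a monotonic counter are all assumptions made for the example.

```python
"""Telemetry command gate: allow-list, authentication tag, lockout.

Added illustration; not Abbott code. Command names, thresholds and the
tag scheme are assumptions chosen to make the example concrete.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical allow-list of read-only telemetry commands a programmer or
# home monitor may issue. Anything else is rejected before it is parsed.
ALLOWED_COMMANDS = frozenset({"READ_BATTERY", "READ_EPISODES", "READ_LEAD_IMPEDANCE"})

MAX_FAILED_ATTEMPTS = 3   # assumed threshold before lockout
LOCKOUT_SECONDS = 60.0    # assumed lockout window


def make_tag(key: bytes, command: str, counter: int) -> bytes:
    """HMAC-SHA256 over a monotonic counter and the command name.

    Stand-in for whatever a real device uses; the counter lets the gate
    reject replayed messages.
    """
    msg = counter.to_bytes(4, "big") + command.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class TelemetryGate:
    key: bytes
    failed: int = 0
    locked_until: float = 0.0
    last_counter: int = -1

    def handle(self, command: str, counter: int, tag: bytes, now: float):
        """Return ("ACCEPT", command) or ("REJECT", reason)."""
        if now < self.locked_until:
            return ("REJECT", "locked out")
        if command not in ALLOWED_COMMANDS:
            return self._fail(now, "command not allow-listed")
        if counter <= self.last_counter:
            return self._fail(now, "replayed counter")
        expected = make_tag(self.key, command, counter)
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            return self._fail(now, "bad authentication tag")
        self.failed = 0                 # a good message resets the counter
        self.last_counter = counter     # commit the counter only on success
        return ("ACCEPT", command)

    def _fail(self, now: float, reason: str):
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failed = 0
            return ("REJECT", f"{reason}; locked out for {LOCKOUT_SECONDS:.0f}s")
        return ("REJECT", reason)


def run_session(key: bytes, messages):
    """Feed (time, command, counter, tag) messages through one gate; return verdicts."""
    gate = TelemetryGate(key=key)
    return [gate.handle(cmd, ctr, tag, t)[0] for (t, cmd, ctr, tag) in messages]


if __name__ == "__main__":
    KEY = b"example-key-not-a-real-device-key"   # constructed, illustrative only
    # Constructed session: one valid read, a replay, an unknown command,
    # a forged tag (third failure triggers lockout), a valid message that
    # arrives while locked, and the same message after the lockout expires.
    session = [
        (0.0, "READ_BATTERY", 1, make_tag(KEY, "READ_BATTERY", 1)),      # ACCEPT
        (1.0, "READ_BATTERY", 1, make_tag(KEY, "READ_BATTERY", 1)),      # REJECT: replay
        (2.0, "SET_PACING_RATE", 2, b"\x00" * 32),                       # REJECT: not allow-listed
        (3.0, "READ_EPISODES", 2, b"\x00" * 32),                         # REJECT: bad tag, lockout
        (4.0, "READ_EPISODES", 3, make_tag(KEY, "READ_EPISODES", 3)),    # REJECT: locked out
        (70.0, "READ_EPISODES", 3, make_tag(KEY, "READ_EPISODES", 3)),   # ACCEPT: lockout expired
    ]
    for (t, cmd, _, _), verdict in zip(session, run_session(KEY, session)):
        print(f"t={t:5.1f}  {cmd:18s} -> {verdict}")
```

The point of the ordering is that nothing untrusted changes state before the tag is verified: an unknown command or a bad tag only advances the failure count, and the counter is committed only on an accepted message, so an attacker cannot burn future counter values or unlock the gate by flooding it.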


Page 12

Cybersecurity and connected cardiac devices | Bluetooth

• The Confirm Rx injectable cardiac monitor (ICM, Abbott) is built on a Bluetooth platform

• A certain level of cybersecurity is implicit in the Bluetooth platform

– AES-128 encryption, with a unique 128-bit key for the paired mobile app (BLE 4.0); this protects the radio link between the implant and the phone, and the application-layer measures below cover the rest of the path

• Other cybersecurity measures implemented

– Additional communication and communication protocols between the Confirm Rx and the MyMerlin app

– Communication and communication protocols between the app and the Merlin.net network

Page 13

Cybersecurity and connected cardiac devices | Conclusions

• Remote monitoring of pacemakers and implantable defibrillators offers concrete and substantial benefits to patients and healthcare providers

• No alarmism: to date, no implanted device has been accessed and reprogrammed

• It is important to prepare for an ever more interconnected future

• Abbott is committed to the investment needed to reach and maintain a "state of the art" level of cybersecurity

– Preventive action

– Extended to all Abbott devices

Page 14

IX National Conference on Medical Devices

Rome, 19–20 December 2016 | Auditorium Antonianum