VA Medical Device Protection Program - PowerPoint PPT Presentation



SLIDE 1

VA Medical Device Protection Program

presented to

Information Security and Privacy Advisory Board

March 4, 2011

SLIDE 2

Table of Contents

  • Introduction
  • MDPP Timeline and Evolution
  • What’s Next
  • Conclusion
SLIDE 3

Achieving security takes teamwork…

Photo Source: Idaho Department of Commerce

SLIDE 4

Data protection and patient safety are critical VA priorities

“Any Personally Identifiable Information (PII) and electronic Patient Health Information (ePHI) that is collected, stored, or transmitted across medical device systems should be protected with the best possible security tools for the deployed systems.”

– Health Information Portability and Accountability Act (HIPAA)

Photo Source: Department of Health and Human Services

VA must secure medical devices in order to maintain data integrity and prevent invalid results that may negatively impact patient safety!

SLIDE 5

Threats to VA Medical Devices

  • Medical devices can restrict the application of operating system patches and malware protection updates. This can potentially cause:
  • An increased vulnerability to malware attacks and potential to serve as an entry point for attacks into the trusted network
  • A risk to patient safety and protection of patient sensitive information

A medical device is defined as any component(s) [hardware, software] that is/are:

  • FDA 510K certified;
  • Any device that is used in patient healthcare for diagnosis, treatment or monitoring;
  • Any ancillary support device including but not limited to external disk storage, database servers, gateway or middleware interface devices - that are required for the medical device to function properly

Networked medical device: Any medical device that is connected to the VA network.

Networked medical system: Any group of devices that make up a complete medical system. These are multiple devices that are required for the medical system to function as intended by the manufacturer/vendor.

Photo Source: Department of Veterans Affairs

SLIDE 6

Threats to VA Medical Devices… (con’t)

  • The VA-NSOC is tracking reported incidents on networked devices.

(Source: VA-NSOC Weekly Threat Briefs)

* 30% of unauthorized USB incidents result in malware infection

Charts: USB Device Incidents and Infections, Mar 2010 – Feb 2011 *; Medical Device Infections, Mar 2010 – Feb 2011

SLIDE 7

Table of Contents

  • Introduction
  • MDPP Timeline and Evolution
  • What’s Next
  • Conclusion
SLIDE 8

Medical Device Protection Program

  • To better safeguard medical devices, VA developed a comprehensive security initiative that encompasses:
  • Communication
  • Training
  • Validation
  • Scanning
  • Remediation
  • Patching
  • Medical device isolation architecture (MDIA)

SLIDE 9

MDPP has evolved over time…

  • MDPP has grown and changed over time to meet the challenge of evolving threats to VA medical devices
  • The program will continue to grow and change to create a service-oriented architecture that meets the needs of the organization and addresses the risks of medical devices

SLIDE 10

MDIA has been implemented VA-wide

  • As of September 30th, 2010, more than 50,000 medical devices have been isolated behind nearly 3,200 virtual local area networks (VLANs)
  • It took approximately 7 months to isolate the medical devices behind VLANs to meet MDIA guidance

MDPP is now in an operation and maintenance (O&M) phase…

SLIDE 11

MDPP is currently focused on the validation phase of the O&M process…

  • The Office of Information and Technology (OI&T) is reviewing all ACLs that have been put in place
  • The Office of IT Oversight & Compliance (ITOC) and Office of Inspector General (OIG) will begin validation assessments of the program in FY11 Q2, ensuring that the VLANs are in place and maintained
  • ITOC and OI&T compliance and oversight audits occur independently of one another

Validation

Photo: fimsinfo.doe.gov

SLIDE 12

MDPP Progress: Where are we now, and where are we going?

  • Over the time period of ACL implementations the infection rate has trended down

Source: VA-NSOC Weekly Threat Briefs

Chart: Medical Device Infections Trending, Mar 2010 – Feb 2011

SLIDE 13

Table of Contents

  • Introduction
  • MDPP Timeline and Evolution
  • What’s Next
  • Conclusion
  • Appendix
SLIDE 14

VA is moving forward with numerous MDPP activities

  • Building solutions through collaboration to reduce risk and promote innovation in the U.S. biomedical device network
  • Participating in the launch and development of the Medical Device and Electronic Health Record Innovation, Safety and Security Consortium (MDEISS)
  • Continuing training initiatives
  • MDPP Incident Response training scheduled March 2011
  • Presenting MDPP at all ISO & CIO regional meetings and orientations

SLIDE 15

MDPP activities… (con’t)

  • Employing OIG and ITOC assessments to maintain the integrity of the MDIA implementation
  • ITOC Validation begins 2nd Qtr FY11
  • Publishing Medical Device Sanitization Guidance developed jointly with OI&T and VHA HTM
  • Scheduled for release 2nd Qtr FY11
  • Working with FDA on medical device security*
  • Looking to IT staff, biomedical engineers, and medical device manufacturers to resolve problems
  • Helping to develop technical solutions and providing oversight to ensure medical device manufacturers are doing their fair share
  • Relying on user facilities to keep FDA informed of medical device malfunctions

* FDA has stated no legal restriction on patching of medical devices or anti-virus updates except that they must be tested by the vendor prior to VA implementation

SLIDE 16

MDPP activities… (con’t)

  • VHA Biomedical Engineer is leading a pilot test of a vendor patching solution.
  • This solution is limited by Vendor and Device
  • Developing a strategy for the deployment of firewalls to medical device VLANs for tighter security boundary and audit capabilities (MDIA)

SLIDE 17

Firewalls allow medical devices to communicate while maintaining best security and networking practices

Using firewalls to protect medical device systems is required!

  • Ensures that only allowed traffic from inside the VA network flows through the firewalls
  • Reduces the risk that medical device systems will be compromised

Firewalls provide packet inspection, audit capability and are hardened against attacks directed at them

Inbound firewall rule sets are applied to each VLAN interface coming into the firewall

VA MDIA (Guidance established in 2004 and updated in 2009)
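The two ideas on this slide and on slide 11 (an inbound rule set bound to each medical-device VLAN interface that admits only named flows from inside the VA network, and an OI&T-style review of the ACLs that were put in place) can be modelled in a few dozen lines. The example below is added here for illustration; it is not VA code and not part of the MDIA guidance. Everything specific in it is an assumption constructed for the example: the VA internal address space (10.0.0.0/8), the VLAN ids, the PACS and interface-engine subnets, and the choice of DICOM (TCP 104) and HL7 MLLP (TCP 2575) as the only flows an imaging VLAN needs.

```python
"""Model of an MDIA-style per-VLAN inbound rule set with audit logging and ACL review.

Added example, not VA's code. All addresses, VLAN numbers, ports and sample
flows are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed assumption: the address space of the trusted VA network.
VA_INTERNAL = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: IPv4Network          # source network the packet must come from
    proto: str                # "tcp", "udp" or "any"
    dport: Optional[int]      # destination port, None = any port
    log: bool = False         # write an audit record when this rule fires
    note: str = ""            # human-readable purpose, kept for audits


@dataclass
class VlanRuleSet:
    """Inbound rule set bound to one medical-device VLAN interface on the firewall."""
    vlan: int
    rules: List[Rule] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    def evaluate(self, src: str, proto: str, dport: int) -> str:
        """First matching rule wins; no match falls through to an implicit, logged deny."""
        addr = ip_address(src)
        for r in self.rules:
            if addr in r.src and r.proto in (proto, "any") and r.dport in (dport, None):
                if r.log:
                    self.audit_log.append(f"vlan{self.vlan} {r.action} {src} {proto}/{dport} ({r.note})")
                return r.action
        self.audit_log.append(f"vlan{self.vlan} deny {src} {proto}/{dport} (implicit)")
        return "deny"


def validate_ruleset(rs: VlanRuleSet) -> List[str]:
    """Checks an ACL reviewer would make: every allow rule stays inside the VA network
    and names a port, and the rule set ends with a logged deny-all."""
    findings: List[str] = []
    for r in rs.rules:
        if r.action == "allow":
            if not r.src.subnet_of(VA_INTERNAL):
                findings.append(f"vlan{rs.vlan}: allow rule from {r.src} is not inside the VA network")
            if r.dport is None:
                findings.append(f"vlan{rs.vlan}: allow rule from {r.src} permits any port")
    last = rs.rules[-1] if rs.rules else None
    if last is None or last.action != "deny" or last.src != ip_network("0.0.0.0/0") or not last.log:
        findings.append(f"vlan{rs.vlan}: rule set does not end with a logged deny-all")
    return findings


def build_imaging_vlan() -> VlanRuleSet:
    """Constructed example: VLAN 3101 holds imaging modalities that only need DICOM
    from the PACS subnet and HL7 from the interface engine."""
    return VlanRuleSet(3101, [
        Rule("allow", ip_network("10.20.0.0/24"), "tcp", 104, note="DICOM from PACS servers"),
        Rule("allow", ip_network("10.21.0.5/32"), "tcp", 2575, note="HL7/MLLP from interface engine"),
        Rule("deny", ip_network("0.0.0.0/0"), "any", None, log=True, note="default deny"),
    ])


def build_weak_vlan() -> VlanRuleSet:
    """Constructed counter-example: an any/any allow that an ACL review should flag."""
    return VlanRuleSet(3102, [
        Rule("allow", ip_network("0.0.0.0/0"), "any", None, note="vendor asked for everything open"),
    ])


# Constructed sample flows arriving at the VLAN 3101 interface.
SAMPLE_FLOWS = [
    ("10.20.0.7", "tcp", 104),     # PACS server pushing a study: allowed
    ("10.99.1.1", "tcp", 22),      # SSH from an unrelated VA subnet: denied and logged
    ("203.0.113.5", "tcp", 104),   # DICOM port, but from outside the VA network: denied and logged
]


def run_sample() -> Tuple[List[str], List[str]]:
    """Evaluate the sample flows against the imaging VLAN; returns (decisions, audit log)."""
    rs = build_imaging_vlan()
    decisions = [rs.evaluate(*flow) for flow in SAMPLE_FLOWS]
    return decisions, rs.audit_log


if __name__ == "__main__":
    decisions, log = run_sample()
    for flow, decision in zip(SAMPLE_FLOWS, decisions):
        print(flow, "->", decision)
    print("\n".join(log))
    print("imaging VLAN findings:", validate_ruleset(build_imaging_vlan()))
    print("weak VLAN findings:", validate_ruleset(build_weak_vlan()))
```

The default-deny rule is written explicitly and logged so that the audit log, rather than silence, records what was blocked; the reviewer check treats a missing final deny, an allow from outside the VA range, or an any-port allow as findings, which is the kind of drift a periodic ACL review and an independent ITOC/OIG validation are meant to catch.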

SLIDE 18

Table of Contents

  • Introduction
  • MDPP Timeline and Evolution
  • What’s Next
  • Conclusion
SLIDE 19

MDPP is only as good as the sum of its parts

…Success depends on teamwork, communication, and compliance with established protocols

SLIDE 20

Wrap Up: MDPP Best Practices

Hard outer shell…. Soft in the middle…..

  • Pre-procurement assessments must be complete
  • No Internet access
  • Update DAT files often
  • Always scan media
  • No changes to ACLs without Change Control Board (CCB) approvals
  • Use the Patch Repository

These are best practices for good computing and can be applied beyond medical device security!

Photo: Author Geoff Lane/Wikimedia Commons

SLIDE 21

Questions?

MDPP guidance documents can be found on the HISD portal:

https://vaww.infoprotection.va.gov/fieldsecurity/HISD.aspx

Field Security Services
Health Information Security Division
vafsohisd@va.gov