<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Software Associates. &#187; Intel</title>
	<atom:link href="http://www.software.co.il/tag/intel/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.software.co.il</link>
	<description>Security and compliance specialists for medical device and healthcare companies</description>
	<lastBuildDate>Wed, 08 Feb 2012 06:36:35 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Medical device security</title>
		<link>http://www.software.co.il/2011/11/medical-device-security/</link>
		<comments>http://www.software.co.il/2011/11/medical-device-security/#comments</comments>
		<pubDate>Tue, 29 Nov 2011 10:18:20 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Data leakage]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[Software security]]></category>
		<category><![CDATA[Case study]]></category>
		<category><![CDATA[embedded]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Intel]]></category>
		<category><![CDATA[Internal security]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[medical devices]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Security leadership]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=2534</guid>
		<description><![CDATA[What is more important &#8211; patient safety or the health of the enterprise hospital Windows network?  What is more important &#8211; writing secure code or installing an anti-virus? Software Associates specializes in helping medical device vendors achieve HIPAA compliance and improve the data and software security of their products in hospital and mobile environments. A ...]]></description>
			<content:encoded><![CDATA[<p>What is more important &#8211; patient safety or the health of the enterprise hospital Windows network?  What is more important &#8211; writing secure code or installing an anti-virus?</p>
<p>Software Associates specializes in helping medical device vendors achieve HIPAA compliance and improve the data and software security of their products in hospital and mobile environments.</p>
<p>A threat analysis was performed on a medical device used in intensive care units. The threat analysis used the PTA (Practical Threat Analysis) methodology.</p>
<p>Our analysis considered threats to three assets: medical device availability, the hospital enterprise network and patient confidentiality/HIPAA compliance. Following the threat analysis, a prioritized plan of security countermeasures was built and implemented including the issue of propagation of viruses and malware into the hospital network (See Section III below).</p>
<blockquote><p>Installing anti-virus software on a medical device is less effective than implementing other security countermeasures that mitigate more severe threats – ePHI leakage, software defects and USB access.</p></blockquote>
<blockquote><p>A novel benefit of our approach is derived by providing the analytical results as a standard threat model database, which can be used by medical device vendors and customers to model changes in risk profile as technology and operating environment evolve. The <a title="Threat modelling software" href="http://www.ptatechnologies.com/?action=download" target="_blank">threat modelling software can be downloaded here</a>.</p></blockquote>
<p><span id="more-2534"></span></p>
<h3>I. Introduction</h3>
<p>A threat analysis was performed on a medical device used in intensive care units. The analysis considers the security implications of deploying the devices inside a hospital network. Different stakeholders have different security and compliance concerns and therefore different agendas.</p>
<ul>
<li>Hospital IT management &#8211; do the medical devices create new entry points for viruses and malware in the enterprise network?</li>
<li>Medical device vendor and patient care staff &#8211; can we assure availability and integrity of the monitoring data?</li>
<li>Hospital management &#8211; can we comply with HIPAA and reduce the risk of data leakage?</li>
</ul>
<h4>System configuration</h4>
<p>The embedded system configuration is based on an Intel processor running Windows XP Embedded.  The devices are not members of a Microsoft Active Directory domain and do not have Internet connectivity.</p>
<h4>The threat analysis process</h4>
<p>A data collection phase employed face-to-face interviews with software and hardware developers and directly examined the medical device software and hardware. We identified potential attackers, entry points, threats, vulnerabilities and security countermeasures (those already implemented and those that might be implemented). Following data collection, we performed a threat analysis using the PTA (Practical Threat Analysis) methodology summarized in Appendix A and described at length on the <a href="http://www.ptatechnologies.com/">PTA Technologies</a> web site.</p>
<h4>Threat model entities</h4>
<p>Our threat model uses four base classes: <strong>assets</strong> are mapped to <strong>vulnerabilities</strong>, <strong>threats</strong> exploit vulnerabilities and <strong>countermeasures</strong> mitigate vulnerabilities.</p>
<p>For example:</p>
<table width="100%" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td><strong>Threat T1</strong> – an attacker may obtain monitoring information and impact Asset A1</td>
</tr>
<tr>
<td><strong>Asset A1</strong> – patient privacy</td>
</tr>
<tr>
<td><strong>Vulnerability V1</strong> – central management stations may have Internet connectivity</td>
</tr>
<tr>
<td><strong>Countermeasure C1</strong> – encrypt ePHI</td>
</tr>
</tbody>
</table>
<p>The key assets were medical device availability, the hospital enterprise network and patient confidentiality. We received input from hospital IT management regarding annual rates of occurrence of virus and malware attacks (rare) and phishing attacks on hospital employees (the usual email-borne pharmacy scams etc…).</p>
<h3>II. Top unmitigated threats</h3>
<p>After building the threat model with the four base classes and their relationships, we estimated the probability of threat occurrence, percent damage to assets and risk mitigation effectiveness. Trusted insider information leakage event frequency was estimated as twice/year in the threat model, while the frequency of virus, denial of service and malware attacks was estimated to be rare (less than once every 3 years). Hospital IT were primarily concerned with the health of their enterprise network (as opposed to the availability of the medical devices), described in threat T017.</p>
<p>The 5 most severe <strong>unmitigated</strong> threats in our model (shown below) are derived using the PTA calculative method (<a href="http://www.ptatechnologies.com/?action=4pta">http://www.ptatechnologies.com/?action=4pta</a>), which takes into account estimated asset value, threat probability and percent damage due to a threat event.</p>
<p>The TXXX identifiers in the left hand column refer to the entities in our model.</p>
<table width="99%" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="bottom" width="9%"><strong>Entity Id</strong></td>
<td valign="bottom" width="90%">Threats</td>
</tr>
<tr>
<td valign="bottom" width="9%">T002</td>
<td valign="top" width="90%">Trusted insiders may leak ePHI to interested parties (insurance companies etc&#8230;)</td>
</tr>
<tr>
<td valign="bottom" width="9%">T019</td>
<td valign="top" width="90%">Software defects and/or configuration changes may cause the units to become unresponsive and incapable of providing the patient monitoring service</td>
</tr>
<tr>
<td valign="bottom" width="9%">T017</td>
<td valign="top" width="90%">The Windows-based medical devices may become infected and propagate malware/viruses to the hospital enterprise network</td>
</tr>
<tr>
<td valign="bottom" width="9%">T001</td>
<td valign="top" width="90%">Malicious agents may access the system from inside the hospital network in order to steal, modify data or disrupt operation.</td>
</tr>
<tr>
<td valign="bottom" width="9%">T021</td>
<td valign="top" width="90%">Hardware defects may cause the units to become unresponsive and incapable of providing the monitoring service</td>
</tr>
</tbody>
</table>
<h4>Removing electronic Protected Health Information (ePHI) from the medical device</h4>
<p>Unauthorized disclosure of ePHI (T002) was nominally the most severe threat at the start of the analysis due to compliance (HIPAA) / patient privacy concerns.</p>
<p>Protected health information (PHI) is any information in the medical data set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.</p>
<p>Following the threat analysis, it was decided to remove all personally identifying information and use an alphanumeric designator, displayed on the medical device screen and at a central management station. Nurses can respond quickly to alarms about changes in patient signs (heart/respiratory rate) reported by a particular bedside unit without being exposed to personally identifiable information.</p>
<p><em>After removing ePHI, the risk assessment changed and the threat of the medical device infecting the hospital enterprise network (T017) then became our primary concern.</em></p>
<h3>III. Recommended countermeasure plan</h3>
<p>Using the PTA quantitative threat model, we then calculated a prioritized plan of security countermeasures, shown in the following table. The <em>table is sorted according to recommended priority of implementation</em> in terms of risk mitigation effectiveness. After implementing these countermeasures, the calculative model estimates a residual risk of less than 3% to system assets.</p>
<h4>Security countermeasures plan</h4>
<p>The TXXX and CXXX numeric identifiers refer to threat and countermeasure entities in our threat model.</p>
<table width="587" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="bottom" width="587"><strong>Threats/Security countermeasures</strong></td>
</tr>
<tr>
<td width="587"><strong>T002</strong> &#8211; Trusted insiders may leak ePHI to interested parties (insurance companies etc&#8230;)</td>
</tr>
<tr>
<td width="587"><strong>C061</strong> &#8211; Remove ePHI (protected health information) from the system</td>
</tr>
<tr>
<td width="587"><strong>T019</strong> &#8211; Software defects and/or configuration changes may cause the units to become unresponsive and incapable of providing the patient monitoring service</td>
</tr>
<tr>
<td width="587"><strong>C014</strong> &#8211; Perform software security assessment of relevant module/component/functions and QA review</td>
</tr>
<tr>
<td width="587"><strong>C041</strong> &#8211; Set write permissions at start of upgrade procedure</td>
</tr>
<tr>
<td width="587"><strong>C055</strong> &#8211; Perform post-install, post-software update validation check</td>
</tr>
<tr>
<td width="587"><strong>C057</strong> &#8211; Use updated .NET framework from Microsoft and upgrade the report writer application at the central management station that uses .NET to produce PDF reports</td>
</tr>
<tr>
<td valign="top" width="587"><strong>T017</strong> &#8211; The Windows-based medical devices may be infected by a USB device and propagate malware/viruses back to the hospital enterprise network</td>
</tr>
<tr>
<td width="587"><strong>C048</strong> &#8211; Implement an IO-board hardware toggle for disabling USB ports</td>
</tr>
<tr>
<td width="587"><strong>C039</strong> &#8211; Implement a procedure for ensuring clean device version update media</td>
</tr>
<tr>
<td width="587"><strong>T001</strong> &#8211; Malicious agents may access the system from inside the hospital network in order to steal, modify data or disrupt operation.</td>
</tr>
<tr>
<td width="587"><strong>C001</strong> &#8211; Block enterprise network access to bedside monitoring units</td>
</tr>
<tr>
<td width="587"><strong>C047</strong> &#8211; Configure communications software to validate and discard invalid messages</td>
</tr>
<tr>
<td width="587"><strong>C052</strong> &#8211; Implement system TCP/IP data messages in binary format that are relatively difficult to decode via sniffing</td>
</tr>
<tr>
<td width="587"><strong>C061</strong> &#8211; Remove all ePHI (protected health information) from the system</td>
</tr>
<tr>
<td valign="top" width="587"><strong>T021</strong> &#8211; Hardware defects may cause the units to become unresponsive and incapable of providing the monitoring service</td>
</tr>
<tr>
<td width="587"><strong>C058</strong> &#8211; Provide system health check and expose alert to central management station</td>
</tr>
</tbody>
</table>
<h4>Patch management</h4>
<p>The question of patch / update management always arises in the course of a threat analysis of medical devices;  the results are perhaps counterintuitive for typical IT managers:</p>
<ul>
<li>An IT policy of running automated Windows Update on Windows PCs in the office is not necessarily a relevant countermeasure for embedded medical devices.</li>
<li>Although FDA 510(k) recertification of the medical device may not be necessary when applying security patches, running Windows Update is practically impossible in an embedded device that does not have Internet access. The medical device vendor would typically apply patches to the embedded image as part of ongoing device field maintenance.</li>
</ul>
<p>We note that an ICU medical device is a specialized (not COTS) embedded device that does not have Internet or removable device connectivity. The device does not run MS Office, does not run IE and is not connected to the Internet, and therefore has a much smaller threat surface than a typical Windows PC installed on the hospital network.</p>
<p><em>For these reasons, we focused our efforts on security countermeasures that would reduce the most severe threats – ePHI leakage, software defects and USB access to the medical device itself.</em></p>
<h3>IV. Propagation of viruses/malware in the enterprise network</h3>
<p>One of the key security concerns when operating networked, Windows-based embedded medical devices is whether new entry points for viruses and malware are created in the enterprise network.</p>
<p>We sub-divided this concern into 3 separate threat scenarios:</p>
<ol>
<li>Can the medical devices be infected from the enterprise network?</li>
<li>Can the medical devices be infected via USB devices?</li>
<li>Can infected medical devices propagate malicious software back into the enterprise network?</li>
</ol>
<h4>1. Can the medical devices be infected from the enterprise network?</h4>
<p><em>The short answer is no.</em></p>
<p>The medical device analyzed in the study uses Windows XP Embedded and a proprietary TCP/IP messaging protocol in order to communicate with a central management station.</p>
<p>The operating system itself is hardened: it does not run the Windows shell, does not run IE and shuts down all unneeded services such as SMB and RPC. In addition, it runs a Windows Firewall instance that blocks all ports except the TCP/IP listener ports.</p>
<p>Although a dedicated attacker with the right skill set might be able to sniff traffic, reverse engineer the protocol and fuzz it, <em>there is always the question of whether or not the value of the asset justifies the cost of the attack</em>. In this particular medical device, considering the hardware configuration and use of a proprietary messaging protocol, we felt that <em>the medical device was not particularly vulnerable to such attacks.</em></p>
<h4>2. Can the medical devices be infected via USB devices?</h4>
<p><em>The short answer is yes – potentially by anyone who inserts an infected USB removable storage device.</em></p>
<p>We have addressed this vulnerability in countermeasure <strong>C048 </strong>– “Implement an IO-board hardware toggle for enabling/disabling USB ports”. We also strongly recommended migration to Linux – with no USB auto-run functions (see next section).</p>
<h4>3. Can USB-infected medical devices propagate malicious software back into the enterprise network?</h4>
<p>The short answer is yes.</p>
<p>Although the proprietary request/response communications protocol used by the units cannot be used to transport files to other Windows PCs, a worm such as Conficker can exploit vulnerabilities in Windows services, disable the Windows firewall and propagate from the source computer to the hospital network on an arbitrary port between 1024 and 10000.</p>
<h3>V. Future: segregation of bio-med and IT domains</h3>
<p>While hospital IT systems typically use Microsoft Windows, for an embedded medical device we highly recommend using Linux due to its ease of maintenance and resistance to USB exploits and worms such as Conficker that exploit Windows software. A suggested minimal configuration should consist of an up-to-date Linux kernel, Qt, touch-screen, network support and a main loop to run the medical device application. A more detailed discussion of the proposed Linux implementation is beyond the scope of this article. See the excellent article &#8220;<a title="The 10 mistakes made by embedded Linux developers" href="http://www.software.co.il/2011/11/the-top-10-mistakes-made-by-linux-developers/" target="_blank">The Top 10 mistakes embedded Linux developers make</a>&#8221; for some guidelines.</p>
<h3>VI. Summary</h3>
<p>A threat analysis of a networked medical device was performed and a mitigation plan of countermeasures was produced, including recommended priority of implementation.  As a result of the analysis, it was decided to modify the medical device design and not to store ePHI. This is obviously the most effective countermeasure possible for HIPAA compliance and protecting patient privacy. In addition, a decision was taken to migrate the medical device OS platform to embedded Linux to eliminate typical Microsoft Windows network and removable device vulnerabilities.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2011/11/medical-device-security/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Compliance, security and Wikileaks</title>
		<link>http://www.software.co.il/2010/12/compliance-security-and-wikileaks/</link>
		<comments>http://www.software.co.il/2010/12/compliance-security-and-wikileaks/#comments</comments>
		<pubDate>Wed, 01 Dec 2010 15:30:53 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Information security]]></category>
		<category><![CDATA[Software security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Threat modeling]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[ethics]]></category>
		<category><![CDATA[Intel]]></category>
		<category><![CDATA[ISO 27001]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[PCI DSS]]></category>
		<category><![CDATA[Sarbanes-Oxley]]></category>
		<category><![CDATA[Symantec]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=2833</guid>
<description><![CDATA[This is an essay I wrote in 2004. There is nothing here that doesn&#8217;t still ring true, especially with the latest round of Wikileaks disclosures. I wrote then and I still hold that compliance and data security technology cannot protect an organization from a data breach. The best security countermeasures for protecting a company&#8217;s ...]]></description>
<content:encoded><![CDATA[<p>This is an essay I wrote in 2004. There is nothing here that doesn&#8217;t still ring true, especially with the latest round of <a title="Cablegate" href="http://cablegate.wikileaks.org/" target="_blank">Wikileaks</a> disclosures. I wrote then and I still hold that compliance and data security technology cannot protect an organization from a data breach. The best security countermeasures for protecting a company&#8217;s digital assets and individuals&#8217; private information are uncompromising ethics and honest management.</p>
<p><strong>On security and compliance</strong></p>
<p>It&#8217;s impossible to ignore the fact that compliance (like it or not) is a driver for companies to invest in improving their software and data security beyond running a firewall and anti-virus. While compliance drives companies into taking action, do compliance activities actually result in implementing and sustaining strong data security management and technology countermeasures? We will see that the answer is generally no.</p>
<p>There is a plethora of compliance regulations. There is regulation for <strong>Privacy</strong> (HIPAA/HHS), for <strong>Children</strong> (Children&#8217;s Online Privacy Protection Act, COPPA), for <strong>Credit Card holders</strong> (FCRA), for <strong>merchants</strong> (PCI DSS), for <strong>Public entities</strong> (Sarbanes-Oxley), for <strong>Insurance</strong> (State laws), for <strong>Securities trading</strong> (SEC), for <strong>Telecom</strong> (New York State Public Service Commission rulings) and many many more.</p>
<p>Looking at the wide variety of regulations and standards we can see that compliance really comes in only 3 flavors:</p>
<ol>
<li><strong>Governance</strong> regulation such as HIPAA and SOX.  Government compliance regulation is focussed on customer protection and requires a top down risk analysis process.</li>
<li><strong>Industry</strong> compliance regulation such as PCI DSS that focuses on protecting the card association supply chain, doesn&#8217;t require risk analysis and mandates a fixed control set (if you think that best-practice security control sets are a good idea, then stop and consider the abysmal failure of the Maginot line in WWII and the Bar Lev line in the Yom Kippur war in 1973).</li>
<li><strong>Vendor-neutral standards</strong> such as ISO 27001 that focus on data and system protection, don&#8217;t require risk analysis nor consider asset values, although they do provide what is arguably the most comprehensive set of controls.</li>
</ol>
<p>Well-meaning as the regulators may be, there are two fundamental flaws in the security-by-compliance model:</p>
<ol>
<li>You can comply without being secure and use compliance as a fig-leaf for lack of data security</li>
<li>You can invest in software and data security without being compliant</li>
</ol>
<blockquote><p>&#8230;We don&#8217;t invest in data loss prevention technology because it&#8217;s a criminal offense when one of our employees breaches critical filings. We feel the legal deterrent is sufficient.<br />
<strong><em>IT Manager &#8211; Securities and Exchange Commission in a Middle East country</em></strong></p></blockquote>
<p><strong>Privacy regulation trends in the US and Europe</strong></p>
<p>Government-regulated privacy-protection of information is a natural response rooted in the field of telecommunications, since countries either own the telecom business outright or tightly regulate their industry. This has largely led to a view of electronic privacy as an issue of citizen rights versus state legislation and monopoly.</p>
<p>In the information age, privacy has two dimensions &#8211; intrusion and data breach:</p>
<ul>
<li>Protection against intrusion by unwanted information or criminals; similar to the constitutional protection to be secure in one&#8217;s home.</li>
<li>Protection against data breach by controlling information flows about an individual&#8217;s or a business&#8217;s activities; for example preventing identity theft or protecting a company&#8217;s trade secrets.</li>
</ul>
<p>Regulation has moved in two major directions &#8211; centralized general protection and decentralized ad hoc protection. The EEC (European Economic Community) has pursued the former, and passed comprehensive data protection laws with coordination on information collection and data flows. The United States, in contrast, has dealt with issues on a case-by-case basis (health-care, credit cards, corporate governance etc&#8230;) resulting in a variety of ad hoc federal and state legislation.</p>
<p>A synthesis of the European and the American approaches is to formulate a set of broad rules for vertical industry. This was the direction taken by the New York Public Service Commission on the issue of telecommunications privacy. However, U.S. privacy legislation remains considerably less strict than European law in the regulation of private databases. Two Representatives in the House Select Committee on Homeland Security are calling for a Privacy Czar. The Privacy Czar would be responsible for privacy policies throughout the federal government as well as ensuring private technology does not erode public privacy.</p>
<p>&#8220;Right now, there&#8217;s no one at home at the White House when it comes to privacy. There&#8217;s no political official in the White House who has privacy in their title or as part of their job description. Congress should take the lead here because this administration has not,&#8221; says Peter Swire, an Ohio State University law professor and former chief privacy officer in the Clinton administration in an interview with Wired back in 2006 &#8211; and in the Obama administration has anything changed?<br />
(<a href="http://www.wired.com/news/privacy/0,1848,63542,00.html" target="_blank">http://www.wired.com/news/privacy/0,1848,63542,00.html</a> )</p>
<h4>Horizontal applications</h4>
<h5>Sarbanes Oxley: enforcing corporate governance</h5>
<p>The Sarbanes-Oxley Act (SOX) has had a major impact on US corporate governance. SOX was a response to the accounting scandals and senior management excesses at some public companies in recent years. It requires compliance with a comprehensive reform of accounting procedures for public corporations to promote and improve the quality and transparency of financial reporting by both internal and external independent auditors. SOX regulation is enforced by the Public Company Accounting Oversight Board (&#8220;the Board&#8221;).</p>
<p>SOX Section 404 &#8211; &#8220;Management Assessment Of Internal Controls &#8221; is indirectly relevant to data breach. It requires an &#8220;internal control&#8221; report in the annual report which states management responsibility and assesses effectiveness of internal controls. Companies are also required to disclose whether they have adopted a code of ethics for senior financial officers and the contents of that code.</p>
<p>SOX Section 409 &#8211; &#8220;Real Time Disclosure&#8221; implies that a significant data breach event be disclosed on &#8220;a rapid and current basis&#8221;. SOX also increases the penalties for mail and wire fraud from 5 to 10 years and creates a crime for tampering with a record or otherwise impeding any official proceeding.</p>
<h5>HHS/HIPAA: enforcing patient privacy</h5>
<p>Each time a patient sees a doctor, is admitted to a hospital, goes to a pharmacist or sends a claim to a health plan, a record is made of their confidential health information. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) gave Congress 3 years to pass health privacy legislation. In May 2003 the HHS (Dept. of Health and Human Services) implemented federal protections for the privacy of individual health information under the Privacy Rule, pursuant to HIPAA. Because of limitations of HIPAA, the rule is far from seamless and will require a lot more work in the US Congress by both parties to ensure privacy of personal health information.</p>
<p>My conclusion on all of this is:</p>
<ul>
<li>SOX has been a strong driver for sales of IT products and services, but it&#8217;s totally unclear that the billions spent by corporate America on compliance have actually done much to improve customer protection.</li>
</ul>
<h4>Vertical Industries</h4>
<h5>Securities: Did we leave the cat guarding the cream?</h5>
<p>Annette L. Nazareth, market regulation director at the U.S. Securities and Exchange Commission, outlined proposals at a securities industry conference in New York on May 21 calling for stock exchanges, as the Associated Press put it, &#8220;to abide by most of the requirements they set for companies they list.&#8221;<br />
(<a href="http://www.sec.gov./news/speech/spch052104aln.htm" target="_blank">http://www.sec.gov./news/speech/spch052104aln.htm</a> )</p>
<p>Wow.</p>
<h5>Insurance Industry: Federal versus free market</h5>
<p>In October 2003, witnesses before the Senate Commerce committee testified regarding insurance industry regulations. The committee analyzed the current US system, which relies on state law, and examined proposals for improving industry regulation. One of the central issues was whether or not the federal government should play a larger role in insurance industry regulation. Also discussed was the need to provide protection for consumers without forcing unnecessary regulations on insurance companies. Some senators expressed concerns about high insurance rates.</p>
<h4>Conclusion</h4>
<p>If you&#8217;re a vendor of IT products and services, it has become increasingly difficult to sell security with rising complexity of attacks and countermeasures and decision makers who find it difficult to understand what works and what doesn&#8217;t.</p>
<p>What will happen to the B2C security industry is hard to say. Perhaps the Intel McAfee acquisition is a sign of things to come where security becomes a B2B industry like safety manufacturers for the aerospace and automotive industries.</p>
<p>Until security becomes built into the cloud, my best suggestion for a business is don&#8217;t leave your ethics at home and don&#8217;t wait for the government to tell you what you learned from your parents at age 5 &#8211; put your toys away and don&#8217;t steal from the other kids.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2010/12/compliance-security-and-wikileaks/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Teachers Matter More Than PCs</title>
		<link>http://www.software.co.il/2008/12/teachers-matter-more-than-pcs/</link>
		<comments>http://www.software.co.il/2008/12/teachers-matter-more-than-pcs/#comments</comments>
		<pubDate>Mon, 15 Dec 2008 09:03:26 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Open Source]]></category>
		<category><![CDATA[Intel]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Open Source economic models]]></category>
		<category><![CDATA[Teachers]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=931</guid>
		<description><![CDATA[Just as I was wondering how pumping trillions into banks will solve the GFC (great financial crisis) &#8211; along comes Craig Barrett (former CEO of Intel) and tells us that Teachers Matter More Than PCs “We’re bailing out Wall Street, we’ll be bailing out Detroit soon, we’re bailing out the agricultural sector with high subsidies ...]]></description>
			<content:encoded><![CDATA[<p>Just as I was wondering how pumping trillions into banks will solve the GFC (great financial crisis) &#8211; along comes Craig Barrett (former CEO of Intel) and tells us that <a title="Teachers matter more than PCs" href="http://bits.blogs.nytimes.com/2008/10/02/intels-barrett-teachers-matter-more-than-pcs/?emhttp://" target="_blank">Teachers Matter More Than PCs</a></p>
<blockquote><p>“We’re bailing out Wall Street, we’ll be bailing out Detroit soon, we’re bailing out the agricultural sector with high subsidies at a time of record crop prices,” Mr. Barrett said. “Where is the public outrage that the U.S. education system is failing our kids?”</p></blockquote>
<p>This is a particularly cogent point for someone like me who lives in Israel. The Israeli Ministry of Education has been installing massive quantities of PCs in classrooms from kindergarten to 12th grade high school. The lip service to PC and Microsoft Windows usage in the classroom reached new levels of absurdity when I heard from my niece, who is a first grade teacher, that they teach computer literacy and how to use Microsoft Paint. It is no accident that the achievements of Israeli high school students in international math tests have fallen from the top 10 to the bottom 50 in less than 20 years.</p>
<p>Schools should take a lesson from best-practice risk management of large software engineering projects: increasing the number of programmers in the middle of a failing project is a very bad idea. Less is more in programming, and fewer PCs are more in the classroom.</p>
<p>Give the classroom back to the teachers. Invest all that money in better salaries. Our kids live and breathe Internet and computers &#8211; it&#8217;s part of their life, and just as there is no reason to teach children how to use a phone, there is no reason for a first grade class to learn how to use Paint.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2008/12/teachers-matter-more-than-pcs/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Ex-Intel worker charged with $1B data theft</title>
		<link>http://www.software.co.il/2008/11/ex-intel-worker-charged-with-1b-ip-theft/</link>
		<comments>http://www.software.co.il/2008/11/ex-intel-worker-charged-with-1b-ip-theft/#comments</comments>
		<pubDate>Wed, 26 Nov 2008 09:12:37 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Internal security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[AMD]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Data loss]]></category>
		<category><![CDATA[Data theft]]></category>
		<category><![CDATA[Intel]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=895</guid>
		<description><![CDATA[Big time data theft event, this time by an employee leaving Intel to go to work for AMD. A Worcester, Mass. man has been charged with stealing trade secrets worth more than $1 billion. Biswamohan Pani, 33, was indicted for allegedly stealing trade secrets from Intel&#8217;s Hudson, Mass. facility and downloading confidential documents from Intel ...]]></description>
			<content:encoded><![CDATA[<p>Big-time data theft event, this time by an employee leaving Intel to go to work for AMD. A Worcester, Mass. man has been charged with stealing trade secrets worth more than $1 billion.</p>
<p>Biswamohan Pani, 33, was indicted for allegedly stealing trade secrets from <a title="Intel" href="http://www.intel.com"><strong>Intel&#8217;s</strong></a> Hudson, Mass. facility and downloading confidential documents from Intel offices in California.</p>
<p>According to the indictment, Pani gave notice to leave Intel and told his superiors he was using up about a week of vacation while looking for a job at a hedge fund.</p>
<p>In reality, according to the indictment, he had taken a job at Intel rival <a title="AMD" href="http://www.amd.com" target="_blank">AMD</a> and, while using up vacation time at Intel, was downloading documents marked by Intel as confidential. Without going into the entire discussion of Intel&#8217;s management of intellectual property, there are some interesting questions:</p>
<p>Why was an employee who had announced he was leaving, and was running down vacation at home, even allowed access to Intel file servers?</p>
<p>How did Intel discover that confidential documents were being downloaded? Does Intel use data loss prevention technology? Were they tipped off by another employee? Or did the investigation start once Intel discovered that the employee was going to work for a competitor, and only <strong>then</strong> did they start checking download logs?</p>
<p>Full article in the <a title="Sacramento Business Journal" href="http://www.bizjournals.com/sacramento/stories/2008/11/03/daily49.html" target="_blank">Sacramento Business Journal</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2008/11/ex-intel-worker-charged-with-1b-ip-theft/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>