
Until fairly recently, you might not have considered vehicles to be major cybersecurity targets. But with the rise in connected and autonomous cars, hackers and other cyber criminals can break into the systems that run these vehicles and wreak havoc.

“With all of the connectivity available comes cyber risk,” says Faye Francy, executive director of the Automotive Information Sharing and Analysis Center (Auto-ISAC), an industry-driven community to share and analyze intelligence about emerging cybersecurity risks to vehicles.

Technology has a long tradition of racing ahead of oversight, and the automotive industry is still catching up to the speed of change. Updates to the ISO 26262 functional safety standard were made in December 2018 and touch on cybersecurity, but expect to see more emphasis on this topic in the future. That will be especially true as automotive connectivity and complexity escalate and as the development of autonomous vehicles progresses (addressed by another safety standard, ISO/PAS 21448, or Safety Of The Intended Functionality (SOTIF), which has incidentally sparked its own upcoming conference in Germany).

As an additional resource, Auto-ISAC aims to enhance vehicle cybersecurity capabilities across the global automotive industry, including light- and heavy-duty vehicle original equipment manufacturers (OEMs), suppliers and the commercial vehicle sector.

“The Auto-ISAC is the go-to organization that facilitates cybersecurity resiliency for the global automotive industry,” Francy says. Automakers worldwide joined together in 2015 to form the nonprofit community to address growing vehicle cybersecurity risks.

A Shared Responsibility

“The focus of Auto-ISAC is to foster collaboration for mitigating the risks of cyber attacks and to create a safe, efficient, secure and resilient global connected vehicle ecosystem,” Francy says. Members use a secure intelligence-sharing portal to anonymously share information that helps them more effectively respond to cyber threats, vulnerabilities and incidents.

The 49 members include all major automakers across North America, Europe and Asia, as well as suppliers to the heavy-duty trucking and commercial vehicle sector. In 2017, the Auto-ISAC established a Strategic Partnership Program to enable ongoing coordination with key stakeholders, including partners, government regulatory agencies and law enforcement.

One of the key accomplishments of the Auto-ISAC is its Best Practices initiative, which focuses on developing guidelines organizations can use to advance their vehicle cybersecurity programs, Francy says. The members conceive, write and develop Best Practice guides that are in various stages of review.

The guides cover organizational and technical aspects of vehicle cybersecurity including incident response, collaboration and engagement with third parties, governance, risk management, security by design, threat detection and protection, and training and awareness.

“These guides are released to the community to help the automotive industry stakeholders mature,” Francy says. Currently there are three guides available to the public on the Auto-ISAC Web site: Incident Response; Third Party Collaboration and Engagement; and Governance.

Evolving Recommendations

The digital age has introduced connected, advanced automotive capabilities for consumers, such as driver assist, navigation and hands-free calling. But each of these features also introduces risk, such as exposure to hacker attacks.

“We have moved from a more physical analog attack surface to a digital, networked environment,” Francy says. “This provides different opportunities for the bad actors, due to the increase in innovative technologies and the interconnectedness” of the ecosystem.

Fortunately, the industry has taken a number of actions to identify and thwart cyber threats, including implementing security features in every stage of the design and manufacturing process, collaborating with public and private research groups to share solutions, and participating in multiple cyber forums on emerging issues. There is, of course, much more work to be done.

Automotive companies can learn from the Auto-ISAC leadership as it builds and leads a community of best practices, Francy says. The organization conducts an annual tabletop exercise, quarterly workshops and monthly analyst calls with members. It also leads virtual, monthly community calls and runs an annual Vehicle Cybersecurity Summit.

Auto-ISAC partnership programs “are developed to cultivate relationships beyond our membership, with the common goal to enhance vehicle cybersecurity and develop a vibrant and robust information-sharing community,” Francy says.

Learn how a Fortune 100 semiconductor company is meeting the challenges of functional safety standards for its automotive-related technology with Jama Connect by downloading our paper.

Author Bob Violino is a freelance writer who covers a variety of technology and business topics. Follow him on Twitter.

With the rising amount of connected devices in circulation, the number of potential targets for hackers and other cyber criminals to exploit continues to rise. Among the most common targets for attack: medical devices.

A survey released in October of 148 healthcare IT and security executives, conducted by Klas Research and the College of Healthcare Information Management Executives (CHIME), showed that an astonishing 18% of provider organizations had medical devices impacted by malware or ransomware in the last 18 months.

Medical devices were defined in the report as “biomedical devices used by healthcare-delivery organizations in the pursuit of patient care.”

The report also stated that only 39% of the respondents were “very confident or confident that their current strategy protects patient safety and prevents disruptions in care.”

Although organizations are making gains in developing and maturing their overall security programs, the report says, progress has been slow. This is particularly true when it comes to securing medical devices, the study shows. Unsurprisingly, respondents cited patient safety as their top concern with unsecured medical devices.

“Unsecured and poorly secured medical devices put patients at risk of harm if those devices are hacked,” said Russell Branzell, president and CEO of CHIME, in a press release about the report. “In recent years, that risk has increased exponentially as devices in hospitals and health organizations have become more and more interconnected.”

Adam Gale, president of Klas, also weighed in on the findings: “Safeguarding medical devices requires a joint effort by provider organizations and device manufacturers. Many providers have the basic building blocks for a general security program in place and are making progress.”

A large majority of the survey respondents (96%) identified manufacturer-related factors as a root cause of medical device security issues. The majority of respondents also reported struggles related to out-of-date operating systems or the inability to patch devices, which have been found to be major security risks. The study also discovered that, on average, one third of medical device manufacturers have said their devices cannot be patched.

“Medical device security is a three-way relationship between provider organizations, the manufacturers, and the regulators,” said Dan Czech, director of market analysis-cybersecurity at Klas, in the announcement about the findings.

Provider organizations can follow industry-accepted best practices such as network segmentation, Czech said. “Manufacturers can include security in the design of all products going forward and can consistently patch currently offered medical devices,” he said. “Regulators can provide incentives and disincentives for manufacturers and organizations to secure their devices and can offer the needed guidance to direct the healthcare industry.”

The threats against medical devices have become such a concern that two U.S. federal agencies recently announced a new initiative to address vulnerabilities. In October 2018, the U.S. Food and Drug Administration and the U.S. Department of Homeland Security (DHS) announced a memorandum of agreement to implement a new framework for greater coordination and cooperation between the two agencies for addressing cybersecurity in medical devices.

“As innovation in medical devices advances and more of them are connected to hospital networks or to other devices, making sure the devices are adequately protected against intrusions is paramount to protecting patients,” said Scott Gottlieb, FDA commissioner, in the memorandum announcement.

The partnership between the two agencies will enable them to share information about the constantly evolving threats against medical devices and help organizations in the healthcare industry proactively respond when vulnerabilities are identified.

This isn’t the first time the two agencies have collaborated on medical device security. In recent years they have been focused on the coordination of vulnerability disclosures. The partnership allows device manufacturers to receive technical information from cybersecurity researchers regarding identified vulnerabilities in their products so they can respond to potential threats in a timely way.

Author Bob Violino is a freelance writer who covers a variety of technology and business topics.

Any cybersecurity expert will tell you that it’s not a matter of if you will be hacked, but when. Healthcare organizations across the country are quickly learning the truth about that axiom.

According to the most recent IBM X-Force Cyber Security Intelligence Index, healthcare tops the list of most cyber-attacked industries. And, according to Rapid7’s threat report for the first quarter of 2018, healthcare beats out industries such as finance, retail and construction as the industry most targeted by hackers.

Already in the second quarter of this year, multiple hospitals have been affected by the SamSam ransomware. Then there is the Orangeworm attack group, which is targeting different facets of the healthcare industry worldwide.

According to HealthITSecurity.com, hackers are increasingly targeting the healthcare industry because of its distributed IT infrastructure (which utilizes a combination of legacy systems and medical devices), constantly available systems, and the amount of sensitive data so many organizations hold.

The average cost of a cyber attack is $5 million, according to the Ponemon Institute, and can be much higher for larger organizations. Erie County Medical Center in Buffalo, NY reported the total costs associated with just one ransomware attack last year added up to more than $10 million.

Healthcare Security Risks

While healthcare IT professionals have been focusing on protecting things like servers and networks, many are learning quickly that certain types of medical devices can also provide hackers a backdoor into systems.

Additionally, despite FDA guidance, hospitals are still struggling with protecting these vulnerable targets. And points of exposure might not always be fully apparent.

As Symantec notes about the Orangeworm threat, for instance, some of the tactics the perpetrators use to gain access to the software that runs equipment such as X-ray and MRI machines are fairly dated. Those efforts can still be effective because that equipment often runs on older operating systems.

So, theoretically, even a medical device with state-of-the-art security introduces risk if it is placed in an environment running legacy software and dated operating systems such as Windows XP.

While this may be disheartening to device manufacturers prioritizing security, they should still do what is necessary to protect their products against an attack, and assume the provider will follow safety protocols accordingly.

However, this could be considered a silo approach to cybersecurity, and the threats to medical devices really call for a strong eye on security throughout design, development and deployment.

Healthcare Information and Management Systems Society (HIMSS) is one example of an organization that wants to tear down those silos, calling for a holistic approach to cybersecurity. In its Cybersecurity Position Statement, HIMSS defines that approach:

“HIMSS calls on the healthcare community at-large to work together, and with cyber experts from other sectors, to achieve a future state in which all are prepared to defend against increasingly sophisticated and numerous cyber-attacks… Through cooperation and focused efforts, we can overcome policy, cultural and financial roadblocks, and other barriers that inhibit the development of cyber solutions that work.”

Building Cybersecurity into Product Development

Cybersecurity collaboration must be built into project frameworks that extend throughout the product’s lifecycle.

And speaking of framework, you should take some time to get familiar with the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, or as it is thankfully referred to more commonly — “the Framework.”

The Framework is part guide and part reference manual for outside resources that can provide more detail on strengthening security. One of the advantages the Framework offers is that it gets everyone speaking the same language, which is essential if the HIMSS holistic approach takes off.

And it’s not just nice to have everyone on the same page. If you plan on doing business with the government, you’re going to have to show you follow the Framework. Healthcare industry CIOs are very familiar with it, and they are beginning to require vendors to adhere to it. You can expect more will follow.

If this all seems overwhelming and you’re not sure where to begin incorporating it into your product plans, here’s the good news. The NIST Framework was a joint effort between government and industry. One of the industry players was Intel. Soon after the first Framework was delivered, Intel launched a pilot project to test the Framework’s use. They documented the entire project and published a document serving as a use case.

Adding Value Through Education

Medical device manufacturers that build a holistic approach to cybersecurity into their projects will have an advantage over companies that do not. While many hospitals are doing a better job, physician practices still need a lot of help.

According to a survey conducted by the AMA and Accenture, 83% of 1,300 physician practices surveyed already have experienced a cyber attack. While more than half of the physicians surveyed said they were very or extremely concerned about attacks, nowhere in the survey did they directly mention medical devices.

This omission could indicate a lack of understanding on the part of the survey creators, or perhaps it shows that doctors are unaware of the fact that devices — when connected through wireless networks and aging legacy systems — could be the source of a breach.

In any case, you can bet the threats to medical devices are only going to grow more sophisticated and numerous as time passes. Medical device companies that fail to act will gradually become larger targets for criminals. The faster security is prioritized throughout the development of medical devices, and the sooner everyone in the industry gets on the same page about security, the better chance we will have of staving off the threats of tomorrow.

Author Traci Browne is a freelance writer focusing on technology and products.