Cybersecurity of Medical System


1. Introduction

Increasing connectivity of medical devices to computer networks and the convergence of technologies has exposed vulnerable devices and software applications to incidents. The need to protect patient data from cyber-attack is now well understood. However, the potential impact on clinical care and patient safety is raising concerns for healthcare organizations, regulators and medical device manufacturers alike. Control of a medical device could also be compromised.

The FDA has issued several sets of guidance, demonstrating that medical device cybersecurity is a significant issue. Both the post-market management of cybersecurity in medical devices and the interoperable medical devices guidance contain specific guidance on cybersecurity. The FDA recommends manufacturers use the NIST (National Institute of Standards and Technology) Framework for Improving Critical Infrastructure Cybersecurity, which builds on earlier guidance for Industrial Control Systems. Both the pre-market guidance (October 2014) and the post-market guidance (December 2016) recommend manufacturers utilize the NIST Framework for Improving Critical Infrastructure Cybersecurity. This has core functions to guide an organization’s cybersecurity activities: Identify, Protect, Detect, Respond and Recover. The new NIST Cybersecurity Framework (CSF) (draft revision 1.1) places greater emphasis on managing supply chain risk.

EU regulation lags behind the US FDA recommendations. However, the Medical Devices Regulations (MDR) to be published in 2017 significantly enlarge the scope of applicable devices, and will define more stringent post-market surveillance, as will the draft Regulation on in vitro diagnostic medical devices. The draft plans have provisions for vigilance, market surveillance and reporting in respect of serious incidents and implementing safety corrective actions. Member states will be required to analyse and risk assess incidents, the adequacy of corrective actions, and any further corrective action that may be required. Member states will also monitor the manufacturer’s incident investigation. General safety and performance requirements prohibit the compromise of patient safety and include the application of safety principles: taking account of the state of the art and identifying known or foreseeable hazards and risks from intended and foreseeable misuse. Any remaining risks are to be reduced as far as possible by taking adequate protection measures.

Industrial Control Systems guidance is recommended. There are many similarities, which include the requirement to protect embedded computers used to monitor and control physical systems. Control system security goals focus on control system availability, equipment protection, operations (even in a degraded mode) and time-critical system response. The measures used to implement safeguards are equally applicable and are focused towards an operational technology environment (in this case medical devices and health networks) as opposed to traditional IT Information Assurance. IEC 62443-3-3 security controls are combined with others in IEC/TR 80001-2-8 for the risk management of IT networks which incorporate medical devices. The potential safety impacts of security measures are outlined to distinguish control systems, in that their application should not cause the loss of essential services and functions, including emergency procedures.

2. iMatrix Refactoring

2.1 Software System Refactoring

2.1.1 Design Goals

1) Deployment sites: Aliyun, Amazon or Private Cloud

2) System redundancy, no single point of failure

3) Load balancing, distributed and scalable, no failure due to congestion

4) Firewall: block all services that are not required to be open; monitor and defend against DDoS

5) Vulnerability scanning and regular system/patch updates

6) Secure and authenticated data transfer


7) Operation logs: server, app and device

8) BLE-related security;

9) Network monitoring;

10) PC Application?

11) Encryption of local data

12) Support online firmware update;

13) Information Sharing and Analysis Organizations (ISAOs)

14) Data backup system, and security of backup data;

2.1.2 System Design


Diagram 1: Secure and Authenticated Data Flow

Notes:

1)      Firewall

2)      Vulnerabilities scanning

3)      System/operation logs

4)      System patch and update regularly

5)      Data backup mechanism

6)      BLE security

Diagram 2: Aliyun Deployment

Notes:

1) CloudMonitor (云监控)

2) Cloud Shield (云盾)

Diagram 2: Amazon/Private Cloud Deployment

Task list For Server:

1)      Support OAuth;

2)      Apache + Tomcat with HTTPS one-way and two-way configuration

3) Nginx load balancing configuration

4)      Redis caching support;

5)      DTLS server;

6)      MySQL read/write splitting;

For App /PC client:

1)      Support HTTPS(Two-Way)

2)      Support OAuth;

3)      Encryption on local data;

For medical devices:

1)      Network protocol refactor and rework;

2)      Support online firmware update;

2.2 Organisation Cyber Security

Cyber Essentials:

1)      Secure your Internet connection

2)      Secure your devices and software

3)      Control access to your data and services

4)      Protect from viruses and other malware

5)      Keep your devices and software up to date

2.3 Quality System

The NIST cybersecurity framework is a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. Each Framework component reinforces the connection between business drivers and cybersecurity activities. These components are explained below:

1) The Framework Core consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond, Recover.

2) Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.

3) A Framework Profile (“Profile”) represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories.

The following steps illustrate how an organization could use the Framework to create a new cybersecurity program or improve an existing program. These steps should be repeated as necessary to continuously improve cybersecurity.

Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process. The Framework can be adapted to support the different business lines or processes within an organization, which may have different business needs and associated risk tolerance.

Step 2: Orient. Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then identifies threats to, and vulnerabilities of, those systems and assets.

Step 3: Create a Current Profile. The organization develops a Current Profile by indicating which Category and Subcategory outcomes from the Framework Core are currently being achieved.

Step 4: Conduct a Risk Assessment. This assessment could be guided by the organization’s overall risk management process or previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization. It is important that organizations seek to incorporate emerging risks and threat and vulnerability data to facilitate a robust understanding of the likelihood and impact of cybersecurity events.

Step 5: Create a Target Profile. The organization creates a Target Profile that focuses on the assessment of the Framework Categories and Subcategories describing the organization’s desired cybersecurity outcomes. Organizations also may develop their own additional Categories and Subcategories to account for unique organizational risks. The organization may also consider influences and requirements of external stakeholders such as sector entities, customers, and business partners when creating a Target Profile.

Step 6: Determine, Analyze, and Prioritize Gaps. The organization compares the Current Profile and the Target Profile to determine gaps. Next it creates a prioritized action plan to address those gaps that draws upon mission drivers, a cost/benefit analysis, and understanding of risk to achieve the outcomes in the Target Profile. The organization then determines resources necessary to address the gaps. Using Profiles in this manner enables the organization to make informed decisions about cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements.

Step 7: Implement Action Plan. The organization determines which actions to take in regards to the gaps, if any, identified in the previous step. It then monitors its current cybersecurity practices against the Target Profile. For further guidance, the Framework identifies example Informative References regarding the Categories and Subcategories, but organizations should determine which standards, guidelines, and practices, including those that are sector specific, work best for their needs.
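Steps 3 to 7 above are a comparison of two profiles followed by a prioritized plan, which is easy to make concrete. The following Python script is an added example, not part of the original article or of the NIST Framework itself: it represents a small subset of Framework Core subcategories (real CSF v1.1 identifiers, mapped to the design goals in 2.1.1), a Current Profile and a Target Profile scored on a constructed 0 to 3 scale, and constructed impact and cost values from a hypothetical risk assessment. It computes the gaps of Step 6, orders them by a simple size × impact / cost priority, and derives a greedy action plan for Step 7 within a cost budget. The scale, the scoring formula and all sample values are assumptions.

```python
"""NIST CSF profile gap analysis (added example; sample data is constructed)."""
from dataclasses import dataclass

# Outcome achievement scale used here (constructed; the CSF prescribes no numbers):
# 0 = not achieved, 1 = partial, 2 = largely achieved, 3 = fully achieved.


@dataclass(frozen=True)
class Subcategory:
    id: str          # CSF subcategory identifier, e.g. "PR.DS-2"
    function: str    # Identify / Protect / Detect / Respond / Recover
    outcome: str     # outcome text (abridged)


@dataclass(frozen=True)
class Gap:
    sub: Subcategory
    current: int     # Current Profile score (Step 3)
    target: int      # Target Profile score (Step 5)
    impact: int      # 1..5, consequence of leaving the gap open (Step 4 output)
    cost: int        # 1..5, relative effort to close the gap

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> float:
        # Larger gaps with high impact and low cost come first.
        return self.size * self.impact / self.cost


def find_gaps(core, current, target, impact, cost):
    """Step 6: compare Current and Target Profiles; return gaps by priority."""
    gaps = [
        Gap(s, current.get(s.id, 0), target.get(s.id, 0), impact[s.id], cost[s.id])
        for s in core
        if target.get(s.id, 0) > current.get(s.id, 0)
    ]
    # sorted() is stable, so equal priorities keep Framework Core order.
    return sorted(gaps, key=lambda g: g.priority, reverse=True)


def plan_within_budget(gaps, budget):
    """Step 7 input: take gaps in priority order while cumulative cost fits the budget."""
    plan, spent = [], 0
    for g in gaps:
        if spent + g.cost <= budget:
            plan.append(g.sub.id)
            spent += g.cost
    return plan


# Constructed Framework Core subset, tied to the 2.1.1 design goals.
CORE = [
    Subcategory("ID.AM-1", "Identify", "Physical devices and systems are inventoried"),
    Subcategory("PR.AC-1", "Protect", "Identities and credentials are managed (OAuth)"),
    Subcategory("PR.DS-2", "Protect", "Data in transit is protected (HTTPS, DTLS)"),
    Subcategory("PR.IP-4", "Protect", "Backups are conducted, maintained and tested"),
    Subcategory("DE.CM-1", "Detect", "The network is monitored to detect events"),
    Subcategory("RS.AN-1", "Respond", "Notifications from detection systems are investigated"),
]
# Constructed profile scores and risk-assessment inputs.
CURRENT = {"ID.AM-1": 2, "PR.AC-1": 1, "PR.DS-2": 3, "PR.IP-4": 1, "DE.CM-1": 0, "RS.AN-1": 1}
TARGET = {"ID.AM-1": 3, "PR.AC-1": 3, "PR.DS-2": 3, "PR.IP-4": 3, "DE.CM-1": 2, "RS.AN-1": 2}
IMPACT = {"ID.AM-1": 3, "PR.AC-1": 5, "PR.DS-2": 5, "PR.IP-4": 4, "DE.CM-1": 4, "RS.AN-1": 3}
COST = {"ID.AM-1": 2, "PR.AC-1": 3, "PR.DS-2": 2, "PR.IP-4": 2, "DE.CM-1": 4, "RS.AN-1": 2}

if __name__ == "__main__":
    gaps = find_gaps(CORE, CURRENT, TARGET, IMPACT, COST)
    for g in gaps:
        print(f"{g.sub.id:8} {g.sub.function:8} gap={g.size} priority={g.priority:.2f}")
    print("plan within cost budget 7:", plan_within_budget(gaps, 7))
```

With the sample data, PR.DS-2 (data in transit) produces no gap because the HTTPS/DTLS work already meets the target, while backups and credential management rank highest; the budget-limited plan then skips the expensive network-monitoring gap in favour of cheaper ones, which is the cost/benefit trade-off Step 6 describes.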

Roles and responsibilities:

1) Quality Manager: define and update the risk management policy; monitor and control the conduct of risk management;

2) Project Manager: lead the risk management process; coordinate with external participation;

3)       Operation& Maintenance Engineer

4)       Developers& test engineers:

White_Paper___Cybersecurity_of_medical_devices

https://www.bsigroup.com/LocalFiles/EN-AU/ISO%2013485%20Medical%20Devices/Whitepapers/White_Paper___Cybersecurity_of_medical_devices.pdf

More to do…

2.4 Cybersecurity for Healthcare Delivery Organizations(HDO) (Informative)

2.4.1 Introduction

In December 2005 Brian Fitzgerald (FDA) convened a meeting with expert representatives from medical device manufacturers, healthcare providers (clinical engineering) and other relevant parties to discuss the problem (i.e., how to deal with the increasing number of systems with new vulnerabilities). US and international experts (including medical device manufacturers, government and regulatory authorities, and clinical and information technology specialists from the healthcare provider community) met regularly over the next 4 years to develop a practical, high-level guideline that could be adopted by healthcare delivery organizations and that would be scalable to any size of organization. In the summer of 2010, the final draft of ISO/IEC 80001-1 was formally approved by ISO/IEC and the final document was released in October 2010. The ISO/IEC 80001-1 standard focuses on how to manage risks associated with:

1) safety … preventing physical injury or damage to people, property or the environment;

2) effectiveness … ensuring the intended result is produced;

3) data and system security … ensuring that information “assets” (i.e., data and systems) are reasonably protected from compromises to confidentiality, integrity and availability.

The standard also defines roles and responsibilities and defines key activities.

2.4.2 Roles and responsibilities:

1) Responsible Organization

Healthcare delivery organization (e.g., provider)

Owner of the risk management process for the medical IT network … a process spanning:

a) Planning

b) Design

c) Installation

d) Device connection

e) Configuration

f) Use/operation

g) Maintenance

h) Device decommissioning

2) Responsible Organization’s Top Management

Establish policies for:

a) Risk management process

b) Determining acceptable risk (considering relevant standards and regulations)

c) Balancing the 3 key properties with the mission of the organization

Ensure provision of adequate resources:

d) Assignment of adequate personnel, including assignment of a medical IT network risk manager (may be staff or contractor)

e) Enforcement of responsibility agreements

Review results of risk management activities to ensure continuing suitability and effectiveness of the RM process

3) Medical IT network risk manager (a clinical systems engineer), responsible for:

a) Design, maintenance and performance of the risk management process

b) Reporting on the risk management process to Top Management

c) Managing communication between internal and external participants in risk management:

Medical device manufacturers

IT suppliers of equipment, software and services

Clinical users

Technical departments responsible for medical device support

4) Medical device manufacturers

Provide responsible organizations with documents which give:

a) the intended use of the medical device and its connection to the IT network

b) the instructions necessary for the safe and effective use of the medical equipment

c) the required characteristics, technical specification and configuration of the IT networks on which the medical device is to be incorporated

d) the intended information flow between the medical device and the network

Provide responsible organizations with information from the manufacturer’s risk management file that:

a) is necessary for that responsible organization to perform the risk management process

b) describes any residual risk that needs to be managed by the responsible organization

2.4.3 Major Activities defined in 80001

Establish Risk Management Policy

Establish/maintain a Risk Management File

Define assets

Document medical IT networks

Establish Responsibility Agreements

Establish a Risk Management Plan for each network

Conduct Risk Management

 

NHS data and cybersecurity guidance and example policies, and the CareCERT information sharing portal:

https://digital.nhs.uk/cyber-security

 

 

 

3. Implementation

3.1 Phase 1 Completion Status

The technical refactoring driven by information-security hardening has completed the first phase of improvements, which consists of the following work:

1) Web access uses the HTTPS secure protocol; static and dynamic resources are separated;

2) App communication uses mutual certificate verification and an encrypted transport protocol;

3) Device-to-server communication uses DTLS-PSK mutual authentication and an encrypted transport protocol;

 

With the above improvements, all network communication now goes over encrypted channels and the client side is authenticated. Points 1 and 2 carry no technical risk; point 3 I have been testing for some time, and the currently known limitation is that network transfer performance is much worse than before, which still needs to be reviewed together with the software team. I suggest that after the new year this version be run as a separate release for internal testing, verification and fixing for a period, and only be rolled out to the production environment once it is confirmed feasible.

 

Next, a second phase of technical refactoring is still required, including:

1) Complete support for distributed deployment;

2) OAuth authentication support;

3) Cache improvements and database optimization (read/write splitting, table sharding or partitioning)

4) Strengthen logging and issue-tracking mechanisms

5) Operational safeguards: personnel, technology and processes all need to be strengthened;

3.2 Project Code and Configuration

3.2.1 Tomcat

1) Added DTLS server support

Code path: https://192.168.1.201/svn/E.研发中心/11.Autumn-B/SRC/iMatrix_Server_DTLS

Californium includes a DTLS implementation; on top of the original code a Navigate feature was added, used for load balancing across multiple servers.

DTLS certificate generation commands:

# Export a private key in PEM form. keytool cannot write private keys directly,
# so convert the JKS to PKCS12 first, then extract the key with openssl.
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem

keytool -importkeystore -srckeystore keyStore.jks -srcstorepass endPass -destkeystore keyStore.p12 -deststoretype PKCS12 -deststorepass endPass

openssl pkcs12 -in keyStore.p12 -nodes -nocerts -out key.pem

# Export the root certificate from the trust store in PEM form
keytool -exportcert -alias root -keystore trustStore.jks -file root.pem -rfc

# Generate EC key pairs for the server and the client in keyStore.jks
keytool -genkeypair -alias server -keyalg EC -dname 'C=CA,L=Ottawa,O=Eclipse IoT,OU=Californium,CN=cf-server' -validity 365 -keypass endPass -keystore keyStore.jks -storepass endPass

keytool -genkeypair -alias client -keyalg EC -dname 'C=CA,L=Ottawa,O=Eclipse IoT,OU=Californium,CN=cf-client' -validity 365 -keypass endPass -keystore keyStore.jks -storepass endPass

# Import the issued certificates into the key store and their root certificates into the trust store
keytool -alias server -importcert -keystore keyStore.jks -storepass endPass -trustcacerts -file server_cert.pem

keytool -alias client -importcert -keystore keyStore.jks -storepass endPass -trustcacerts -file client_cert.pem

keytool -alias serverroot -importcert -keystore trustStore.jks -storepass rootPass -trustcacerts -file root_server_cert.pem

keytool -alias clientroot -importcert -keystore trustStore.jks -storepass rootPass -trustcacerts -file root_client_cert.pem

keytool -list -v -keystore ./trustStore.jks

# password: endPass

# Alternatively, build the key store from existing PEM certificate/key pairs via PKCS12
openssl pkcs12 -export -in server_cert.pem -inkey server_privkey.pem -name server -out keyStore1.p12

keytool -importkeystore -deststorepass endPass -destkeystore keyStore.jks -srckeystore keyStore1.p12 -srcstoretype PKCS12

openssl pkcs12 -export -in client_cert.pem -inkey client_privkey.pem -name client -out keyStore2.p12

keytool -importkeystore -deststorepass endPass -destkeystore keyStore.jks -srckeystore keyStore2.p12 -srcstoretype PKCS12

keytool -list -v -keystore ./keyStore.jks

2) BasePath changes

3) Configuration changes under WEBROOT/admin/config, corresponding to the Nginx static-resource support.

3.2.2 Nginx

Configuration files: tomcat-basic.conf and tomcat-twoway.conf in the /etc/nginx/conf.d directory

1) tomcat-basic.conf, port 443, used for the web service; implements one-way TLS verification. File contents:

proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream tomcat {
    # Use IP hash for session persistence
    ip_hash;
    # List of Tomcat application servers (multi-server load balancing)
    server 10.6.1.25:8080;
    #server 10.6.1.26:8080;
}

server {
    listen 80; # HTTP port, redirected to HTTPS port 443
    server_name local3.resvent.com;
    # Redirect all HTTP requests to HTTPS
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2; # SSL port 443, the default port
    server_name resvent.com;
    # Certificate; only the server certificate is verified. Obtained from Let’s Encrypt, valid for three months.
    ssl_certificate /etc/letsencrypt/live/local2.resvent.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/local2.resvent.com/privkey.pem; # managed by Certbot
    ssl_session_cache   shared:SSL:1m;
    ssl_prefer_server_ciphers on;

    # Static resources are served by Nginx directly.
    # Create a resvent directory under /var/www/html with the following contents
    # (chartImg and pic are the two original Tomcat resources; the rest were moved from WEBROOT):
    # 404.jsp  chartImg  favicon.ico  pic  plugins  static  uploadFiles  userinfo
    location ~ \.(gif|jpg|jpeg|png|bmp|swf|css|js|woff|ttf|pdf)$ {
        root    /var/www/html;
    }
    # Load balance requests for /tomcat-app/ across Tomcat application servers
    location /resvent/ {
        proxy_pass http://tomcat;
        proxy_cache backcache;
    }
    # Return a temporary redirect to the /tomcat-app/ directory
    # when user requests '/'
    location = / {
        return 302 /resvent/;
    }
    # WebSocket configuration
    location /wstunnel/ {
        proxy_pass https://tomcat;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

2) tomcat-twoway.conf, port 444, used for the app's API; implements two-way (mutual) TLS verification. File contents:

proxy_cache_path /tmp/NGINX_cache_twoway/ keys_zone=backcache_twoway:10m;

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream tomcat_twoway {
    # Use IP hash for session persistence
    ip_hash;
    # List of Tomcat application servers (multi-server load balancing)
    server 10.6.1.25:8080;
    #server 10.6.1.26:8080;
}

server {
    listen 81; # HTTP port, redirected to HTTPS port 444
    server_name local3.resvent.com;
    # Redirect all HTTP requests to HTTPS
    location / {
        return 301 https://$server_name:444$request_uri;
    }
}

server {
    listen 444 ssl http2; # SSL port 444
    server_name resvent.com;
    # Certificates, covering both the server and the client certificate
    ssl_certificate    /etc/nginx/ssl/resvent.com.pem;
    ssl_certificate_key /etc/nginx/ssl/resvent.com.key;
    ssl_client_certificate /etc/nginx/ssl/self-cert.pem;
    ssl_verify_client on;
    ssl_session_cache   shared:SSL:1m;
    ssl_prefer_server_ciphers on;

    # Static resources are served by Nginx directly
    location ~ \.(gif|jpg|jpeg|png|bmp|swf|css|js|woff|ttf|pdf)$ {
        root    /var/www/html;
    }
    # Load balance requests for /tomcat-app/ across Tomcat application servers
    location /resvent/ {
        proxy_pass http://tomcat_twoway;
        proxy_cache backcache_twoway;
    }
    # Return a temporary redirect to the /tomcat-app/ directory
    # when user requests '/'
    location = / {
        return 302 /resvent/;
    }
    # WebSocket configuration
    location /wstunnel/ {
        proxy_pass https://tomcat_twoway;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
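The two configurations above differ only in whether the client certificate is required (ssl_verify_client) and whether plain HTTP is redirected to 443 or 444. A reviewer checking such files wants those properties verified mechanically rather than by eye. The following Python script is an added example, not part of the original article or of the project's code: it parses nginx server blocks with a small tokenizer and audits each one for an HTTP-to-HTTPS redirect, pinned ssl_protocols, server cipher preference, complete client-certificate verification on the ports that are meant to be mutual TLS, and proxy_cache without a proxy_cache_key on a client-authenticated server (nginx's default cache key is built from the request URI, not the client identity). The sample configuration is constructed: a trimmed version of tomcat-twoway.conf plus a deliberately weak third server on port 445 under the hypothetical name weak.example; the list of checks and the 444/445 port assumptions are the example's own.

```python
"""Audit nginx server blocks for the TLS properties the two configs above rely on.
Added example; the configuration text below is constructed sample input."""
import re

# Tokens: double-quoted string, single-quoted string, structural char, or a bare word.
TOKEN = re.compile(r"\"[^\"]*\"|'[^']*'|[{};]|[^\s{};]+")


def parse_nginx(text):
    """Return a list of (directive, args, children) triples; children is None for
    simple directives and a nested list for blocks. Comments are dropped."""
    tokens = TOKEN.findall(re.sub(r"#[^\n]*", "", text))
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens):
            if tokens[pos] == "}":
                pos += 1
                return items
            args = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";", "}"):
                args.append(tokens[pos])
                pos += 1
            if pos >= len(tokens):
                break
            term = tokens[pos]
            if term == "}":
                continue            # dangling words before '}' are ignored
            pos += 1
            if not args:
                continue            # stray ';'
            items.append((args[0], args[1:], block() if term == "{" else None))
        return items

    return block()


def audit(text, mutual_tls_ports=(444,)):
    """Return (port, code, message) findings for every server block in text."""
    findings = []
    for name, _args, body in parse_nginx(text):
        if name != "server" or body is None:
            continue
        simple = {n: a for n, a, c in body if c is None}   # last occurrence wins
        listens = [a for n, a, c in body if n == "listen" and a]
        port = int(listens[0][0].rsplit(":", 1)[-1]) if listens else 0
        if not any("ssl" in a for a in listens):
            # Plain-HTTP listener: its "location /" must 301 to https://
            roots = [c for n, a, c in body if n == "location" and a == ["/"] and c]
            redirected = any(
                n == "return" and len(a) >= 2 and a[0] == "301" and a[1].startswith("https://")
                for loc in roots for n, a, c in loc)
            if not redirected:
                findings.append((port, "no-https-redirect",
                                 "plain-HTTP server does not 301 / to https://"))
            continue
        for req in ("ssl_certificate", "ssl_certificate_key"):
            if req not in simple:
                findings.append((port, "missing-" + req, req + " not set"))
        if "ssl_protocols" not in simple:
            findings.append((port, "no-ssl-protocols",
                             "ssl_protocols not pinned; the nginx build default applies"))
        if simple.get("ssl_prefer_server_ciphers") != ["on"]:
            findings.append((port, "prefer-server-ciphers",
                             "ssl_prefer_server_ciphers is not on"))
        if port in mutual_tls_ports:
            if simple.get("ssl_verify_client") != ["on"] or "ssl_client_certificate" not in simple:
                findings.append((port, "client-auth-incomplete",
                                 "mutual TLS expected: needs ssl_verify_client on and ssl_client_certificate"))
            for n, a, c in body:
                if n == "location" and c:
                    inner = {cn: ca for cn, ca, cc in c if cc is None}
                    if "proxy_cache" in inner and "proxy_cache_key" not in inner:
                        findings.append((port, "cache-on-authenticated",
                                         f"location {' '.join(a)}: proxy_cache without a "
                                         "client-specific proxy_cache_key on a client-authenticated server"))
    return findings


# Constructed sample: trimmed tomcat-twoway.conf plus a deliberately weak server.
SAMPLE_CONF = """
upstream tomcat_twoway { ip_hash; server 10.6.1.25:8080; }
server {
    listen 81;
    server_name local3.resvent.com;
    location / { return 301 https://$server_name:444$request_uri; }
}
server {
    listen 444 ssl http2;
    server_name resvent.com;
    ssl_certificate     /etc/nginx/ssl/resvent.com.pem;
    ssl_certificate_key /etc/nginx/ssl/resvent.com.key;
    ssl_client_certificate /etc/nginx/ssl/self-cert.pem;
    ssl_verify_client on;
    ssl_prefer_server_ciphers on;
    location /resvent/ { proxy_pass http://tomcat_twoway; proxy_cache backcache_twoway; }
}
server {
    listen 445 ssl;   # hypothetical weak server, not from the article
    server_name weak.example;
    ssl_certificate     /etc/nginx/ssl/weak.pem;
    ssl_certificate_key /etc/nginx/ssl/weak.key;
    ssl_verify_client optional;
}
"""

if __name__ == "__main__":
    for port, code, msg in audit(SAMPLE_CONF, mutual_tls_ports=(444, 445)):
        print(f"port {port}: [{code}] {msg}")
```

Run against the sample, the port-444 block (the article's own settings) is flagged only for the unpinned ssl_protocols and for caching on an authenticated path, while the hypothetical port-445 block additionally fails the client-verification check; the port-81 redirect passes.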

3) Self-signed certificate generation, used for the nginx port 444 certificate and the client certificate

# CA private key (DES3-encrypted) and self-signed CA certificate
openssl genrsa -des3 -out /home/rock/cert/private-key.pem 2048

openssl req -new -x509 -key /home/rock/cert/private-key.pem -out /home/rock/cert/self-cert.pem -days 10950

# Server key, CSR and CA-signed server certificate
openssl genrsa -out /home/rock/cert/resvent.com.key 2048

openssl req -new -sha256 -key /home/rock/cert/resvent.com.key -out /home/rock/cert/resvent.com.csr

openssl x509 -req -in /home/rock/cert/resvent.com.csr -out /home/rock/cert/resvent.com.pem -signkey /home/rock/cert/resvent.com.key -CA /home/rock/cert/self-cert.pem -CAkey /home/rock/cert/private-key.pem -CAcreateserial -days 3650

# Client key, CSR and CA-signed client certificate
openssl genrsa -out /home/rock/cert/client.key 2048

openssl req -new -sha256 -key /home/rock/cert/client.key -out /home/rock/cert/client.csr

openssl x509 -req -in /home/rock/cert/client.csr -out /home/rock/cert/client.pem -signkey /home/rock/cert/client.key -CA /home/rock/cert/self-cert.pem -CAkey /home/rock/cert/private-key.pem -CAcreateserial -days 3650

resventclient

openssl pkcs12 -export -in client.pem -inkey client.key -name client -out keyStore1.p12

openssl pkcs12 -export -in resvent.com.pem -inkey resvent.com.key -name server -out server.p12

openssl x509 -in self-cert.pem -outform der -out server.cer

openssl x509 -in resvent.com.pem -outform der -out server.cer

openssl x509 -in client.pem -outform der -out client.cer

4) Certificate from a trusted root CA, used for web access; obtained from Let’s Encrypt:

https://certbot.eff.org/#ubuntutzesty-nginx

3.2.3 App

1) Android App

https://192.168.1.201/svn/E.研发中心/11.Autumn-B/SRC/iMatrix_Android_TWOWAYSSL

The BKS file is generated with the Portecle tool by importing the certificate from server.p12. (All passwords are resvent.)

2) iOS App

https://192.168.1.201/svn/E.研发中心/11.Autumn-B/SRC/iMatrix_iOS_TWOWAYSSL

AFNetworking was upgraded and entries were added to Info.plist.

3.2.4 Ventilator

Code directory: NetTest-DTLSPSK. It uses DTLS-PSK encryption, which is relatively lightweight. Other modes can be supported (NetTest-DTLSECC) but they run slowly.

1) Import mbedTLS in “Manage Run-Time Environment”:

Modifications were made on top of the library source code.

Configuration file: Projects\Keil\RTE\Security\mbedTLS_config.h

Added Source\Core\Rtos\Mmu\heap_iram1.c for the dynamic memory the mbedTLS library needs; 10 KB is allocated.

2) The new TLS code is mainly in Source\Business\IOT\. A TLSThread was added in Main.

3) The COAP and MQTT directories are not used for now. The NetTest-MQTT directory holds the MQTT support code, based on TCP.

4) The flow in NetServ was adjusted: a HANDSHAKE step was added to set up the DTLS encrypted channel with the server.

5) Added Source\Business\Data\ringbuffer.*, used as the receive buffer for network data.

A known issue is that data synchronization efficiency is much lower than with the unencrypted approach.

 

3.3 References

1) Nginx + Tomcat static/dynamic resource separation:

http://blog.csdn.net/alli0968/article/details/47950481

https://www.nginx.com/resources/deployment-guides/load-balance-apache-tomcat/#about-nginx

https://www.cnblogs.com/UnGeek/p/6049004.html

2) Nginx UDP/TCP load balancing

http://blog.csdn.net/john_f_lau/article/details/50961914

http://blog.csdn.net/jzbis/article/details/53118216

3) Introduction to DTLS

http://blog.csdn.net/pengkunlun_hit/article/details/52177227

4) Let’s Encrypt free SSL certificates

https://letsencrypt.org/getting-started/

https://my.oschina.net/chaon/blog/717902

5) Self-signed certificate generation and one-way/two-way verification

http://blog.csdn.net/gx_1983/article/details/47866537

6) Principles of HTTPS one-way and two-way authentication

http://blog.csdn.net/duanbokan/article/details/50847612

 


Reposted from blog.csdn.net/it_monkey_ali/article/details/79510335