“I AM THE CAVALRY” PROPOSES HIPPOCRATIC OATH FOR CONNECTED MEDICAL DEVICES

Security Research Movement Identifies Principles to Preserve Patient Safety and Build Trust in the Healthcare System.  

Washington, DC – January 19th, 2016 – I Am The Cavalry, a cybersecurity volunteer association focused on public safety concerns, today issues an open letter to leaders of the healthcare stakeholder communities, calling for the adoption of a Hippocratic Oath for Connected Medical Devices. The Oath identifies measures to preserve patient safety and trust in the healthcare system as a response to the increasing reliance placed on connected devices in the healthcare sector.

“Connected technologies provide life-saving therapies that would not be achieved without them. We want to head off unintended consequences by guiding manufacturers to build devices that are resilient against the accidents and adversaries of a connected environment,” said Beau Woods of I Am The Cavalry. “We’ve seen a lot of progress in the last two years, as stakeholders have started to proactively collaborate to advance cyber safety. We applaud those efforts and encourage others to ensure we are safer, sooner, together.”

Complex, software-driven, connected technologies are increasingly being used in every facet of modern healthcare. These technologies can offer considerable benefits to both patients and healthcare practitioners; however, these systems are also inherently likely to be vulnerable to flaws, and their connectivity opens them up to potential manipulation.  This can have catastrophic consequences, not only in terms of patient safety, but also in undermining the trust placed in healthcare systems.

In response to this, I Am The Cavalry has updated the language of the Hippocratic Oath for modern healthcare delivered by connected medical devices.  The original Hippocratic Oath, created in the late Fifth Century BC, is made by physicians as an attestation that they will provide care in the best interest of patients. As connected technologies are increasingly the instruments of delivering this care, it stands to reason that the design, development, production, deployment, use, and maintenance of medical devices should follow the symbolic spirit of the Hippocratic Oath.

Patients, caregivers, and other stakeholders have the right to make informed decisions about treatment options.  When patients deny themselves the best care available out of cyber safety fears, no one’s interests are served.  So to give them greater confidence in the safety of technologies, I Am The Cavalry is proposing that those involved in the chain of care – from device design to treatment – publish an attestation of a commitment to the best possible methods for device development and deployment, ensuring that patients are not put at unnecessary risk.

The Hippocratic Oath for Connected Medical Devices offers five core cybersecurity capabilities:

  1. Cyber Safety by Design: Inform design with security lifecycle, adversarial resilience, and secure supply chain practices.
  2. Third-Party Collaboration: Invite disclosure of potential safety or security issues, reported in good faith.
  3. Evidence Capture: Facilitate evidence capture, preservation, and analysis to learn from safety investigations.
  4. Resilience and Containment: Safeguard critical elements of care delivery in adverse conditions, and maintain a safe state with clear indicators when failure is unavoidable.
  5. Cyber Safety Updates: Support prompt, agile, and secure updates.

“In 2015 we announced a coordinated vulnerability disclosure policy, inviting researchers to contribute to our patients’ safety,” said Hannes Molsen, Product Security Manager of Dräger, a Germany-based medical device manufacturer. “The Hippocratic Oath for Connected Medical Devices perfectly summarizes the challenges manufacturers, healthcare organizations and security researchers face during the development, the deployment, and the maintenance of connected devices throughout their entire lifecycle. It is great to have a document at hand that focuses precisely on medical devices, so every single point matters. For our patients’ safety this is a great step to bring the community together, to establish referable norms for cyber safety, to become safer, sooner.”

“Patients, in consultation with their physicians, make the best judgement for their individual case,” said Dr. Marie Moe, security researcher at SINTEF, pacemaker patient, and I Am The Cavalry volunteer. “They should each be asking questions about the capabilities outlined in the Hippocratic Oath for Connected Medical Devices to make sure their decisions are fully informed.”

“As we seek to treat existing pathologies, we should not inadvertently create new ones,” said Dr. Christian Dameff, M.D. “A Hippocratic oath extends physicians’ commitment to patient safety to others in the chain of care delivery.”

The Open Letter and detail of the Hippocratic Oath for Connected Medical Devices are included in full below. The Oath builds on work also conducted to promote greater collaboration in the medical device sector, which includes participating in panel discussions at the upcoming FDA Public Workshop – Moving Forward: Collaborative Approaches to Medical Device Cybersecurity, on January 20-21. The Oath is also aligned to the approach I Am The Cavalry has taken in other cyber safety sectors, such as the automotive sector, where the group proposed a “Five Star Automotive Cyber Safety Program” and has been working with automakers to drive adoption of these and other security practices.

For more information on the Hippocratic Oath for Connected Medical Devices, or any other I Am The Cavalry initiative, please contact press@iamthecavalry.org.

***

About I Am The Cavalry

The I Am The Cavalry movement was formed in response to concerns over the impact of cybersecurity threats on public safety.  Its efforts are focused on cybersecurity issues relating to four main areas of public safety: medical, automotive, home electronics, and public infrastructure. All members are volunteers, and offer their time and expertise free of charge.

For more information, please visit: https://www.iamthecavalry.org/.

Safer. Sooner. Together.

***

“I AM THE CAVALRY” CALLS FOR COLLABORATION WITH AUTOMOTIVE INDUSTRY TO IMPROVE PUBLIC SAFETY

Security Research Movement Issues Letter Outlining Five Star Automotive Cyber Safety Program

DEF CON 22, Las Vegas, NV – August 8th – I Am The Cavalry, a cybersecurity volunteer association focused on public safety concerns, today issued a letter to leaders in the automotive industry, calling for the adoption of five key capabilities that create a baseline for safety relating to the computer systems in cars.

The letter, addressed to CEOs in the automotive industry, calls for safety to be built into the adoption and design of computer systems in vehicles.  Increasing reliance on computer systems and internet connectivity in cars is opening up a whole new area of consumer risk, much of which is still being investigated and understood.  I Am The Cavalry wants to help address this and protect people by collaborating with leaders in the automotive industry.  To start this process, they have identified five key capabilities that represent a foundation for building better cyber safety in cars:

  • Safety by Design – developing automotive computer systems with security in mind.
  • Third-Party Collaboration – publishing a clear vulnerability disclosure response policy that works with security researchers.
  • Evidence Capture – logging information that may assist with an investigation should one be necessary.
  • Security Updates – providing a mechanism for consumers to receive updates to computer systems quickly and easily as issues are found and fixed.
  • Segmentation and Isolation – ensuring that issues in non-critical systems do not impact the performance of critical systems.

“Modern cars are computers on wheels and are increasingly connected and controlled by software. Unlike your home computer, the consequences of compromise are far more severe,” said Joshua Corman, co-founder of I Am The Cavalry. “Dependence on technology in vehicles has grown faster than effective means to secure it. We’re just at the start of understanding the implications for public safety. The combined expertise of the automotive industry and the cyber security research community can rise to meet the challenge. This framework can be the foundation of that collaboration.”

“I think the proposed framework clearly states important principles and intent in a plain, sensible and workable way,” said Tony Sager, Chief Technologist for The Council on Cyber Security. “It puts information sharing between vendors and researchers into a constructive framework and establishes a shared goal of continuous safety improvement.”

The letter has also been published as a petition with a request for members of the public to show their support for car safety: https://www.change.org/petitions/automotive-industry-we-request-that-you-unite-with-us-in-a-joint-commitment-to-safety-between-the-automotive-and-cyber-security-industries

In addition, I Am The Cavalry co-founders Joshua Corman and Nicholas J. Percoco will be discussing the letter during the security research convention, DEF CON:

  • Press conference: 4:00pm, Friday, August 8th in the press room
  • Presentation: “The Cavalry Year[0] & a Path Forward for Public Safety” – 10:00am, Saturday, August 9th, Penn & Teller room

The letter is included in full below:

An Open Letter to the Automotive Industry: Collaborating for Safety 

Dear Automotive CEOs,

We request that you unite with us in a joint commitment to safety between the automotive and cyber security industries.

A hallmark of the automotive industry is extraordinary innovation in the face of market needs. 50 years ago, basic automotive safety features were an afterthought. Since then, the auto industry has steadily driven advances in safety features, safety engineering, and supply chain management in ways that software and cyber security disciplines must emulate.

Now the automotive industry faces a new challenge. Modern vehicles are computers on wheels and are increasingly connected and controlled by software and embedded devices. These new technologies enable innovations designed to increase vehicle safety and bring other positive features. Vehicle-to-vehicle communication, driverless cars, automated traffic flow, and remote control functions are just a few of the evolutions under active development.

New technology introduces new classes of accidents and adversaries that must be anticipated and addressed proactively. Malicious attackers, software flaws, and privacy concerns are the potential unintended consequences of computer technologies driving this latest round of innovation. The once distinct worlds of automobiles and cyber security have collided. In kind, now is the time for the automotive industry and the security community to connect and collaborate toward our common goals.

When the technology we depend on affects public safety and human life, it commands our utmost attention and diligence. Our cars command this level of care. Each and every day, we entrust our lives and the lives of those we love to our automobiles.

The goal of our outreach effort here is to catalyze greater teamwork between security researchers and the automotive industry. Our combined expertise is required to ensure that the safety issues introduced by computer technologies are treated with the same diligence as other classes of automotive safety issues.

Will you join us in this endeavor?

We propose five critical capabilities to lay a foundation for safety, both for collaboration and for increasing consumer confidence. This content was developed jointly with leading cyber security researchers and others working in and around the automotive industry. We crafted these capabilities to be objectively defined, lasting, and to allow for adaptation and innovation within each function.

We urge the automotive industry to adopt, develop, enhance, and attest to these capabilities. Just as they consider other safety features, concerned consumers will be better enabled to make purchasing decisions based on your attestations against these five areas. We will help you navigate this road to build greater protections for your customers and set a new standard for safety.

Five Star Automotive Cyber Safety Program

Further details and explanations can be found at https://www.iamthecavalry.org/auto/5star

1. Safety by Design

VALUE: We take public safety seriously in our design, development, and testing.

PROOF: As such, we have published an attestation of our secure software development lifecycle, summarizing our design, development, and adversarial resilience testing programs for our products and our supply chain.

2. Third-Party Collaboration

VALUE: We recognize that our programs will not find all flaws.

PROOF: As such, we have a published coordinated disclosure policy inviting the assistance of third-party researchers acting in good faith.

3. Evidence Capture

VALUE: We want to learn from failures and enable continuous improvement.

PROOF: As such, our systems provide tamper evident, forensically sound logging and evidence capture to facilitate safety investigations.

4. Security Updates

VALUE: We recognize the need to address newly discovered safety issues.

PROOF: As such, our systems can be securely updated in a prompt and agile manner.

5. Segmentation & Isolation

VALUE: We believe a compromise of non-critical systems (like entertainment) should never adversely affect critical/physical systems (like braking).

PROOF: As such, we have published an attestation of the physical/logical isolation and layered defense measures we have implemented.

We are eager to start working with you within the next 90 days and to begin promoting your current and future capabilities to the public. These attestations establish a foundation and serve to catalyze an ongoing collaboration to better prepare us for the next 50 years and beyond. Given our research and experience to date, we are encouraged to see some early investments toward these capabilities. While capabilities like evidence logging will take time to bring to market, valuable policy and capability attestations can begin now. On this journey, the challenges will be many and they will be significant, but together and through collaboration we can rise to meet them. Let’s start now.

Respectfully,

“I am The Cavalry”, members of the security research community, & concerned citizens

Signatures and instructions for signing can be found at https://www.iamthecavalry.org/auto/5star

Signatures are solely the opinion of the individual.

I am The Cavalry – https://www.iamthecavalry.org – @iamthecavalry – autosafety@iamthecavalry.org

To ensure technologies with the potential to impact public safety and human life are worthy of our trust.

***

About I Am The Cavalry

The I Am The Cavalry movement was formed in response to concerns over the impact of cybersecurity threats on public safety.  Its efforts are focused on cybersecurity issues relating to four main areas of public safety: medical, automotive, home electronics, and public infrastructure. For more information, please visit: https://www.iamthecavalry.org/

For more information, please contact press@iamthecavalry.org