Of possible interest -- There was a homeland episode [1], where they used a hack on a pacemaker to assassinate someone. This caused lots of discussion around medical device security [2] [3] [4] [5].
There was also an episode of Sherlock [1] which used a hack against a pacemaker to assassinate someone. It's an interesting theory, but the way this article reads, it's almost as if the medical equipment are incidentally harmed.
It reminds me somewhat of the Stuxnet virus, as it's a kind of hacking intended to cause physical harm. There's a term for it, but the term escapes me currently.
The Forbes article is a little more informative than the SciAm one (normally I'm a fan of Scientific American, but the writer of this article just did not seem to know the right questions to ask to give an indication of just what's going on here; also, that title, jeez...), but I am still having trouble here. Do pacemakers and internal insulin pumps run old versions of Windows without security updates, or are we talking about more customary systems within the hospital (computerized equipment is so incredibly vague a descriptor)?[1] If it's the former, than that just seems like such a bad idea. Even a stripped down Linux system with GNU tools seems incredibly bad. I know that generally security through obscurity is looked down upon, but gah, you don't want common viruses looking for new botnet nodes on the least common denominator systems to have any chance of running on your pacemaker. It's much better to at least engineer the system so that these devices have to be specifically targeted, rather than being susceptible to being caught up in the most common attacks. But surely this isn't what's going on right? Surely I'm just reading that quote in an overly paranoid way, right? Right?
[1] "In hospitals around the country there has been a dangerous rise of malware infections in computerized equipment. Many of these systems are running very old versions of Windows that are susceptible to viruses from years ago. Some manufacturers will not allow their equipment to be modified, even with security updates, partially due to regulatory restrictions." http://www.forbes.com/sites/singularity/2012/12/06/yes-you-c...
It will be interesting to see how well vendors are at integrating security best-practices into their engineering. Medical devices have already started to popup on Shodan, such as baby heart rate monitors and glucose meters. And I wonder whether the FDA will offer guidance on proofing hardware that's already deployed. It's often not just a problem of protecting new medical devices as they're being developed, but how to protect old stuff that's now going to be exposed to the Internet/ network.
i would say true, majority of hospital environments are unaware of what the devices are running.
disclosure I am a Solution Architect for a PACS Vendor for 15 years, knows the ins and out of hospital equipment and networks/systems at many of the largest hospitals in USA and some international.
malware infections in hospitals has risen and definitely more targeted to harvest patient data or take down the system. never heard of a device like they mentioned getting hacked like an insulin pump in the "field"
the better systems are already locked down and are treated with limited access, following HIPAA, ISO, FDA compliances.
IT/networking monitor the equipment as any other equipment.
then again many old modalities (ct/xray scanners) are running old versions of windows NT or 2000 or XP that have never been patched with MS updates nor have they ever had any AV installed.
and sometimes you need to import data from small facilities, these have potential to be malware infected. this data is usually imported directly into the system, so if precautions arent already setup on that system then you just infected your system
Not exactly new, the FDA is just getting around* to releasing draft guidance [0] and is/has been ramping up their consideration of device security in the PMA/401k approval processes already. What really lit the fire under medical companies asses was the 2011 Blackhat presentation [1] of the hacked insulin pump. Depressingly and unsurprisingly the risk to reputation has been the biggest driver of security so far. The blowback also lead to congress commissioning a GAO report released almost a year ago [2] that concluded that the FDA really should do something and is actually more meaningful on evaluating software than the recent draft guidance. There was already some FDA guidance on security of devices containing COTS from 2005 [3], but wasn't just about COTS, and even the author of that guidance would tell you the biggest mistake in it was mentioning COTS in the title.
* This guidance is overdue and vague as usual. The FDA is generally well intentioned but politics will slow them down even after it's a forgone conclusion that they're going to do something.
7 comments
[ 3.3 ms ] story [ 25.1 ms ] thread[1] http://www.huffingtonpost.com/michael-hogan/homeland-recap-s...
[2] http://www.forbes.com/sites/singularity/2012/12/06/yes-you-c...
[3] http://www.cnbc.com/id/100306578
[4] http://www.linkedin.com/groups/Homeland-Pacemaker-Hack-22063...
[5] http://blog.ioactive.com/2013/02/broken-hearts-how-plausible...
It reminds me somewhat of the Stuxnet virus, as it's a kind of hacking intended to cause physical harm. There's a term for it, but the term escapes me currently.
[1] http://welovetvmore.com/reviews/elementary-season-1-episode-...
[1] "In hospitals around the country there has been a dangerous rise of malware infections in computerized equipment. Many of these systems are running very old versions of Windows that are susceptible to viruses from years ago. Some manufacturers will not allow their equipment to be modified, even with security updates, partially due to regulatory restrictions." http://www.forbes.com/sites/singularity/2012/12/06/yes-you-c...
malware infections in hospitals has risen and definitely more targeted to harvest patient data or take down the system. never heard of a device like they mentioned getting hacked like an insulin pump in the "field"
the better systems are already locked down and are treated with limited access, following HIPAA, ISO, FDA compliances. IT/networking monitor the equipment as any other equipment.
then again many old modalities (ct/xray scanners) are running old versions of windows NT or 2000 or XP that have never been patched with MS updates nor have they ever had any AV installed.
and sometimes you need to import data from small facilities, these have potential to be malware infected. this data is usually imported directly into the system, so if precautions arent already setup on that system then you just infected your system
[0] http://www.fda.gov/downloads/MedicalDevices/DeviceRegulation... [1] http://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.htm... [2] http://www.gao.gov/products/GAO-12-816 [3] http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidanc...
* This guidance is overdue and vague as usual. The FDA is generally well intentioned but politics will slow them down even after it's a forgone conclusion that they're going to do something.