Should the FDA Assess Medical Device Defenses Against Hackers?
gManZboy writes "The vulnerability of wireless medical devices to hacking has now attracted attention in Washington. Although there has not yet been a high-profile case of such an attack, a proposal has surfaced that the Food and Drug Administration or another federal agency assess the security of medical devices before they're sold. A Department of Veterans Affairs study showed that between January 2009 and spring 2011, there were 173 incidents of medical devices being infected with malware. The VA has taken the threat seriously enough to use virtual local area networks to isolate some 50,000 devices. Recently, researchers from Purdue and Princeton Universities announced that they had built a prototype firewall known as MedMon to protect wireless medical devices from outside interference."
Yes, they should. It should be a separate certification that allows doctors and consumers to choose medical devices with confidence.
More money down the shitter. I can't think of anything a hacker would gain from a medical device. What would be the point? Are hackers just evil and nefarious and out to hurt people in the hospital for the lulz? I doubt it.
Some just do it to see if it can be done, some of them *are* out to extort money and will hurt people in the process.
Quick, TSA enact law forbidding laptops onboard airplanes, so the evil terrorists don't kill implanted people in flight!
Before worrying about security of the software, how about worrying about the correctness and fault-tolerance of the software and hardware?
Most famous is the Therac-25 incident, but it's not the only one.
Really? How about a hacker selling malware to the highest bidder that could be used to assassinate someone with a medical implant, or while they are recovering in the hospital after surgery? That's just two I can think of off the top of my head, I'm sure there are more.
Yes, but devices as important as medical hardware should be ROM only operation with the ability to be flashed for updates only by vetted, qualified licensed personnel.
The problem with that is every time you want to update the device you have to physically get to it.
Taking updates wirelessly makes things much easier and safer.
As far as (EEP)ROM-only, that's good for the code, but many devices log data (and dump it out wirelessly).
You have to protect against attacks that try to make the device do bad things as well as attacks designed to get or overwrite that data.
Whichever federal agency takes charge could offer a large reward for security holes/bugs found in applicable systems. The agency would validate claims, pay an applicable reward to those who reported the issue, then bill the offending company for the reward.
The idea is to make the reward large enough that it is more profitable for people to report a flaw than to abuse it. Government involvement would be the review of claimed flaws, not to assess the security of every device. Private companies would then have a financial incentive to ensure their code is secure.
There are a ton of other implanted devices, not just pacemakers. A lot of these devices might need to be adjusted to make a patient "not fucking die" - it isn't about system patches, it's about making medical adjustments to things like the dosage/voltage/rate/etc that the device is pumping out. You can't tear someone open every month when you need to adjust their insulin pump.
Things like record-keeping blood bank software are regarded as medical devices by the FDA. Such software can contain sensitive information like your Social Security Number or driver's license number. In short, a hacker can gain plenty from breaking into a medical device.
Speaking as someone who has worked in the software side of the medical industry I just want to say that this is long overdue and the FDA has their work cut out for them. The systems I worked on are laughable in their "security" as they typically rely on how secure the local intranet is. Software vendors rarely put in any kind of serious authentication methods.
I see two major areas of concern with, arguably, quite different requirements:
1. Implants/embedded systems with some measure of field-programmability: On the plus side, these are much more likely to be running something fairly esoteric, possibly not even an OS at all, possibly some RTOS or embedded OS. They are also likely (for the moment) to have only short-range connection capabilities, quite possibly over a somewhat obscure protocol. This makes them low risk devices in terms of untargeted worm/phishing/etc. attacks, by virtue of limited connection and oddity of software. On the minus side, being directly connected to the patient, these offer a handy target for personally-directed sabotage, possibly from a surprising distance, depending on the whims of the RF gods (surely, the first person to re-enact the classic 'sniper on the roof, suit with bodyguards crossing the parking lot toward the armored limo' scene, but with a rifle-stocked Yagi and lethal exploit code for the suit's pacemaker, will be awarded a signed copy of every cyberpunk book of note).
2. Systems that have much more in common with the PLCs and management console computer systems that we are always complaining about in factory scenarios. That box running WinNT SP2 connected to a monstrously expensive diagnostic science machine, etc. etc. These are much more prosaic, just badly patched and outdated WinSomething boxes that really ought to be air-gapped properly, which makes them much more likely to suffer lots, and lots, and lots of expensive downtime when they eventually cave to the demand for electronic transmission of radiology data to another hospital for a consult and hook the sucker to the internet....
'Type 1' stuff seems like it would be best off with a "When in doubt, don't" approach: Don't interpret unsigned inputs, use very short range (inductive rather than RF, say) interfaces. It won't be perfect; but it'll at least confine the universe of potential hackers to people who could have just shived you anyway.
'Type 2' is where the mess really hits. Like industrial stuff, the economics of ripping out expensive capital investments are Deeply Unexciting; but persuading the vendor to deliver a service contract that doesn't read "Fuck you. Buy a Model N+1" is going to be a challenge. Also the (by no means necessarily false) promises of various 'telemedicine' applications are going to be constantly tugging at the people who run that stuff, urging them to connect it up. That isn't going to go well at all...
Yes, safer, in the sense that you don't have to go in for surgery every time the settings on your implant need to be adjusted.
More ridiculous government nonsense.
There are already a million and one laws about unauthorised computer access and there are already a million and one laws about causing harm to people, and this situation falls under all of those provisions already.
This is just another way to raise the costs, increase government apparatus, increase government spending, lower the economic activity and probably this is going to end up costing a number of lives, as products are prevented from entering the market at all or soon enough at lower costs.
You can't tear someone open every month when you need to adjust their insulin pump.
I understand your point, but... As a user of an insulin pump myself, I'd like to clarify that it is an external device, usually carried on the belt or in a pocket, as it needs to be refilled every few days and adjusted quite often. There are implantable insulin pumps in existence, but these are primarily for research purposes, and are not commercial devices to treat diabetes.
Personally I don't trust the FDA with something like this
Why not? They're the UL of medical devices. They're the ones who approved my eye implant. They're the ones who approve pacemakers. They're the ones we cyborgs rely on for safe implants.
I don't even trust the best in the private world with something like this: Microsoft, Apple, Google, IBM
The difference between the FDA and IBM is that you have no vote whatever over who runs IBM or what they do. The head of the FDA is appointed by the President, who you do have a vote in electing. Our power company is owned and operated by the city, and we've historically had the lowest rates and best uptime in the state. But they had a boondoggle that's going to raise rates, so I don't see the Mayor getting reelected unless the Democrats run someone REALLY bad.
I have to imagine that our government's security agencies already have a generalized form of protection testing and certification within their own systems, why not reuse that process and actually get some use and protection for citizens out of said government money vacuums?
That's exactly right -- the security people would be transferred to the FDA.
I would rather they try to patch the security holes *before* we start charging people with attempted murder and murder, personally.
Anyone caught intentionally cracking anything should get, at a minimum, 20 years of hard labor. Intentionally trying to harm or kill someone attached to a medical device should be a hanging sentence. Full stop.
Glad to see you've fallen in love with the DMCA friend! Anything that could lead to crime should be a crime aye? Never mind how close that comes to dangerously impeding our legitimate rights to freedom of speech including research that includes circumvention of various controls.
Are hackers just evil and nefarious and out to hurt people in the hospital for the lulz? I doubt it.
Well, two issues, here. First, you seem to be assuming "hacker" roughly equates to "guy who messes with computer-stuff for the heck of it". There most certainly are hackers/crackers (depending on your preferred use of the term) who harm people and systems, sometimes for money, sometimes for fame, sometimes for fun.
Aside from that, a hacked medical device makes for a really easy way to kill someone from a moderate distance and leave very little trace of whodunit. And I'm not even going to begin to consider all the reasons a person may have for wanting to kill, or even simply extort via credible death threats.
It's not limited to hospitals, either. I have Type I Diabetes (the autoimmune strikes-randomly and needs-insulin-to-survive type) and so I always wear an insulin pump jacked into my abdomen. In the pump, there is an insulin cartridge which contains a large reservoir of insulin -- injecting 1/20th of the reservoir could kill me if I'm not treated quite quickly. Injecting the whole thing is a death sentence if I'm not already in a hospital bed and hooked up to an IV. The kicker is that the device has RF access, and is likely hackable. I have turned off the RF from day one (partially due to the battery drain, partially due to my worries of a possible hack or mis-delivery) and sacrificed some of the pump's features, but most pump users will not do this.
It's a glaring vulnerability in a life-or-death system.
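The two points made in the comments above, that an implant should never act on unsigned input and that a pump's dosing is a life-or-death path, can be shown together in code. This is an added example, not code from the article, from any commenter, or from any real pump or implant vendor; the command layout, the hard-coded device key and the 10-unit bolus cap are all assumptions made up for the illustration. It authenticates each command with an HMAC over a per-device key before parsing anything, rejects replayed counters, and applies a safety cap that holds even for a correctly authenticated command, so a stolen or compromised programmer still cannot deliver a lethal dose.

```python
import hashlib
import hmac
import struct

# Hypothetical command format (an assumption for this example, not a real protocol):
#   counter (4 bytes, big-endian) | opcode (1 byte) | units_x100 (2 bytes) | tag (32 bytes)
# The tag is HMAC-SHA256 over the 7-byte body, keyed with a per-device key that
# would be provisioned at manufacture or pairing. Constructed key, not a real one.
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
OP_BOLUS = 0x01
MAX_BOLUS_UNITS = 10.0   # assumed hard safety cap, enforced regardless of who signed
HEADER = struct.Struct(">IBH")
TAG_LEN = hashlib.sha256().digest_size


def build(key: bytes, counter: int, opcode: int, units_x100: int) -> bytes:
    """Programmer side: pack the body and append its HMAC tag."""
    body = HEADER.pack(counter, opcode, units_x100)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Device:
    """Device side: verify, then parse, then check safety limits, then act."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0      # monotonic counter defeats replay of old commands
        self.delivered = []        # (counter, units) log of accepted boluses

    def handle(self, msg: bytes) -> str:
        msg = bytes(msg)
        if len(msg) != HEADER.size + TAG_LEN:
            return "reject: bad length"
        body, tag = msg[:HEADER.size], msg[HEADER.size:]
        # Authenticate before interpreting a single field of the body.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "reject: bad tag"
        counter, opcode, units_x100 = HEADER.unpack(body)
        if counter <= self.last_counter:
            return "reject: replay"
        if opcode != OP_BOLUS:
            return "reject: unknown opcode"
        units = units_x100 / 100
        # Safety cap is independent of authentication: an authentic command from a
        # stolen programmer, or a clinician typo, is still bounded.
        if units > MAX_BOLUS_UNITS:
            return "reject: exceeds safety cap"
        self.last_counter = counter
        self.delivered.append((counter, units))
        return f"ok: bolus {units:.2f} U"


def demo() -> list:
    """Run one legitimate command and four attack attempts; return the verdicts."""
    dev = Device(DEVICE_KEY)
    results = []
    good = build(DEVICE_KEY, 1, OP_BOLUS, 250)           # 2.50 U from the real programmer
    results.append(dev.handle(good))
    results.append(dev.handle(good))                      # same bytes replayed over the air
    forged = build(b"attacker-guess", 2, OP_BOLUS, 250)   # attacker without the device key
    results.append(dev.handle(forged))
    tampered = bytearray(good)
    tampered[5] ^= 0xFF                                   # flip a byte of the dose field
    results.append(dev.handle(tampered))
    huge = build(DEVICE_KEY, 3, OP_BOLUS, 30000)          # 300 U: authentic but lethal
    results.append(dev.handle(huge))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The ordering in handle() is the point: length check, tag check, and only then unpacking, so a malformed or unsigned packet never reaches the parser. A real device would also need a key-provisioning story and a way to rotate the key, which this example does not cover.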
It's unlikely that a would-be assassin will learn the art of medical implant hacking in assassin school on the off chance that he'll one day have a target who just happens to have such an implant. As with today's black-hats, who focus on Windows over Linux (well, until the recent Mac headlines), their efforts will concentrate where they get the most leverage -- on cars. Even people who don't drive almost surely step into a car fairly regularly. The high-tech hacker-assassin may eschew the "old bomb under the chassis" bit, but why not a drive-by reprogramming of the ABS computer to disable the brakes when the car hits highway speed?
Great TED talk on this topic here
There are much easier, and explainable, ways to kill someone. What assassin leaves a paper trail?
This whole thing stinks of a bunch of people selling a service no one needs. Symantec, McAfee, and friends used to make good money pushing out anti-virus software; then worms were the big problem, so they adapted; then malware was the new problem, so they adapted; MS got bitched at left and right about the security issues with their platform, then they released Microsoft Security Essentials; Windows XP is being phased out, Windows Vista is as well, and Windows 7 is slowly taking over, with many of the old exploits being patched. These companies, if they are going to survive, need a new schtick. Seeing the writing on the wall, they converted themselves to 'security consultants,' and began lobbying Congress for contracts to fight 'zee evil Hackers, unt!'
You've noticed the sudden influx of articles focused on finding some 31337 h@xors. They can't find any, but the money is too good to give up. Sooner or later, they're going to need to invent some, if they want to stay on that gravy train.
Why not? They're the UL of medical devices. They're the ones who approved my eye implant. They're the ones who approve pacemakers. They're the ones we cyborgs rely on for safe implants.
Same here. And, of course, they also had to approve my hearing aids, the meter I use every day to monitor my blood sugar and the dialysis equipment a friend of mine needed when his kidneys stopped working. People like to complain about how much it costs to get new drugs, devices and procedures approved by the FDA, but I bet they'd complain even more if the FDA suddenly went away.
I can see this happening mandatory medical devices with mandatory health care. When you don't pay your taxes or pirate a movie or something the secret code to break the hidden cyanide capsule is transmitted.
Or the government can get rid of crazies like you simply by tightening up the straps on your tinfoil hat until your eyes bug out.
That's a little like saying it's up to the victim to secure their safety. If that same person walked into a patient's room and started fiddling with their heart pump or dialysis machine, I could see charging them with attempted murder. We don't say 'gee, we'd better not charge him because the hospital didn't put a lockable steel cage over the panel to the dialysis machine to keep people out.' Just because the network is the means of intrusion, as opposed to going into the room, doesn't give someone a pass if there are security holes in the software. You're still f**king with someone's life. That being said, it *is* incumbent upon the hospital to ensure your safety, especially when you cannot react (i.e. unconscious). It is up to the device manufacturer to make a safe product. In both those instances I think you should be able to take the manufacturer or hospital to court. From that standpoint, fear of losing their shorts in a lawsuit and subsequent bad press, I think that they may pay more attention to security.