Slashdot Mirror

← Back to Stories (view on slashdot.org)

Should the FDA Assess Medical Device Defenses Against Hackers?

Posted by Soulskill on from the or-maybe-somebody-who-knows-things-about-computers dept.

gManZboy writes "The vulnerability of wireless medical devices to hacking has now attracted attention in Washington. Although there has not yet been a high-profile case of such an attack, a proposal has surfaced that the Food and Drug Administration or another federal agency assess the security of medical devices before they're sold. A Department of Veterans Affairs study showed that between January 2009 and spring 2011, there were 173 incidents of medical devices being infected with malware. The VA has taken the threat seriously enough to use virtual local area networks to isolate some 50,000 devices. Recently, researchers from Purdue and Princeton Universities announced that they had built a prototype firewall known as MedMon to protect wireless medical devices from outside interference."

8 of 138 comments (clear)

  1. Should They? by WrongSizeGlass · · Score: 4, Interesting

    Yes, they should. It should be a separate certification that allows doctors and consumers to chose medical devices with confidence.

  2. Re:No by WrongSizeGlass · · Score: 4, Informative

    More money down the shitter. I can't think of anything a hacker would gain from a medical device. What would be the point? Are hackers just evil and nefarious and out to hurt people in the hospital for the lulz? I doubt it.

    Some just do it to see if it can be done, some of them *are* out to extort money and will hurt people in the process.

  3. Re:No by t4ng* · · Score: 5, Insightful

    Really? How about a hacker selling malware to the highest bidder that could be used to assassinate someone with a medical implant, or while they are recovering in the hospital after surgery? That's just two I can think of off the top of my head, I'm sure there are more.

  4. Re:Better idea: by a90Tj2P7 · · Score: 4, Insightful

    There are a ton of other implanted devices, not just pacemakers. A lot of these devices might need to be adjusted to make a patient "not fucking die" - it isn't about system patches, it's about making medical adjustments to things like the dosage/voltage/rate/etc that the device is pumping out. You can't tear someone open every month when you need to adjust their insulin pump.

  5. Re:No by fuzzyfuzzyfungus · · Score: 4, Insightful

    I see two major areas of concern with, arguably, quite different requirements:

    1. Implants/embedded systems with some measure of field-programmability: On the plus side, these are much more likely to be running something fairly esoteric, possibly not even an OS at all, possibly some RTOS or embedded OS. They are also likely(for the moment) to have only short-range connection capabilities, quite possibly over a somewhat obscure protocol. This makes them low risk devices in terms of untargeted worm/phishing/etc. attacks, by virtue of limited connection and oddity of software. On the minus side, being directly connected to the patient, these offer a handy target for personally-directed sabotage, possibly from a surprising distance, depending on the whims of the RF gods(surely, the first person to reinact the classic 'sniper on the roof, suit with bodyguards crossing the parking lot toward the armored limo' scene; but with a rifle-stocked Yagi and lethal exploit code for the suit's pacemaker will be awarded a signed copy of every cyberpunk book of note).

    2. Systems that have much more in common with the PLCs and management console computer systems that we are always complaining about in factory scenarios. That box running WinNT SP2 connected to a monstrously expensive diagnostic science machine, etc. etc. These are much more prosaic, just badly patched and outdated WinSomething boxes that really ought to be air-gapped properly, which makes them much more likely to suffer lots, and lots, and lots of expensive downtime when they eventually cave to the demand for electronic transmission of radiology data to another hospital for a consult and hook the sucker to the internet....

    'Type 1' stuff seems like it would be best off with a "When in doubt, don't" approach: Don't interpret unsigned inputs, use very short range(inductive rather than RF, say) interfaces. It won't be perfect; but it'll at least confine the universe of potential hackers to people who could have just shived you anyway.

    'Type 2' is where the mess really hits. Like industrial stuff, the economics of ripping out expensive capital investments are Deeply Unexciting; but persuading the vendor to deliver a service contract that doesn't read "Fuck you. Buy a Model N+1" is going to be a challenge. Also the (by no means necessarily false) promises of various 'telemedicine' applications are going to be constantly tugging at the people who run that stuff, urging them to connect it up. That isn't go to go well at all...

  6. Re:They Should But Why Not Use Existing Solutions? by mcgrew · · Score: 4, Interesting

    Personally I don't trust the FDA with something like this

    Why not? They're the UL of medical devices. They're the ones who approved my eye implant. They're the ones who approve pacemakers. They're the ones we cyborgs rely on for safe implants.

    I don't even trust the best in the private world with something like this: Microsoft, Apple, Google, IBM

    The difference between the FDA and IBM is that you have no vote whatever over who runs IBM or what they do. The head of the FDA is appointed to the President, who you do have a vote in electing. Our power company is owned and operated by the city, and we've historically had the lowest rates and best uptime in the state. But they had a boondoggle that's going to raise rates, so I don't see the Mayor getting reelected unless the Democrats run someone REALLY bad.

    I have to imagine that our government's security agencies already have a generalized form of protection testing and certification within their own systems, why not reuse that process and actually get some use and protection for citizens out of said government money vacuums?

    That's exactly right -- the security people would be transferred to the FDA.

    --
    Free Martian Whores!
  7. Re:Charged with murder. by Anonymous Coward · · Score: 5, Insightful

    I would rather they try to patch the security holes *before* we start charging people with attempted murder and murder, personally.

  8. Re:Yes by negRo_slim · · Score: 5, Insightful

    Anyone caught intentionally cracking anything should get, at a minimum, 20 years of hard labor. Intentionally trying to harm or kill someone attached to a medical device should be a hanging sentence. Full stop.

    Glad to see you've fallen in love with the DMCA friend! Anything that could lead to crime should be a crime aye? Never mind how close that comes to dangerously impeding our legitimate rights to freedom of speech including research that includes circumvention of various controls.

    --
    On the Oregon Cost born and raised, On the beach is where I spent most of my days