DHS Steps In As Regulator for Medical Device Security

← Back to Stories (view on slashdot.org)

DHS Steps In As Regulator for Medical Device Security

Posted by timothy on Thursday January 17, 2013 @02:25AM from the handicapper-general dept.

mask.of.sanity writes "The Department of Homeland Security has taken charge of pushing medical device manufacturers to fix vulnerable medical software and devices after researchers popped yet another piece of hospital hardware. It comes after the agency pushed Philips to move to fix critical vulnerabilities found in its popular medical management platform that is used in a host of services including assisting surgeries and generating patient reports. To date, no agency has taken point on forcing the medical manufacturers to improve the information security profile of their products, with the FDA even dubbing such a risk unrealistic (PDF)."

24 of 123 comments (clear)

Min score:

Reason:

Sort:

DHS covering an awful lot these days ... by gstoddart · 2013-01-17 02:29 · Score: 5, Insightful

It seems the DHS keeps expanding its mandate into ever broader areas.
And, quite frankly, that's a little creepy -- it's becoming this vast umbrella which has control over everything.

--
Lost at C:>. Found at C.
1. Re:DHS covering an awful lot these days ... by logjon · 2013-01-17 02:31 · Score: 2, Interesting
  
  Seen this yet?
  
  --
  The stories and info posted here are artistic works of fiction and falsehood.
  Only fools would take it as fact.
2. Re:DHS covering an awful lot these days ... by Anonymous Coward · 2013-01-17 02:38 · Score: 5, Insightful
  
  It was assigned to the wrong DHS... this should fall under the Department of Health and Human Services (HHS). Someone needs to tell a director that Homeland Security is stealing a project that should be theirs (i.e. taking their power).
3. Re:DHS covering an awful lot these days ... by gstoddart · 2013-01-17 02:53 · Score: 4, Interesting
  
  Maybe we should rename them.... Umbrella Dept? I know, I know, cheap shot.
  At this point, I'm thinking more like the Ministry of Truth. They're getting more and more involved with everything, and in a very disturbing way -- pretty much Orwellian in fact.
  
  --
  Lost at C:>. Found at C.
4. Re:DHS covering an awful lot these days ... by Sarten-X · 2013-01-17 03:08 · Score: 4, Interesting
  
  Personally, I think this is a good thing. Now to just neuter them, and we'll be set.
  My current job (IT admin in the financial sector) involves a fair bit of security work. A natural understanding of security is stunningly absent, even in places where security should be one of the highest concerns. Someone building an accounting program won't think about encrypting their data, because they're trained in accounting, not security. Someone programming a radiation therapy machine won't think about hardware interlocks, because they're trained in programming software, not hardware safety.
  Network-connected medical devices are becoming prevalent, and I expect they will only get more useful and necessary in time. They present opportunities for doctors, and hospital managers are trained in hospital management, not security.
  I like seeing someone bringing a security-conscious mindset to the public. The DHS certainly wouldn't be my first choice, but they're better than not having anybody. Now if only we could get Bruce Schneier as Secretary...
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
5. Re:DHS covering an awful lot these days ... by timeOday · 2013-01-17 03:47 · Score: 4, Insightful
  
  What does HHS or FDA know about computer security? Nothing. It is a technical niche. Trying to independently stand up a computer security audit group within every niche of government just because they all use computers is crazy.
  As for DHS covering too many things.... DHS isn't really anything in itself. It's just an umbrella created after 911 to try and make connections between what where (and still are for the most part) essentially independent organizations that suffer from too much redundancy and tribalism. (Which is not to say the DHS is necessarily doing a good job of solving these problems).
6. Re:DHS covering an awful lot these days ... by Bam_Thwok · 2013-01-17 03:48 · Score: 3, Informative
  
  What exactly do you think this means? Did you actually read any of the reports? The DHS joined almost all other federal agencies in making it policy not to fuck over the health or environment of low-income populations as part of their operations. E.g. if the coast guard wants to test the effects of a new chemical dispersant for oil spills, this policy directs them to do it somewhere other than a lower-income fishing village in Louisiana. Or if the nuclear regulatory commission wants to build a site to dispose of spent nuclear fuel, they should do it somewhere other than near the aquifer of an Indian reservation.
7. Re:DHS covering an awful lot these days ... by drinkypoo · 2013-01-17 04:35 · Score: 2
  
  What does HHS or FDA know about computer security? Nothing. It is a technical niche.
  What does the DHS know about computer security? Even less.
  You don't have to know these things, you hire them in. Now, the issue of whether our government will do that based on merit or more likely not is a good point to raise, but it's a separate problem from not having the experience in-house already.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
8. Re:DHS covering an awful lot these days ... by nbauman · 2013-01-17 06:24 · Score: 2
  
  One of the big jobs of the FDA is to screen through millions of accident reports to find the few that are actually relevant to safety.
  I've reviewed FDA accident reports. Out of 200 reports on medical lasers, I might find 100 about the hinge on a door to the cabinet being broken, or "malfunctions" of that nature. There might be one report about a serious incident, in which a patient was injured because a cotton swab caught fire or something.
  One of the big jobs of the FDA is to screen through those accident reports for a "signal" of a dangerous product. Somebody with an implantable cardiac pacemaker-defibrillator has a heart attack and dies. Was it a failure of the pacemaker-defibrillator? Or would he have died whatever the pacemaker did? It's pretty hard to figure that out. Suppose two patients with the same model pacemaker-defibrillator have heart attacks and die. Is that a failure of the device? When do the reports reach statistical significance? The FDA staff has a lot of expertise in doing that, and they do it about as well as anybody (although the staff sometimes gets overridden by the political managers).
  DHS does a notoriously bad job of screening through millions of potential threats and figuring out which are the real threats. They're like a smoke alarm that continually gives false alarms until people ignore it. They're a criminal and military agency, not a scientific agency. The FDA has to balance the risks and costs against the benefits. DHS doesn't care about costs. They've turned our airports into a security circus, installing multi-million-dollar high tech machines without even finding out whether they work. They haven't caught enough terrorists so they go about entrapping them.
  In the FDA, you at least have the scientific people fighting the political people, and on some level, there's accountability to a scientific process. In the DHS, it's all politics.
9. Re:DHS covering an awful lot these days ... by Dragonslicer · 2013-01-17 06:40 · Score: 2
  
  they were down here for the NFL playoffs with other agencies to bust people for fraudulent NFL gear, I kid you not.
  That isn't quite as insane as it sounds. My guess is that most of the unlicensed merchandise is imported, and customs falls under DHS. Of course, you're free to feel that they shouldn't be spending the resources on unlicensed merchandise, but if anyone is going to enforce it, it would be DHS.
Nuance by Toe,+The · 2013-01-17 02:30 · Score: 5, Funny

Technology in hospitals? Good.
Internet-connected technology in hospitals? Why?
Sure, people in hospitals need information, but surely something which is assisting in the physical process of a surgery (etc.) doesn't need to be in the cloud, does it?
The cloud can be cool, but be reasonable. Why not put the operations of the CIA into Salesforce.com while we're at it?
1. Re:Nuance by Anonymous Coward · 2013-01-17 02:48 · Score: 2, Interesting
  
  But as we have seen, even isolated SCADA devices are getting infected. Isolation is not enough. The devices need to be fixed, and new ones created with security in mind.
2. Re:Nuance by Tha_Big_Guy23 · 2013-01-17 03:10 · Score: 4, Interesting
  
  Sure, people in hospitals need information, but surely something which is assisting in the physical process of a surgery (etc.) doesn't need to be in the cloud, does it?
  As someone who works for a company that writes medical systems software, I can tell you that at the very least the systems need network connectivity so that the different systems can consolidate data in one place for examination. The problem is that any network connected device is potentially vulnerable to random Joe plugging a laptop into the network and hacking away.
  
  To illustrate why that's bad, I've run into situations in which a client site (read: Hospital) outright prohibited using SSL/TLS on their servers. They deemed their internal network secure and refused to budge on allowing secure communications between the clients and the servers. Authentication information should always be encrypted and some administrators just don't get that.
  
  As a whole, I think the medical technology industry needs someone to force tighter security requirements on software developers and medical sites as a whole. This is a good thing in my opinion. If that appropriate someone is the DHS may require a different discussion, but some government body needs to start pushing information security in the medical industry.
  
  --
  If you're looking here for something insightful or thought provoking, you're probably looking in the wrong place.
3. Re:Nuance by Anonymous Coward · 2013-01-17 03:33 · Score: 2, Funny
  
  Naked in the cloud is a bad idea,
  And there are pictures of me to prove it.
Der Homeland Sekurity by Patent+Lover · 2013-01-17 02:47 · Score: 2

When an entire agency is tasked with finding bogeymen under beds they have to get creative to justify their funding.
Offensive use of network mediacl equipment by Anonymous Coward · 2013-01-17 02:48 · Score: 2, Interesting

Does this mean that DHS has access to source code and 0-day vulnerabilities for network attached medical equipment?
Could this knowledge be user offensively, in a situation where say Kim Jong Un is in hospital for a heart operation, and
DHS remotely pulls the plug on the life support machine?
Can this power be later extended to medical devices implanted in people, like defibrillators, insulin pumps etc.
Sorry to sound like Richard Stallman here for a second, but I would be very apprehensive having a device implanted in my
body that runs proprietary software, whose code development is overseen by a division of a shady foreign military agency.
Here is someone who got stonewalled when asked for the source code for the device she was to be implanted with...
http://www.youtube.com/watch?v=5XDTQLa3NjE
Re:manufacturers need to let os updates and AV sof by mcmonkey · 2013-01-17 03:02 · Score: 5, Insightful

manufacturers need to let os updates and AV software to be install on there systems if they want / need to be on the hospital network.
Because running untested software is a bad idea. Heath care systems and medical device software should get the benefits of updates and patches, but only after those updates have been tested for those specific systems and software. Whatever the vendor does prior to release is insufficient.
When entire hospital processes come to a halt because the latest AV update mistakenly identifies a core OS file as a trojan, you'll come back and say, why are manufactures letting updates to be installed on their systems?
As with many things, the best path is in the middle. Critical systems should be updated as preventative maintenance, but administrators cannot rely on vendor testing alone.
Is this a joke? by mcmonkey · 2013-01-17 03:07 · Score: 2

Is this from the Australian equivalent of the Onion?
We've dropped exploits before on medical systems like Honeywell and Artridum...
Dropped? Is this serious security research or the latest mix tape?
Re:Mandatory Slashdot Open Source Post by ColdWetDog · 2013-01-17 03:17 · Score: 2

First of all, no one does have a monopoly on EHR systems. There are a couple of large players and a host of smaller ones. I would maintain that you Do. Not. Want. a monoculture here - or anywhere. Security is not 'maintained' by constant 'peer review' (that word doesn't mean what you think it means). Security is a process and open source software is only a small (and not necessary) aspect of that.
There is an open source, Enterprise grade EHR system - VistA from the VA (Veterans Affairs) Department. It basically sucks which is why no one else is using it.
You do want data to be transmitted between systems and there are standards and processes that help with that. Given the complexity of medicine, it's not terribly surprising that the standards don't work quite as well as you would like.
So the magic open source pony isn't going to save the day here.

--
Faster! Faster! Faster would be better!
Re:X-Ray scanners by PolygamousRanchKid+ · 2013-01-17 03:37 · Score: 4, Funny

getting a record with medical equipment
Well, the DHS already has experience with medical examinations. They play with my balls before I can fly on a plane.
Funny, though. They never ask me to cough. And I never know why flying with a hernia is such a big deal.

--
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
Re:Mandatory Slashdot Open Source Post by sinij · 2013-01-17 03:53 · Score: 2

OS is a no-go here mostly due to liability concerns and approval process. Medical Devices cost so much not because they are complicated technology (some of them are) but because when they explode, maim someone and give your uncle cancer there is a manufacturer and insurance to go after. You can design OS that is 100 times better than industry standard and it still won't be used because of the above.
This looks like a job for...! by Translation+Error · 2013-01-17 04:13 · Score: 2

To date, no agency has taken point on forcing the medical manufacturers to improve the information security profile of their products, with the FDA even dubbing such a risk unrealistic (PDF).
Looks like this is right up the DHS's alley.

--
When someone says, "Any fool can see ..." they're usually exactly right.
Re:Fucking Nazi SS by camperdave · 2013-01-17 04:30 · Score: 4, Interesting

After initial bids to contact Philips failed, researchers Rios and colleague Terry McCorkle sought assistance from the DHS, the FDA and the country's Industrial Control Systems Cyber Emergency Response Team (ICS CERT).
DHS didn't step in as some grand plan. They were asked to intervene by Cylance, a security research company, when Philips wouldn't respond about the detected security holes.

Two days later, DHS control system director Marty Edwards told the researchers the agency would from then on handle all information security vulnerabilities found in medical devices and software.
In other words, "if you (the security research company) find a vulnerability, DHS is the proper channel to report it".

--
When our name is on the back of your car, we're behind you all the way!
Re:manufacturers need to let os updates and AV sof by mcmonkey · 2013-01-17 04:32 · Score: 2

Why update the software? Pacemakers and insulin pumps were available long before you could wirelessly update them. If it is such a threat, then don't enable wireless updates. Plain and simple. My God, how did we exist before computers did everything for us!?
This discussion isn't about having computers do anything for us. It's about how we use computers as tools to do things. How did we have conversations before computers? Well, we did, and yet here you are using a network of computers to have a conversation.
As for the ability to update the software in a medical device, it's about trade-offs and compromises. ObCarAnalogy: computers in cars have made maintenance more complicated, so why not take the computers out of cars? Sure, if you also want to remove the improvements in fuel efficiency, traction control, ABS, GPS, mp3-player interfaces, and all the other things those computers are doing.
Ability to wirelessly communicate with an implanted medical device is a risk? Well, so is having to perform surgery to update that devices configuration or to retrieve data. Maybe the risk (a product of the potential effects of a negative event and the likelihood of that event) of wireless communications is greater than the risk of the extra surgery. Maybe not.
My point is, it's not as simple as "all medical information systems should have updates as soon as they are available from the vendor" or "no implanted devices should have wireless communications."
I could be misinterpreting your message because I can read your words, but not the tone of your voice or body language. So rather than posting a message on /. why don't you come over to my office and tell me face to face? Plain and simple, right?