Slashdot Mirror

← Back to Stories (view on slashdot.org)

DHS Steps In As Regulator for Medical Device Security

Posted by timothy on from the handicapper-general dept.

mask.of.sanity writes "The Department of Homeland Security has taken charge of pushing medical device manufacturers to fix vulnerable medical software and devices after researchers popped yet another piece of hospital hardware. It comes after the agency pushed Philips to move to fix critical vulnerabilities found in its popular medical management platform that is used in a host of services including assisting surgeries and generating patient reports. To date, no agency has taken point on forcing the medical manufacturers to improve the information security profile of their products, with the FDA even dubbing such a risk unrealistic (PDF)."

11 of 123 comments (clear)

  1. DHS covering an awful lot these days ... by gstoddart · · Score: 5, Insightful

    It seems the DHS keeps expanding its mandate into ever broader areas.

    And, quite frankly, that's a little creepy -- it's becoming this vast umbrella which has control over everything.

    --
    Lost at C:>. Found at C.
    1. Re:DHS covering an awful lot these days ... by Anonymous Coward · · Score: 5, Insightful

      It was assigned to the wrong DHS... this should fall under the Department of Health and Human Services (HHS). Someone needs to tell a director that Homeland Security is stealing a project that should be theirs (i.e. taking their power).

    2. Re:DHS covering an awful lot these days ... by gstoddart · · Score: 4, Interesting

      Maybe we should rename them.... Umbrella Dept? I know, I know, cheap shot.

      At this point, I'm thinking more like the Ministry of Truth. They're getting more and more involved with everything, and in a very disturbing way -- pretty much Orwellian in fact.

      --
      Lost at C:>. Found at C.
    3. Re:DHS covering an awful lot these days ... by Sarten-X · · Score: 4, Interesting

      Personally, I think this is a good thing. Now to just neuter them, and we'll be set.

      My current job (IT admin in the financial sector) involves a fair bit of security work. A natural understanding of security is stunningly absent, even in places where security should be one of the highest concerns. Someone building an accounting program won't think about encrypting their data, because they're trained in accounting, not security. Someone programming a radiation therapy machine won't think about hardware interlocks, because they're trained in programming software, not hardware safety.

      Network-connected medical devices are becoming prevalent, and I expect they will only get more useful and necessary in time. They present opportunities for doctors, and hospital managers are trained in hospital management, not security.

      I like seeing someone bringing a security-conscious mindset to the public. The DHS certainly wouldn't be my first choice, but they're better than not having anybody. Now if only we could get Bruce Schneier as Secretary...

      --
      You do not have a moral or legal right to do absolutely anything you want.
    4. Re:DHS covering an awful lot these days ... by timeOday · · Score: 4, Insightful
      What does HHS or FDA know about computer security? Nothing. It is a technical niche. Trying to independently stand up a computer security audit group within every niche of government just because they all use computers is crazy.

      As for DHS covering too many things.... DHS isn't really anything in itself. It's just an umbrella created after 911 to try and make connections between what where (and still are for the most part) essentially independent organizations that suffer from too much redundancy and tribalism. (Which is not to say the DHS is necessarily doing a good job of solving these problems).

    5. Re:DHS covering an awful lot these days ... by Bam_Thwok · · Score: 3, Informative

      What exactly do you think this means? Did you actually read any of the reports? The DHS joined almost all other federal agencies in making it policy not to fuck over the health or environment of low-income populations as part of their operations. E.g. if the coast guard wants to test the effects of a new chemical dispersant for oil spills, this policy directs them to do it somewhere other than a lower-income fishing village in Louisiana. Or if the nuclear regulatory commission wants to build a site to dispose of spent nuclear fuel, they should do it somewhere other than near the aquifer of an Indian reservation.

  2. Nuance by Toe,+The · · Score: 5, Funny

    Technology in hospitals? Good.

    Internet-connected technology in hospitals? Why?

    Sure, people in hospitals need information, but surely something which is assisting in the physical process of a surgery (etc.) doesn't need to be in the cloud, does it?

    The cloud can be cool, but be reasonable. Why not put the operations of the CIA into Salesforce.com while we're at it?

    1. Re:Nuance by Tha_Big_Guy23 · · Score: 4, Interesting

      Sure, people in hospitals need information, but surely something which is assisting in the physical process of a surgery (etc.) doesn't need to be in the cloud, does it?

      As someone who works for a company that writes medical systems software, I can tell you that at the very least the systems need network connectivity so that the different systems can consolidate data in one place for examination. The problem is that any network connected device is potentially vulnerable to random Joe plugging a laptop into the network and hacking away.

      To illustrate why that's bad, I've run into situations in which a client site (read: Hospital) outright prohibited using SSL/TLS on their servers. They deemed their internal network secure and refused to budge on allowing secure communications between the clients and the servers. Authentication information should always be encrypted and some administrators just don't get that.

      As a whole, I think the medical technology industry needs someone to force tighter security requirements on software developers and medical sites as a whole. This is a good thing in my opinion. If that appropriate someone is the DHS may require a different discussion, but some government body needs to start pushing information security in the medical industry.

      --
      If you're looking here for something insightful or thought provoking, you're probably looking in the wrong place.
  3. Re:manufacturers need to let os updates and AV sof by mcmonkey · · Score: 5, Insightful

    manufacturers need to let os updates and AV software to be install on there systems if they want / need to be on the hospital network.

    Because running untested software is a bad idea. Heath care systems and medical device software should get the benefits of updates and patches, but only after those updates have been tested for those specific systems and software. Whatever the vendor does prior to release is insufficient.

    When entire hospital processes come to a halt because the latest AV update mistakenly identifies a core OS file as a trojan, you'll come back and say, why are manufactures letting updates to be installed on their systems?

    As with many things, the best path is in the middle. Critical systems should be updated as preventative maintenance, but administrators cannot rely on vendor testing alone.

  4. Re:X-Ray scanners by PolygamousRanchKid+ · · Score: 4, Funny

    getting a record with medical equipment

    Well, the DHS already has experience with medical examinations. They play with my balls before I can fly on a plane.

    Funny, though. They never ask me to cough. And I never know why flying with a hernia is such a big deal.

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  5. Re:Fucking Nazi SS by camperdave · · Score: 4, Interesting

    After initial bids to contact Philips failed, researchers Rios and colleague Terry McCorkle sought assistance from the DHS, the FDA and the country's Industrial Control Systems Cyber Emergency Response Team (ICS CERT).

    DHS didn't step in as some grand plan. They were asked to intervene by Cylance, a security research company, when Philips wouldn't respond about the detected security holes.

    Two days later, DHS control system director Marty Edwards told the researchers the agency would from then on handle all information security vulnerabilities found in medical devices and software.

    In other words, "if you (the security research company) find a vulnerability, DHS is the proper channel to report it".

    --
    When our name is on the back of your car, we're behind you all the way!