Slashdot Mirror
Why Aren't There Better Cybersecurity Regulations For Medical Devices? (vice.com)
citadrianne writes with an excerpt from Motherboard about some of the factors behind the long-decried security problems that surround medical hardware, and that will only become more pressing as some long-term treatments become both more portable (in the form of drug pumps, muscle stimulators, etc), more connected to sensors and controllers, and more dependent on software. There is a growing body of research that shows just how defenseless many critical medical devices are to cyberattack. Research over the last couple of years has revealed that hundreds of medical devices use hard-coded passwords. Other devices use default admin passwords, then warn hospitals in the documentation not to change them. A big part of the problem is there are no regulations requiring medical devices to meet minimum cybersecurity standards before going to market. The FDA has issued formal guidelines, but these guidelines "do not establish legally enforceable responsibilities." "In theory you could sell a bunch of medical devices without ever having gone through a security review," the well-known independent medical device security researcher Billy Rios told Motherboard.
I worked at a hospital for 10 years. The databases were not encrypted. The network was flat. They spent virtually no money on security. I don't understand why they can get away with it.
Medical devices have gone under the guise of "security by obscurity" for far too long. They have no standards. They are plugged into the network without any worry at all to what could happen. Insulin pumps are terrible at this.
Even Dick Cheney had to have special consideration taken for his pacemaker, since the technology is so bad.
It isn't just device makers. In general most don't give a shit about security. From banking "apps" to healthcare "apps" - security is generally the last checkbox checked before shipping. It isn't a core tenet of technology for companies, it is feature you may or may not get to.
Until there are actual penalties for ignoring basic information security practices, no one will waste time (aka money) securing things they "don't have to."
I have a software application that was cleared by the FDA under the 510(k) class 2 classification. I actually had to submit cybersecurity documentation. The FDA is now doing it, but all the legacy applications will not have this in place.
regulations eat in to profit- you cant join the race to the bottom and make the cheapiest device!
Having a "cyber security document" does not guarantee that the device will be secure. More FDA checking boxes bullshit.
Sadly any answer probably boils down to the fact that not enough people have been injured and/or died yet. Hang a few bodies around the problem and you can bet the government will start taking security on these devices much more seriously. Hang a few lawsuits on them and the companies might do something about it themselves.
Devices should be secure, or at least securable. As should internal hospital networks.
At the same time the risk from bio-medical network hacking remains theoretical. There's a small but serious risk that harm could spread on a wide scale, but so far no exploits have been made.
The risk of network issues during critical, potentially confusing, seconds-count scenarios is also real. Having some kind of network incompatibility or security interface issue could easily mean the difference between life and death.
Both risks exist. Both can be studied, and a reasonable compromise reached - but to discuss one in the absence of the other is just foolishness.
You're special forces then? That's great! I just love your olympics!
You COMMUNIST. Don't you know that the FDA is unnecessary REGULATION and if we were living in a FREE MARKET then by sheer force of REPUTATION those who KILL MULTIPLE PATIENTS BECAUSE PROFIT CAME FIRST will go out of business? And that the invigorated SPIRIT of AYN RAND and MILTON KEYNES FRIEDMAN will reincarnate those whom the INVISIBLE HAND (pbuh) has COLLATERALISED in its holy MISSION?
But its a star for liability. One can go to the document and see it's shit, or if it's not shit ask why the shipping product doesn't follow their own documents
"Lobbyists"
The medical device manufacturers have a lot of them.
because the incentives are all wrong - as long as CMS drives the cost out then security will lose. if CMS values it, then it will be part of the equation. FDA has a role too, and they have to require security too. it's as simple as that.
nothing to see here - move along
I figure there's two possible reasons for this:
1) The regulators are lazy/incompetent and haven't bothered.
2) The lobbyists for the medical devices industry have asked for it to keep profits higher.
But that there is little or no security in these things should be far more widely reported than it apparently is. Consumer electronics have really bad security; medical devices can't even be said to have security in a lot of cases.
Given what I've heard about the security and frequency of malware on hospital networks, I'm actually surprised there isn't more deaths attributed to the useless security on these things.
Lost at C:>. Found at C.
We don't need regulation. Anybody with an ounce of common sense knows that no company would risk the bad publicity of having one of their devices kill patients because it lacked any kind of security. They would be bankrupt when patients became unwilling to be connected to those unsafe devices. So, as usual, the invisible hand of the market will steer us right ... no government interference needed.
If you work for a typically paper-pushing corporation, the priority on the "CIA triad' (confidentiality, integrity and availability) is usually: C, then A then I. If you work for a utility ("ICS"), it's often A then I then C. And if you work with medical devices, it's definitely I then A and maybe way down the line maybe C, because there's the HIPAA legal hammer to take care of all that. Hardly anyone in this stack understands authentication, but the key with at least the last two is that if someone's trying to use a machine or device and they are standing right next to it, they are assumed to be authorized. Unfortunately, that line of thinking leaks out into web interfaces, telnet and other craziness, and that's why it's all a mess at the moment.
I've worked on and off in the medical devices field for a long time, and have been directly involved with the FDA approval process of several products. One thing I can add to this discussion is that anyone who has been through this process recognizes that "not legally enforceable guidelines" still need to be addressed before one can actually get a product released. Sure, maybe an organization could argue around them, but there are so many ways that the FDA can hold up a release or generally cause an organization grief that it's simply not practical to do so. The bigger issues are 1) that these guidelines are relatively new and have only fairly recently been getting enforced, and 2) the people doing the reviewing don't always have enough security knowledge. For #1 it looks like loss of privacy is now starting to get acknowledged as a form of harm to the patient and so security is starting to get lumped in with other risk analysis, and for #2 consider that "FDA" stands for "Food and Drug Administration" -- "Medical Devices" isn't even in the title and it's certainly not the prime focus of the agency.
Sometimes you just can't tell whether or not something is parody.
Big companies who do medical records (e.g. Microsoft, Google) care about security. The average company doing medical records cares about having a marketing buzzword that makes purchasers and patients feel secure. Hospitals generally don't give enough of a fuck because they don't understand it and it costs money, and it doesn't really cost them anything if they get broken into. It's not like many people will choose a different hospital or doctor.
Regulate everything seems to be the mindset of most of the people in this country, which has served to put America well on the path to being a socialist shithole. It's already nearly impossible to start any kind of business without being swamped with paperwork and regulatory bullshit and things like Obamacare. If there were more regulations for medical device manufacturing, you wouldn't have any new manufacturers and very likely would drive many of the existing ones away or out of business. The price of whatever was left would go through the roof. The market has, can, and will take care of the cybersecurity or any other problems you would care to invent. Companies that put shit products out will go away because nobody will buy them. The ones that put out quality products at decent prices will thrive. It's capitalism 101 - learn it, live it, love it, or get out.
IEC 80001 and FDA guidance are a start start. As a very senior, l3t3 medical device software developer we do extensive security testing.
Have gnu, will travel.
Because that would require regulation, and the GOP will not pass new regulations for fear of looking like 'big government' and giving their tea party opponents fuel to get them replaced in office with more 'conservative' people.
There is no need to get the government involved. Any sane person knows that no business would risk bankruptcy by having the publicity associated with having their devices kill or injure patients after being hacked. If that happened, no doctor or patient would let one of those devices near them. Medical malpractice insurers would not allow hospitals or doctors to even have those machines in their offices. Trial lawyers would launch class action lawsuits that would bankrupt that company in a heartbeat. Medical device manufacturers implement stringent security to avoid all of those risks. The invisible hand is guiding the market, as it always does. No government interference needed.
That's what's happening, right guise?
John McAfee for president! ;)
Medical devices have gone under the guise of "security by obscurity" for far too long. They have no standards. They are plugged into the network without any worry at all to what could happen. Insulin pumps are terrible at this. Even Dick Cheney had to have special consideration taken for his pacemaker, since the technology is so bad. It isn't just device makers. In general most don't give a shit about security. From banking "apps" to healthcare "apps" - security is generally the last checkbox checked before shipping. It isn't a core tenet of technology for companies, it is feature you may or may not get to. Until there are actual penalties for ignoring basic information security practices, no one will waste time (aka money) securing things they "don't have to."
Because if the government actually created security standards and enforced them, that would cost Merican jobs due to all the over-regulation. Best not to think about how creating standards would cost the taxpayer, either. Govment has no business interfering in the private sector.
... not for you - did your seventh-grade government school teacher perhaps try to tell you otherwise? Try to deal with empirical reality, not platitudes.
The entrenched interests that give high-paying jobs to former regulators are delighted that startups can't compete and that the products only have to be safe on paper, not subject to real competitive review (notice that Consumer Reports doesn't compare replacement needs - Consumers' Union does lobbying instead, unlike cars).
Gosh, back when I was doing medical work it was astonishing how a respirator could be shut down with a passing radio. FDA and FCC gave medical a complete pass on RF interference, not because shielding and grounding is hard, but because medical industry paid for the exemption and they could save a few bucks on manufacturing, and fuck the grandma who needs a vent. The relative cost was minimal, but they're special snowflakes and they didn't have to worry about a spunky startup getting a booth at a trade show demonstrating the reckless endangerment by the old corps.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
is your answer.
Damn kids HACKING around on medical DEVICES and won't tell me how to UNINISTALL McAfee ANTIVIRUS from my e-PACEMAKER can GET OFF MY LA..... HHHHNNNGGGG
I am a physician. While I don't implant pacemakers or defibrillators, I do take care of a number of patients who have these devices.
One critical issue here is accessibility of these devices. Suppose someone gets an implantable cardiac defibrillator for a failing heart. If the patient's cardiac status worsens, they device may activate and keep the heart beating. In these circumstances, it's critical that the physicians at the hospital have immediate and unrestricted access to the data on the device. Without this data, the physicians are at a serious disadvantage in trying to keep the patient alive.
To further complicate things, a patient in the midst of a cardiac event may not be able to provide a password. Even if the password is stored somewhere in the medical records, modern electronic record systems are often cumbersome to find such data. For example, if the device was implanted at a different hospital, the records typically have to be printed, faxed and then scanned in order to access the data. Those ridiculous steps translate into delays in care.
The real conundrum is whether a particular security modality is going to save more lives by thwarting hackers that it will cause deaths by delaying medical treatment.
I don't know why, but security has been a problem every time a new class of device gains connectivity.
Robert Morris' internet worm got loose in 1988 - 27 years ago... WTF?
most of the hacking is done by criminals to make and steal money. how would you make money from hacking medical devices?
I worked in security in the health care system for a short time and there was a ton of resistance to any security solutions we tried to implement. Some of it was that the medical staff felt it was impeding their ability to do their jobs, but it mostly seemed like they didn't like change.
Worst. Sig. Ever.
What's the goal of medical device software?
Currently, you have to prove that your target user can actually use your product without making mistakes. Make things too complicated in any way, and you're required to have a specialist on hand to turn the thing on. You don't decide what "too complicated" is, the FDA does.
The current solutions for maximum usability (hard coded passwords, no changing of passwords) are likely the result of existing regulation, not laziness on the part of medical device makers.
Medical device clinical trials already cost millions of dollars and take years to get through. Add bad actors to this, and you're further raising the bar for introduction of new technology.
Medical device makers should focus on medical utility. Requiring via trials (FDA) that the device makers take responsibility for physical security (i.e. passwords for local access) or cybersecurity will kill off any progress toward electronic integration of medical data.
Shit's too easy to spoof.... well, maybe if you eliminate all inputs..
“He’s not deformed, he’s just drunk!”
Anyone remotely familiar with the giant pile of manure known as HIPPA knows that government regulations in IT are not only ineffective but also total waste of time and money.
Someone you trust is one of us.
At it's very best, you have unhackable encryption for e-data. Now I will show you that that data can be hacked.
At some point, some human has to take some action to access the unencrypted form of that data. If that human can do it, then it can be done by another human, some other unauthorized way. That's called hacking.
There is no way around this. The problem with e-records is *you don't have to be physically present to steal them- they can be copied and they can be transported and the original source is none the wiser.
once you have something that fits that description, all your security is out the window.
Read the story above this one or just read the daily headlines of the MSM. Nothing is safe in electronic form- it's less safe relative to its paper counterpart. More convenient, but less safe.
Until you have computation being done on data that is never decrypted, which is possible, you'll have these problems.
i was not in a lab connect, i was in a suit. i didn't know this nurse and she had no idea who i was. she simply removed one cable and plugged in mine.
Shouldn't have mattered if she did. In my wife's office if you plug in an unknown machine to an ethernet port it simply won't work. The MAC address and some other stuff has to be registered to that particular port before it can connect. If I brought my laptop into her office, it would require non-trivial amounts of hacking to get it to connect to anything. While no security is bulletproof, lots of places don't even take basic precautions.
What's more, it'd force those upstanding god-fearing life-saving hospitals to listen to us rapist oppressor misogynerds.
A+++++++ would read again. Mod up.
Not only that, but what kind of woman-hating racist would force hospitals to listen to us evil pro-rape oppressor misogynerds?
Lobbyists
Not everyone writing software should be nor should they need to be a security expert.
I think the proper method here is to not trust devices to be secure, ever. Instead look to a provider of security software and/or hardware to put your devices behind.
A firewall device in front of every connected device would seem to be the best approach.
Just like every computer should have a firewall, every device should too.
My eyes reflect the stars and a smile lights up my face.
Health care in America is designed to extract as much money and hardship as possible from people who are in need and disadvantaged. The United States does not care about your health, and its health care system reflects that position.
I believe you are putting the cart before the horse. Nobody gives a shit about security in medical devices because it's not profitable to do so. If there was money to be had, you can bet your ass you would have FUD commercials running 24/7 and companies offering lifetime protection for just about everything.
People did not care too much about what us techie people said in regards to their digital security. We don't own enough media to be heard. But, WHOLLY BUCKETS OF CASH BATMAN! INFOMERCIAL! has people scared enough to care.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
I'd say that security is weak because it would be difficult to profit from hacking medical devices. Regulation is weak because there have been no headline-grabbing incidents to bring the issue to the attention of regulators.
It would take a particular type of psycho to hack medical devices and harm people simply for the sake of harming people. That's probably what it will take before manufacturers improve security or government passes some knee-jerk regulations however.
As an area that I am very close to, I decided to sum up my comments in a single post rather than scatter replies to many of the uninformed, hyperbolic statements already made on this issue.
The FDA is not lazy or incompetent on this topic. I have personally worked with the people there who are driving this topic. There is a guidance document that was put through the draft/final review cycle on a fast track for FDA work (about 15 months between the two phases, which often takes 2-4 years).
http://www.fda.gov/downloads/m...
They also held a workshop on the topic, and have been reaching out and supporting communications on this issue in many venues.
http://www.fda.gov/MedicalDevi...
The FDA rarely is prescriptive on *how* a function should be performed. They regulate far too many types of devices used in all different kinds of situations. Their regulations need to stand for decades, so guidance documents are how they address issues that are more rapidly changing. The FDA is all about risk management, and directs manufacturers to perform risk management, document their results and submit it for review. How strongly the reviewers push back when guidance isn't followed indicates how strongly the FDA is concerned with an issue. I have been contacted more than once by companies who are getting questions on cybersecurity in their FDA submissions. If you are building a higher-risk networked medical device, you will need to follow the guidance document and produce your data or expect your approval to be delayed while you answer their questions (and thus, have to produce the data).
Having worked in the industry for many years, I really don't subscribe to the general theory that medical device companies are money greedy corporate fat cats who care only about profit at the expense of patient care. Everyone I have worked with has family members and friends who end up using these devices. I think the reluctance to embrace security in these devices is much more of a disbelief that anyone would try to actively harm a patient. I tend to use the examples of devices as vulnerable pivots to get at data in the hospital that can be monetized as my means to turn thinking in this domain.
Another challenge is that every hospital is different. Even the hospitals don't have standards that they generally use for the interconnection of devices. I have been encouraging hospital-based groups to work on the prescriptive standards so device manufactures have something to build against that they know will be salable in the end. Add to that the fact that 80% of device companies have 50 employees or less, and there is the challenge of teaching every one what they need to know.
By the way, the EHRs that these devices are being connected to aren't classified as medical devices, and are not regulated by the FDA. Despite the fact that the medical device definition includes software used to "diagnose disease."
Billy Rios is a great guy, and has done great service in this area. But the press tends to take comments in this space out of context. They love to find a line that makes it sound like the sky is falling.
Asinine laws cannot protect you. No rule can protect anything.
Security requires real work. Being SAS70 audited and certified doesn't protect against security issues. It only protects bureaucrats from responsibility.
The reason for the lack of security is obvious - the risk of hacking is present, but not very high. On the other hand, if the medical equipment does not work as designed, the patient may die because of that failure. Currently it's better to have the equipment work for sure and risk a hack than to put too many complicated steps into setting things up securely.
If you can hack a medical device to control it, you could also download the patient data. That's a HIPPA violation. Big fines, and potential criminal liability. The whole chain gets hit, from the deficient manufacturer, to the suppliers, to the hospital, to the doctors. HIPPA is brutal if enforced.
2 weeks ago I was fitted with an Implantable Cardioverter Defibrillator, which talks SSH with a control module. Once the DH handshake is accepted, someone can control my pulse rate, make my heart skip beats or even stop. I stress a little about how easy to hack I am now.
In my last job I worked on the development of a medical diagnostic instrument. While not immediately life-threatening if compromised, lots of patient details could be stored on the system with no encryption. Now, it wasn't normally networked, so to get the information you had to stand in front of it. But here's where it got interesting: you could create an account to give yourself access to the data, and only a password was required - no username. Just one single string of characters. And because that was the case, you couldn't use the same password as anyone else. If you tried, it would actually give you the error message "Password already in use"...
What?
Not to mention that the admin passwords were the same on all instruments...
The downside of not being networked was that the OS was never updated. There were Windows 2000 machines, and XP machines with no service packs at all. Generally computers on these systems were kept far longer than they would be in most other industries. This did give some other instruments a bit of an advantage through obscurity however - I'm sure there are fewer people around able to crack a 486 running a customised QNX kernel setup than able to crack a pre-SP1 XP box...
If you've ever had to work with scientists in the medical community, it quickly becomes clear they typically have the attitude that they don't have time to be bothered with security and it should be someone else should be taking care of it for them.
Many of these scientist write a lot of science software that makes it's way into these medical devices. Again learning decent programming techniques and software security is something they don't want to be bothered with. That sometimes gets passed to an actual software engineer who doesn't understand the medical science so the code only gets touched where absolutely necessary to get it implemented.
This problem isn't going away anytime soon. Not until the medical scientists feel threatened. They are far from it.
Why aren't there better regulations? I'm not sure that the issue of regulation is actually the most relevant one. Security of the medical device is the better question, regulation is just one possible means to that end.
However my larger point is, this is already a heavily regulated field. Furthermore there is an entire discipline (Biomedical Engineering) devoted to supporting these devices. And you could easily expand those categories if you start to include PACS systems, the imaging modalities, hospital EMRs, etc.
What this does is that there is a large "apparatus" that is in daily charge of medical device management. Those people are usually not IT people and instead come from a primarily clinical background and perspective. Getting them up to speed with cybersecurity issues takes time. They often think there is no issue with those medical devices until they connect with an EMR or other more clearly IT administered system. And even then they may not think there is an issue. Stand-alone, air-gapped implementations were and often still are their bulwark against an interconnected world.
That's all changing, but slowly. You can't do it without the full support and involvement of the tech disciplines who own those devices.