Slashdot Mirror
Why Aren't There Better Cybersecurity Regulations For Medical Devices? (vice.com)
citadrianne writes with an excerpt from Motherboard about some of the factors behind the long-decried security problems that surround medical hardware, and that will only become more pressing as some long-term treatments become both more portable (in the form of drug pumps, muscle stimulators, etc), more connected to sensors and controllers, and more dependent on software. There is a growing body of research that shows just how defenseless many critical medical devices are to cyberattack. Research over the last couple of years has revealed that hundreds of medical devices use hard-coded passwords. Other devices use default admin passwords, then warn hospitals in the documentation not to change them. A big part of the problem is there are no regulations requiring medical devices to meet minimum cybersecurity standards before going to market. The FDA has issued formal guidelines, but these guidelines "do not establish legally enforceable responsibilities." "In theory you could sell a bunch of medical devices without ever having gone through a security review," the well-known independent medical device security researcher Billy Rios told Motherboard.
Medical devices have gone under the guise of "security by obscurity" for far too long. They have no standards. They are plugged into the network without any worry at all to what could happen. Insulin pumps are terrible at this.
Even Dick Cheney had to have special consideration taken for his pacemaker, since the technology is so bad.
It isn't just device makers. In general most don't give a shit about security. From banking "apps" to healthcare "apps" - security is generally the last checkbox checked before shipping. It isn't a core tenet of technology for companies, it is feature you may or may not get to.
Until there are actual penalties for ignoring basic information security practices, no one will waste time (aka money) securing things they "don't have to."
I have a software application that was cleared by the FDA under the 510(k) class 2 classification. I actually had to submit cybersecurity documentation. The FDA is now doing it, but all the legacy applications will not have this in place.
Having a "cyber security document" does not guarantee that the device will be secure. More FDA checking boxes bullshit.
If that's an ethernet network it might still be more secure than encrypted wireless... You'd at least have to physically be in the hospital at some point to exploit it.
In any case, it's kinda hard to imagine explaining how someone died because the doctor forgot their password.
Sadly any answer probably boils down to the fact that not enough people have been injured and/or died yet. Hang a few bodies around the problem and you can bet the government will start taking security on these devices much more seriously. Hang a few lawsuits on them and the companies might do something about it themselves.
Devices should be secure, or at least securable. As should internal hospital networks.
At the same time the risk from bio-medical network hacking remains theoretical. There's a small but serious risk that harm could spread on a wide scale, but so far no exploits have been made.
The risk of network issues during critical, potentially confusing, seconds-count scenarios is also real. Having some kind of network incompatibility or security interface issue could easily mean the difference between life and death.
Both risks exist. Both can be studied, and a reasonable compromise reached - but to discuss one in the absence of the other is just foolishness.
You're special forces then? That's great! I just love your olympics!
because the incentives are all wrong - as long as CMS drives the cost out then security will lose. if CMS values it, then it will be part of the equation. FDA has a role too, and they have to require security too. it's as simple as that.
nothing to see here - move along
I figure there's two possible reasons for this:
1) The regulators are lazy/incompetent and haven't bothered.
2) The lobbyists for the medical devices industry have asked for it to keep profits higher.
But that there is little or no security in these things should be far more widely reported than it apparently is. Consumer electronics have really bad security; medical devices can't even be said to have security in a lot of cases.
Given what I've heard about the security and frequency of malware on hospital networks, I'm actually surprised there isn't more deaths attributed to the useless security on these things.
Lost at C:>. Found at C.
If you work for a typically paper-pushing corporation, the priority on the "CIA triad' (confidentiality, integrity and availability) is usually: C, then A then I. If you work for a utility ("ICS"), it's often A then I then C. And if you work with medical devices, it's definitely I then A and maybe way down the line maybe C, because there's the HIPAA legal hammer to take care of all that. Hardly anyone in this stack understands authentication, but the key with at least the last two is that if someone's trying to use a machine or device and they are standing right next to it, they are assumed to be authorized. Unfortunately, that line of thinking leaks out into web interfaces, telnet and other craziness, and that's why it's all a mess at the moment.
I've worked on and off in the medical devices field for a long time, and have been directly involved with the FDA approval process of several products. One thing I can add to this discussion is that anyone who has been through this process recognizes that "not legally enforceable guidelines" still need to be addressed before one can actually get a product released. Sure, maybe an organization could argue around them, but there are so many ways that the FDA can hold up a release or generally cause an organization grief that it's simply not practical to do so. The bigger issues are 1) that these guidelines are relatively new and have only fairly recently been getting enforced, and 2) the people doing the reviewing don't always have enough security knowledge. For #1 it looks like loss of privacy is now starting to get acknowledged as a form of harm to the patient and so security is starting to get lumped in with other risk analysis, and for #2 consider that "FDA" stands for "Food and Drug Administration" -- "Medical Devices" isn't even in the title and it's certainly not the prime focus of the agency.
Sometimes you just can't tell whether or not something is parody.
After a HIPAA violation, then they will pay for it.
They are regulations in place, there just isn't enforcement until after an incident happened.
The Flat open network, just as long as it is closed off to the rest of the world, is good enough. But when you start bringing in outside connections from vendors and other areas, and or using the same network for the public Wi-Fi then you may be getting in trouble.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Big companies who do medical records (e.g. Microsoft, Google) care about security. The average company doing medical records cares about having a marketing buzzword that makes purchasers and patients feel secure. Hospitals generally don't give enough of a fuck because they don't understand it and it costs money, and it doesn't really cost them anything if they get broken into. It's not like many people will choose a different hospital or doctor.
Have gnu, will travel.
John McAfee for president! ;)
... not for you - did your seventh-grade government school teacher perhaps try to tell you otherwise? Try to deal with empirical reality, not platitudes.
The entrenched interests that give high-paying jobs to former regulators are delighted that startups can't compete and that the products only have to be safe on paper, not subject to real competitive review (notice that Consumer Reports doesn't compare replacement needs - Consumers' Union does lobbying instead, unlike cars).
Gosh, back when I was doing medical work it was astonishing how a respirator could be shut down with a passing radio. FDA and FCC gave medical a complete pass on RF interference, not because shielding and grounding is hard, but because medical industry paid for the exemption and they could save a few bucks on manufacturing, and fuck the grandma who needs a vent. The relative cost was minimal, but they're special snowflakes and they didn't have to worry about a spunky startup getting a booth at a trade show demonstrating the reckless endangerment by the old corps.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I am a physician. While I don't implant pacemakers or defibrillators, I do take care of a number of patients who have these devices.
One critical issue here is accessibility of these devices. Suppose someone gets an implantable cardiac defibrillator for a failing heart. If the patient's cardiac status worsens, they device may activate and keep the heart beating. In these circumstances, it's critical that the physicians at the hospital have immediate and unrestricted access to the data on the device. Without this data, the physicians are at a serious disadvantage in trying to keep the patient alive.
To further complicate things, a patient in the midst of a cardiac event may not be able to provide a password. Even if the password is stored somewhere in the medical records, modern electronic record systems are often cumbersome to find such data. For example, if the device was implanted at a different hospital, the records typically have to be printed, faxed and then scanned in order to access the data. Those ridiculous steps translate into delays in care.
The real conundrum is whether a particular security modality is going to save more lives by thwarting hackers that it will cause deaths by delaying medical treatment.
I don't know why, but security has been a problem every time a new class of device gains connectivity.
Robert Morris' internet worm got loose in 1988 - 27 years ago... WTF?
What this article is talking about is the vulnerability of BMDI devices, devices that stream data to the EMR or receive data from it. These would include bedside monitors, the pumps used to give infusions, anesthesia carts, etc. It's very important that the data be accurate and not be monkeyed with, obviously,
But if a hospital IT department, which is under resourced because of the declining reimbursement structure in healthcare (every year being asked to treat phenomenally more and more people on less and less funding, and keep facilities up to date, and keep equipment modern and safe, and keep up with all the regulatory changes), decides to make all the device keys "1234", that's not really the architecture's fault.
There are best safe practices in place, which are of course to verify the pump's settings before you turn it on, or make sure the vitals in the record match what you're seeing on the monitor, etc. But there are security vulnerabilities due to human tendencies, that even encryption won't solve.
Some of those vulnerabilities that would require physical access to exploit would be just as protected by the existing hospital security measures as current vulnerabilities (unplugging, pin-pricks, blocking lines, et cetera). Doesn't mean that they're not real, or that in some cases it wouldn't be frighteningly easy to do Very Bad Things, but we probably shouldn't treat the networked versions any more or less gingerly than the physical ones.
You're special forces then? That's great! I just love your olympics!
most of the hacking is done by criminals to make and steal money. how would you make money from hacking medical devices?
I worked in security in the health care system for a short time and there was a ton of resistance to any security solutions we tried to implement. Some of it was that the medical staff felt it was impeding their ability to do their jobs, but it mostly seemed like they didn't like change.
Worst. Sig. Ever.
Most of these devices are either wireless or moving to wireless. Some of them must remain physically connected because an outage could result in patient harm, but more or less everything is moving to wireless for a variety of reasons.
-There are numerous reasons why in a certain area, cabling can't be on the floor or hanging, and the device must be able to move around.
-Some devices travel all over the campus and may be used in an area where wired networking isn't available or practical
-Most PCs being used on mobile devices are low profile devices now and (usb, etc) connections are limited
-Cabling is seen as a hassle and risk in terms of patients who are a fall risk, and adds complexity (however minor) to cleaning the devices for infection control purposes
-Wired infrastructure is harder and more expensive to scale when the purposes of physical space change, and it takes time to effect those changes
-In some places it is much more expensive and troublesome to have ports added or moved, such as in the operating theater
etc etc.
Wireless is objectively better if proper standards are developed and followed, but as is the case in all of human history, the tech comes before the knowledge of how to use it wisely.
What's the goal of medical device software?
Currently, you have to prove that your target user can actually use your product without making mistakes. Make things too complicated in any way, and you're required to have a specialist on hand to turn the thing on. You don't decide what "too complicated" is, the FDA does.
The current solutions for maximum usability (hard coded passwords, no changing of passwords) are likely the result of existing regulation, not laziness on the part of medical device makers.
Medical device clinical trials already cost millions of dollars and take years to get through. Add bad actors to this, and you're further raising the bar for introduction of new technology.
Medical device makers should focus on medical utility. Requiring via trials (FDA) that the device makers take responsibility for physical security (i.e. passwords for local access) or cybersecurity will kill off any progress toward electronic integration of medical data.
Shit's too easy to spoof.... well, maybe if you eliminate all inputs..
“He’s not deformed, he’s just drunk!”
this reminds me of a story
years ago i was working at a very large, very prestigious hospital in boston. at the time they had no guest wifi. i needed a network connection so i set my laptop on a the nurses workstation and handed her one end of a long network cable and asked her to unplug the printer and plug in my wire. which she promptly did.
i was not in a lab connect, i was in a suit. i didn't know this nurse and she had no idea who i was. she simply removed one cable and plugged in mine.
needless to say, i was stunned.
that should have said "lab coat" not "lab connect"....sorry
Anyone remotely familiar with the giant pile of manure known as HIPPA knows that government regulations in IT are not only ineffective but also total waste of time and money.
Someone you trust is one of us.
At it's very best, you have unhackable encryption for e-data. Now I will show you that that data can be hacked.
At some point, some human has to take some action to access the unencrypted form of that data. If that human can do it, then it can be done by another human, some other unauthorized way. That's called hacking.
There is no way around this. The problem with e-records is *you don't have to be physically present to steal them- they can be copied and they can be transported and the original source is none the wiser.
once you have something that fits that description, all your security is out the window.
Read the story above this one or just read the daily headlines of the MSM. Nothing is safe in electronic form- it's less safe relative to its paper counterpart. More convenient, but less safe.
Until you have computation being done on data that is never decrypted, which is possible, you'll have these problems.
I guess when a vendor delivers their latest device with XP installed and then proceeds to tell you that you CANNOT install the latest updates, the invisible hand is still guiding the market. Had this situation happen within the last 6 months. The doctor had to have this particular instrument, yet the vendor REFUSED to deliver it with a modern supported OS and prevented us from taking steps to secure the out of date XP OS. Until there are regulations forbidding vendors from selling unsecured configuration, the situation will not improve.
Quit playing Monopoly with Bill.
Linux - of the people, by the people, and for the people.
i was not in a lab connect, i was in a suit. i didn't know this nurse and she had no idea who i was. she simply removed one cable and plugged in mine.
Shouldn't have mattered if she did. In my wife's office if you plug in an unknown machine to an ethernet port it simply won't work. The MAC address and some other stuff has to be registered to that particular port before it can connect. If I brought my laptop into her office, it would require non-trivial amounts of hacking to get it to connect to anything. While no security is bulletproof, lots of places don't even take basic precautions.
Lobbyists
Not everyone writing software should be nor should they need to be a security expert.
I think the proper method here is to not trust devices to be secure, ever. Instead look to a provider of security software and/or hardware to put your devices behind.
A firewall device in front of every connected device would seem to be the best approach.
Just like every computer should have a firewall, every device should too.
My eyes reflect the stars and a smile lights up my face.
I believe you are putting the cart before the horse. Nobody gives a shit about security in medical devices because it's not profitable to do so. If there was money to be had, you can bet your ass you would have FUD commercials running 24/7 and companies offering lifetime protection for just about everything.
People did not care too much about what us techie people said in regards to their digital security. We don't own enough media to be heard. But, WHOLLY BUCKETS OF CASH BATMAN! INFOMERCIAL! has people scared enough to care.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
I'd say that security is weak because it would be difficult to profit from hacking medical devices. Regulation is weak because there have been no headline-grabbing incidents to bring the issue to the attention of regulators.
It would take a particular type of psycho to hack medical devices and harm people simply for the sake of harming people. That's probably what it will take before manufacturers improve security or government passes some knee-jerk regulations however.
After a HIPAA violation, then they will pay for it. They are regulations in place, there just isn't enforcement until after an incident happened.
The Flat open network, just as long as it is closed off to the rest of the world, is good enough.
Maybe. Maybe not. HIPAA is not a prescriptive standard. The operators of that network would have to have documented that they effectively assessed the risk of such a design, and then took "reasonable" measures to mitigate any significant risk. If they failed to do even that much (and that is still very common) they will be found to be in "willful neglect" and subject to even higher penalties.
As an area that I am very close to, I decided to sum up my comments in a single post rather than scatter replies to many of the uninformed, hyperbolic statements already made on this issue.
The FDA is not lazy or incompetent on this topic. I have personally worked with the people there who are driving this topic. There is a guidance document that was put through the draft/final review cycle on a fast track for FDA work (about 15 months between the two phases, which often takes 2-4 years).
http://www.fda.gov/downloads/m...
They also held a workshop on the topic, and have been reaching out and supporting communications on this issue in many venues.
http://www.fda.gov/MedicalDevi...
The FDA rarely is prescriptive on *how* a function should be performed. They regulate far too many types of devices used in all different kinds of situations. Their regulations need to stand for decades, so guidance documents are how they address issues that are more rapidly changing. The FDA is all about risk management, and directs manufacturers to perform risk management, document their results and submit it for review. How strongly the reviewers push back when guidance isn't followed indicates how strongly the FDA is concerned with an issue. I have been contacted more than once by companies who are getting questions on cybersecurity in their FDA submissions. If you are building a higher-risk networked medical device, you will need to follow the guidance document and produce your data or expect your approval to be delayed while you answer their questions (and thus, have to produce the data).
Having worked in the industry for many years, I really don't subscribe to the general theory that medical device companies are money greedy corporate fat cats who care only about profit at the expense of patient care. Everyone I have worked with has family members and friends who end up using these devices. I think the reluctance to embrace security in these devices is much more of a disbelief that anyone would try to actively harm a patient. I tend to use the examples of devices as vulnerable pivots to get at data in the hospital that can be monetized as my means to turn thinking in this domain.
Another challenge is that every hospital is different. Even the hospitals don't have standards that they generally use for the interconnection of devices. I have been encouraging hospital-based groups to work on the prescriptive standards so device manufactures have something to build against that they know will be salable in the end. Add to that the fact that 80% of device companies have 50 employees or less, and there is the challenge of teaching every one what they need to know.
By the way, the EHRs that these devices are being connected to aren't classified as medical devices, and are not regulated by the FDA. Despite the fact that the medical device definition includes software used to "diagnose disease."
Billy Rios is a great guy, and has done great service in this area. But the press tends to take comments in this space out of context. They love to find a line that makes it sound like the sky is falling.
Regulations. Security, quality, reliability, good engineering.... All cost something.
Don't step on the baby.
This subject has come up a few times lately, but I haven't found any reliable sources of information on the subject other than directly from the government. Do you have any links to resources by any chance?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
The reason for the lack of security is obvious - the risk of hacking is present, but not very high. On the other hand, if the medical equipment does not work as designed, the patient may die because of that failure. Currently it's better to have the equipment work for sure and risk a hack than to put too many complicated steps into setting things up securely.
Wireless is a nightmare in many hospitals. Lead in the walls near the MRI and radiotheraphy machines for example.
In my last job I worked on the development of a medical diagnostic instrument. While not immediately life-threatening if compromised, lots of patient details could be stored on the system with no encryption. Now, it wasn't normally networked, so to get the information you had to stand in front of it. But here's where it got interesting: you could create an account to give yourself access to the data, and only a password was required - no username. Just one single string of characters. And because that was the case, you couldn't use the same password as anyone else. If you tried, it would actually give you the error message "Password already in use"...
What?
Not to mention that the admin passwords were the same on all instruments...
The downside of not being networked was that the OS was never updated. There were Windows 2000 machines, and XP machines with no service packs at all. Generally computers on these systems were kept far longer than they would be in most other industries. This did give some other instruments a bit of an advantage through obscurity however - I'm sure there are fewer people around able to crack a 486 running a customised QNX kernel setup than able to crack a pre-SP1 XP box...
What this article is talking about is the vulnerability of BMDI devices, devices that stream data to the EMR or receive data from it.
But if a hospital IT department, which is under resourced because of the declining reimbursement structure in healthcare...
Well, it probably wouldn't be an issue with Hospital IT, but Clinical Engineering. Clinical Engineering deal with the items that touch patients and send data to the EMR, and the may or may not even use the network provided by Hospital IT. Not that the issues with funding aren't still there if not even more so. IME, it is rarely them that make device keys or passwords "1234" but rather the vendors or users. Often such "features" as backdoors and hardcoded admin passwords aren't even listed in the documentation, and unless you get to that one guy in tier 3 support, even the vendor agents you are dealing with might not know about them.
Also, why is a cybertech cybernews cybersite like Slashspot using the unnecessary cyberword "cyber" in its cyberheadline?