Slashdot Mirror


Why Aren't There Better Cybersecurity Regulations For Medical Devices? (vice.com)

citadrianne writes with an excerpt from Motherboard about some of the factors behind the long-decried security problems that surround medical hardware, and that will only become more pressing as some long-term treatments become both more portable (in the form of drug pumps, muscle stimulators, etc.), more connected to sensors and controllers, and more dependent on software.

There is a growing body of research that shows just how defenseless many critical medical devices are to cyberattack. Research over the last couple of years has revealed that hundreds of medical devices use hard-coded passwords. Other devices use default admin passwords, then warn hospitals in the documentation not to change them. A big part of the problem is there are no regulations requiring medical devices to meet minimum cybersecurity standards before going to market. The FDA has issued formal guidelines, but these guidelines "do not establish legally enforceable responsibilities." "In theory you could sell a bunch of medical devices without ever having gone through a security review," the well-known independent medical device security researcher Billy Rios told Motherboard.

6 of 99 comments

  1. CIA triad...in a different order by xxxJonBoyxxx · · Score: 3, Insightful

    If you work for a typically paper-pushing corporation, the priority on the "CIA triad" (confidentiality, integrity and availability) is usually: C, then A, then I. If you work for a utility ("ICS"), it's often A, then I, then C. And if you work with medical devices, it's definitely I, then A, and maybe way down the line C, because there's the HIPAA legal hammer to take care of all that. Hardly anyone in this stack understands authentication, but the key with at least the last two is that if someone's trying to use a machine or device and they are standing right next to it, they are assumed to be authorized. Unfortunately, that line of thinking leaks out into web interfaces, telnet and other craziness, and that's why it's all a mess at the moment.

  2. Be careful what you ask for by Anonymous Coward · · Score: 5, Interesting

    I am a physician. While I don't implant pacemakers or defibrillators, I do take care of a number of patients who have these devices.

    One critical issue here is accessibility of these devices. Suppose someone gets an implantable cardiac defibrillator for a failing heart. If the patient's cardiac status worsens, the device may activate and keep the heart beating. In these circumstances, it's critical that the physicians at the hospital have immediate and unrestricted access to the data on the device. Without this data, the physicians are at a serious disadvantage in trying to keep the patient alive.

    To further complicate things, a patient in the midst of a cardiac event may not be able to provide a password. Even if the password is stored somewhere in the medical records, modern electronic record systems are often cumbersome to find such data. For example, if the device was implanted at a different hospital, the records typically have to be printed, faxed and then scanned in order to access the data. Those ridiculous steps translate into delays in care.

    The real conundrum is whether a particular security modality is going to save more lives by thwarting hackers than it will cause deaths by delaying medical treatment.

  3. Re:There is no security in health care. by tripleevenfall · · Score: 3, Interesting

    What this article is talking about is the vulnerability of BMDI devices, devices that stream data to the EMR or receive data from it. These would include bedside monitors, the pumps used to give infusions, anesthesia carts, etc. It's very important that the data be accurate and not be monkeyed with, obviously.

    But if a hospital IT department, which is under-resourced because of the declining reimbursement structure in healthcare (every year being asked to treat phenomenally more and more people on less and less funding, and keep facilities up to date, and keep equipment modern and safe, and keep up with all the regulatory changes), decides to make all the device keys "1234", that's not really the architecture's fault.

    There are best safe practices in place, which are of course to verify the pump's settings before you turn it on, or make sure the vitals in the record match what you're seeing on the monitor, etc. But there are security vulnerabilities due to human tendencies, that even encryption won't solve.

  4. Re:There is no security in health care. by tripleevenfall · · Score: 2

    Most of these devices are either wireless or moving to wireless. Some of them must remain physically connected because an outage could result in patient harm, but more or less everything is moving to wireless for a variety of reasons.

    - There are numerous reasons why in a certain area, cabling can't be on the floor or hanging, and the device must be able to move around.
    - Some devices travel all over the campus and may be used in an area where wired networking isn't available or practical.
    - Most PCs being used on mobile devices are low-profile devices now and (USB, etc.) connections are limited.
    - Cabling is seen as a hassle and risk in terms of patients who are a fall risk, and adds complexity (however minor) to cleaning the devices for infection control purposes.
    - Wired infrastructure is harder and more expensive to scale when the purposes of physical space change, and it takes time to effect those changes.
    - In some places it is much more expensive and troublesome to have ports added or moved, such as in the operating theater.

    etc etc.

    Wireless is objectively better if proper standards are developed and followed, but as is the case in all of human history, the tech comes before the knowledge of how to use it wisely.

  5. Re:how do you make money from the hacks? by AeroMed45N · · Score: 2
  6. It's complicated by AeroMed45N · · Score: 2

    As an area that I am very close to, I decided to sum up my comments in a single post rather than scatter replies to many of the uninformed, hyperbolic statements already made on this issue.

    The FDA is not lazy or incompetent on this topic. I have personally worked with the people there who are driving this topic. There is a guidance document that was put through the draft/final review cycle on a fast track for FDA work (about 15 months between the two phases, which often takes 2-4 years).
    http://www.fda.gov/downloads/m...
    They also held a workshop on the topic, and have been reaching out and supporting communications on this issue in many venues.
    http://www.fda.gov/MedicalDevi...

    The FDA rarely is prescriptive on *how* a function should be performed. They regulate far too many types of devices used in all different kinds of situations. Their regulations need to stand for decades, so guidance documents are how they address issues that are more rapidly changing. The FDA is all about risk management, and directs manufacturers to perform risk management, document their results and submit it for review. How strongly the reviewers push back when guidance isn't followed indicates how strongly the FDA is concerned with an issue. I have been contacted more than once by companies who are getting questions on cybersecurity in their FDA submissions. If you are building a higher-risk networked medical device, you will need to follow the guidance document and produce your data or expect your approval to be delayed while you answer their questions (and thus, have to produce the data).

    Having worked in the industry for many years, I really don't subscribe to the general theory that medical device companies are money greedy corporate fat cats who care only about profit at the expense of patient care. Everyone I have worked with has family members and friends who end up using these devices. I think the reluctance to embrace security in these devices is much more of a disbelief that anyone would try to actively harm a patient. I tend to use the examples of devices as vulnerable pivots to get at data in the hospital that can be monetized as my means to turn thinking in this domain.

    Another challenge is that every hospital is different. Even the hospitals don't have standards that they generally use for the interconnection of devices. I have been encouraging hospital-based groups to work on the prescriptive standards so device manufacturers have something to build against that they know will be salable in the end. Add to that the fact that 80% of device companies have 50 employees or less, and there is the challenge of teaching everyone what they need to know.

    By the way, the EHRs that these devices are being connected to aren't classified as medical devices, and are not regulated by the FDA. Despite the fact that the medical device definition includes software used to "diagnose disease."

    Billy Rios is a great guy, and has done great service in this area. But the press tends to take comments in this space out of context. They love to find a line that makes it sound like the sky is falling.