Slashdot Mirror


US Government Task Force Urges Cash Incentives For Ditching Insecure Medical Devices (securityledger.com)

chicksdaddy shares this report from The Security Ledger: The healthcare sector in the U.S. is in critical condition and in dire need of an overhaul to address widespread and systemic information security weakness that puts patient privacy and even safety at risk, a Congressional Task Force has concluded... On the controversial issue of medical device security, the report suggests that the Federal government and industry might use incentives akin to the "cash for clunkers" car buyback program to encourage healthcare organizations to jettison insecure, legacy medical equipment...

The report released to members of both the U.S. Senate and House of Representatives on Friday concludes that the U.S. healthcare system is plagued by weaknesses, from the leadership and governance of information security within healthcare organizations, to the security of medical devices and medical laboratories to hiring and user awareness. Many of the risks directly affect patient safety, the group found. It comes amid growing threats to healthcare organizations, including a ransomware outbreak that affected scores of hospitals in the United Kingdom.

Joshua Corman, the Director of the Cyber Statecraft Initiative at The Atlantic Council, argues that currently "Healthcare is target rich and resource poor," adding a special warning about the heavy usage of internet-connected healthcare equipment. "If you can't afford to protect it, you can't afford to connect it."

64 comments

  1. Re:This just in by Anonymous Coward · · Score: 0

    That isn't fair. What he SAID was "If she wasn't my daughter I'd grab her by the pussy with my little tiny hands". BIGLY difference.

  2. fines? by Anonymous Coward · · Score: 1

    How about we start fining these irresponsible companies when they negligently use known insecure devices and have security breaches?

    1. Re:fines? by fluffernutter · · Score: 1

      I'd say, "you can't do that to a medical institution!", but then I remember that they are there for profit like everyone else and I'm totally fine with it.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  3. If you need a medical device to live by Anonymous Coward · · Score: 0

    And then you die, you've saved more money and carbon emissions for the world. My recommendation is to be healthy.

    1. Re: If you need a medical device to live by Anonymous Coward · · Score: 0

      Where is Jessica Hyde?

  4. Re: This just in by Anonymous Coward · · Score: 0

    Still butt-hurt, eh? Better luck in 8 years!

  5. Re: I have an IoT medical device by Anonymous Coward · · Score: 0

    I'm not gay

  6. Of course, the lengthy and expensive cert process by Salgak1 · · Score: 4, Informative

    . . . makes even PATCHING existing gear for security holes an extended and tedious process.

    Consider, my eldest daughter was working as a ward admin, IT relied on her for backup, because for an entire 445 bed hospital. . . there were two junior techs. The password on everything EXCEPT the email and timecard system. . . was "password".

    And, of course, that didn't even include the systems you could physically exploit. . . like a "Pyxis" supply dispenser. The tool needed to "hack" it. . . is a flat-head screwdriver. . .

  7. Resource poor? BS by whoever57 · · Score: 1

    Resource poor? When I have to pay over $300 for a simple doctor appointment, or over $600 for an appointment with a specialist?

    No, there are plenty of resources. It's the priorities that are the problem.

    --
    The real "Libtards" are the Libertarians!

    1. Re:Resource poor? BS by sabbede · · Score: 1

      All those resources are dedicated to filing paperwork or paying for the shiny, new, hi-tech, connected medical equipment that now has to be updated or replaced at no small cost. To patients.

  8. Re: Of course, the lengthy and expensive cert proc by Anonymous Coward · · Score: 0

    Is your eldest daughter hot?

  9. Re: I have an IoT medical device by Anonymous Coward · · Score: 0

    Why don't you give it a try for a while? You can always switch back if you decide you don't like it. C'mon, haven't you ever wondered what it would be like to have a cock buried in your ass? Not even a little? I know a lot of guys like you who weren't gay before, but boy o boy they sure are fabulous now!

  10. Re:I have an IoT medical device by Anonymous Coward · · Score: 0

    It's a special vibrating buttplug to stimulate my sphynxster. It uses a location aware app that stimulates my anus whenever certain criteria are met - like when I'm in a gayborhood or near a gay bar. Because it was prescribed by a doctor to relieve my "Dry Rectum" (DR for short) condition, Medicare paid for it. Thanks Obama!

    +1 Informative

  11. We could just hire more people by rsilvergun · · Score: 1

    I hear there's a shortage of good jobs. But then we'd have to train them. And feed and house and clothe them while they train (don't kid yourself, you can't do intensive training like that while working full time to support yourself, that's why college drop out rates are so high, higher if you consider the ones that didn't get in in the first place).

    Once again, this is a problem that could be solved but we'll be damned if we're gonna do it because nobody wants to pay for it. Hell, when you suggest they do they call you a thief for raising their taxes.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/

    1. Re:We could just hire more people by Anonymous Coward · · Score: 0

      Capitalism!

      What is the maximally efficient cost-effective solution to job X?

      Don't do it at all.

      This is the result of an economy that focuses only on cost vs. profit.

    2. Re:We could just hire more people by PixelPusher1532 · · Score: 2

      don't kid yourself, you can't do intensive training like that while working full time to support yourself

      Good thing I did not read your post before I did exactly that.

  12. Re: I have an IoT medical device by Anonymous Coward · · Score: 0

    no dilz in my ass!

  13. How it ought to go, but won't by Anonymous Coward · · Score: 0

    "How much cash do you give us if we upgrade our machines to secure ones?"

    "Absolutely none at all."

    "How's that a cash incentive then?"

    "You get to keep the large amounts of money you're otherwise going to be fined for keeping your customers details on shitty, insecure systems."

  14. You can thank our healthcare system for that by rsilvergun · · Score: 1

    most of the money goes to the top. Not your Doctors or the infrastructure to support them. Then there's the little matter of 'deductibles', meaning you pay for 'insurance' then you pay for care until you hit your deductible then you pay 80/20 if you're lucky and 60/40 if you're not.

    This is what happens when you let middle men run your healthcare system.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/

    1. Re:You can thank our healthcare system for that by whoever57 · · Score: 1

      most of the money goes to the top. Not your Doctors or the infrastructure to support them.

      Isn't that what I said? "priorities".

      --
      The real "Libtards" are the Libertarians!

  15. just reduce regulations blocking updates by Anonymous Coward · · Score: 0

    There's no need to provide cash incentives, all that's needed is to reduce the barriers that over-regulation causes (like the need to completely recertify the entire device to apply a patch)

    Once you lower the barriers, then other pressures (audits, etc) can take effect and push for the devices to be updated.

    Right now, there is no ability to patch the devices because the vendors don't release patches, because the cost to certify a patch is so high.

    The FDA needs to be able to separate out the medical functionality of a device from the software, and setup tests that test the software for changes in the desired functionality (while letting bugfixes, UI fixes, even OS updates and changes go through easily)

    1. Re: just reduce regulations blocking updates by Anonymous Coward · · Score: 0

      Lots of claims that this is happening but still no one can produce proof that patches to the OS mean you lose the certification.

      It also begs the question of why these vendors use general purpose operating systems for their specialized machines if this were the case.

  16. Poor healthcare companies by mspohr · · Score: 2

    US healthcare is more expensive than anywhere in the world. Profits of healthcare companies are higher in the US than anywhere. There are no limits to what they charge.
    Now they are saying they can't afford to fix the crap they've been foisting on the public?
    Crocodile tears...

    --
    I don't read your sig. Why are you reading mine?

    1. Re:Poor healthcare companies by Anonymous Coward · · Score: 0

      Now they are saying they can't afford to fix the crap they've been foisting on the public? Crocodile tears

      Fine, but you're the one whose privacy and security suffers while they keep raking in the profits. How's that working for you?

    2. Re:Poor healthcare companies by Anonymous Coward · · Score: 0

      The only way this plan would actually work is if they deny sales to the military unless they comply.

  17. Re:Of course, the lengthy and expensive cert proce by Anonymous Coward · · Score: 0

    The thing is, medical devices have by far the biggest bang-per-buck as far as per-device profit in the medical field. So as much as my gut reaction to the "cert process ... an extended and tedious process" is to suggest reduced regulation, I think the more obvious truth is that instead of "cash for clunkers" we should have "recalls for clunkers" because the whole point of the "extended and tedious process" is that device makers don't want to have to go through the costly process again.

    The alternative is the mess we see with Windows PCs, where we've just come to accept the whole notion of patching monthly, running [often ineffective] antivirus software, and accepting we're going to get hacked eventually. It's precisely the argument that it'd be astronomically expensive to make things right the first time is why we accept it: the risk vs cost isn't worth it. When it comes to a PC, a person's life isn't on the line.

    Plan B? Since clearly all tort suits, which are going to happen when people DO die--and it's going to happen--from these insecure devices, do to businesses is make them roll the problem into the cost of doing business--and as I discussed above, medical device makers are prepared for it--, start holding CEOs, engineers, etc criminally liable for negligent homicide. As much as people bitch about the whole GM ignition switch scandal, it's actually a relatively minor thing* precisely because the Transportation Safety Admin has gotten the industry to accept the notion of "voluntary" recalls to avoid direct government regulation which would be much, much worse all around.

    PS - Cash for clunkers is a horrible comparison. ICEs suck for the environment. The "solution" was to simply "trade" worse ICEs for slightly better ICEs. But insecure IoT or otherwise insecure medical devices is because of shitty design, coding, etc. It's not an inherent part of what a medical device is. ICEs can't be "fixed". Medical devices can be. But what's the promise that they will be? In the end, it's more "cash for clunkers for another [possible] clunker because we can't trust medical device makers". That's no solution. Hell, the new device might be even worse. At least "cash for clunkers" actually improved things because of CAFE standards--ignore the whole VW mess which is worth a whole other post.

    * Put in perspective, 10-15% of traffic accidents are due to mechanical failure. That we find a specific cause in one instance that could have been corrected is both good (we can fix it) and bad (it should have been noticed and fixed sooner, probably). But, it's near the level of noise given all the other things that can happen in a car. "Potential failure" is the core of what ICE is all about--more of an internal explosion engine. Another example of people who lack perspective are those that take the Bin Ladin Determined to Strike in US briefing as some idea 9/11 should have been stopped. The best answer is probably to just be more diligent next time and get industry to be involved.

  18. Buyback? by bestweasel · · Score: 1

    Why should these highly profitable corporations receive public money to do the right thing to protect themselves and the patients? If they won't do it voluntarily, the law should make them.

    1. Re:Buyback? by Anonymous Coward · · Score: 1

      Yes, the incentive should be to not punish them for failures to adhere to the HIPAA law, not to give them cash for the bad decisions they've made without regard to privacy!

    2. Re:Buyback? by dargaud · · Score: 2

      And in addition, nothing so far shows that the new devices are anymore secure than the old ones: they still run on Windows, versions of which don't receive any updates for various reasons, passwords are kept the same forever and everywhere, all ports are open so that various equipment can communicate 'easily', etc...

      --
      Non-Linux Penguins ?

  19. Re: Of course, the lengthy and expensive cert proc by Anonymous Coward · · Score: 0

    wow u typed a lot of words that nobody will read but congrats on getting a +5 from mods that don't want to read your bullshit

  20. Wrong reward by Anonymous Coward · · Score: 0

    This isn't rewarding citizens for doing the right thing, it's avoiding the punishing of manufacturers that ignored good security practices and US HIPAA laws. Medical devices aren't shoved onto the market as soon as possible, they're manufactured to a strict standard: There's no excuse for leaving the job half-done. Maybe the government should be punishing itself for not updating and enforcing that strict standard.

  21. More Information, Please by bill_mcgonigle · · Score: 1

    Where can I find out which of the local hospitals and surgical suites uses up-to-date secure stuff and which ones don't give a damn?

    Because I will vote with my wallet.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

  22. Re:Of course, the lengthy and expensive cert proce by bill_mcgonigle · · Score: 1

    That's surprising - Pyxis machines are frequently used to dispense Schedule II drugs.

    Maybe they changed out the stock screws ... one can hope.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

  23. This idea brought to you by Draining The Swamp(TM) by Anonymous Coward · · Score: 0

    "Here's a good one: let's pick out those contractors who've made absolutely no effort to keep their IT up to date, and reward them with taxpayers' money!"

    Another great idea from our friends in Congress. Keep it up, guys.

  24. Re: This just in by fluffernutter · · Score: 0

    As opposed to you, whose butt doesn't hurt and wants it again, and again, and again because Donnie uses the good lube paid for by the American public on you. Yeah I'll pick butt-hurt.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.

  25. Re: This just in by Anonymous Coward · · Score: 0

    What is the female version of a cuckold? I need to know because calling her Hillary has gotten old.

  26. Re: I have an IoT medical device by KGIII · · Score: 1

    Well, not with that attitude, you won't!

    --
    "So long and thanks for all the fish."

  27. More bailouts?? WTF! by Anonymous Coward · · Score: 0

    The manufacturers of the insecure medical devices should be held civilly and criminally liable!!

    1. Re:More bailouts?? WTF! by rholtzjr · · Score: 1

      Currently they are in the event that the device causes the harm and the flaw was proven to cause said harm. If it is "user" error, then it is not the responsibility of the maker, but the hospital. Most medical devices I was involved with creating utilized standard security practices and if setup properly they would be a reliable secure device, but only as secure as the network in which it is placed.

  28. Re:Of course, the lengthy and expensive cert proce by Anonymous Coward · · Score: 0

    And, of course, that didn't even include the systems you could physically exploit. . . like a "Pyxis" supply dispenser. The tool needed to "hack" it. . . is a flat-head screwdriver. . .

    I work in embedded systems security, and we generally don't worry too much about things like the "screwdriver" example (as a matter of public policy, if I were doing security architecture, I would certainly worry about that). We have laws to take care of that. You can also walk into a hospital and poison someone, and there's no computer security mechanism against that. Sure, it'd be great if everything was secure, but hacks that require physical access, are limited to physical access in the damage caused and leave a trace behind are really not worth spending much effort on.

  29. Re:Of course, the lengthy and expensive cert proce by rholtzjr · · Score: 1

    As a developer in the medical device area, the biggest obstacle of creating the devices was the FDA. So the regulations that were attached were daunting. Not only was there an audit annually with respect to every device we created, we had to have detailed design, creation, maintenance and release of each object. This produced quite a bit of paperwork. At the time, the FDA would not accept electronic documents that could have (at the time) been put on a CD for every device. Every change or enhancement also had to be tracked in this manner as well. So less regulation could probably help, but we are talking medical devices.

    We also designed into said devices security as well, so as long as they had a competent admin person the devices could be secured. As a matter of fact, it was actually quite difficult to get the admins from different hospitals to setup secure networks in the event they needed to share patient information between hospitals. I ran into a couple that would only allow a temporary connection and only open it on request for a set time period. But I could see the complaint of not having a competent system administrator is their real problem.

  30. Re: Of course, the lengthy and expensive cert pro by orlanz · · Score: 1

    I read it all. GP has good points. GASP.. are you wrong on the internet? Go go, log off right now, go hide.

  31. Re: This just in by Anonymous Coward · · Score: 0

    Well, his user name (fluffernutter) does sound like he is in the porn industry.

  32. Politics..Again by oakgrove · · Score: 1

    I like this site and I really liked it when the byline used to be "News for nerds Stuff that matter". Is there an extension or bookmarklet or something that I can use to filter out stories based on keywords? Keywords like Comey, Trump, Government, Clinton, Democrat, Republican, Brexit, and on and on? I sure would like that. I really would.

    --
    The soylentnews experiment has been a dismal failure.

  33. HORRIBLE IDEA by Anonymous Coward · · Score: 0

    Paying people to do what they should do is plain wrong. This is nothing more than aid to big corporations. Passing money from tax payers to CEOs and other officers of large corporations that give big $$$ in pay and bonuses. They CAN afford to fix their mess and they should be forced to do so.

    Don't believe that none of that is true because that's exactly how big business works with the government. CORRRRRUPTION!

  34. Need a similar buy back ... by CaptainDork · · Score: 1

    ... program for the NSA.

    --
    It little behooves the best of us to comment on the rest of us.

  35. Re:Of course, the lengthy and expensive cert proce by drinkypoo · · Score: 1

    Maybe they changed out the stock screws ... one can hope.

    You probably have to go to Harbor Freight and buy a $3.99 security bit set, now.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  36. Re:Of course, the lengthy and expensive cert proce by radarskiy · · Score: 1

    What does the certification process for equipment have to do with the size of the IT staff?

  37. Dare they be patients in their own hospitals? by tychoS · · Score: 2

    I once spoke to (tried to pull) a smart, bright, knowledgeable, beautiful female programmer, who worked in the software development department of a very large well known manufacturer of hospital equipment. The sort of equipment you hook up to patients and use to monitor their well-being, or interconnect to their bodies in various ways.

    She told me she had been admitted to hospital once and been hooked up to such a machine. She had felt very relieved when she saw it was made by a competing manufacturer and not her own employer, as she knew full well how crappy the software in the machines made by her employer was made.

    She relaxed in the hospital bed, hoping the competitors had better software than her own employer.

    1. Re:Dare they be patients in their own hospitals? by dargaud · · Score: 1

      She relaxed in the hospital bed, hoping the competitors had better software than her own employer.

      ...but they didn't and when the insulin pump started running a DDOS botnet, a bitcoin fab, a spam spewer and a ransomware distributor, it unfortunately also started dispensing too much insulin. Hence she's been in a coma ever since. And the popup asking for an update to the WinXP antivirus is routinely ignored as medical staff press on Cancel at every reboot. Which happens multiple times per day.

      --
      Non-Linux Penguins ?

  38. Re:Of course, the lengthy and expensive cert proce by Anonymous Coward · · Score: 0

    As a developer in the medical device area, the biggest obstacle of creating the devices was the FDA.

    So, your medical device was a trivial fob? Or are you undermining the notion of how difficult it is to create a well-designed device?

    So the regulations that were attached were daunting. Not only was there an audit annually with respect to every device we created, we had to have detailed design, creation, maintenance and release of each object.

    For "each object" do you mean "each model" or "each produced unit"? Even if it's the latter, well, it makes the change/enhancement part later rather moot. In any case, it's just duplicate paperwork.

    This produced quite a bit of paperwork. At the time, the FDA would not accept electronic documents that could have (at the time) been put on a CD for every device.

    And? I mean, I can see wanting it all on a CD and complaining about all the printing, but and?

    Every change or enhancements also had to be tracked in this manner as well. So less regulations could probably help, but we are talking medical devices.

    Seriously, what's so onerous about any of this? You should already be tracking this stuff. It's actually better for your development to be tracking this stuff. The only bad part is the literal paperwork but it sounds like they've got electronic so that part should be trivial as well.

    We also designed into said devices security as well, so as long as they had a competent admin person the devices could be secured.

    And this I really doubt. If you think following FDA rules was "the biggest obstacle", it's hard to believe your medical device was competently designed unless it was a very simple fob. But, since you mention "networks", I know it's not.

    As a matter of fact, it was actually quite difficult to get the admins from different hospitals to setup secure networks in the event they needed to share patient information between hospitals. I ran into a couple that would only allow a temporary connection and only open it on request for a set time period. But I could see the complaint of not having a competent system administrator is their real problem.

    No, that's a separate complaint. The concern is that medical devices that shouldn't crash, require physical access, etc often fail at all these things and more. That the FDA requires you to document everything doesn't mean much because the FDA isn't out to painstakingly figure out all possible failure modes. That's your job.

    I don't want to sound overly harsh, but I really wonder if you understand the issue at hand. I mean, as a developer in the medical device area, I would hope you would. But it really sounds to me that you don't. You think it's enough to presume that there aren't hostile actors and that your security is top notch. I hope I'm wrong.

  39. I complained back then by Anonymous Coward · · Score: 0

    slashdot doesn't talk about Linux distros, or microprocessors anymore, and politics was nonexistent. I miss that slashdot.

    1. Re: I complained back then by Anonymous Coward · · Score: 0

      We need a Debian LTS flavor for medical devices.

  40. none of this stuff has to connect to the internet by Anonymous Coward · · Score: 0

    I don't see why medical devices have to connect to a giant network. It should just be connected to a LAN for the building. If you want to sabotage, just come in with a knife, or gun. No computer skills needed.

    Therefore, to keep medical device costs down, use code that is mediocre in the right way.

  41. Re: Of course, the lengthy and expensive cert proc by Anonymous Coward · · Score: 0

    You miss how painstakingly anal the FDA is about things like software. You are correct, they don't "know" what they're approving so they just heap paperwork on the problem. You either stick to an approved "canned" system (that probably won't get upgraded) or implement your own stuff like security. But if you need to do things like security patches you can get the WHOLE DEVICE reviewed just to change the login protocol. Devices take five-ten years to design and bosses don't want to keep paying for intensive reviews because something like OpenSSL changes monthly.

  42. Here's a cash incentive by Khyber · · Score: 1

    Ditch your insecure shit or face HIPAA fines and fees.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

  43. Medical Costs by unixcorn · · Score: 1

    With the money I (my insurance company) am paying to hospitals and doctors, I can see no reason for the Federal Government to subsidize ANYTHING medical related. However, with the difficulty of certification, red tape and long durations of testing new or upgraded devices, I can understand why hospitals and doctors are resistant to replacing equipment that seems to work perfectly. Once again the Feds create a problem and then go back to taxpayers for more money to fix it.

  44. Re:Of course, the lengthy and expensive cert proce by jpschaaf · · Score: 1

    As far as I'm concerned, the commenter whose posting was broken apart line-by-line knows exactly what he/she is talking about, and their engineering judgment should not be questioned.

    In the medical device arena, an obvious two line of code change can easily take 3-4 days to complete the necessary reviews and documentation updates; the testing can take a week or two. Now imagine that a patch was made in the networking subsystem of a real-time operating system to deal with a security hole. Completing the relevant documentation/testing turns into a three to six month process. By the time the patch has gone through the necessary regulatory rigmarole, it's arriving so late in the field that any malware that targets the exploit will have long-ago infected the device. Medical device manufacturers are still scrambling to complete the paperwork/testing required to authorize patching their devices for eternalblue/Wannacry, in spite of the fact that it's truly a top priority for both hospitals and the manufacturers.

    Without a question of a doubt, generating paperwork that will withstand FDA audit is at least as big of a challenge as engineering the device itself.

  45. Re:Of course, the lengthy and expensive cert proce by Salgak1 · · Score: 1

    . . . which would be a configuration change, and require yet ANOTHER audit and paper trail. . . Not that it would fix the actual problem, which is a latch that is easily and tracelessly jimmied with a simple screwdriver. . .

  46. Re: Of course, the lengthy and expensive cert proc by Anonymous Coward · · Score: 0

    In which case you have an easy answer. Make the security update, take out an ad in the paper claiming the FDA has demanded $1,xxx,xxx dollars to approve the security update. Watch the problem get fixed.

  47. Re:Of course, the lengthy and expensive cert proce by Anonymous Coward · · Score: 0

    As far as I'm concerned, the commenter whose posting was broken apart line-by-line knows exactly what he/she is talking about, and their engineering judgment should not be questioned. ... Now imagine that a patch was made in the networking subsystem of a real-time operating system to deal with a security hole.

    This is precisely my point. You can't say I shouldn't question their judgment then imply they have security holes in their code. How about designing the device right first, then submitting the finished device to the FDA?

    Medical device manufacturers are still scrambling to complete the paperwork/testing required to authorize patching their devices for eternalblue/Wannacry, in spite of the fact that it's truly a top priority for both hospitals and the manufacturers.

    That's why they went with Windows. Where security (and by extension, patient lives) is #1!

    Without a question of a doubt, generating paperwork that will withstand FDA audit is at least as big of a challenge as engineering the device itself.

    Given the quality of the engineering presented, I agree. But as another poster had suggested, if the issue really is that making trivial changes is such a burden or that you can't group changes and engage in a thorough testing at set times to deal with the documentation and regulation in a predictable fashion, present actual examples to the American people and to Congress. My personal guess is, it's not nearly as bad as you think and a lot less critical engineering is put to similar standards which are considered reasonable.

    Feel free to prove me wrong with examples. A big hint that eternalblue doesn't count precisely because it's a shitty engineering practice to rely upon a consumer OS as a core of a medical device.