Slashdot Mirror
US Government Task Force Urges Cash Incentives For Ditching Insecure Medical Devices (securityledger.com)
chicksdaddy shares this report from The Security Ledger:
The healthcare sector in the U.S. is in critical condition and in dire need of an overhaul to address widespread and systemic information security weakness that puts patient privacy and even safety at risk, a Congressional Task Force has concluded... On the controversial issue of medical device security, the report suggests that the Federal government and industry might use incentives akin to the "cash for clunkers" car buyback program to encourage healthcare organizations to jettison insecure, legacy medical equipment...
The report released to members of both the U.S. Senate and House of Representatives on Friday concludes that the U.S. healthcare system is plagued by weaknesses, from the leadership and governance of information security within healthcare organizations, to the security of medical devices and medical laboratories to hiring and user awareness. Many of the risks directly affect patient safety, the group found. It comes amid growing threats to healthcare organizations, including a ransomware outbreak that affected scores of hospitals in the United Kingdom.
Joshua Corman, the Director of the Cyber Statecraft Initiative at The Atlantic Council, argues that currently "Healthcare is target rich and resource poor," adding a special warning about the heavy usage of internet-connected healthcare equipment. "If you can't afford to protect it, you can't afford to connect it."
The report released to members of both the U.S. Senate and House of Representatives on Friday concludes that the U.S. healthcare system is plagued by weaknesses, from the leadership and governance of information security within healthcare organizations, to the security of medical devices and medical laboratories to hiring and user awareness. Many of the risks directly affect patient safety, the group found. It comes amid growing threats to healthcare organizations, including a ransomware outbreak that affected scores of hospitals in the United Kingdom.
Joshua Corman, the Director of the Cyber Statecraft Initiative at The Atlantic Council, argues that currently "Healthcare is target rich and resource poor," adding a special warning about the heavy usage of internet-connected healthcare equipment. "If you can't afford to protect it, you can't afford to connect it."
How about we start fining these irresponsible companies when they negligently use known insecure devices and have security breaches?
.. . . makes even PATCHING existing gear for security holes an extended and tedious process.
Consider, my eldest daughter was working as a ward admin, IT relied on her for backup, because for an entire 445 bed hospital. . . was two junior techs. The password on everything EXCEPT the email and timecard system. . .was "password".
And, of course, that didn't even include the systems you could physically exploit. . . like a "Pyxis" supply dispenser. The tool needed to "hack" it. . . is a flat-head screwdriver. . .
Resource poor? When I have to pay over $300 for a simple doctor appointment, or over $600 for an appointment with a specialist?
No, there are plenty of resources. It's the priorities that are the problem.
The real "Libtards" are the Libertarians!
I hear there's a shortage of good jobs. But then we'd have to train them. And feed and house and cloth them while they train (don't kid yourself, you can't do intensive training like that while working full time to support yourself, that's why college drop out rates are so high, higher if you consider the ones that didn't get in in the first place).
Once again, this is a problem that could be solved but we'll be damned if we're gonna do it because nobody wants to pay for it. He'll, when you suggest they do they call you a thief for raising their taxes.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
most of the money goes to the top. Not your Doctors or the infrastructure to support them. Then there's the little matter of 'deductibles', meaning you pay for 'insurance' then you pay for care until you hit your deductible then you pay 80/20 if you're lucky and 60/40 if you're not.
This is what happens when you let middle men run your healthcare system.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
US healthcare is more expensive than anywhere in the world. Profits of healthcare companies are higher in the US than anywhere. There are no limits to what they charge.
Now they are saying they can't afford to fix the crap they've been foisting on the public?
Crocodile tears...
I don't read your sig. Why are you reading mine?
Why should these highly profitable corporations receive public money to do the right thing to protect themselves and the patients? If they won't do it voluntarily, the law should make them.
Where can I find out which of the local hospitals and surgical suites uses up-to-date secure stuff and which ones don't give a damn?
Because I will vote with my wallet.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
That's surprising - Pyxis machines are frequently used to dispense Schedule II drugs.
Maybe they changed out the stock screws ... one can hope.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Well, not with that attitude, you won't!
"So long and thanks for all the fish."
As a developer in the medical device area, the biggest obstacle of creating the devices was the FDA. So the regulations that were attached were daunting. Not only was their an audit annually with respect to every device we created, we had to have detailed design, creation, maintenance and release of each object. This produced quite a bit of paperwork. At the time, the FDA would not accept electronic documents that could have (at the time) be put on a CD for every device. Every change or enhancements also had to be tracked in this manner as well. So less regulations could probably help, but we are talking medical devices.
We also designed into said devices security as well, so as long as they had a competent admin person the devices could be secured. As a matter of fact, it was actually quite difficult to get the admins from different hospitals to setup secure networks in the event they needed to share patient information between hospitals. I ran into a couple that would only allow a temporary connection and only open it on request for a set time period. But I could see the complaint of not having a competent system administrator is their real problem.
I read it all. GP has good points. GASP.. are you wrong on the internet? Go go, log off right now, go hide.
Currently they are in the event that the device causes the harm and the flaw was proven to cause said harm. If it is "user" error, then it is not the responsibility of the maker, but the hospital. Most medical devices I was involved with creating utilized standard security practices and if setup properly they would be a reliable secure device, but only as secure as the network in which it is placed.
I like this site and I really liked it when the byline used to be "News for nerds Stuff that matter". Is there an extension or bookmarklet or something that I can use to filter out stories based on keywords? Keywords like Comey, Trump, Government, Clinton, Democrat, Republican, Brexit, and on and on? I sure would like that. I really would.
The soylentnews experiment has been a dismal failure.
... program for the NSA.
It little behooves the best of us to comment on the rest of us.
Maybe they changed out the stock screws ... one can hope.
You probably have to go to Harbor Freight and buy a $3.99 security bit set, now.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
What does the certification process for equipment have to due to size of the IT staff?
I once spoke to (tried to pull) a smart, bright, knowledgeable, beautiful female programmer, who worked in the software development department of a very large well known manufacturer of hospital equipment. The sort of equipment you hook up to patients and use to monitor their well-being, or interconnect to their bodies in various ways.
She told me she had been admitted to hospital once and been hooked up to such a machine. She had felt very relieved when she saw it was made by a competing manufacturer and not her own employer, as she knew full well how crappy the software in the machines made by her employer was made.
She relaxed in the hospital bed, hoping thee competitors had better software that her own employer.
Ditch your insecure shit or face HIPPA fines and fees.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
With the money I (my insurance company) am paying to hospitals and doctors, I can see no reason for the Federal Government to subsidize ANYTHING medical related. However, with the difficulty of certification, red tape and long durations of testing new or upgraded devices, I can understand why hospitals and doctors are resistant to replacing equipment that seems to work perfectly. Once again the Feds create a problem and then go back to taxpayers for more money to fix it.
As far as I'm concerned, the commenter whose posting was broken apart line-by-line knows exactly what he/she is talking about, and their engineering judgment should not be questioned.
In the medical device arena, an obvious two line of code change can easily take 3-4 days to complete the necessary reviews and documentation updates; the testing can take a week or two. Now imagine that a patch was made in the networking subsystem of a real-time operating system to deal with a security hole. Completing the relevant documentation/testing turns into a three to six month process. By the time the patch has gone through the necessary regulatory rigmarole, it's arriving so late in the field that any malware that targets the exploit will have long-ago infected the device. Medical device manufacturers are still scrambling to complete the paperwork/testing required to authorize patching their devices for eternalblue/Wannacry, in spite of the fact that it's truly a top priority for both hospitals and the manufacturers.
Without a question of a doubt, generating paperwork that will withstand FDA audit is at least as big of a challenge as engineering the device itself.
. . . which would be a configuration change, and require yet ANOTHER audit and paper trail. . . Not that it would fix the actual problem, which is a latch that is easily and tracelessly jimmied with a simple screwdriver. . .