US Government Task Force Urges Cash Incentives For Ditching Insecure Medical Devices (securityledger.com)
chicksdaddy shares this report from The Security Ledger:
The healthcare sector in the U.S. is in critical condition and in dire need of an overhaul to address widespread and systemic information security weakness that puts patient privacy and even safety at risk, a Congressional Task Force has concluded... On the controversial issue of medical device security, the report suggests that the Federal government and industry might use incentives akin to the "cash for clunkers" car buyback program to encourage healthcare organizations to jettison insecure, legacy medical equipment...
The report released to members of both the U.S. Senate and House of Representatives on Friday concludes that the U.S. healthcare system is plagued by weaknesses, from the leadership and governance of information security within healthcare organizations, to the security of medical devices and medical laboratories to hiring and user awareness. Many of the risks directly affect patient safety, the group found. It comes amid growing threats to healthcare organizations, including a ransomware outbreak that affected scores of hospitals in the United Kingdom.
Joshua Corman, the Director of the Cyber Statecraft Initiative at The Atlantic Council, argues that currently "Healthcare is target rich and resource poor," adding a special warning about the heavy usage of internet-connected healthcare equipment. "If you can't afford to protect it, you can't afford to connect it."
... makes even PATCHING existing gear for security holes an extended and tedious process.
Consider: my eldest daughter was working as a ward admin, and IT relied on her for backup, because for an entire 445-bed hospital... there were two junior techs. The password on everything EXCEPT the email and timecard system... was "password".
And, of course, that didn't even include the systems you could physically exploit... like a "Pyxis" supply dispenser. The tool needed to "hack" it... is a flat-head screwdriver...
US healthcare is more expensive than anywhere in the world. Profits of healthcare companies are higher in the US than anywhere. There are no limits to what they charge.
Now they are saying they can't afford to fix the crap they've been foisting on the public?
Crocodile tears...
I don't read your sig. Why are you reading mine?
I once spoke to (tried to pull) a smart, bright, knowledgeable, beautiful female programmer, who worked in the software development department of a very large well known manufacturer of hospital equipment. The sort of equipment you hook up to patients and use to monitor their well-being, or interconnect to their bodies in various ways.
She told me she had been admitted to hospital once and been hooked up to such a machine. She had felt very relieved when she saw it was made by a competing manufacturer and not her own employer, as she knew full well how crappy the software in the machines made by her employer was.
She relaxed in the hospital bed, hoping the competitors had better software than her own employer.
And in addition, nothing so far shows that the new devices are any more secure than the old ones: they still run on Windows, versions of which don't receive any updates for various reasons; passwords are kept the same forever and everywhere; all ports are open so that various equipment can communicate 'easily'; etc...
Non-Linux Penguins?
don't kid yourself, you can't do intensive training like that while working full time to support yourself
Good thing I did not read your post before I did exactly that.