DHS Steps In As Regulator for Medical Device Security 123
mask.of.sanity writes "The Department of Homeland Security has taken charge of pushing medical device manufacturers to fix vulnerable medical software and devices after researchers popped yet another piece of hospital hardware. It comes after the agency pushed Philips to move to fix critical vulnerabilities found in its popular medical management platform that is used in a host of services including assisting surgeries and generating patient reports. To date, no agency has taken point on forcing the medical manufacturers to improve the information security profile of their products, with the FDA even dubbing such a risk unrealistic (PDF)."
DHS covering an awful lot these days ... (Score:5, Insightful)
It seems the DHS keeps expanding its mandate into ever broader areas.
And, quite frankly, that's a little creepy -- it's becoming this vast umbrella which has control over everything.
Re: (Score:2, Interesting)
Re: (Score:3, Informative)
Re: (Score:1)
Re: (Score:1)
Re:DHS covering an awful lot these days ... (Score:5, Insightful)
It was assigned to the wrong DHS... this should fall under the Department of Health and Human Services (HHS [hhs.gov]). Someone needs to tell a director that Homeland Security is stealing a project that should be theirs (i.e. taking their power).
Re:DHS covering an awful lot these days ... (Score:5, Insightful)
As for DHS covering too many things.... DHS isn't really anything in itself. It's just an umbrella created after 911 to try and make connections between what where (and still are for the most part) essentially independent organizations that suffer from too much redundancy and tribalism. (Which is not to say the DHS is necessarily doing a good job of solving these problems).
Re: (Score:2)
Re: (Score:2)
You are sort of feeding the trolls here, because the GPs original premise that FDA or HHS knows nothing about computer security is simply bogus flamebait.
I agree that those two agencies should improve their expertise rather than allowing a bunch of external security freaks stepping in between the Doctors and their tools. The expertise should be in-house, and tailored to the other systems used in hospitals. Handing this task to an outside umbrella agency is like having every mom calling the sheriff to enforc
Re: (Score:2)
Re: (Score:2)
Information Assurance. You aren't wrong, but it's a slightly better term.
Computer security is something you do as a subset of working towards information assurance.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Remember the Therac-25 [wikipedia.org]? No, probably not.
This happened in the late 80s, a radiation thereapy device had some unfortunate software problems and causes 6 accidents, some fatal. the FDA investigated then.
NO reason they can't investigate now. Software is software. Grow some expertise.
Re: (Score:2)
Re: (Score:2)
Al Qaeda is going to kill us all...one by one, with an X-ray machine...by appointment.
Re: (Score:3)
What does HHS or FDA know about computer security? Nothing. It is a technical niche.
What does the DHS know about computer security? Even less.
You don't have to know these things, you hire them in. Now, the issue of whether our government will do that based on merit or more likely not is a good point to raise, but it's a separate problem from not having the experience in-house already.
Re: (Score:2)
What does HHS or FDA know about computer security? Nothing. It is a technical niche.
What does the DHS know about computer security? Even less.
You don't have to know these things, you hire them in. Now, the issue of whether our government will do that based on merit or more likely not is a good point to raise, but it's a separate problem from not having the experience in-house already.
How can you hire, and manage, security experts if you don't know something about security yourself? What's a "security expert"? I know a guy who was a prosecutor for a while, then went looking for jobs as a corporate security consultant. Do you just hire an ex-cop? An ex-FBI agent? An ex-hacker? Do you take it on faith that they know what they're doing?
Years ago, government agencies developed in-house computer expertise, and they did a pretty good job. The VA hospitals developed VISTA, which is a better med
They're regulating software already (Score:2)
Anyone doing that today should understand security. If they can't, then they can get help from NIST and/or NSA, or outsource it and make the device maker pay a specialist for an audit.
Re: (Score:3)
One of the big jobs of the FDA is to screen through millions of accident reports to find the few that are actually relevant to safety.
I've reviewed FDA accident reports. Out of 200 reports on medical lasers, I might find 100 about the hinge on a door to the cabinet being broken, or "malfunctions" of that nature. There might be one report about a serious incident, in which a patient was injured because a cotton swab caught fire or something.
One of the big jobs of the FDA is to screen through those accident r
Re: (Score:2)
DHS does a notoriously bad job of screening through millions of potential threats and figuring out which are the real threats. They're like a smoke alarm that continually gives false alarms until people ignore it.
What does your comment have to do with the conversation at hand?
This isn't a false alarm, there is no need to "balance the risks and costs against the benefits."
The DHS is being handed weaponized computer exploits and ideally they're going to turn around and say "You. Manufacturer. Fix it."
CERT (Computer Emergency Readiness Team) is under DHS, and I don't thing anyone could reasonably argue that reports of computer exploits should go to the FDA or the Dept of Health and Human Services, just because they're
Re: (Score:2)
DHS does a notoriously bad job of screening through millions of potential threats and figuring out which are the real threats. They're like a smoke alarm that continually gives false alarms until people ignore it.
What does your comment have to do with the conversation at hand?
This isn't a false alarm, there is no need to "balance the risks and costs against the benefits."
The DHS is being handed weaponized computer exploits and ideally they're going to turn around and say "You. Manufacturer. Fix it."
The DHS is being handed theoretical attacks which have never been used in the real world. The problem is to figure out whether these are realistic problems, and what the priority is for dealing with them.
It may be possible that somebody could hack into an insulin pump. Nobody has ever done so. It's hard to imagine why somebody would want to. Nobody could make any money doing it. Nobody could accomplish a political goal by doing so. It's not like a bank where somebody could transfer money. So it is a false a
Re: (Score:2)
Re: (Score:2)
Maybe we should rename them.... Umbrella Dept? I know, I know, cheap shot.
Re:DHS covering an awful lot these days ... (Score:5, Interesting)
At this point, I'm thinking more like the Ministry of Truth. They're getting more and more involved with everything, and in a very disturbing way -- pretty much Orwellian in fact.
Re: (Score:2)
I vote we rename them the Bloc from Pendragon: The Quillon Games.
Re: (Score:1)
Re: (Score:2)
I don't know..I always thought "Homeland" was too reminiscent of "Fatherland". So their name is already fairly Orwellian sounding.
And from I've been through at the airport, those stupid blue uniforms are equally as Storm Trooper looking.
Re:DHS covering an awful lot these days ... (Score:5, Interesting)
Personally, I think this is a good thing. Now to just neuter them, and we'll be set.
My current job (IT admin in the financial sector) involves a fair bit of security work. A natural understanding of security is stunningly absent, even in places where security should be one of the highest concerns. Someone building an accounting program won't think about encrypting their data, because they're trained in accounting, not security. Someone programming a radiation therapy machine [wikipedia.org] won't think about hardware interlocks, because they're trained in programming software, not hardware safety.
Network-connected medical devices are becoming prevalent, and I expect they will only get more useful and necessary in time. They present opportunities for doctors, and hospital managers are trained in hospital management, not security.
I like seeing someone bringing a security-conscious mindset to the public. The DHS certainly wouldn't be my first choice, but they're better than not having anybody. Now if only we could get Bruce Schneier as Secretary...
Re: (Score:2)
Someone building an accounting program won't think about encrypting their data, because they're trained in accounting, not security.
Actually, they would probably reject it out of hand because it's terrible slow and a maintenance nightmare.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
...a government department that nobody ever heard of pre-9/11...
You're joking, right?
Re: (Score:2)
DHS has actually been one of the major government organizations for computer security for quite a while. US-CERT, for example, is a part of DHS.
Re: (Score:2)
It seems the DHS keeps expanding its mandate into ever broader areas.
And, quite frankly, that's a little creepy -- it's becoming this vast umbrella which has control over everything.
Well, yeah.
That is sort of the point of the thing.
The reason we have a consolidated Department of Defense (created ca. 1947-1949) is because of the absurd and damaging inter-service rivalries that became very visible in World War II.
The United States Department of Homeland Security (DHS) is a cabinet department of the United States federal government, created in response to the September 11 attacks, and with the primary responsibilities of protecting the United States of America and U.S. territories...from.. terrorist attacks, man-made accidents, and natural disasters.
DHS is the equivalent to the Interior ministries of other countries. An interior ministry (sometimes ministry of home affairs) is a government ministry typically responsible for policing, national security, and immigration matters.
United States Department of Homeland Security [wikipedia.org], Interior ministry [wikipedia.org]
Re: (Score:2)
they were down here for the NFL playoffs with other agencies to bust people for fraudulent NFL gear, I kid you not.
Re: (Score:3)
they were down here for the NFL playoffs with other agencies to bust people for fraudulent NFL gear, I kid you not.
That isn't quite as insane as it sounds. My guess is that most of the unlicensed merchandise is imported, and customs falls under DHS. Of course, you're free to feel that they shouldn't be spending the resources on unlicensed merchandise, but if anyone is going to enforce it, it would be DHS.
Re: (Score:1)
Well, they directly fund terrorism with the profits from fraudulent trademarked/copyrighted products.
Fact!
Re: (Score:1)
Like every government agency, once they're formed, their goal is to become as big and expensive as possible to justify their existence.
Re: (Score:2)
I had an x-ray just the other day and some creepy dude in a Blue uniform tried to feel me up.
Nuance (Score:5, Funny)
Technology in hospitals? Good.
Internet-connected technology in hospitals? Why?
Sure, people in hospitals need information, but surely something which is assisting in the physical process of a surgery (etc.) doesn't need to be in the cloud, does it?
The cloud can be cool, but be reasonable. Why not put the operations of the CIA into Salesforce.com while we're at it?
Re: (Score:2, Interesting)
But as we have seen, even isolated SCADA devices are getting infected. Isolation is not enough. The devices need to be fixed, and new ones created with security in mind.
Re: (Score:2)
Re: (Score:2)
You can convince someone to write the binary code of a program in notepad if it means they get to see Anna Kournikova's titties.
Re: (Score:1)
Naked in the cloud is a bad idea, VPN'ed on the common internet infrastructure has real tangible benefits in infrastructure costs.
Re: (Score:2, Funny)
Naked in the cloud is a bad idea,
And there are pictures of me to prove it.
Re:Nuance (Score:5, Interesting)
Sure, people in hospitals need information, but surely something which is assisting in the physical process of a surgery (etc.) doesn't need to be in the cloud, does it?
As someone who works for a company that writes medical systems software, I can tell you that at the very least the systems need network connectivity so that the different systems can consolidate data in one place for examination. The problem is that any network connected device is potentially vulnerable to random Joe plugging a laptop into the network and hacking away.
To illustrate why that's bad, I've run into situations in which a client site (read: Hospital) outright prohibited using SSL/TLS on their servers. They deemed their internal network secure and refused to budge on allowing secure communications between the clients and the servers. Authentication information should always be encrypted and some administrators just don't get that.
As a whole, I think the medical technology industry needs someone to force tighter security requirements on software developers and medical sites as a whole. This is a good thing in my opinion. If that appropriate someone is the DHS may require a different discussion, but some government body needs to start pushing information security in the medical industry.
Re: (Score:2)
Sure, people in hospitals need information, but surely something which is assisting in the physical process of a surgery (etc.) doesn't need to be in the cloud, does it?
As someone who works for a company that writes medical systems software, I can tell you that at the very least the systems need network connectivity so that the different systems can consolidate data in one place for examination. The problem is that any network connected device is potentially vulnerable to random Joe plugging a laptop into the network and hacking away.
That's interesting. My uncle had a pacemaker in the 70s and I'm pretty sure it didn't have any network capabilities.
To illustrate why that's bad, I've run into situations in which a client site (read: Hospital) outright prohibited using SSL/TLS on their servers. They deemed their internal network secure and refused to budge on allowing secure communications between the clients and the servers. Authentication information should always be encrypted and some administrators just don't get that.
As a whole, I think the medical technology industry needs someone to force tighter security requirements on software developers and medical sites as a whole. This is a good thing in my opinion. If that appropriate someone is the DHS may require a different discussion, but some government body needs to start pushing information security in the medical industry.
Re: (Score:2)
To illustrate why that's bad, I've run into situations in which a client site (read: Hospital) outright prohibited using SSL/TLS on their servers. They deemed their internal network secure and refused to budge on allowing secure communications between the clients and the servers. Authentication information should always be encrypted and some administrators just don't get that.
I hope you walked away from that client, or ignored their prohibition.
Re: (Score:2)
Re: (Score:1)
Not that I support having my hospital equipment on the Interwebs, but there are instances, such as remote robotic-assistance surgery, where it's either that or lay your own cable. Any respectable hospital will use a VPN, yada, etc, but it still requires an internet connection.
This issue will only become thornier unless clear-cut best management practices are established with respect to what gets on the Internet and what doesn't. Robo-surgery? Well, ok but it needs to be securing using A, B and C. My IV drip
At last! A purpose! (Score:2)
After all, DHS must have _some_ use. This might turn out to be it.
manufacturers need to let os updates and AV softwa (Score:2)
manufacturers need to let os updates and AV software to be install on there systems if they want / need to be on the hospital network. also why do they need to phone home as well?
Re:manufacturers need to let os updates and AV sof (Score:5, Insightful)
manufacturers need to let os updates and AV software to be install on there systems if they want / need to be on the hospital network.
Because running untested software is a bad idea. Heath care systems and medical device software should get the benefits of updates and patches, but only after those updates have been tested for those specific systems and software. Whatever the vendor does prior to release is insufficient.
When entire hospital processes come to a halt because the latest AV update mistakenly identifies a core OS file as a trojan, you'll come back and say, why are manufactures letting updates to be installed on their systems?
As with many things, the best path is in the middle. Critical systems should be updated as preventative maintenance, but administrators cannot rely on vendor testing alone.
Re: (Score:1)
manufacturers need to let os updates and AV software to be install on there systems if they want / need to be on the hospital network.
Because running untested software is a bad idea. Heath care systems and medical device software should get the benefits of updates and patches, but only after those updates have been tested for those specific systems and software. Whatever the vendor does prior to release is insufficient.
When entire hospital processes come to a halt because the latest AV update mistakenly identifies a core OS file as a trojan, you'll come back and say, why are manufactures letting updates to be installed on their systems?
As with many things, the best path is in the middle. Critical systems should be updated as preventative maintenance, but administrators cannot rely on vendor testing alone.
Why update the software? Pacemakers and insulin pumps were available long before you could wirelessly update them. If it is such a threat, then don't enable wireless updates. Plain and simple. My God, how did we exist before computers did everything for us!?
Re: (Score:3)
Why update the software? Pacemakers and insulin pumps were available long before you could wirelessly update them. If it is such a threat, then don't enable wireless updates. Plain and simple. My God, how did we exist before computers did everything for us!?
This discussion isn't about having computers do anything for us. It's about how we use computers as tools to do things. How did we have conversations before computers? Well, we did, and yet here you are using a network of computers to have a conversation.
As for the ability to update the software in a medical device, it's about trade-offs and compromises. ObCarAnalogy: computers in cars have made maintenance more complicated, so why not take the computers out of cars? Sure, if you also want to remove th
Re: (Score:2)
You misunderstand my post. I am not saying that we shouldn't have these devices, but if the risk from the software, or somebody hacking the software is so great that homeland security has to take it over, then maybe the very benefits and tradeoffs you mention should be looked at again.
As for the car analogy, computers CAN make cars more fuel efficient, but in reality, they have a smaller impact on fuel efficiency than people think and are really used to keep pollution down and to keep from making the tough
Re: (Score:2)
before turning all of this over to Homeland Security, I'd like to know how many pacemakers and insulin pumps have been hacked versus how many are out there? Is this a true threat or just bad movie plot from the ScyFy Channel that has taken hold in DHS?
That's one of the questions that the FDA answers a lot better than the DHS. The FDA has procedures to decide whether something is really a problem, so they can prioritize their efforts on the real threats. You could search the FDA's public device adverse events reporting database to see if any hacked pacemakers or insulin pumps have been reported.
Re: (Score:2)
You misunderstand my post. I am not saying that we shouldn't have these devices, but if the risk from the software, or somebody hacking the software is so great that homeland security has to take it over, then maybe the very benefits and tradeoffs you mention should be looked at again.
We agree there.
Re: (Score:2)
My God, how did we exist before computers did everything for us!?
Stone knives and bear skins, my friend, stone knives and bear skins.
Re: (Score:2)
http://www.medical.siemens.com/webapp/wcs/stores/servlet/ProductDisplay~q_catalogId~e_-101~a_catTree~e_100001,1023065,1015817~a_langId~e_-101~a_productId~e_172960~a_storeId~e_10001.htm [siemens.com]
This thing has:
Re: (Score:2)
Medical software runs a wide gamut, and pace makers are at the very bottom end of the scale. Check this out:
http://www.medical.siemens.com/webapp/wcs/stores/servlet/ProductDisplay~q_catalogId~e_-101~a_catTree~e_100001,1023065,1015817~a_langId~e_-101~a_productId~e_172960~a_storeId~e_10001.htm [siemens.com]
This thing has:
You can bet that on a product of this complexity, there will be updates.
There is no doubt that medical devices use all sort of operating systems and have all sorts of capabilities, but what they are talking about in the article is communications between patient devices like pacemakers, insulin pumps, etc. That is different than the equipment you show, or an MRI, CT scan, etc. Those, are true computer driven systems. The ones DHS are taking over are the kind that are embedded or worn on your body.
Re: (Score:2)
As with many things, the best path is in the middle. Critical systems should be updated as preventative maintenance, but administrators cannot rely on vendor testing alone.
Critical systems should also not be connected to the internet.
Re: (Score:2)
As with many things, the best path is in the middle. Critical systems should be updated as preventative maintenance, but administrators cannot rely on vendor testing alone.
Critical systems should also not be connected to the internet.
Or, to be more precise, should not be connected to the internet with unlimited IP address access in either direction. You can obtain (or at least you can if you're dealing with an important-enough Fed agency) nice little boxes that not only encrypt the crap out of your traffic but are set up only to send to specified addresses and only to receive from specified addresses. Aside from deliberate sabotage, this is a safe way to connect to a manufacturer's update-providing hub.
Re: (Score:2)
Protecting all terminals is not a very effective strategy for preventing large data breaches. While undeniably required step, it isn't firth thing you do, and it isn't most important thing you do.
For example: Not storing session data locally would be the first step in securing this mess. Preventing access to
Mandatory Slashdot Open Source Post (Score:2)
Or they could take the money assigned to DHS for medical device security and instead design a universal open-source electronic medical records system where security is maintained constant peer review and no one company has a monopoly on EMR's system.
I know, I know. You can stop laughing now.
Re: (Score:3)
First of all, no one does have a monopoly on EHR systems. There are a couple of large players and a host of smaller ones. I would maintain that you Do. Not. Want. a monoculture here - or anywhere. Security is not 'maintained' by constant 'peer review' (that word doesn't mean what you think it means). Security is a process and open source software is only a small (and not necessary) aspect of that.
There is an open source, Enterprise grade EHR system - VistA from the VA (Veterans Affairs) Department. It
Re: (Score:3)
Der Homeland Sekurity (Score:2)
Offensive use of network mediacl equipment (Score:2, Interesting)
Does this mean that DHS has access to source code and 0-day vulnerabilities for network attached medical equipment?
Could this knowledge be user offensively, in a situation where say Kim Jong Un is in hospital for a heart operation, and
DHS remotely pulls the plug on the life support machine?
Can this power be later extended to medical devices implanted in people, like defibrillators, insulin pumps etc.
Sorry to sound like Richard Stallman here for a second, but I would be very apprehensive having a device impl
Thanks, Homeland (Score:1)
Re: (Score:2)
Thanks go to Homeland for giving them this brilliant idea
Thanks go to omems for not posting the "Spoiler Alert" tag here, you insensitive clod!
Re: (Score:1)
X-Ray scanners (Score:2)
I'll bet this is just the DHS' attempt at getting a record with medical equipment, so they can rubber stamp the x-ray machines the TSA uses, to keep the FDA out of the loop.
Re:X-Ray scanners (Score:5, Funny)
getting a record with medical equipment
Well, the DHS already has experience with medical examinations. They play with my balls before I can fly on a plane.
Funny, though. They never ask me to cough. And I never know why flying with a hernia is such a big deal.
Is this a joke? (Score:3)
Is this from the Australian equivalent of the Onion?
We've dropped exploits before on medical systems like Honeywell and Artridum...
Dropped? Is this serious security research or the latest mix tape?
Re: (Score:2)
Nothing wrong with that. (Score:2)
Yeah, there is nothing wrong with that. DHS, the government agency that believes it is alright to do anything in the name of protecting the population, now has control over the pacemakers and insulin pumps of anybody they suspect might threaten the nation or their own power structure. Nothing will go wrong with that.
Wha? (Score:2)
Cause they regulate their x-ray scanners so well?
Source? I couldn't find anything about it on DHS (Score:2)
All DHS hate aside, this is much needed change. We have FIPS and it made our crypto much stronger. We have other standards and procurement requirements (CC, PCI, etc) that made inroads on making sure vendors at least consider security. It is about time the same applied to medical devices.
Why DHS, NIAP or NIST would be more appropriate agency to handle this.
This looks like a job for...! (Score:3)
Looks like this is right up the DHS's alley.
link to story? (Score:2)
Is there a link to a story somewhere? The links in the story don't talk about DHS at all.
So? (Score:2)
The first issue that should be addressed is does anyone believe that 100% total bulletproof security is even possible today? Come on, do you think it is possible to have large, interlocking systems of computers communicating over a network with 100% security?
I think anyone reasonable will say "Heck no you can't!" There might be a few dreamers that think it is possible, but the amount of effort that would be required is beyond any reasonable standard. So sure, it might be possible to force all medical dev
Re: (Score:2)
So you're volunteering? When your innocence is post-humously established, your great sacrifice for the public good will be forever in the public memory! Or...at least for a week or two.
So it begins (Score:2)
Cheney (Score:2)
That and the whole cool Kali-ma um, 'medical procedure'.
We all know the real reason DHS stepped in (Score:2)
They watched that episode of Homeland where the Vice President was killed remotely through his pace maker.
No need to worry (Score:2)
Re: (Score:1)
Re:Fucking Nazi SS (Score:5, Interesting)
After initial bids to contact Philips failed, researchers Rios and colleague Terry McCorkle sought assistance from the DHS, the FDA and the country's Industrial Control Systems Cyber Emergency Response Team (ICS CERT).
DHS didn't step in as some grand plan. They were asked to intervene by Cylance, a security research company, when Philips wouldn't respond about the detected security holes.
Two days later, DHS control system director Marty Edwards told the researchers the agency would from then on handle all information security vulnerabilities found in medical devices and software.
In other words, "if you (the security research company) find a vulnerability, DHS is the proper channel to report it".
Re: (Score:2)
DHS didn't step in as some grand plan. They were asked to intervene by Cylance, a security research company, when Philips wouldn't respond about the detected security holes.
Seriously, how many people could a terrorist kill if they took control of Philips systems?
Just because there is a theoretical security flaw that might be exploitable under some totally contrived test scenario is NOT a valid reason to involve an agency like DHS.
If the FDA didn't take it seriously, why should we hand the task to a bunch of airport friskers and coastguards men? (Apologies to Coasties everywhere).
And why do a couple of self appointed "securities researches" get to sic DHS on anybody?
Re: (Score:2)
Still, being able to root a hospital can have serious implications that could indeed lead to deaths.
Re: (Score:2)
The 9/11 most terrifying words...
I'm from the government and I'm here to help.
I am from the government and I am here to help.