DHS Steps In As Regulator for Medical Device Security 123
mask.of.sanity writes "The Department of Homeland Security has taken charge of pushing medical device manufacturers to fix vulnerable medical software and devices after researchers popped yet another piece of hospital hardware. It comes after the agency pushed Philips to move to fix critical vulnerabilities found in its popular medical management platform that is used in a host of services including assisting surgeries and generating patient reports. To date, no agency has taken point on forcing the medical manufacturers to improve the information security profile of their products, with the FDA even dubbing such a risk unrealistic (PDF)."
Re:DHS covering an awful lot these days ... (Score:2, Interesting)
Re:Nuance (Score:2, Interesting)
But as we have seen, even isolated SCADA devices are getting infected. Isolation is not enough. The devices need to be fixed, and new ones created with security in mind.
Offensive use of network mediacl equipment (Score:2, Interesting)
Does this mean that DHS has access to source code and 0-day vulnerabilities for network attached medical equipment?
Could this knowledge be user offensively, in a situation where say Kim Jong Un is in hospital for a heart operation, and
DHS remotely pulls the plug on the life support machine?
Can this power be later extended to medical devices implanted in people, like defibrillators, insulin pumps etc.
Sorry to sound like Richard Stallman here for a second, but I would be very apprehensive having a device implanted in my
body that runs proprietary software, whose code development is overseen by a division of a shady foreign military agency.
Here is someone who got stonewalled when asked for the source code for the device she was to be implanted with...
http://www.youtube.com/watch?v=5XDTQLa3NjE
Re:DHS covering an awful lot these days ... (Score:5, Interesting)
At this point, I'm thinking more like the Ministry of Truth. They're getting more and more involved with everything, and in a very disturbing way -- pretty much Orwellian in fact.
Re:DHS covering an awful lot these days ... (Score:5, Interesting)
Personally, I think this is a good thing. Now to just neuter them, and we'll be set.
My current job (IT admin in the financial sector) involves a fair bit of security work. A natural understanding of security is stunningly absent, even in places where security should be one of the highest concerns. Someone building an accounting program won't think about encrypting their data, because they're trained in accounting, not security. Someone programming a radiation therapy machine [wikipedia.org] won't think about hardware interlocks, because they're trained in programming software, not hardware safety.
Network-connected medical devices are becoming prevalent, and I expect they will only get more useful and necessary in time. They present opportunities for doctors, and hospital managers are trained in hospital management, not security.
I like seeing someone bringing a security-conscious mindset to the public. The DHS certainly wouldn't be my first choice, but they're better than not having anybody. Now if only we could get Bruce Schneier as Secretary...
Re:Nuance (Score:5, Interesting)
Sure, people in hospitals need information, but surely something which is assisting in the physical process of a surgery (etc.) doesn't need to be in the cloud, does it?
As someone who works for a company that writes medical systems software, I can tell you that at the very least the systems need network connectivity so that the different systems can consolidate data in one place for examination. The problem is that any network connected device is potentially vulnerable to random Joe plugging a laptop into the network and hacking away.
To illustrate why that's bad, I've run into situations in which a client site (read: Hospital) outright prohibited using SSL/TLS on their servers. They deemed their internal network secure and refused to budge on allowing secure communications between the clients and the servers. Authentication information should always be encrypted and some administrators just don't get that.
As a whole, I think the medical technology industry needs someone to force tighter security requirements on software developers and medical sites as a whole. This is a good thing in my opinion. If that appropriate someone is the DHS may require a different discussion, but some government body needs to start pushing information security in the medical industry.
Re:Fucking Nazi SS (Score:5, Interesting)
After initial bids to contact Philips failed, researchers Rios and colleague Terry McCorkle sought assistance from the DHS, the FDA and the country's Industrial Control Systems Cyber Emergency Response Team (ICS CERT).
DHS didn't step in as some grand plan. They were asked to intervene by Cylance, a security research company, when Philips wouldn't respond about the detected security holes.
Two days later, DHS control system director Marty Edwards told the researchers the agency would from then on handle all information security vulnerabilities found in medical devices and software.
In other words, "if you (the security research company) find a vulnerability, DHS is the proper channel to report it".