Forgot your password?
typodupeerror
Government Medicine Security Your Rights Online

Should the FDA Assess Medical Device Defenses Against Hackers? 138

Posted by Soulskill
from the or-maybe-somebody-who-knows-things-about-computers dept.
gManZboy writes "The vulnerability of wireless medical devices to hacking has now attracted attention in Washington. Although there has not yet been a high-profile case of such an attack, a proposal has surfaced that the Food and Drug Administration or another federal agency assess the security of medical devices before they're sold. A Department of Veterans Affairs study showed that between January 2009 and spring 2011, there were 173 incidents of medical devices being infected with malware. The VA has taken the threat seriously enough to use virtual local area networks to isolate some 50,000 devices. Recently, researchers from Purdue and Princeton Universities announced that they had built a prototype firewall known as MedMon to protect wireless medical devices from outside interference."
This discussion has been archived. No new comments can be posted.

Should the FDA Assess Medical Device Defenses Against Hackers?

Comments Filter:
  • Should They? (Score:5, Interesting)

    by WrongSizeGlass (838941) on Tuesday April 24, 2012 @03:49PM (#39786643)
    Yes, they should. It should be a separate certification that allows doctors and consumers to chose medical devices with confidence.
    • Yes, they should. It should be a separate certification that allows doctors and consumers to chose medical devices with confidence.

      Personally I don't trust the FDA with something like this nor do I think it would help to give them funding to expand their expertise in a field like security. I don't even trust the best in the private world with something like this: Microsoft, Apple, Google, IBM, I don't care they all have failed at security at some point. I have to imagine that our government's security agencies already have a generalized form of protection testing and certification within their own systems, why not reuse that process

      • by sl4shd0rk (755837)

        I have to imagine that our government's security agencies already have a generalized form of protection

        No.
        http://www.google.com/search?q=pentagon+hacked [google.com]

      • by mcgrew (92797) * on Tuesday April 24, 2012 @04:37PM (#39787303) Homepage Journal

        Personally I don't trust the FDA with something like this

        Why not? They're the UL of medical devices. They're the ones who approved my eye implant. They're the ones who approve pacemakers. They're the ones we cyborgs rely on for safe implants.

        I don't even trust the best in the private world with something like this: Microsoft, Apple, Google, IBM

        The difference between the FDA and IBM is that you have no vote whatever over who runs IBM or what they do. The head of the FDA is appointed to the President, who you do have a vote in electing. Our power company is owned and operated by the city, and we've historically had the lowest rates and best uptime in the state. But they had a boondoggle that's going to raise rates, so I don't see the Mayor getting reelected unless the Democrats run someone REALLY bad.

        I have to imagine that our government's security agencies already have a generalized form of protection testing and certification within their own systems, why not reuse that process and actually get some use and protection for citizens out of said government money vacuums?

        That's exactly right -- the security people would be transferred to the FDA.

        • Why not? They're the UL of medical devices. They're the ones who approved my eye implant. They're the ones who approve pacemakers. They're the ones we cyborgs rely on for safe implants.

          Same here. And, of course, they also had to approve my hearing aids, the meter I use every day to monitor my blood sugar and the dialysis equipment a friend of mine needed when his kidneys stopped working. People like to complain about how much it costs to get new drugs, devices and proceedures approved by the FDA, but I
          • by dfetter (2035)

            Complaints, at least ones not issued via Ouija board, would probably decrease :P

        • by Zaelath (2588189)

          The FDA would be playing a massive game of catchup in that they have no experience in the security field. They're provably not very competent at the things they DO have expertise in http://health.msn.com/health-topics/articlepage.aspx?cp-documentid=100198246&page=2 [msn.com]

          It's like asking local law enforcement to start issuing engineering approval for car modifications that require blue prints.

      • by thoth (7907)

        I'm not sure security agencies model this problem well: a lot of their certification and/or protection methods come down to high costs (armed guards, lots of physical security, etc.) or long, slow, thorough auditing plus heavy screening of personnel, etc - the stuff the rabid anti-government folks scream about when the spending isn't directed at their favorite projects.

        Meanwhile, private corporations merely treat customers as a cost-analysis problem, weighing their life versus lawsuit payout amounts, and ta

      • by geekoid (135745)

        I think you miss the point of what they want to do.

        They would test the security to a certain bar of expectation. Basically they will set the floor.
        For example, they could hire security experts to break something, or more likely, they will have a set of attacks the item will be tested against.

        Yes, some agency's of certification process for there systems. You know what? those aren't medical systems. And if you treat each system like they are the same, you will fault. That's a lot of the reason IT is a securit

      • You're suggesting that the government security apparatus supervise the design and testing of medical implants? Those people? The folks that have generated more torn tinfoil and broken keyboards than Microsoft, Google and Apple combined?

        Here on Slashdot?

        You sir, get this week's Internet Bravery Award. I hope you live long enough to savor it.

      • by HiThere (15173)

        You've got a point, unfortunately, it isn't a good one.

        I'll agree that there isn't anyone who deserved to be trusted in this way, but it's for damn sure that you can't trust nobody, which is what we've currently got.

        Please note that what was proposed was a rating, not a permission. And this, too, I agree with. The FDA shouldn't have the right to prohibit the sale of things. They have repeatedly abused this against many different kinds of things. I don't even believe that they should be allowed to prohib

    • by fermion (181285)
      It seems to me that this would be of equal or higher benefit to the drug maker. From what I can tell, the FDA regulation really provides more of an affermative defense to the drug makers than real protection to the consumer. If the drug maker jumps through certain hoops, conducts certain tests, then they are basically guaranteed that if their product kills someone, even if the data shows that it kills people, they will have limited liability if the FDA said the drug was safe.

      Of course the problem right

  • Because assassination via pacemaker, like in the book Rain Fall (http://goo.gl/IwVPC), can happen to anyone.
  • If magnets can be used to reset or interfere with a pacemaker, should ownership of magnets be considered a terrorist offense?

    My refrigerator can take more lives on an airplane than your bottle of shampoo.

  • by vlm (69642)

    1) Can't abbreviate VLAN properly
    2) A firewall for wireless devices
    3) attracted attention in Washington = some politically connected consultant is making bank

  • by Rosco P. Coltrane (209368) on Tuesday April 24, 2012 @03:51PM (#39786683)

    Quick, TSA enact law forbidding laptops onboard airplanes, so the evil terrorist don't kill implanted people in flight!

  • Embed the device in concrete and sink to the bottom of the ocean. Virtually hack proof.

    It's also great for annoying servers that won't patch and people who send meeting invites with no description...

  • by l2718 (514756) on Tuesday April 24, 2012 @03:59PM (#39786803)

    Before worrying about security of the software, how about worrying about the correctness and fault-tolerance of the software and hardware?

    Most famous is the Therac-25 [vt.edu] incident, but it's not the only one.

    • by bsDaemon (87307)

      Security flaws are derived from incorrectness and lack of fault tolerance. It's part-in-parcel, and if you don't design security in from the start, it'll just become harder and harder to retrofit into the product later.

  • Stop making the goddamn things wireless!!! WTF are you thinking??!!

    If you have a pacemaker, then you're already 'zipper-chested,' so the addition of a firmware update port would be a non-issue.


    Or hey,here's an even better idea: Make the goddamn things right in the first place, so they don't need software updates! I mean, fuck, we're not talking about a SOHO router here, we're talking about a device people rely on to not fucking die; One would think they would be better engineered.
    • Re:Better idea: (Score:4, Insightful)

      by a90Tj2P7 (1533853) on Tuesday April 24, 2012 @04:10PM (#39786969)
      There are a ton of other implanted devices, not just pacemakers. A lot of these devices might need to be adjusted to make a patient "not fucking die" - it isn't about system patches, it's about making medical adjustments to things like the dosage/voltage/rate/etc that the device is pumping out. You can't tear someone open every month when you need to adjust their insulin pump.
      • Re:Better idea: (Score:4, Informative)

        by IorDMUX (870522) <mark.zimmerman3@gmail . c om> on Tuesday April 24, 2012 @04:35PM (#39787275) Homepage

        You can't tear someone open every month when you need to adjust their insulin pump.

        I understand your point, but... As a user of an insulin pump myself, I'd like to clarify that it is an external device, usually carried on the belt or in a pocket, as it needs to be refilled every few days and adjusted quite often. There are implantable insulin pumps in existence, but these are primarily for research purposes, and are not commercial devices to treat diabetes.

      • A lot of these devices might need to be adjusted to make a patient "not fucking die" - it isn't about system patches, it's about making medical adjustments to things like the dosage/voltage/rate/etc that the device is pumping out.

        OK, so use a physical connection; as I said, if you have a pacemaker then you're already scarred all to hell, what difference will an 1/8" serial plug make?

        Someone below mentioned magnetic communications, which sounds just plain awesome.

    • by sjames (1099)

      Actually, the socket would add a great deal of ongoing risk of infection.

      The thing is, it's not just for firmware updates. More commonly it's to alter the parameters of it's operation or even to adjust on the fly. For example, an implantable insulin pump may respond to the result of a glucose meter reading.

      A better answer is to require a magnetic switch to be activated for the entire time communication occurs.

  • by willy_me (212994) on Tuesday April 24, 2012 @04:09PM (#39786947)

    Whichever federal agency takes charge could offer a large reward for security holes/bugs found in applicable systems. The agency would validate claims, pay an applicable reward to those who reported the issue, then bill the offending company for the reward.

    The idea is to make the reward large enough that it is more profitable for people to report a flaw then to abuse it. Government involvement would be the review of claimed flaws, not to access the security of every device. Private companies would then have a financial incentive to ensure their code is secure.

  • by geekoid (135745)

    absolutely.

  • If a medical device can be made available to heads-of-state, why not task the NSA with proving that it won't be a vector for carrying out a political assassination?
    • by thoth (7907)

      Their charter is for DoD computer systems, not medical devices. Another agency would be better... and of course they can always be asked to check out a medical device that will be provided to a head-of-state. Surely various regulations already cover other medical devices - what agency accredits those?

  • by roman_mir (125474) on Tuesday April 24, 2012 @04:24PM (#39787149) Homepage Journal

    More ridiculous government nonsense.

    There are already a million and one law about unauthorised computer access and there are already a million and one law about causing harm to people, and this situation falls under all of those provisions already.

    This is just another way to raise the costs, increase government apparatus, increase government spending, lower the economic activity and probably this is going to end up costing a number of lives, as products are prevented from entering the market at all or soon enough at lower costs.

  • So some rich assholes can feel safe? Really?

    How about just making "hacker proof" hospitals for assholes.
    • by hellkyng (1920978)

      "Rich asshole"? Seriously, a pacemaker isn't just for the rich asshole. Failing to assess these devices for security controls would be ridiculous negligence. Malicious software has a tendency to spread where it can, it doesn't need a reason to compromise a pacemaker if its able to. I guarantee that if proper security controls aren't implemented in medical devices you will see deaths related to failed or compromised devices. It doesn't even have to be intended malice, if a piece of malware compromises a devi

  • They already have to certify medical devices that are essentially Windows boxes with medical software. Often times, these vendors get quite snippy if you ask about security software on said devices. These boxes will never be updated in all likelihood. During the course of certification, security definitely needs to be considered.
    • Quite. A lot of our "medical devices" are actually software programs running on PCs. Many of them require a specific environment to run.

      I can think of one package that will only run on: Windows XP32-bit (No service pack) and Java 1.4. It simply won't run on anything more recent (no idea why), and the developer of this (very expensive) package has gone bust, and the product is no-longer supported (but the finance department budgeted on a 10 year usable life-span, so it's not getting replaced for 10 years fol

  • If you don't protect a computer (whatever shape that computer comes in), some hacker somewhere will hack it just because they can. The fact that the computer controls a piece of factory equipment, city sewer system, a person's pacemaker or any other thing is irrelevant. Someone will hack it because they can, that's just the way the hacker works.

    Companies have a habit of saying something can't be hacked, would be impractical to hack, or no one would want to hack our /whatever/ for decades. Hackers than have

  • Something definitely needs to be done because I can vouch that very few programmers even consider security, especially embedded software developers. It is worse than average in the medical industry since the idea of putting a medical device on a network is totally new to them. To put it in perspective, many new medical devices being built today use 9600 baud serial ports for communication.

    Alternatively, you could change the law so that if someone hacks a medical device the hacker is not liable - the desig

  • We're already years behind the curve where I work (hospital) because FDA certification costs so much. Yay, because the vendor won't spend another $50K or so, our brand new IV pumps are stuck for eternity with 2.4GHz radios (802.11b/g). Also, because the older model that could manage 4 IV's at a time was so buggy, we're replacing them with the wireless ones that only do 1 IV. Wireless because the drug database updates can be pushed, saving a ton of time putting hands on each device. Now we add a bunch of ext

  • Dick Cheney had an LVAD, or a Left Ventricular Assist Device, implanted in 2010. Hmmmm.

  • If they don't protect medical devices, including implants against 'hackers', then the politicians who run the FDA won't get the bribes they need for reelection from McAffe, Symantec and Kapersky. This is important stuff, people. Now we just need a paid 'security analyst' to go on TV and frighten grandma "Yes, it's technically possible a person could die" during her mid morning 'news'. That's right after the story about the baby with 3 heads, but after the inspiring story of a dog who saved its friend...
  • While a competent security assessment is a very good idea, I highly doubt the FDA is capable of doing it. More likely this would result in another basically worthless "security" certification.

  • ...The FDA pulls their head out of Monsanto's ass first before they ask for any more money to goof with technologies they clearly don't understand.
  • I'm not sure if the FDA should set computer security policies. That seems well outside their wheelhouse. That said, security policy on devices should be too dumb to fail.

    I can see the virtue of a wireless programmable pacemaker. But the security system should be something that can't be tampered with... not because the security is good but because it LITERALLY cannot be tampered with... at all.

    For example, instead of using bluetooth (just an example) or something that is a radio signal, maybe use a different

  • Magnets are used to disable or suspend operation of the device (therapy). The devices can malfunction where an inappropriate shock is repeatedly delivered. There are also times when they need to be disabled. When a magnet is placed on the device there is a rather loud alarm. Magnetic fields can also pose a problem as the lead(s) that transmit the minute electrical impulses from the heart muscle to the ICD can also act as an antenna. They tell you 'don't lean / don't linger' around certain electrical de
  • Although there has not yet been a high-profile case of such an attack

    In other words, a literal "solution in search of a problem." And an excuse to give an already corrupt [wikipedia.org] and counterproductive [eprci.net] government agency more power.

    • by fa2k (881632)

      Although there has not yet been a high-profile case of such an attack

      In other words, a literal "solution in search of a problem."

      Finally someone anticipates a problem before it happens, and they get shot down like this?

      • by J'raxis (248192)

        When it's being used as an excuse to pre-emptively give a government agency more power, yes. Isn't it bad enough that, typically, they wait for a crisis to happen before exploiting it? Now you're all ready to give them more power merely because of theorized or imagined crises?

  • Medical devices don't just include things like implantable equipment (such as implantable defibrillators, pacemakers, pumps, etc.) but analysis equipment, and more recently computer software running on regular PCs (such as electronic patient records, order management systems, digital X-ray system/picture archiving and communications systems), etc.

    Implantable devices have been in the public eye recently because they don't use very secure protocols. Typically, the wireless controller transmits a command prefi

  • 87,000$ Windows 2000 computers with a nice acquisition card in a custom box connected to the internet so all the doctors can look smart video conferencing in a dark room filled with LCD screens.

  • force them to let the hospital IT team to do windows updates / install there AV software / there firewall software.

    Also they can't force the device to go connect to a 3rd party out site sever. If they need some kind of sever to talk to it must be open to being run in house with full admin the sever OS to the IT team so they can install the windows updates / AV software.

    • by hvdh (1447205)

      I'm pretty sure that regulation currently prohibits hospital IT and others to change the medical device software (yes, AV, drivers, OS also belongs to that) to some configuration which has not gone through validation testing.

      • then what about when crapware gets on a unpatched system and starts spamming the network and you can't block the system on the firewall as it needs to talk to outside systems?

        • by hvdh (1447205)

          then what about when crapware gets on a unpatched system and starts spamming the network and you can't block the system on the firewall as it needs to talk to outside systems?

          Hospital IT can put a firewall between the medical device and the hospital network and configure it accordingly. Or detach the system from the network and call service.

          FDA states on this topic pretty clearly (http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm189111.htm):
          "All software changes that address cybersecurity threats should be validated before installation to ensure they do not affect the safety and effectiveness of the medical devices."

          This pretty much means that the medical device manu

  • Should they get involved assessing medical devices against hackers? Maybe. But first how about getting them involved in assessing medical devices in general? Ok, so medical devices from the FDA's standpoint encompass everything from simple mechanical gizmos all the way up to complex microprocessor based devices. So, specifically in regard to the "computer" type devices, you know the FDA doesn't really "asses" them at all in general. Their requirements are for the manufacturers to "use industry best practice

  • The FDA is a millstone around the neck of freedom. It should not have the power to prohibit anything, only to certify some things as "approved". If everyone at the FDA were unemployed tomorrow it would only be what they deserve.

Facts are stubborn, but statistics are more pliable.

Working...