Government Medicine Security Your Rights Online

Should the FDA Assess Medical Device Defenses Against Hackers? 138

gManZboy writes "The vulnerability of wireless medical devices to hacking has now attracted attention in Washington. Although there has not yet been a high-profile case of such an attack, a proposal has surfaced that the Food and Drug Administration or another federal agency assess the security of medical devices before they're sold. A Department of Veterans Affairs study showed that between January 2009 and spring 2011, there were 173 incidents of medical devices being infected with malware. The VA has taken the threat seriously enough to use virtual local area networks to isolate some 50,000 devices. Recently, researchers from Purdue and Princeton Universities announced that they had built a prototype firewall known as MedMon to protect wireless medical devices from outside interference."
This discussion has been archived. No new comments can be posted.

  • Re:No (Score:5, Insightful)

    by t4ng* ( 1092951 ) on Tuesday April 24, 2012 @04:03PM (#39786851)
    Really? How about a hacker selling malware to the highest bidder that could be used to assassinate someone with a medical implant, or while they are recovering in the hospital after surgery? That's just two I can think of off the top of my head, I'm sure there are more.
  • Re:Better idea: (Score:4, Insightful)

    by a90Tj2P7 ( 1533853 ) on Tuesday April 24, 2012 @04:10PM (#39786969)
    There are a ton of other implanted devices, not just pacemakers. A lot of these devices might need to be adjusted to make a patient "not fucking die" - it isn't about system patches, it's about making medical adjustments to things like the dosage/voltage/rate/etc that the device is pumping out. You can't tear someone open every month when you need to adjust their insulin pump.
  • Re:No (Score:3, Insightful)

    by TheGreatOrangePeel ( 618581 ) on Tuesday April 24, 2012 @04:11PM (#39786997) Homepage

    More money down the shitter. I can't think of anything a hacker would gain from a medical device.

    Things like record keeping blood bank software is regarded as a medical device by the FDA. Such software can contain sensitive information like your Social Security Number or driver's license number. In short, a hacker can gain plenty from breaking into a medical device.

    Speaking as someone who has worked in the software side of the medical industry I just want to say that this is long overdue and the FDA has their work cut out for them. The systems I worked on are laughable in their "security" as they typically rely on how secure the local intranet is. Software vendors rarely put in any kind of serious authentication methods.

  • Re:No (Score:5, Insightful)

    by fuzzyfuzzyfungus ( 1223518 ) on Tuesday April 24, 2012 @04:13PM (#39787023) Journal
    I see two major areas of concern with, arguably, quite different requirements:

    1. Implants/embedded systems with some measure of field-programmability: On the plus side, these are much more likely to be running something fairly esoteric, possibly not even an OS at all, possibly some RTOS or embedded OS. They are also likely (for the moment) to have only short-range connection capabilities, quite possibly over a somewhat obscure protocol. This makes them low risk devices in terms of untargeted worm/phishing/etc. attacks, by virtue of limited connection and oddity of software. On the minus side, being directly connected to the patient, these offer a handy target for personally-directed sabotage, possibly from a surprising distance, depending on the whims of the RF gods (surely, the first person to reenact the classic 'sniper on the roof, suit with bodyguards crossing the parking lot toward the armored limo' scene; but with a rifle-stocked Yagi and lethal exploit code for the suit's pacemaker will be awarded a signed copy of every cyberpunk book of note).

    2. Systems that have much more in common with the PLCs and management console computer systems that we are always complaining about in factory scenarios. That box running WinNT SP2 connected to a monstrously expensive diagnostic science machine, etc. etc. These are much more prosaic, just badly patched and outdated WinSomething boxes that really ought to be air-gapped properly, which makes them much more likely to suffer lots, and lots, and lots of expensive downtime when they eventually cave to the demand for electronic transmission of radiology data to another hospital for a consult and hook the sucker to the internet....

    'Type 1' stuff seems like it would be best off with a "When in doubt, don't" approach: Don't interpret unsigned inputs, use very short range (inductive rather than RF, say) interfaces. It won't be perfect; but it'll at least confine the universe of potential hackers to people who could have just shived you anyway.

    'Type 2' is where the mess really hits. Like industrial stuff, the economics of ripping out expensive capital investments are Deeply Unexciting; but persuading the vendor to deliver a service contract that doesn't read "Fuck you. Buy a Model N+1" is going to be a challenge. Also the (by no means necessarily false) promises of various 'telemedicine' applications are going to be constantly tugging at the people who run that stuff, urging them to connect it up. That isn't going to go well at all...
  • by Anonymous Coward on Tuesday April 24, 2012 @04:42PM (#39787391)

    I would rather they try to patch the security holes *before* we start charging people with attempted murder and murder, personally.

  • Re:Yes (Score:5, Insightful)

    by negRo_slim ( 636783 ) <mils_orgen@hotmail.com> on Tuesday April 24, 2012 @04:44PM (#39787415) Homepage

    Anyone caught intentionally cracking anything should get, at a minimum, 20 years of hard labor. Intentionally trying to harm or kill someone attached to a medical device should be a hanging sentence. Full stop.

    Glad to see you've fallen in love with the DMCA [chillingeffects.org] friend! Anything that could lead to crime should be a crime aye? Never mind how close that comes to dangerously impeding our legitimate rights to freedom of speech including research that includes circumvention of various controls.
