Should the FDA Assess Medical Device Defenses Against Hackers?
gManZboy writes "The vulnerability of wireless medical devices to hacking has now attracted attention in Washington. Although there has not yet been a high-profile case of such an attack, a proposal has surfaced that the Food and Drug Administration or another federal agency assess the security of medical devices before they're sold. A Department of Veterans Affairs study showed that between January 2009 and spring 2011, there were 173 incidents of medical devices being infected with malware. The VA has taken the threat seriously enough to use virtual local area networks to isolate some 50,000 devices. Recently, researchers from Purdue and Princeton Universities announced that they had built a prototype firewall known as MedMon to protect wireless medical devices from outside interference."
Re:No (Score:5, Informative)
More money down the shitter. I can't think of anything a hacker would gain from a medical device. What would be the point? Are hackers just evil and nefarious and out to hurt people in the hospital for the lulz? I doubt it.
Some just do it to see if it can be done, some of them *are* out to extort money and will hurt people in the process.
Re:Charged with murder. (Score:5, Insightful)
I would rather they try to patch the security holes *before* we start charging people with attempted murder and murder, personally.
Re: (Score:2)
I would rather they try to patch the security holes *before* we start charging people with attempted murder and murder, personally.
You can never really be certain that every security hole has been patched, though; after all, programming is the art of adding bugs to software.
Re: (Score:3)
That's a little like saying it's up to the victim to secure their safety. If that same person walked into a patient's room and started fiddling with their heart pump or dialysis machine, I could see charging them with attempted murder. We don't say 'gee, we'd better not charge him because the hospital didn't put a lockable steel cage over the panel to the dialysis machine to keep people out.' Just because the network is the means of intrusion, as opposed to going into the room, doesn't give someone a pas
Re: (Score:3)
I can see this happening with mandatory medical devices with mandatory health care. When you don't pay your taxes or pirate a movie or something, the secret code to break the hidden cyanide capsule is transmitted.
Or the government can get rid of crazies like you simply by tightening up the straps on your tinfoil hat until your eyes bug out.
Re:No (Score:5, Insightful)
Re: (Score:3)
It's unlikely that a would-be assassin will learn the art of medical implant hacking in assassin school on the off chance that he'll one day have a target who just happens to have such an implant. As with today's black-hats, who focus on Windows over Linux (well, until the recent Mac headlines), their efforts will concentrate where they get the most leverage -- on cars. Even people who don't drive almost surely step into a car fairly regularly. The high-tech hacker-assassin may eschew the "old bomb un
Re: (Score:2)
The would-be assassin doesn't learn how to hack medical implants. The assassin goes onto an underground forum and looks for vulns that match a specific target device that the assassin's mark is using.
Re: (Score:2)
Seriously, look if I go onto Google and try that right now..
Hold on, there's someone at the door, brb.
Re: (Score:2)
Define "enough". Of course if you set off an EMP, most electronics will be fried. Is it practical to apply enough EMI to a device to cause a failure? Keep in mind that FDA and FCC tests are pretty stringent and there are a ton of certifications you need in order to sell an implant.
Re: (Score:1)
It's unlikely that a would-be assassin will learn the art of medical implant hacking in assassin school on the off chance that he'll one day have a target who just happens to have such an implant.
Many implants are expensive, and I suspect there is a strong correlation, at least in some countries, between "has more money/power than average" and "more likely to have implants". Therefore, you are learning an attack against a group that self-selects to be a more tempting target, for either extortion or assassination.
Re: (Score:3)
There are much easier, and explainable, ways to kill someone. What assassin leaves a paper trail?
This whole thing stinks of a bunch of people selling a service no one needs. Symantec, McAfee, and friends used to make good money pushing out anti-virus software; then worms were the big problem, so they adapted; then malware was the new problem, so they adapted; MS got bitched at left and right about the security issues with their platform, then they released Microsoft Security Essentials; Windows XP is bei
Re: (Score:3, Insightful)
Things like record-keeping blood bank software are regarded as medical devices by the FDA. Such software can contain sensitive information like your Social Security Number or driver's license number. In short, a hacker can gain plenty from breaking into a medical device.
Speaking as someone who has worked in the software side of the medical industry I just want to say that this is long overdue and the FDA has their
Re:No (Score:5, Insightful)
1. Implants/embedded systems with some measure of field-programmability: On the plus side, these are much more likely to be running something fairly esoteric, possibly not even an OS at all, possibly some RTOS or embedded OS. They are also likely (for the moment) to have only short-range connection capabilities, quite possibly over a somewhat obscure protocol. This makes them low-risk devices in terms of untargeted worm/phishing/etc. attacks, by virtue of limited connection and oddity of software. On the minus side, being directly connected to the patient, these offer a handy target for personally-directed sabotage, possibly from a surprising distance, depending on the whims of the RF gods (surely, the first person to re-enact the classic 'sniper on the roof, suit with bodyguards crossing the parking lot toward the armored limo' scene, but with a rifle-stocked Yagi and lethal exploit code for the suit's pacemaker, will be awarded a signed copy of every cyberpunk book of note).
2. Systems that have much more in common with the PLCs and management console computer systems that we are always complaining about in factory scenarios. That box running WinNT SP2 connected to a monstrously expensive diagnostic science machine, etc. etc. These are much more prosaic, just badly patched and outdated WinSomething boxes that really ought to be air-gapped properly, which makes them much more likely to suffer lots, and lots, and lots of expensive downtime when they eventually cave to the demand for electronic transmission of radiology data to another hospital for a consult and hook the sucker to the internet....
'Type 1' stuff seems like it would be best off with a "When in doubt, don't" approach: Don't interpret unsigned inputs, use very short-range (inductive rather than RF, say) interfaces. It won't be perfect; but it'll at least confine the universe of potential hackers to people who could have just shived you anyway.
'Type 2' is where the mess really hits. Like industrial stuff, the economics of ripping out expensive capital investments are Deeply Unexciting; but persuading the vendor to deliver a service contract that doesn't read "Fuck you. Buy a Model N+1" is going to be a challenge. Also the (by no means necessarily false) promises of various 'telemedicine' applications are going to be constantly tugging at the people who run that stuff, urging them to connect it up. That isn't going to go well at all...
Re: (Score:2)
"Sorry, your daughter
Re: (Score:2)
If, say, a device needs some sort of adjustment from time to time, it wouldn't be terribly taxing to have a normally-open reed switch that physically disconnects the external programming interface unless 'activated' by shoving a magnetic key into the programming slot. It doesn't stop a truly malicious actor, subtly planting malware to strike during planned program/sync per
Re: (Score:2)
The guys with inflatable penis implants are going to be very nervous, very soon... UpDownUpDownUpDownUpDown
Up and down aren't a problem for a penis, nor are left or right, but how is the poor fella supposed to manage B and A? [wikipedia.org]
Re: (Score:2)
You haven't been on the internet long I see.
Re: (Score:2)
How likely do you rate it that a random malware author will put special safeguards into his spam botnet worm to ensure it does not interfere with the operation of a medical device should it happen to infect one? Right now, this cross-infection is unlikely due to incompatibility - in the future, the platform running on a specialized medical device could be susceptible to the same viruses as a desktop computer.
Re: (Score:3)
Are hackers just evil and nefarious and out to hurt people in the hospital for the lulz? I doubt it.
Well, two issues, here. First, you seem to be assuming "hacker" roughly equates to "guy who messes with computer-stuff for the heck of it". There most certainly are hackers/crackers (depending on your preferred use of the term) who harm people and systems, sometimes for money, sometimes for fame, sometimes for fun.
Aside from that, a hacked medical device makes for a really easy way to kill someone from a moderate distance and leave very little trace of whodunit. And I'm not even going to begin to cons
Should They? (Score:5, Interesting)
They Should But Why Not Use Existing Solutions? (Score:2)
Yes, they should. It should be a separate certification that allows doctors and consumers to choose medical devices with confidence.
Personally I don't trust the FDA with something like this nor do I think it would help to give them funding to expand their expertise in a field like security. I don't even trust the best in the private world with something like this: Microsoft, Apple, Google, IBM, I don't care they all have failed at security at some point. I have to imagine that our government's security agencies already have a generalized form of protection testing and certification within their own systems, why not reuse that process
Re: (Score:2)
I have to imagine that our government's security agencies already have a generalized form of protection
No.
http://www.google.com/search?q=pentagon+hacked [google.com]
Re:They Should But Why Not Use Existing Solutions? (Score:5, Interesting)
Personally I don't trust the FDA with something like this
Why not? They're the UL of medical devices. They're the ones who approved my eye implant. They're the ones who approve pacemakers. They're the ones we cyborgs rely on for safe implants.
I don't even trust the best in the private world with something like this: Microsoft, Apple, Google, IBM
The difference between the FDA and IBM is that you have no vote whatever over who runs IBM or what they do. The head of the FDA is appointed by the President, who you do have a vote in electing. Our power company is owned and operated by the city, and we've historically had the lowest rates and best uptime in the state. But they had a boondoggle that's going to raise rates, so I don't see the Mayor getting reelected unless the Democrats run someone REALLY bad.
I have to imagine that our government's security agencies already have a generalized form of protection testing and certification within their own systems, why not reuse that process and actually get some use and protection for citizens out of said government money vacuums?
That's exactly right -- the security people would be transferred to the FDA.
Re: (Score:3)
Same here. And, of course, they also had to approve my hearing aids, the meter I use every day to monitor my blood sugar and the dialysis equipment a friend of mine needed when his kidneys stopped working. People like to complain about how much it costs to get new drugs, devices and procedures approved by the FDA, but I
Re: (Score:2)
Complaints, at least ones not issued via Ouija board, would probably decrease :P
Re: (Score:1)
The FDA would be playing a massive game of catch-up in that they have no experience in the security field. They're provably not very competent at the things they DO have expertise in: http://health.msn.com/health-topics/articlepage.aspx?cp-documentid=100198246&page=2 [msn.com]
It's like asking local law enforcement to start issuing engineering approval for car modifications that require blueprints.
Re: (Score:2)
...I can't sue the FDA
It's America; of course you can!
:P
Re: (Score:2)
I'm not sure security agencies model this problem well: a lot of their certification and/or protection methods come down to high costs (armed guards, lots of physical security, etc.) or long, slow, thorough auditing plus heavy screening of personnel, etc - the stuff the rabid anti-government folks scream about when the spending isn't directed at their favorite projects.
Meanwhile, private corporations merely treat customers as a cost-analysis problem, weighing their life versus lawsuit payout amounts, and ta
Re: (Score:2)
I think you miss the point of what they want to do.
They would test the security to a certain bar of expectation. Basically they will set the floor.
For example, they could hire security experts to break something, or more likely, they will have a set of attacks the item will be tested against.
Yes, some agencies have certification processes for their systems. You know what? Those aren't medical systems. And if you treat each system like they are the same, you will fault. That's a lot of the reason IT is a securit
Re: (Score:2)
You're suggesting that the government security apparatus supervise the design and testing of medical implants? Those people? The folks that have generated more torn tinfoil and broken keyboards than Microsoft, Google and Apple combined?
Here on Slashdot?
You sir, get this week's Internet Bravery Award. I hope you live long enough to savor it.
Re: (Score:2)
You've got a point, unfortunately, it isn't a good one.
I'll agree that there isn't anyone who deserves to be trusted in this way, but it's for damn sure that you can't trust nobody, which is what we've currently got.
Please note that what was proposed was a rating, not a permission. And this, too, I agree with. The FDA shouldn't have the right to prohibit the sale of things. They have repeatedly abused this against many different kinds of things. I don't even believe that they should be allowed to prohib
Re: (Score:2)
Of course the problem right
Rain Fall (Score:1)
magnets: terrorist devices? (Score:2)
If magnets can be used to reset or interfere with a pacemaker, should ownership of magnets be considered a terrorist offense?
My refrigerator can take more lives on an airplane than your bottle of shampoo.
Re: (Score:1)
yeah, huge luggage fees
LOL (Score:2)
1) Can't abbreviate VLAN properly
2) A firewall for wireless devices
3) attracted attention in Washington = some politically connected consultant is making bank
Re: (Score:2)
2) What's your definition of a firewall then? This is a device that monitors the incoming and outgoing traffic of network(-able) hosts and can block/deny malicious traffic.
What is a wireless firewall? a sphere of tinfoil and a WRT54G with one antenna inside and one outside?
OMG terruhrism!!! (Score:3)
Quick, TSA, enact a law forbidding laptops onboard airplanes, so the evil terrorists don't kill implanted people in flight!
Re: (Score:2)
Re: (Score:3)
Yes, but devices as important as medical hardware should be ROM-only operation, with the ability to be flashed for updates only by vetted, qualified, licensed personnel.
The problem with that is every time you want to update the device you have to physically get to it.
Taking updates wirelessly makes things much easier and safer.
As far as (EEP)ROM-only, that's good for the code, but many devices log data (and dump it out wirelessly).
You have to protect against attacks that try to make the device do bad things as well as attacks designed to get or overwrite that data.
Re: (Score:2)
Re: (Score:2)
All surgery carries risk, so easier AND safer.
Re:Yes (Score:5, Insightful)
Anyone caught intentionally cracking anything should get, at a minimum, 20 years of hard labor. Intentionally trying to harm or kill someone attached to a medical device should be a hanging sentence. Full stop.
Glad to see you've fallen in love with the DMCA [chillingeffects.org] friend! Anything that could lead to crime should be a crime aye? Never mind how close that comes to dangerously impeding our legitimate rights to freedom of speech including research that includes circumvention of various controls.
Like most of life's problems easily solved (Score:2)
Embed the device in concrete and sink to the bottom of the ocean. Virtually hack proof.
It's also great for annoying servers that won't patch and people who send meeting invites with no description...
Certify the software works first (Score:3)
Before worrying about security of the software, how about worrying about the correctness and fault-tolerance of the software and hardware?
Most famous is the Therac-25 [vt.edu] incident, but it's not the only one.
Re: (Score:3)
Security flaws are derived from incorrectness and lack of fault tolerance. It's part and parcel, and if you don't design security in from the start, it'll just become harder and harder to retrofit into the product later.
Better idea: (Score:1)
If you have a pacemaker, then you're already 'zipper-chested,' so the addition of a firmware update port would be a non-issue.
Or hey, here's an even better idea: Make the goddamn things right in the first place, so they don't need software updates! I mean, fuck, we're not talking about a SOHO router here, we're talking about a device people rely on to not fucking die; one would think they would be better engineered.
Re:Better idea: (Score:4, Insightful)
Re:Better idea: (Score:4, Informative)
You can't tear someone open every month when you need to adjust their insulin pump.
I understand your point, but... As a user of an insulin pump myself, I'd like to clarify that it is an external device, usually carried on the belt or in a pocket, as it needs to be refilled every few days and adjusted quite often. There are implantable insulin pumps in existence, but these are primarily for research purposes, and are not commercial devices to treat diabetes.
Re: (Score:2)
A lot of these devices might need to be adjusted to make a patient "not fucking die" - it isn't about system patches, it's about making medical adjustments to things like the dosage/voltage/rate/etc that the device is pumping out.
OK, so use a physical connection; as I said, if you have a pacemaker then you're already scarred all to hell, what difference will a 1/8" serial plug make?
Someone below mentioned magnetic communications, which sounds just plain awesome.
Re: (Score:2)
Why not install a 1/8 serial plug? It would become a focus for all sorts of horrible fungal and bacterial infections.
Not to mention that somebody would try to plug their iPhone into it.
Re: (Score:2)
Actually, the socket would add a great deal of ongoing risk of infection.
The thing is, it's not just for firmware updates. More commonly it's to alter the parameters of its operation or even to adjust on the fly. For example, an implantable insulin pump may respond to the result of a glucose meter reading.
A better answer is to require a magnetic switch to be activated for the entire time communication occurs.
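The two design ideas raised in this thread, "don't interpret unsigned inputs" for implant-class devices and "require a magnetic switch to be activated for the entire time communication occurs", combined into one simulated command gate. This is an added example, not code from the thread or from any device vendor; the wire format, the parameter table, the opcode and the demo key are all hypothetical, and HMAC-SHA256 stands in for whatever authentication a real device would use.

```python
import hmac
import hashlib
import struct

MAC_LEN = 16                       # truncated HMAC-SHA256 tag appended to each frame
HEADER = struct.Struct(">BBiI")    # opcode, parameter id, value, sequence number

# Constructed demo key; a real unit would be provisioned a per-device secret.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Hypothetical therapy parameters: id -> (name, clinical minimum, clinical maximum)
PARAMS = {
    1: ("pacing_rate_bpm", 40, 150),
    2: ("pulse_amplitude_dV", 5, 75),   # tenths of a volt
}
OP_SET = 0x01


def _tag(key: bytes, header: bytes) -> bytes:
    """Authentication tag over the framed command (hypothetical scheme)."""
    return hmac.new(key, header, hashlib.sha256).digest()[:MAC_LEN]


def build_command(key: bytes, param_id: int, value: int, seq: int) -> bytes:
    """Programmer (clinician) side: frame a SET command and sign it."""
    header = HEADER.pack(OP_SET, param_id, value, seq)
    return header + _tag(key, header)


class DeviceGate:
    """Device side: the only path to changing therapy settings is handle()."""

    def __init__(self, key: bytes):
        self.key = key
        # Start every parameter in the middle of its permitted range.
        self.params = {pid: (lo + hi) // 2 for pid, (_, lo, hi) in PARAMS.items()}
        self.last_seq = 0
        self.interlock_closed = False   # reed switch: magnet present == closed

    def set_interlock(self, closed: bool) -> None:
        self.interlock_closed = closed

    def handle(self, packet: bytes) -> str:
        # 1. Physical presence first: with the magnet absent the radio input is
        #    not even parsed, which is the reed-switch idea from the thread.
        if not self.interlock_closed:
            return "rejected:interlock"
        if len(packet) != HEADER.size + MAC_LEN:
            return "rejected:length"
        header, tag = packet[:HEADER.size], packet[HEADER.size:]
        # 2. Unsigned or tampered input is discarded before it is interpreted.
        if not hmac.compare_digest(tag, _tag(self.key, header)):
            return "rejected:mac"
        opcode, param_id, value, seq = HEADER.unpack(header)
        # 3. Monotonic counter: a captured, still-valid frame cannot be replayed.
        if seq <= self.last_seq:
            return "rejected:replay"
        if opcode != OP_SET or param_id not in PARAMS:
            return "rejected:opcode"
        # 4. Clinical bounds apply even to an authenticated programmer.
        _, lo, hi = PARAMS[param_id]
        if not lo <= value <= hi:
            return "rejected:range"
        self.last_seq = seq
        self.params[param_id] = value
        return "applied"
```

Every rejection leaves the therapy settings and the sequence counter untouched, so a failed frame cannot nudge the device into a partially updated state.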
One possible solution.. (Score:3)
Whichever federal agency takes charge could offer a large reward for security holes/bugs found in applicable systems. The agency would validate claims, pay an applicable reward to those who reported the issue, then bill the offending company for the reward.
The idea is to make the reward large enough that it is more profitable for people to report a flaw than to abuse it. Government involvement would be the review of claimed flaws, not to assess the security of every device. Private companies would then have a financial incentive to ensure their code is secure.
Yes (Score:2)
absolutely.
how about the NSA instead of the FDA? (Score:2)
Re: (Score:2)
Their charter is for DoD computer systems, not medical devices. Another agency would be better... and of course they can always be asked to check out a medical device that will be provided to a head-of-state. Surely various regulations already cover other medical devices - what agency accredits those?
Re: (Score:2)
The NSA has been doing this for years now. They invented implantable chips as a means of monitoring and controlling anyone they can get their hands on.
How's that working for you?
Ridiculous. (Score:3)
More ridiculous government nonsense.
There are already a million and one laws about unauthorised computer access and there are already a million and one laws about causing harm to people, and this situation falls under all of those provisions already.
This is just another way to raise the costs, increase government apparatus, increase government spending, lower the economic activity and probably this is going to end up costing a number of lives, as products are prevented from entering the market at all or soon enough at lower costs.
Re: (Score:2)
No matter where you set the bar, sooner or later the universe will deliver you a bigger asshat.
So we all get to pay more for health care (Score:1)
How about just making "hacker proof" hospitals for assholes.
Re: (Score:2)
"Rich asshole"? Seriously, a pacemaker isn't just for the rich asshole. Failing to assess these devices for security controls would be ridiculous negligence. Malicious software has a tendency to spread where it can; it doesn't need a reason to compromise a pacemaker if it's able to. I guarantee that if proper security controls aren't implemented in medical devices you will see deaths related to failed or compromised devices. It doesn't even have to be intended malice, if a piece of malware compromises a devi
Yes (Score:1)
Re: (Score:2)
Quite. A lot of our "medical devices" are actually software programs running on PCs. Many of them require a specific environment to run.
I can think of one package that will only run on Windows XP 32-bit (no service pack) and Java 1.4. It simply won't run on anything more recent (no idea why), and the developer of this (very expensive) package has gone bust, and the product is no longer supported (but the finance department budgeted on a 10 year usable life-span, so it's not getting replaced for 10 years fol
You have to (Score:2)
If you don't protect a computer (whatever shape that computer comes in), some hacker somewhere will hack it just because they can. The fact that the computer controls a piece of factory equipment, city sewer system, a person's pacemaker or any other thing is irrelevant. Someone will hack it because they can, that's just the way the hacker works.
Companies have a habit of saying something can't be hacked, would be impractical to hack, or no one would want to hack our /whatever/ for decades. Hackers then have
Alternative (Score:2)
Something definitely needs to be done because I can vouch that very few programmers even consider security, especially embedded software developers. It is worse than average in the medical industry since the idea of putting a medical device on a network is totally new to them. To put it in perspective, many new medical devices being built today use 9600 baud serial ports for communication.
Alternatively, you could change the law so that if someone hacks a medical device the hacker is not liable - the desig
Expensive (Score:2)
We're already years behind the curve where I work (hospital) because FDA certification costs so much. Yay, because the vendor won't spend another $50K or so, our brand new IV pumps are stuck for eternity with 2.4GHz radios (802.11b/g). Also, because the older model that could manage 4 IVs at a time was so buggy, we're replacing them with the wireless ones that only do 1 IV. Wireless because the drug database updates can be pushed, saving a ton of time putting hands on each device. Now we add a bunch of ext
173 infected with malware between 2009-11? (Score:2)
Dick Cheney had an LVAD, or a Left Ventricular Assist Device, implanted in 2010. Hmmmm.
Yes they should (Score:2)
Not the FDA... (Score:2)
While a competent security assessment is a very good idea, I highly doubt the FDA is capable of doing it. More likely this would result in another basically worthless "security" certification.
How about... (Score:1)
Yes and no. (Score:2)
I'm not sure if the FDA should set computer security policies. That seems well outside their wheelhouse. That said, security policy on devices should be too dumb to fail.
I can see the virtue of a wireless programmable pacemaker. But the security system should be something that can't be tampered with... not because the security is good but because it LITERALLY cannot be tampered with... at all.
For example, instead of using bluetooth (just an example) or something that is a radio signal, maybe use a different
I have an ICD. (Score:1)
In other words (Score:2)
In other words, a literal "solution in search of a problem." And an excuse to give an already corrupt [wikipedia.org] and counterproductive [eprci.net] government agency more power.
Re: (Score:2)
In other words, a literal "solution in search of a problem."
Finally someone anticipates a problem before it happens, and they get shot down like this?
Re: (Score:2)
When it's being used as an excuse to pre-emptively give a government agency more power, yes. Isn't it bad enough that, typically, they wait for a crisis to happen before exploiting it? Now you're all ready to give them more power merely because of theorized or imagined crises?
Lots of things are classified as medical devices (Score:2)
Medical devices don't just include things like implantable equipment (such as implantable defibrillators, pacemakers, pumps, etc.) but analysis equipment, and more recently computer software running on regular PCs (such as electronic patient records, order management systems, digital X-ray system/picture archiving and communications systems), etc.
Implantable devices have been in the public eye recently because they don't use very secure protocols. Typically, the wireless controller transmits a command prefi
By medical devices they mean (Score:2)
$87,000 Windows 2000 computers with a nice acquisition card in a custom box connected to the internet so all the doctors can look smart video conferencing in a dark room filled with LCD screens.
Force them to let the hospital IT team do updates (Score:2)
Force them to let the hospital IT team do Windows updates / install their AV software / their firewall software.
Also they can't force the device to connect to a third-party off-site server. If they need some kind of server to talk to, it must be open to being run in-house, with full admin on the server OS for the IT team so they can install the Windows updates / AV software.
Re: (Score:1)
I'm pretty sure that regulation currently prohibits hospital IT and others from changing the medical device software (yes, AV, drivers and OS also belong to that) to some configuration which has not gone through validation testing.
Re: (Score:2)
Then what about when crapware gets on an unpatched system and starts spamming the network, and you can't block the system on the firewall as it needs to talk to outside systems?
Re: (Score:1)
Then what about when crapware gets on an unpatched system and starts spamming the network, and you can't block the system on the firewall as it needs to talk to outside systems?
Hospital IT can put a firewall between the medical device and the hospital network and configure it accordingly. Or detach the system from the network and call service.
The FDA states this pretty clearly (http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm189111.htm):
"All software changes that address cybersecurity threats should be validated before installation to ensure they do not affect the safety and effectiveness of the medical devices."
This pretty much means that the medical device manu
Worry about basic medical device safety first (Score:2)
Should they get involved assessing medical devices against hackers? Maybe. But first how about getting them involved in assessing medical devices in general? OK, so medical devices from the FDA's standpoint encompass everything from simple mechanical gizmos all the way up to complex microprocessor-based devices. So, specifically in regard to the "computer" type devices, you know the FDA doesn't really "assess" them at all in general. Their requirements are for the manufacturers to "use industry best practice
No, they should FOAD (Score:2)
The FDA is a millstone around the neck of freedom. It should not have the power to prohibit anything, only to certify some things as "approved". If everyone at the FDA were unemployed tomorrow it would only be what they deserve.