Hackers Penetrate Top Medical Device Makers
An anonymous reader writes "Hackers have penetrated the computer networks of the country's top medical device makers, The Chronicle has learned. The attacks struck Medtronic, the world's largest medical device maker, Boston Scientific and St. Jude Medical sometime during the first half of 2013 and might have lasted as long as several months, according to a source close to the companies."
Response (Score:2, Insightful)
When I hear about stuff like this, I'm ashamed of the savage thoughts and desires I feel towards the perpetrators.
Re: Response (Score:5, Funny)
When I hear about stuff like this, I'm ashamed of the savage thoughts and desires I feel towards the perpetrators.
Do you want to lick them?
No, I want to make them use Slashdot Beta.
Re: (Score:1, Troll)
Re: (Score:1)
You sir are a twat. And a troll.
The blacks who marched for civil rights would be completely ashamed at the thug gangstas populating every city today. How could there be a more complete rejection of what they stood for?
Take what they can get (Score:5, Interesting)
I imagine they'll take what they can get: IP, personal data, or just more computers to control.
If it really is China as suggested in the article that could make sense. China's population is going to be aging, and medical devices would be handy for either internal use or for another technology to develop and market.
This is interesting (FTA): "The medical device makers were not aware of the intrusions until federal authorities contacted them, and they have formed task forces to investigate the breach, he said."
Who do you suppose noticed the breaches, and how?
Re:Take what they can get (Score:4, Funny)
Many of these device companies have network access/business agreements with healthcare providers around the nation.
Hence the real reason that the federal government is concerned. They're afraid that the intruders will use that network access to reduce outstanding medical bills to reasonable levels.
Re: (Score:1)
Someone got bored hijacking your secure email at the NSA and decided to go trolling for medical device companies?
Re: (Score:1)
-- green le
Re: (Score:2)
Re: (Score:3, Funny)
Who do you suppose noticed the breaches, and how?
If the machine next to your hospital bed displays a laughing skull and starts playing mod tunes whilst demanding you pay by credit card to an account in Russia to avoid being "pwned by l33tgr0up" that is likely not a good sign.
Re: (Score:2)
China pirates a lot of devices. Russia too. Not necessarily state sanctioned but there is a huge market for cloned medical devices.
New Level of Ransomware (Score:4, Interesting)
Re: (Score:2)
Re: New Level of Ransomware (Score:2)
Better go watch repo men.
That is true ransom ware.
Re: (Score:3)
What is already happening is these devices are getting hard coded safety envelopes. You would be able to give them commands within that envelope but that would be it. It is not a problem but the medical device companies thought they would have to deal with but they seem to be working on the problem pretty efficiently. So you could tell the heart to speed up a little or slow down a little but there would be hard coded controls so that you could not make it stop, run too fast, run too slow, run for very long a
Re: New Level of Ransomware (Score:2)
Re: (Score:2)
Wouldn't one of the limits be on the oscillations allowed? Even when designing process controllers for industry for chemical reactors there are limits like that. There should be no input to these devices you can give which would endanger the patient.
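The hard-coded envelope and the oscillation limit raised in the two comments above, as an added example that is not part of the thread and not any vendor's firmware. The pacing-rate framing, the names and every limit value are constructed assumptions, not clinical values.

```c
#include <stdio.h>

/* Constructed limits for illustration; not clinical values. */
enum { RATE_MIN = 50, RATE_MAX = 150,    /* absolute envelope (bpm) */
       MAX_STEP = 10,                    /* largest change per command */
       MAX_REVERSALS = 2, WINDOW = 8 };  /* direction flips per 8 accepted commands */

typedef enum { CMD_OK, CMD_OUT_OF_RANGE, CMD_STEP_TOO_LARGE, CMD_OSCILLATION } cmd_result;

typedef struct {
    int rate;       /* current setpoint */
    int last_dir;   /* direction of last accepted change: -1, 0, +1 */
    int reversals;  /* flips counted in the current window */
    int accepted;   /* accepted commands in the current window */
} envelope;

void envelope_init(envelope *e, int initial) {
    /* Clamp the starting point so the state is never outside the envelope. */
    if (initial < RATE_MIN) initial = RATE_MIN;
    if (initial > RATE_MAX) initial = RATE_MAX;
    e->rate = initial; e->last_dir = 0; e->reversals = 0; e->accepted = 0;
}

/* Apply a requested setpoint only if it passes every check; on rejection
 * the setpoint is left unchanged and the reason is returned. */
cmd_result envelope_apply(envelope *e, int requested) {
    if (requested < RATE_MIN || requested > RATE_MAX) return CMD_OUT_OF_RANGE;
    int delta = requested - e->rate;
    if (delta > MAX_STEP || delta < -MAX_STEP) return CMD_STEP_TOO_LARGE;
    int dir = (delta > 0) - (delta < 0);
    /* Start a fresh window once enough commands have been accepted. */
    if (e->accepted >= WINDOW) { e->accepted = 0; e->reversals = 0; }
    /* A flip is a change of direction relative to the last accepted move. */
    int flip = dir != 0 && e->last_dir != 0 && dir != e->last_dir;
    if (flip && e->reversals >= MAX_REVERSALS) return CMD_OSCILLATION;
    if (flip) e->reversals++;
    if (dir != 0) e->last_dir = dir;
    e->rate = requested;
    e->accepted++;
    return CMD_OK;
}

int main(void) {
    int requests[] = { 200, 100, 80, 75, 80, 75, 85 };  /* constructed input */
    envelope e;
    envelope_init(&e, 70);
    for (unsigned i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("request %d -> result %d, setpoint %d\n",
               requests[i], (int)envelope_apply(&e, requests[i]), e.rate);
    return 0;
}
```

Because the checks sit in the device-side command path, they hold no matter which programmer or network sent the request.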
Re: (Score:2)
Similar to "Repo Men".
http://www.imdb.com/title/tt10... [imdb.com]
Re: (Score:2)
There was concern shortly after 9/11 that terrorist hackers could shut down Dick Cheney's pacemaker using a proximate signal. He's rumored to have had surgery to turn off the remote command feature.
http://abcnews.go.com/Health/d... [go.com]
Re: (Score:2)
Doesn't mean it's impossible of course, just that it seems right at this moment like a remote concern.
Wireless programming is common in implanted electr (Score:1)
Pacemakers and defibrillators can be reprogrammed wirelessly by physicians. The more sophisticated ones (usually defibrillators) often have a patient unit, which can be kept at home, and can query the device and send telemetry back to the physician over the internet. This can reduce the need to travel to the hospital for routine examinations.
In general, there is no real authentication performed between the wireless programmer and the implanted device, other than a check of the serial number. The channel is
Re: (Score:1)
My wife's (Medtronic) pacemaker can be checked, logs read, and reprogrammed by hanging a device that's about the size and shape of a computer mouse on her chest. That device is connected to a computer that the cardiac technician sits in front of to do his thing.
As far as I'm aware, the entire pacemaker is controlled by the technician's computer. There is no physical penetration required at all.
This is what you get.... (Score:5, Insightful)
When you think of IT as that annoying office of geeks you have to tolerate in the company.
They are your first line of defense, when they ask for something you GIVE IT TO THEM.
Re: (Score:1)
This is what you get when IT ACTS like annoying whining office jerks because they only explain things in completely condescending 100% tech speak ways to non techies, i.e. management.
Management is your first source of funds. When they need it explained in their terms, EXPLAIN IT TO THEM.
Re: (Score:3)
This is what you get when IT ACTS like annoying whining office jerks because they only explain things in completely condescending 100% tech speak ways to non techies, i.e. management.
Management is your first source of funds. When they need it explained in their terms, EXPLAIN IT TO THEM.
Nooo.... This is what you get when people who don't understand IT, and who can't be bothered to listen to any explanations, describe their experience when IT tries to explain why it is important to [insert security best practice here]. Yes, there are dickheads in IT too, who are condescending, etc., but that can hardly explain the constantly uphill battle that IT fights when trying to justify this expense or that policy.
Re: (Score:3)
Do you buy Oracle hardware and licenses because it's what the DBA knows, or are your requirements satisfied by something less expensive?
Do you need the Rsa connection so admins can remote in, or is that something that should be airgapped?
My point is that you have to either know or trust, and trust is expensive. So hire well and pay generously. Just throwing money at the problem doesn't mean it will be solved well, or at all. As such, it is too simplistic to be taken as advice.
Re: (Score:2)
only if your IT is staffed with "geek squad" level of MCSE bottom barrel people.
Most competent IT departments hate that Sharepoint crap with a passion, it goes hand in hand with how worthless Exchange is.
Re: (Score:2)
It's scary that they're the line of defense, when they can't even find out what the problem is with the computer on the desk or figure out why the network slowed down, and everyone in the staff who does work is in the twenties and all managers are in the forties, and mentioning any topic not included in a Microsoft certification course causes blank stares.
I have definitely been places where the R&D team know more about security than the IT team, which is ok when creating the security on the devices them
Re: (Score:2)
This is a fault of management.
Internet of Things (Score:3, Informative)
Re: (Score:1)
I haven't re-read the article to see if I've missed something, but it seemed more about corporate espionage than causing heart attacks. Seems like the perpetrators were looking for a quick and easy path to the top of the medical device manufacturing food chain.
Would it be morally wrong to set up a honeypot loaded with subtly but fatally flawed designs such that the manufacturer stealing said designs would be destroyed by the resulting lawsuits from their customers and/or victims?
Re: (Score:2)
The hacking here is to the corporate computers, not hacking into the devices themselves. Now granted those devices may not be secure in some cases, but that is a different story. The danger is in stealing designs. However if the devices rely on security through obscurity then stealing the designs can allow compromising the devices also. Worse, if someone is dumb enough to store signing certificates on a corporate computer.
have been to hospitals with receptionists with web (Score:1)
with web/Internet access on the same computer they used for admission and they were using Microsoft's Internet Explorer. Same thing for a CPA and her entire office while handling taxes for corps and individuals. So it should be no surprise to hear medical companies have been hacked into. Security is something others with important information do.
Re: (Score:2)
Re: (Score:2)
What, you don't think the doctor should be using wireless stethoscopes?
Re: (Score:2)
Important information omitted: (Score:1, Funny)
Did they get the IP address and password to Dick Cheney's implants? That's what we all want to know.
Re: (Score:1)
The password is deficitsdontmatter
Re: (Score:1)
It doesn't matter. It is "well known" that Dick Cheney has no heart, much like Hillary Clinton has no soul.
Dick Cheney's heart is secured. (Score:2)
Oddly enough, for the very fear of this, Dick Cheney had wifi access to his pacemaker disabled. [arstechnica.com]
His heart is closed to attackers. Just like it is to empathy and humanity.
INFOSEC in medicine is a joke (Score:2)
Recall the story of using bluetooth to kill someone with a pacemaker? [webpronews.com]
Simple fact is people have no idea what they are doing security wise and are designing this stuff to be web enabled.
Re: (Score:1)
Colonoscopy (Score:1)