


Why Aren't There Better Cybersecurity Regulations For Medical Devices? (vice.com)

citadrianne writes with an excerpt from Motherboard about some of the factors behind the long-decried security problems that surround medical hardware, and that will only become more pressing as some long-term treatments become both more portable (in the form of drug pumps, muscle stimulators, etc), more connected to sensors and controllers, and more dependent on software. There is a growing body of research that shows just how defenseless many critical medical devices are to cyberattack. Research over the last couple of years has revealed that hundreds of medical devices use hard-coded passwords. Other devices use default admin passwords, then warn hospitals in the documentation not to change them. A big part of the problem is there are no regulations requiring medical devices to meet minimum cybersecurity standards before going to market. The FDA has issued formal guidelines, but these guidelines "do not establish legally enforceable responsibilities." "In theory you could sell a bunch of medical devices without ever having gone through a security review," the well-known independent medical device security researcher Billy Rios told Motherboard.
  • Medical devices have gone under the guise of "security by obscurity" for far too long. They have no standards. They are plugged into the network without any worry at all to what could happen. Insulin pumps are terrible at this [extremetech.com].

    Even Dick Cheney had to have special consideration taken for his pacemaker, since the technology is so bad [popsci.com].

    It isn't just device makers. In general most don't give a shit about security. From banking "apps" to healthcare "apps" - security is generally the last checkbox checked b
    • The problem is the age of most equipment.
      Most medical equipment talks HL7 v2, and it is sent via a standard unencrypted port; with more medical equipment it is easier to set up another port than to parse messages by their message source.

      It isn't so much not caring; most of this stuff is so old that you need to keep backwards compatibility, as for the most part it was designed for serial port communication, with a TCP/IP hack added when TCP/IP was no longer considered a passing fad.

      • by hsmith ( 818216 )
        True, HL7 is garbage and makes me hate life. I'd say it is a combination of both. Any of the new tech coming out still suffers from these issues. But then again, it isn't like hospital INFOSEC people are the cream of the crop. I recently filled out a questionnaire if we had a "HIPAA Certification" - of which none exist (Unless you count the new HITRUST bullshit certification, which they weren't talking about)
      • Even ASTM doesn't specify encryption or authentication. So most of the PHI data being ferried between the hospital LIS and the device is free for anyone to intercept and read in plaintext. The truth is that the communication protocols will be more difficult to update with security than the individual devices with hardcoded accounts and passwords. As soon as you have to support a legacy device that can't handle encryption it's an automatic weak point/vulnerability.
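The plaintext exposure described in this comment, as an added example that is not part of the original thread: a small Python parser for an MLLP-framed HL7 v2 result message, run over a constructed sample (the analyzer, hospital and patient values are made up), that lists the identifying fields any passive observer of the unencrypted port could read.

```python
# Added example, not from the Slashdot thread. MLLP is only a framing layer for
# HL7 v2 over TCP: it adds no encryption or authentication, so every field in the
# PID segment is readable on the wire. SAMPLE_FRAME is constructed, not a capture.

MLLP_START = b"\x0b"    # vertical tab opens a frame
MLLP_END = b"\x1c\r"    # file separator + carriage return closes it

SAMPLE_FRAME = (
    MLLP_START
    + b"MSH|^~\\&|ANALYZER|LAB|LIS|HOSP|201510201045||ORU^R01|MSG0001|P|2.3\r"
    + b"PID|1||MRN12345^^^HOSP^MR||DOE^JANE||19700101|F\r"
    + b"OBR|1|||GLU^Glucose\r"
    + b"OBX|1|NM|GLU^Glucose||5.4|mmol/L|3.9-6.1|N|||F\r"
    + MLLP_END
)


def unframe_mllp(frame: bytes) -> bytes:
    """Strip the MLLP envelope; reject anything that is not a complete frame."""
    if not (frame.startswith(MLLP_START) and frame.endswith(MLLP_END)):
        raise ValueError("not a complete MLLP frame")
    return frame[len(MLLP_START):-len(MLLP_END)]


def parse_hl7(payload: bytes) -> dict:
    """Split segments on CR and fields on the separator declared in MSH-1.
    Returns {segment_name: [fields]}, keeping the first of each segment type."""
    segments = [s for s in payload.decode("ascii").split("\r") if s]
    if not segments or not segments[0].startswith("MSH"):
        raise ValueError("message must begin with an MSH segment")
    sep = segments[0][3]          # MSH-1 is the field separator, usually '|'
    parsed = {}
    for seg in segments:
        fields = seg.split(sep)
        parsed.setdefault(fields[0], fields)
    return parsed


def phi_exposed(frame: bytes) -> dict:
    """Return the identifying fields a passive observer could read off the wire."""
    msg = parse_hl7(unframe_mllp(frame))
    pid = msg.get("PID", [])

    def field(n):             # PID-n is list index n; guard short segments
        return pid[n] if len(pid) > n else ""

    return {
        # MSH-9 is index 8 because MSH-1 is the separator character itself
        "message_type": msg["MSH"][8],
        "patient_id": field(3).split("^")[0],   # PID-3, first component (MRN)
        "patient_name": field(5),               # PID-5
        "date_of_birth": field(7),              # PID-7
    }
```

Run against frames reassembled from a packet capture of the interface port, the same check gives a defender an inventory of which LIS and device links carry PHI in the clear.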
    • I think the major problem is that most software developers don't have a good enough grasp of security concerns. If the individual developers aren't thinking about security when implementing actual code, then it's hard to actually get secure systems. You can't just make a policy of "write secure code" if the developers don't have a clue how to do that. This is similar to making code easy to maintain, or making code that doesn't repeat. It takes a high level coder with years of experience before they figure

    • I believe you are putting the cart before the horse. Nobody gives a shit about security in medical devices because it's not profitable to do so. If there was money to be had, you can bet your ass you would have FUD commercials running 24/7 and companies offering lifetime protection for just about everything.

      People did not care too much about what us techie people said in regards to their digital security. We don't own enough media to be heard. But, WHOLLY BUCKETS OF CASH BATMAN! INFOMERCIAL! has people

  • I have a software application that was cleared by the FDA under the 510(k) class 2 classification. I actually had to submit cybersecurity documentation. The FDA is now doing it, but all the legacy applications will not have this in place.

  • Sadly any answer probably boils down to the fact that not enough people have been injured and/or died yet. Hang a few bodies around the problem and you can bet the government will start taking security on these devices much more seriously. Hang a few lawsuits on them and the companies might do something about it themselves.

    • Just like after a few people have been murdered we will all have a security team escorting us everywhere we go.
  • Devices should be secure, or at least securable. As should internal hospital networks.

    At the same time the risk from bio-medical network hacking remains theoretical. There's a small but serious risk that harm could spread on a wide scale, but so far no exploits have been made.

    The risk of network issues during critical, potentially confusing, seconds-count scenarios is also real. Having some kind of network incompatibility or security interface issue could easily mean the difference between life and death.

  • because the incentives are all wrong - as long as CMS drives the cost out then security will lose. if CMS values it, then it will be part of the equation. FDA has a role too, and they have to require security too. it's as simple as that.
    • by fche ( 36607 )

      The FDA has no incentives to get regulations right. If something goes right, the FDA is not rewarded. If something goes wrong, the FDA is not liable.

      • Big Medical Devices is very comfortable with regulation. Their Regulatory Affairs staffers are on a first name basis with the FDA staffers. And the high regulatory threshold keeps out upstarts. BMD can use 510k equivalency to get their next-Gen product approved at low cost. While owning the patents that keep upstart competitors from using the same approval process. The startups have to go through the whole clinical trials process.

  • I figure there's two possible reasons for this:

    1) The regulators are lazy/incompetent and haven't bothered.
    2) The lobbyists for the medical devices industry have asked for it to keep profits higher.

    But that there is little or no security in these things should be far more widely reported than it apparently is. Consumer electronics have really bad security; medical devices can't even be said to have security in a lot of cases.

    Given what I've heard about the security and frequency of malware on hospital ne

    • I think that at some level, we just have to trust that the most people aren't psychotic. There's a lot of vulnerabilities we all live with on a daily basis. Most people don't walk down the street with armor, even though it would technically be quite easy for someone to come along and stab them with a knife. We just assume that people won't do that. The brakes on most cars could easily be mechanically disabled, but we don't go to any lengths to stop people from cutting the brake lines. What is it about c

      • I think that at some level, we just have to trust that the most people aren't psychotic

        Well, ignoring the specific definition of 'psychotic' here (which isn't how you're using it) ... the problem with comparing this to your car is there's a significantly higher level of people doing malicious things on the intertubes just for the hell of it.

        So, yes, people aren't likely to go around cutting brake lines on cars just for amusement sake. But from a network security perspective? I've found assuming the intern

        • So perhaps the solution isn't to require device manufacturers to make them more secure. You can guarantee that they won't do it, or will mess something up along the way. Instead, why wouldn't the hospital put all the monitoring and other patient connected equipment on a separate network which isn't accessible from the outside because it isn't physically connected. For personal devices like pacemakers and insulin pumps it might be less convenient to require things to be plugged in, but it would be a lot mo

  • by xxxJonBoyxxx ( 565205 ) on Tuesday October 20, 2015 @10:45AM (#50765531)

    If you work for a typically paper-pushing corporation, the priority on the "CIA triad" (confidentiality, integrity and availability) is usually: C, then A, then I. If you work for a utility ("ICS"), it's often A, then I, then C. And if you work with medical devices, it's definitely I, then A, and maybe, way down the line, C, because there's the HIPAA legal hammer to take care of all that. Hardly anyone in this stack understands authentication, but the key with at least the last two is that if someone's trying to use a machine or device and they are standing right next to it, they are assumed to be authorized. Unfortunately, that line of thinking leaks out into web interfaces, telnet and other craziness, and that's why it's all a mess at the moment.

  • I've worked on and off in the medical devices field for a long time, and have been directly involved with the FDA approval process of several products. One thing I can add to this discussion is that anyone who has been through this process recognizes that "not legally enforceable guidelines" still need to be addressed before one can actually get a product released. Sure, maybe an organization could argue around them, but there are so many ways that the FDA can hold up a release or generally cause an organiz
  • ... nobody wants a patient to die while the ER team is trying to remember the password for the defibrillator.

  • Because that would require regulation, and the GOP will not pass new regulations for fear of looking like 'big government' and giving their tea party opponents fuel to get them replaced in office with more 'conservative' people.

  • ... not for you - did your seventh-grade government school teacher perhaps try to tell you otherwise? Try to deal with empirical reality, not platitudes.

    The entrenched interests that give high-paying jobs to former regulators are delighted that startups can't compete and that the products only have to be safe on paper, not subject to real competitive review (notice that Consumer Reports doesn't compare replacement needs - Consumers' Union does lobbying instead, unlike cars).

    Gosh, back when I was doing medi

  • by Anonymous Coward on Tuesday October 20, 2015 @11:06AM (#50765695)

    I am a physician. While I don't implant pacemakers or defibrillators, I do take care of a number of patients who have these devices.

    One critical issue here is accessibility of these devices. Suppose someone gets an implantable cardiac defibrillator for a failing heart. If the patient's cardiac status worsens, the device may activate and keep the heart beating. In these circumstances, it's critical that the physicians at the hospital have immediate and unrestricted access to the data on the device. Without this data, the physicians are at a serious disadvantage in trying to keep the patient alive.

    To further complicate things, a patient in the midst of a cardiac event may not be able to provide a password. Even if the password is stored somewhere in the medical records, modern electronic record systems often make such data cumbersome to find. For example, if the device was implanted at a different hospital, the records typically have to be printed, faxed and then scanned in order to access the data. Those ridiculous steps translate into delays in care.

    The real conundrum is whether a particular security modality is going to save more lives by thwarting hackers than it will cause deaths by delaying medical treatment.

  • I don't know why, but security has been a problem every time a new class of device gains connectivity.

    Robert Morris' internet worm got loose in 1988 - 27 years ago... WTF?

  • most of the hacking is done by criminals to make and steal money. how would you make money from hacking medical devices?
  • I worked in security in the health care system for a short time and there was a ton of resistance to any security solutions we tried to implement. Some of it was that the medical staff felt it was impeding their ability to do their jobs, but it mostly seemed like they didn't like change.

    • Pretty much this.

      I'm an anesthesiologist. I need IV pumps to work now. Not five minutes from now, but NOW. Could you make them more secure? Sure, you could require some kind of patient/drug/pharmacist-verification code, but I don't have the luxury of waiting for that to happen, because the patient needs it NOW. Nurses do the same thing on a slightly slower schedule. Go watch someone actively trying to die and a medical team trying to prevent that (a "code") and tell me your solutions.

      FFS, I had the state
      • by jonwil ( 467024 )

        The right answer is to stop connecting important medical devices like IV pumps to insecure networks. If someone actually has to be standing next to the device in order to hack it, the risk of hacks goes way down.

        • I'd rather none of them were networked; I know enough about computer security for that to scare the hell out of me. But IT insists (though it's not their idea), and I don't have a veto.
  • What's the goal of medical device software?

    Currently, you have to prove that your target user can actually use your product without making mistakes. Make things too complicated in any way, and you're required to have a specialist on hand to turn the thing on. You don't decide what "too complicated" is, the FDA does.

    The current solutions for maximum usability (hard coded passwords, no changing of passwords) are likely the result of existing regulation, not laziness on the part of medical device makers.


  • Shit's too easy to spoof.... well, maybe if you eliminate all inputs..

  • Anyone remotely familiar with the giant pile of manure known as HIPAA knows that government regulations in IT are not only ineffective but also a total waste of time and money.

  • At its very best, you have unhackable encryption for e-data. Now I will show you that that data can be hacked.

    At some point, some human has to take some action to access the unencrypted form of that data. If that human can do it, then it can be done by another human, some other unauthorized way. That's called hacking.

    There is no way around this. The problem with e-records is *you don't have to be physically present to steal them- they can be copied and they can be transported and the original source is non

  • Not everyone writing software should be nor should they need to be a security expert.

    I think the proper method here is to not trust devices to be secure, ever. Instead look to a provider of security software and/or hardware to put your devices behind.

    A firewall device in front of every connected device would seem to be the best approach.

    Just like every computer should have a firewall, every device should too.

  • I'd say that security is weak because it would be difficult to profit from hacking medical devices. Regulation is weak because there have been no headline-grabbing incidents to bring the issue to the attention of regulators.
    It would take a particular type of psycho to hack medical devices and harm people simply for the sake of harming people. That's probably what it will take before manufacturers improve security or government passes some knee-jerk regulations however.

  • As an area that I am very close to, I decided to sum up my comments in a single post rather than scatter replies to many of the uninformed, hyperbolic statements already made on this issue.

    The FDA is not lazy or incompetent on this topic. I have personally worked with the people there who are driving this topic. There is a guidance document that was put through the draft/final review cycle on a fast track for FDA work (about 15 months between the two phases, which often takes 2-4 years).
    http://www.fda.gov [fda.gov]

  • The reason for the lack of security is obvious - the risk of hacking is present, but not very high. On the other hand, if the medical equipment does not work as designed, the patient may die because of that failure. Currently it's better to have the equipment work for sure and risk a hack than to put too many complicated steps into setting things up securely.
  • In my last job I worked on the development of a medical diagnostic instrument. While not immediately life-threatening if compromised, lots of patient details could be stored on the system with no encryption. Now, it wasn't normally networked, so to get the information you had to stand in front of it. But here's where it got interesting: you could create an account to give yourself access to the data, and only a password was required - no username. Just one single string of characters. And because that was t
