US Government Task Force Urges Cash Incentives For Ditching Insecure Medical Devices (securityledger.com)
chicksdaddy shares this report from The Security Ledger:
The healthcare sector in the U.S. is in critical condition and in dire need of an overhaul to address widespread and systemic information security weakness that puts patient privacy and even safety at risk, a Congressional Task Force has concluded... On the controversial issue of medical device security, the report suggests that the Federal government and industry might use incentives akin to the "cash for clunkers" car buyback program to encourage healthcare organizations to jettison insecure, legacy medical equipment...
The report released to members of both the U.S. Senate and House of Representatives on Friday concludes that the U.S. healthcare system is plagued by weaknesses, from the leadership and governance of information security within healthcare organizations, to the security of medical devices and medical laboratories to hiring and user awareness. Many of the risks directly affect patient safety, the group found. It comes amid growing threats to healthcare organizations, including a ransomware outbreak that affected scores of hospitals in the United Kingdom.
Joshua Corman, the Director of the Cyber Statecraft Initiative at The Atlantic Council, argues that currently "Healthcare is target rich and resource poor," adding a special warning about the heavy usage of internet-connected healthcare equipment. "If you can't afford to protect it, you can't afford to connect it."
Re: (Score:1)
fines? (Score:1)
How about we start fining these irresponsible companies when they negligently use known insecure devices and have security breaches?
Re: (Score:2)
Re: I have an IoT medical device (Score:2)
Well, not with that attitude, you won't!
Of course, the lengthy and expensive cert process (Score:5, Informative)
. . . makes even PATCHING existing gear for security holes an extended and tedious process.
Consider, my eldest daughter was working as a ward admin, IT relied on her for backup, because for an entire 445 bed hospital. . . was two junior techs. The password on everything EXCEPT the email and timecard system. . .was "password".
And, of course, that didn't even include the systems you could physically exploit. . . like a "Pyxis" supply dispenser. The tool needed to "hack" it. . . is a flat-head screwdriver. . .
We could just hire more people (Score:2)
Once again, this is a problem that could be solved but we'll be damned if we're gonna do it because nobody wants to pay for it. Hell, when you suggest they d
Re: (Score:2)
don't kid yourself, you can't do intensive training like that while working full time to support yourself
Good thing I did not read your post before I did exactly that.
Re: Of course, the lengthy and expensive cert pro (Score:2)
I read it all. GP has good points. GASP.. are you wrong on the internet? Go go, log off right now, go hide.
Re: (Score:2)
As a developer in the medical device area, the biggest obstacle of creating the devices was the FDA. So the regulations that were attached were daunting. Not only was there an audit annually with respect to every device we created, we had to have detailed design, creation, maintenance and release of each object. This produced quite a bit of paperwork. At the time, the FDA would not accept electronic documents that could have (at the time) been put on a CD for every device. Every change or enhancements al
Re: (Score:1)
As far as I'm concerned, the commenter whose posting was broken apart line-by-line knows exactly what he/she is talking about, and their engineering judgment should not be questioned.
In the medical device arena, an obvious two line of code change can easily take 3-4 days to complete the necessary reviews and documentation updates; the testing can take a week or two. Now imagine that a patch was made in the networking subsystem of a real-time operating system to deal with a security hole. Completing the re
Re: (Score:2)
That's surprising - Pyxis machines are frequently used to dispense Schedule II drugs.
Maybe they changed out the stock screws ... one can hope.
Re: (Score:2)
Maybe they changed out the stock screws ... one can hope.
You probably have to go to Harbor Freight and buy a $3.99 security bit set, now.
Re: (Score:2)
. . . which would be a configuration change, and require yet ANOTHER audit and paper trail. . . Not that it would fix the actual problem, which is a latch that is easily and tracelessly jimmied with a simple screwdriver. . .
Re: (Score:2)
What does the certification process for equipment have to do with the size of the IT staff?
Resource poor? BS (Score:2)
Resource poor? When I have to pay over $300 for a simple doctor appointment, or over $600 for an appointment with a specialist?
No, there are plenty of resources. It's the priorities that are the problem.
You can thank our healthcare system for that (Score:2)
This is what happens when you let middle men run your healthcare system.
Re: (Score:2)
Isn't that what I said? "priorities".
Re: (Score:2)
Poor healthcare companies (Score:3)
US healthcare is more expensive than anywhere in the world. Profits of healthcare companies are higher in the US than anywhere. There are no limits to what they charge.
Now they are saying they can't afford to fix the crap they've been foisting on the public?
Crocodile tears...
Buyback? (Score:1)
Why should these highly profitable corporations receive public money to do the right thing to protect themselves and the patients? If they won't do it voluntarily, the law should make them.
Re: (Score:1)
Yes, the incentive should be to not punish them for failures to adhere to the HIPAA law, not to give them cash for the bad decisions they've made without regard to privacy!
Re: (Score:3)
More Information, Please (Score:2)
Where can I find out which of the local hospitals and surgical suites uses up-to-date secure stuff and which ones don't give a damn?
Because I will vote with my wallet.
Re: (Score:2)
Currently they are in the event that the device causes the harm and the flaw was proven to cause said harm. If it is "user" error, then it is not the responsibility of the maker, but the hospital. Most medical devices I was involved with creating utilized standard security practices and if set up properly they would be a reliable secure device, but only as secure as the network in which it is placed.
Politics..Again (Score:2)
I like this site and I really liked it when the byline used to be "News for nerds. Stuff that matters." Is there an extension or bookmarklet or something that I can use to filter out stories based on keywords? Keywords like Comey, Trump, Government, Clinton, Democrat, Republican, Brexit, and on and on? I sure would like that. I really would.
Need a similar buy back ... (Score:2)
... program for the NSA.
Dare they be patients in their own hospitals? (Score:2)
I once spoke to (tried to pull) a smart, bright, knowledgeable, beautiful female programmer, who worked in the software development department of a very large well known manufacturer of hospital equipment. The sort of equipment you hook up to patients and use to monitor their well-being, or interconnect to their bodies in various ways.
She told me she had been admitted to hospital once and been hooked up to such a machine. She had felt very relieved when she saw it was made by a competing manufacturer and no
Re: (Score:2)
She relaxed in the hospital bed, hoping the competitors had better software than her own employer.
...but they didn't and when the insulin pump started running a DDOS botnet, a bitcoin fab, a spam spewer and a ransomware distributor, it unfortunately also started dispensing too much insulin. Hence she's been in a coma ever since. And the popup asking for an update to the WinXP antivirus is routinely ignored as medical staff press on Cancel at every reboot. Which happens multiple times per day.
Here's a cash incentive (Score:2)
Ditch your insecure shit or face HIPAA fines and fees.
Medical Costs (Score:2)
With the money I (my insurance company) am paying to hospitals and doctors, I can see no reason for the Federal Government to subsidize ANYTHING medical related. However, with the difficulty of certification, red tape and long durations of testing new or upgraded devices, I can understand why hospitals and doctors are resistant to replacing equipment that seems to work perfectly. Once again the Feds create a problem and then go back to taxpayers for more money to fix it.