Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Medicine Biotech Government United States

US Government Task Force Urges Cash Incentives For Ditching Insecure Medical Devices (securityledger.com) 64

chicksdaddy shares this report from The Security Ledger: The healthcare sector in the U.S. is in critical condition and in dire need of an overhaul to address widespread and systemic information security weakness that puts patient privacy and even safety at risk, a Congressional Task Force has concluded... On the controversial issue of medical device security, the report suggests that the Federal government and industry might use incentives akin to the "cash for clunkers" car buyback program to encourage healthcare organizations to jettison insecure, legacy medical equipment...

The report released to members of both the U.S. Senate and House of Representatives on Friday concludes that the U.S. healthcare system is plagued by weaknesses, from the leadership and governance of information security within healthcare organizations, to the security of medical devices and medical laboratories to hiring and user awareness. Many of the risks directly affect patient safety, the group found. It comes amid growing threats to healthcare organizations, including a ransomware outbreak that affected scores of hospitals in the United Kingdom.

Joshua Corman, the Director of the Cyber Statecraft Initiative at The Atlantic Council, argues that currently "Healthcare is target rich and resource poor," adding a special warning about the heavy usage of internet-connected healthcare equipment. "If you can't afford to protect it, you can't afford to connect it."
This discussion has been archived. No new comments can be posted.

US Government Task Force Urges Cash Incentives For Ditching Insecure Medical Devices

Comments Filter:
  • by Anonymous Coward

    How about we start fining these irresponsible companies when they negligently use known insecure devices and have security breaches?

    • I'd say, "you can't do that to a medical institution!", but then I remember that they are there for profit like everyone else and I'm totally fine with it.
  • .. . . makes even PATCHING existing gear for security holes an extended and tedious process.

    Consider, my eldest daughter was working as a ward admin, IT relied on her for backup, because for an entire 445 bed hospital. . . was two junior techs. The password on everything EXCEPT the email and timecard system. . .was "password".

    And, of course, that didn't even include the systems you could physically exploit. . . like a "Pyxis" supply dispenser. The tool needed to "hack" it. . . is a flat-head screwdriver. . .

    • I hear there's a shortage of good jobs. But then we'd have to train them. And feed and house and cloth them while they train (don't kid yourself, you can't do intensive training like that while working full time to support yourself, that's why college drop out rates are so high, higher if you consider the ones that didn't get in in the first place).

      Once again, this is a problem that could be solved but we'll be damned if we're gonna do it because nobody wants to pay for it. He'll, when you suggest they d
      • don't kid yourself, you can't do intensive training like that while working full time to support yourself

        Good thing I did not read your post before I did exactly that.

    • That's surprising - Pyxis machines are frequently used to dispense Schedule II drugs.

      Maybe they changed out the stock screws ... one can hope.

      • Maybe they changed out the stock screws ... one can hope.

        You probably have to go to Harbor Freight and buy a $3.99 security bit set, now.

        • by Salgak1 ( 20136 )

          . . . which would be a configuration change, and require yet ANOTHER audit and paper trail. . . Not that it would fix the actual problem, which is a latch that is easily and tracelessly jimmied with a simple screwdriver. . .

    • What does the certification process for equipment have to due to size of the IT staff?

  • Resource poor? When I have to pay over $300 for a simple doctor appointment, or over $600 for an appointment with a specialist?

    No, there are plenty of resources. It's the priorities that are the problem.

    • most of the money goes to the top. Not your Doctors or the infrastructure to support them. Then there's the little matter of 'deductibles', meaning you pay for 'insurance' then you pay for care until you hit your deductible then you pay 80/20 if you're lucky and 60/40 if you're not.

      This is what happens when you let middle men run your healthcare system.
      • most of the money goes to the top. Not your Doctors or the infrastructure to support them.

        Isn't that what I said? "priorities".

    • All those resources are dedicated to filing paperwork or paying for the shiny, new, hi-tech, connected medical equipment that now has to be updated or replaced at no small cost. To patients.
  • by mspohr ( 589790 ) on Sunday June 11, 2017 @05:26PM (#54598149)

    US healthcare is more expensive than anywhere in the world. Profits of healthcare companies are higher in the US than anywhere. There are no limits to what they charge.
    Now they are saying they can't afford to fix the crap they've been foisting on the public?
    Crocodile tears...

  • Why should these highly profitable corporations receive public money to do the right thing to protect themselves and the patients? If they won't do it voluntarily, the law should make them.

    • by Anonymous Coward

      Yes, the incentive should be to not punish them for failures to adhere to the HIPPA law, not to give them cash for the bad decisions they've made without regard to privacy!

    • by dargaud ( 518470 )
      And in addition, nothing so far shows that the new devices are anymore secure than the old ones: they still run on Windows, versions of which don't receive any updates for various reasons, passwords are kept the same forever and everywhere, all ports are open so that various equipment can communicate 'easily', etc...
  • Where can I find out which of the local hospitals and surgical suites uses up-to-date secure stuff and which ones don't give a damn?

    Because I will vote with my wallet.

  • I like this site and I really liked it when the byline used to be "News for nerds Stuff that matter". Is there an extension or bookmarklet or something that I can use to filter out stories based on keywords? Keywords like Comey, Trump, Government, Clinton, Democrat, Republican, Brexit, and on and on? I sure would like that. I really would.

  • ... program for the NSA.

  • I once spoke to (tried to pull) a smart, bright, knowledgeable, beautiful female programmer, who worked in the software development department of a very large well known manufacturer of hospital equipment. The sort of equipment you hook up to patients and use to monitor their well-being, or interconnect to their bodies in various ways.

    She told me she had been admitted to hospital once and been hooked up to such a machine. She had felt very relieved when she saw it was made by a competing manufacturer and no

    • by dargaud ( 518470 )

      She relaxed in the hospital bed, hoping thee competitors had better software that her own employer.

      ...but they didn't and when the insulin pump started running a DDOS botnet, a bitcoin fab, a spam spewer and a ransomware distributor, it unfortunately also started dispensing too much insulin. Hence she's been in a coma ever since. And the popup asking for an update to the WinXP antivirus is routinely ignored as medical staff press on Cancel at every reboot. Which happens multiples times per day.

  • Ditch your insecure shit or face HIPPA fines and fees.

  • With the money I (my insurance company) am paying to hospitals and doctors, I can see no reason for the Federal Government to subsidize ANYTHING medical related. However, with the difficulty of certification, red tape and long durations of testing new or upgraded devices, I can understand why hospitals and doctors are resistant to replacing equipment that seems to work perfectly. Once again the Feds create a problem and then go back to taxpayers for more money to fix it.

Avoid strange women and temporary variables.

Working...