SoylentNews is people

posted by Fnord666 on Tuesday February 25 2020, @09:02AM
from the don't-add-them-to-begin-with dept.

Why fixing security vulnerabilities in medical devices, IoT is so hard:

When your family opened up that brand-new computer when you were a kid, you didn't think of all of the third-party work that made typing in that first BASIC program possible. There once was a time when we didn't have to worry about which companies produced all the bits of licensed software or hardware that underpinned our computing experience. But recent malware attacks and other security events have shown just how much we need to care about the supply chain behind the technology we use every day.

The URGENT/11 vulnerability, the subject of a Cybersecurity and Infrastructure Security Agency advisory issued last July, is one of those events. It forces us to care because it affects multiple medical devices. And it serves as a demonstration of how the software component supply chain and availability of support can affect the ability of organizations to update devices to fix security bugs—especially in the embedded computing space.

URGENT/11 is a vulnerability in the Interpeak Networks TCP/IP stack (IPNet), which was licensed out to multiple vendors of embedded operating systems. IPNet also became the main networking stack in Wind River VxWorks, until Wind River acquired Interpeak in 2006 and stopped supporting IPNet. (Wind River itself was acquired by Intel in 2009 and spun off in 2018.) But the end of support didn't stop several other manufacturers from continuing to use IPNet. When critical bugs were discovered in IPNet, it set off a scare among the numerous medical device manufacturers that run it as part of their product build.

The average medical or Internet of Things (IoT) device relies on multiple free software or open source utilities. These pieces of software are maintained by any number of third parties—often by just one or two people. In the case of Network Time Protocol (ntp)—software that is in billions of devices—its code is maintained by a single person. And when the OpenSSL Heartbleed vulnerability came out in 2014, the OpenSSL project had two developers working on it. While there are many more developers working on it now, the Heartbleed crisis is emblematic of what happens when we use free software in our devices—the software gets adapted, not really patched, and not really maintained on the device, and little benefit goes back to the project.

The S in IoT stands for Security


  • (Score: 2) by RS3 on Tuesday February 25 2020, @04:12PM (4 children)

    by RS3 (6367) on Tuesday February 25 2020, @04:12PM (#962412)

    Money is certainly the huge factor, but time is also. For some reason most people don't seem to consider time and timelines when discussing things.

    A friend's mom recently had a pacemaker installed. In the old days pacemakers just produced pulses, but now they monitor things too. The point being- if she has a problem that she might not be aware of, the pacemaker system might signal an alert to someone somewhere. It comes with a base station that "talks" directly to cell network. I'm not sure how it communicates with the pacemaker, but for sure the pacemaker itself is not "online".

    And I seriously doubt the base station is "online", rather, probably initiates communication with some kind of address somewhere.

    An option would be to use an external wearable monitor, such as a "Holter", but they're uncomfortable and skin contact pads need to be replaced every so often. And then it has to be taken to a medical center to read out the data.

    Maybe an option could be a semi-sneakernet system where the pacemaker's monitor station would not be online. The patient (or someone) would insert a USB drive and the system would copy some data that then could be uploaded or emailed to a medical center. If changes were needed to the pacemaker's parameters, the monitoring station could be taken to a medical center and programmed manually, or maybe a parameter file could be emailed and checked against a cert, the base station would only accept it if it passes integrity checks, etc. Point being- base station would not be online, exposed to repeated attacks.

    BTW, it seems obvious that none of the gruntwork would be done by physicians; no more than the other things that are typically done by nurses and med techs.

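The acceptance check RS3 sketches above for a sneakernet parameter file, as an added example that is not part of the original comments or any vendor's code. HMAC-SHA256 with a provisioned key stands in for the certificate signature check so the block runs on the standard library alone; the file layout, field names, serial, key and limits are all assumptions.

```python
import hashlib
import hmac
import json

# Hypothetical engineering limits for illustration only, not clinical values.
LIMITS = {"lower_rate_bpm": (40, 120), "av_delay_ms": (80, 300)}


class Rejected(Exception):
    """Raised when a parameter file must not be applied."""


def sign(payload: bytes, key: bytes) -> str:
    """Clinic side: tag the exact bytes that will be written to the USB drive."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_update(payload: bytes, tag: str, key: bytes, serial: str, last_seq: int) -> dict:
    """Base-station side: return the parameters only if every check passes."""
    # 1. Authenticate the raw bytes before parsing anything from them.
    if not hmac.compare_digest(sign(payload, key).encode(), tag.encode()):
        raise Rejected("bad tag")
    doc = json.loads(payload)
    # 2. The file must be addressed to this unit.
    if doc.get("serial") != serial:
        raise Rejected("wrong device")
    # 3. Reject replays of an older, still validly tagged file.
    seq = doc.get("seq")
    if not isinstance(seq, int) or seq <= last_seq:
        raise Rejected("stale sequence")
    # 4. Allowlist of keys and ranges, so a signed typo cannot reach the device.
    params = doc.get("params")
    if not isinstance(params, dict) or set(params) != set(LIMITS):
        raise Rejected("unexpected parameter set")
    for name, (lo, hi) in LIMITS.items():
        value = params[name]
        if type(value) is not int or not lo <= value <= hi:
            raise Rejected(f"{name} out of range")
    return params


# Constructed sample input: key, serial and values are made up.
KEY = b"constructed-demo-key-not-for-use"
GOOD = json.dumps({"serial": "BS-0001", "seq": 8,
                   "params": {"lower_rate_bpm": 60, "av_delay_ms": 160}}).encode()
GOOD_TAG = sign(GOOD, KEY)

if __name__ == "__main__":
    print(verify_update(GOOD, GOOD_TAG, KEY, "BS-0001", last_seq=7))
```

The sequence check matters as much as the tag: an old file on a forgotten USB drive still authenticates, and only the stored counter stops it from being applied again.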
  • (Score: 0) by Anonymous Coward on Tuesday February 25 2020, @04:50PM (3 children)

    by Anonymous Coward on Tuesday February 25 2020, @04:50PM (#962433)

    Of the different ways pacemakers can be classified one is demand versus automatic. Demand pacemakers are always sensing the heart rhythm and when it detects a lack of impulse (either atrial or ventricular) it then delivers the impulse - it senses when you're missing a beat and delivers it. This is different from the 'old school' of automatic where a shock is delivered in time according to its own frequency whether your heart was going to supply the impulse or not. And a little different from that is an ICD, which senses when your heart is going dysrhythmic and delivers a defibrillating pulse to try and reset the beat. The first and last types can very much benefit from being able to deliver telemetry. It can be very helpful to the client that a central monitoring station reads that a device has monitored 15 premature ventricular contractions in the last 5 minutes.

    Yes, there are Holter monitors. They are beginning to be considered old-school, in part because they are limited to recording the length of their onboard memory. There are also telemetry monitors, which likewise are talking to a base station that is relaying your data to a central monitoring point. Telemeters are also used extensively in hospitals... While it may still be called a "Holter" by staff, almost all in-hospital cardiac monitoring is done by telemetry where a staff member may be monitoring 12-30 patients simultaneously.

    But the last main thing... yes, many systems do indeed use the cellular network. More to the point, they use cellular data services. Which are connected to.............. oh... Hopefully they're VPNing in - they certainly should be. But TCP/IP is the delivery method of choice.

    • (Score: 2) by RS3 on Tuesday February 25 2020, @05:34PM (2 children)

      by RS3 (6367) on Tuesday February 25 2020, @05:34PM (#962450)

      I don't know if you're a doctor, but you're certainly knowledgeable. I do know all that, but not everyone does, so thanks for writing it up.

      Not sure if they're VPNing into the pacemaker monitor. I forget the brand, but I'll write it down when I visit her next. I'm hoping the base station sits quietly offline, and turns on cell data when it wants to upload, check in, etc., rather than always be on and exposed.

      BTW, the in-hospital monitor systems use software to detect cardiac rhythm anomalies, so the whole system is not limited by 1 human watching so many patients.

      My friend's mom has "heart block", so I'm guessing the pacemaker is always pulsing. But that said, I wonder how these new pacemakers know when to speed up or slow down... Maybe you know?

      • (Score: 1, Informative) by Anonymous Coward on Wednesday February 26 2020, @04:27PM (1 child)

        by Anonymous Coward on Wednesday February 26 2020, @04:27PM (#962940)

        Good point - they initiate contact and that is indeed the way it needs to be. I wonder what would happen if a full DDOS attack were launched at the IP where the data is coming from (I doubt that the devices carry static IP's, but I don't know which would be worse - having a static range to be assaulted, or a dynamic range which rotates such that the receiving end can't lock out incorrect IP ranges). I also wonder how/if the system manufacturer hardens against such a possibility. Hopefully the cell towers themselves would serve as a stronger firewall buffer as well.

        Anyway, not a doctor but I have more than layperson's knowledge. And using the cloak of AC so that nobody treats any of this as medical advice. (I'm not being paid for it anyway, but still don't want it directly attributed to me). I know there are devices (not implanted) which can be remotely accessed, though, without the end user needing to initiate it. That should change (something like a WiFi configuration button to let the device know it is OK to accept an unsolicited inbound connection in addition to all the other security). And pacemaker bases can initiate the connection on their own when they have significant data to report. Most implanted defibrillators require the end user to initiate the data upload.

        The monitoring software does indeed detect rhythm anomalies and reports them. For externally worn monitors (pads on skin) they are accurate maybe 50% of the time at best, and for the 50% of the time they are accurate maybe 10% are of actual clinical significance. (Premature ventricular contraction, for example, when the second part of the beat sequence decides to fire early. 2 in a row are not uncommon in some kind of periodic rolling sequence, and so long as it is "stably unstable" it's not to worry about. 3 or 4 in a row are of some concern. More than that and you wonder what's going wrong.) Internally fixed ones (like pacemakers) are much more accurate and do not suffer nearly as much from anomalies like breathing motion or other movement fuzzing up the picture. But the point is that it still takes a human monitoring and the point of the monitor room is that there is a human who makes the judgment whether or not to call the nurse about a given issue.

        Heart block.... you can Google a lot on it but I can speak a little bit about it.

        Forgive me if you already know this (we're a smarter than average bunch, so maybe many of us already know the first bits of cardiac circulation). But the electrical contraction wave starts at the top right of the heart ("right" from the patient's right side... the sinoatrial node), passes to nearly the center of the mass (septum between the atria and the ventricles, atrioventricular or AV node), then into the bundle and down two separate paths (Bundle of His and Left and Right bundles) to the bottom center of the apex where it wraps back around upwards and outside on the ventricles (Purkinje fibers). It's better to see it, and here's a great animation even if the narration could be more interesting: https://www.youtube.com/watch?v=RYZ4daFwMa8

        So a heart block occurs below the AV node. The conduction pathway gets lost somewhere after the AV node. So the top part (atrial contraction) fires regularly and on time. But the part below (ventricles) don't fall in the correct rhythm. A fun thing about the heart is that it has conductivity (the depolarizing and repolarizing should occur in smooth waves giving you a regular ECG picture) but it also has automaticity - those lower parts of the heart will try and fire on their own if they don't receive a signal from above....... but it does so more slowly. This can cause a rhythm problem where the part of the heart (and it can be both top/bottom and side-side) starts firing out of rhythm to the system, which if you think about it as a two-phase pump can be a problem.

        Anyhoo, now to what you were asking.... What your friend most likely has is a ventricular demand pacemaker. It is sensing the atrial depolarization wave (first bump) and then monitoring for the ventricular wave (the big spike). It counts from when it determines the peak of the atrial wave has occurred and if it does not sense a timely ventricular spike (about 160 milliseconds from top of P wave to initiation of Q wave) it will fire. The heart is pacing itself but the pacemaker is sending the second wave (that isn't getting to the ventricle), hence it is supplied "on demand."

        This isn't your friend's condition, but if the opposite is happening and the atrial wave isn't happening on time the pulse rate will be somewhere between 20 and 59(ish) beats per minute. The midline or the ventricles will send out their waves even without input, but slower, see? (Strong athletes can get a pulse in the 50s naturally which is fine). So instead the pacemaker looks at the QRS complex (the spike) and then counts a specified interval, and if no wave happens it will stimulate the atria. The stimulation may be a few milliseconds late, but that's OK. As long as the heart had time to repolarize, the next beat will then progress naturally. The pacemaker sends the first wave (that isn't going to the atria), hence it is Atrial Demand.

        If neither the atria nor the ventricles are supplying waves with good timing then usually an automatic pacemaker is called for. This can either be just an atrial spike, or if the patient also has a block in addition to the loss of the sinoatrial conduction, it can supply both atrial and ventricular pulses (which is interesting to see on an EKG, two very rapid double spikes about 40 milliseconds apart and then one sees the rest of the wave).

        Anyway, sorry for going on about it. The cardiac system is really awesome and fun to study even if you have no interest in medicine. :)

        • (Score: 2) by RS3 on Thursday February 27 2020, @04:07PM

          by RS3 (6367) on Thursday February 27 2020, @04:07PM (#963554)

          > "Anyway, sorry for going on about it."

          Sorry? Are you kidding? This is awesome; I can not thank you enough!

          Being somewhat medically savvy, and just trying to pay attention and help where I can, over recent months I occasionally checked friend's mom's pulse at wrist. It was always quite irregular. I also have a finger clip "pulse ox" that has an LED that blinks for each detected heartbeat. It was quite erratic too.

          Not knowing what that meant, I didn't think to do anything. She did have regular doctor checkups. I assume he was checking her heart. She just had a checkup in December. Maybe "heart block" happened since then?

          I'll have to do some research on what can cause "heart block".

          Another area of curiosity- "cardioversion". I know some people who've had that done. I pretty much know what it is and what the procedure is. My question is: if there's a problem with rhythm, how can one "zap" fix the problem? I'll do some research...

          Thank you again so much.