SoylentNews is people
SoylentNews
from the don't-add-them-to-begin-with dept.
Why fixing security vulnerabilities in medical devices, IoT is so hard:
When your family opened up that brand-new computer when you were a kid, you didn't think of all of the third-party work that made typing in that first BASIC program possible. There once was a time when we didn't have to worry about which companies produced all the bits of licensed software or hardware that underpinned our computing experience. But recent malware attacks and other security events have shown just how much we need to care about the supply chain behind the technology we use every day.
The URGENT/11 vulnerability, the subject of a Cybersecurity and Infrastructure Security Agency advisory issued last July, is one of those events. It forces us to care because it affects multiple medical devices. And it serves as a demonstration of how the software component supply chain and availability of support can affect the ability of organizations to update devices to fix security bugs—especially in the embedded computing space.
URGENT/11 is a vulnerability in the Interpeak Networks TCP/IP stack (IPNet), which was licensed out to multiple vendors of embedded operating systems. IPNet also became the main networking stack in Wind River VxWorks, until Wind River acquired Interpeak in 2006 and stopped supporting IPNet. (Wind River itself was acquired by Intel in 2009 and spun off in 2018.) But the end of support didn't stop several other manufacturers from continuing to use IPNet. When critical bugs were discovered in IPNet, it set off a scare among the numerous medical device manufacturers that run it as part of their product build.
The average medical or Internet of Things (IoT) device relies on multiple free software or open source utilities. These pieces of software are maintained by any number of third parties—often by just one or two people. In the case of Network Time Protocol (ntp)—software that is in billions of devices—its code is maintained by a single person. And when the OpenSSL Heartbleed vulnerability came out in 2014, the OpenSSL project had two developers working on it. While there are many more developers working on it now, the Heartbleed crisis is emblematic of what happens when we use free software in our devices—the software gets adapted, not really patched, and not really maintained on the device, and little benefit goes back to the project.
The S in IoT stands for Security
(Score: 1, Informative) by Anonymous Coward on Wednesday February 26 2020, @04:27PM (1 child)
Good point - they initiate contact and that is indeed the way it needs to be. I wonder what would happen if a full DDOS attack were launched at the IP where the data is coming from (I doubt that the devices carry static IP's, but I don't know which would be worse - having a static range to be assaulted, or a dynamic range which rotates such that the receiving end can't lock out incorrect IP ranges). I also wonder how/if the system manufacturer hardens against such a possibility. Hopefully the cell towers themselves would serve as a stronger firewall buffer as well.
Anyway, not a doctor but I have more than layperson's knowledge. And using the cloak of AC so that nobody treats any of this as medical advice. (I'm not being paid for it anyway, but still don't want it directly attributed to me). I know there are devices (not implanted) which can be remotely accessed, though, without the end user needing to initiate it. That should change (something like a WiFi configuration button to let the device know it is OK to accept an unsolicited inbound connection in addition to all the other security). And pacemaker bases can initiate the connection on their own when they have significant data to report. Most implanted defibrillators require the end user to initiate the data upload.
The monitoring software does indeed detect rhythm anomalies and reports them. For externally worn monitors (pads on skin) they are accurate maybe 50% of the time at best, and for the 50% of the time they are accurate maybe 10% are of actual clinical significance. (Premature ventricular contraction, for example, when the second part of the beat sequence decides to fire early. 2 in a row are not uncommon in some kind of periodic rolling sequence, and so long as it is "stably unstable" it's not to worry about. 3 or 4 in a row are of some concern. More than that and you wonder what's going wrong. Internally fixed ones (like pacemakers) are much more accurate and do not suffer nearly as much from anomalies like breathing motion or other movement fuzzing up the picture. But the point is that it still takes a human monitoring and the point of the monitor room is that there is a human who makes the judgment whether or not to call the nurse about a given issue.
Heart block.... you can Google a lot on it but I can speak a little bit about it.
Forgive me if you already know this (we're a smarter than average bunch, so maybe many of us already know the first bits of cardiac circulation). But the electrical contraction wave starts at the top right of the heart ("right" from the patient's right side... the sinoatrial node), passes to nearly the center of the mass (septum between the atria and the ventricles, atrioventricular or AV node), then into the bundle and down two separate paths (Bundle of His and Left and Right bundles) to the bottom center of the apex where it wraps back around upwards and outside on the ventricles (purkinje fibers). It's better to see it, and here's a great animation even if the narration could be more interesting: https://www.youtube.com/watch?v=RYZ4daFwMa8 [youtube.com]
So a heart block occurs below the AV node. The conduction pathway gets lost somewhere after the AV node. So the top part (atrial contraction) fires regularly and on time. But the part below (ventricles) don't fall in the correct rhythm. A fun thing about the heart is that it has conductivity (the depolarizing and repolarizing should occur in smooth waves giving you a regular ECG picture) but it also has automaticity - those lower parts of the heart will try and fire on their own if they don't receive a signal from above....... but it does so more slowly. This can cause a rhythm problem where the part of the heart (and it can be both top/bottom and side-side) starts firing out of rhythm to the system, which if you think about it as a two-phase pump can be a problem.
Anyhoo, now to what you were asking.... What your friend most likely has is a ventricular demand pacemaker. It is sensing the the atrial depolarization wave (first bump) and then monitoring for the ventricular wave (the big spike). It counts from when it determines the peak of the atrial wave has occured and if it does not sense a timely ventricular spike (about 160 milliseconds from top of P wave to initiation of Q wave) it will fire. The heart is pacing itself but the pacemaker is sending the second wave that isn't getting to the ventricle), hence it is supplied "on demand."
This isn't your friend's condition, but if the opposite is happening and the atrial wave isn't happening on time the pulse rate will be somewhere between 20 and 59(ish) beats per minute. The midline or the ventricles will send out their waves even without input, but slower, see? (Strong atheletes can get a pulse in the 50s naturally which is fine). So instead the pacemaker looks at the QRS complex (the spike) and then counts a specified interval, and if no wave happens it will stimulate the atria. The stimulation may be a few milliseconds late, but that's OK. As long as the heart had time to repolarize, the next beat will then progress naturally. The pacemaker sends the first wave (that isn't going to the atria), hence it is Atrial Demand.'
If neither the atria nor the ventricles are supplying waves with good timing then usually an automatic pacemaker is called for. This can either be just an atrial spike, or if the patient also has a block in addition to the loss of the sinoatrial conduction, it can supply both atrial and ventricular pulses (which is interesting to see on an EKG, two very rapid double spikes about 40 milliseconds apart and then one sees the rest of the wave).
Anyway, sorry for going on about it. The cardiac system is really awesome and fun to study even if you have no interest in medicine. :)
(Score: 2) by RS3 on Thursday February 27 2020, @04:07PM
> "Anyway, sorry for going on about it."
Sorry? Are you kidding? This is awesome; I can not thank you enough!
Being somewhat medically savvy, and just trying to pay attention and help where I can, over recent months I occasionally checked friend's mom's pulse at wrist. It was always quite irregular. I also have a finger clip "pulse ox" that has an LED that blinks for each detected heartbeat. It was quite erratic too.
Not knowing what that meant, I didn't think to do anything. She did have regular doctor checkups. I assume he was checking her heart. She just had a checkup in December. Maybe "heart block" happened since then?
I'll have to do some research on what can cause "heart block".
Another area of curiosity- "cardioversion". I know some people who've had that done. I pretty much know what it is and what the procedure is. My question is: if there's a problem with rhythm, how can one "zap" fix the problem? I'll do some research...
Thank you again so much.