IEEE Spectrum has a story on medical device security, which follows a report from Reuters that the U.S. Department of Homeland Security is investigating possible security flaws in medical devices and hospital equipment.
From Reuters:
The products under review by the agency's Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, include an infusion pump from Hospira Inc and implantable heart devices from Medtronic Inc and St Jude Medical Inc, according to other people familiar with the cases, who asked not to be identified because the probes are confidential.
According to Spectrum, the ICS-CERT team:
wants to help manufacturers fix software bugs and other vulnerabilities that could be exploited by hackers; agency sources emphasized that the companies did not do anything wrong.
The Spectrum article also references the 2011 case of remotely hacking an insulin pump, demonstrated by Jerome Radcliffe.
(Score: 2) by Sir Garlon on Tuesday October 28 2014, @08:30PM
I understand your frustration and I share it to some considerable extent.
In my own experience, if you take a demanding and compliance-based approach to security, saying "do X or else!", then people resent it. They become passive-aggressive and they will do the minimum required to achieve the appearance of X, and bitterly refuse to do more. The cynic in me says this is what the PCI standards [pcisecuritystandards.org] have achieved.
On the other hand, if you can successfully persuade them of the need to do the Right Thing, then they will do what it takes to do the Right Thing.
Persuading people to do the Right Thing does not have to be all rainbows and unicorns. For example, pointing out that insecure medical devices are a horrendous liability risk (because they are) could be quite persuasive to some suits.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
(Score: 1, Interesting) by Anonymous Coward on Tuesday October 28 2014, @10:54PM
I worked for a few years at a medical device manufacturer; one of the big ones that does heart-lung machines and the like. They were all about 'doing the right thing' and 'customer focus' and stuff and had a relatively thorough CAPA system for all sorts of defects and other reports. But despite that, they had an abysmal investigation rate. There were hundreds of items in the complaint logs for their heart-lung machines that had been 'filed and forgotten', without even attempting to investigate or reproduce the problems (or very minimal, rudimentary ones). Some of them were pretty serious, like spurious flow rate increases and pump shutdowns.
The FDA eventually caught on to it through audits, and started their process for getting the company to do a proper job investigating their failures (we're talking heart-lung machines after all, they need to be pretty damn sure they're reliable). The FDA process is actually fairly lengthy and involved, escalating through nearly a dozen different 'levels' over a several-year time frame (allowing for time to implement actions), with the final being the closure of the company for non-compliance.
What did the company do? Ignore the FDA. So they got elevated to the next level. Now? Ignore the FDA. It took reaching a consent decree, the final step immediately before company closure, coupled with a $35 million fine, before the company actually did something about it. It's not like the logs were hidden from view or anything; I was in the hardware department and saw them personally. But that didn't matter because they were too wrapped up in developing their next iteration of products (having failed multiple times at getting one to market) and couldn't be bothered to do the investigations (the 'sustaining' department was minimal and overbooked).
So, a kick to the balls might be more in order than you think, especially when there's a reasonable process in place like the FDA uses and it still takes years and millions of dollars in fines before the company does something about it.....
(Score: 2) by Sir Garlon on Wednesday October 29 2014, @12:40AM
Ouch, because from where I'm standing the FDA looks like an extremely industry-friendly agency.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.