

A New Cyber Concern: Hack Attacks on Medical Devices - RougeFemme
http://www.scientificamerican.com/article.cfm?id=a-new-cyber-concern-hack

======
WestCoastJustin
Of possible interest -- There was a Homeland episode [1], where they used a
hack on a pacemaker to assassinate someone. This caused lots of discussion
around medical device security [2] [3] [4] [5].

[1] [http://www.huffingtonpost.com/michael-hogan/homeland-recap-s...](http://www.huffingtonpost.com/michael-hogan/homeland-recap-season-2-episode-10-broken-hearts_b_2229246.html)

[2] [http://www.forbes.com/sites/singularity/2012/12/06/yes-you-c...](http://www.forbes.com/sites/singularity/2012/12/06/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too/)

[3] [http://www.cnbc.com/id/100306578](http://www.cnbc.com/id/100306578)

[4] [http://www.linkedin.com/groups/Homeland-Pacemaker-Hack-22063...](http://www.linkedin.com/groups/Homeland-Pacemaker-Hack-2206357.S.192475623)

[5] [http://blog.ioactive.com/2013/02/broken-hearts-how-plausible...](http://blog.ioactive.com/2013/02/broken-hearts-how-plausible-was.html)

~~~
shawn-furyan
The Forbes article is a little more informative than the SciAm one (normally
I'm a fan of Scientific American, but the writer of this article just did not
seem to know the right questions to ask to give an indication of just what's
going on here; also, that title, jeez...), but I am still having trouble here.
Do pacemakers and internal insulin pumps run old versions of Windows without
security updates, or are we talking about more customary systems within the
hospital (computerized equipment is so incredibly vague a descriptor)?[1] If
it's the former, then that just seems like such a bad idea. Even a stripped
down Linux system with GNU tools seems incredibly bad. I know that generally
security through obscurity is looked down upon, but gah, you don't want common
viruses looking for new botnet nodes on the least common denominator systems
to have any chance of running on your pacemaker. It's much better to at least
engineer the system so that these devices have to be specifically targeted,
rather than being susceptible to being caught up in the most common attacks.
But surely this isn't what's going on, right? Surely I'm just reading that
quote in an overly paranoid way, right? Right?

[1] "In hospitals around the country there has been a dangerous rise of
malware infections in computerized equipment. Many of these systems are
running very old versions of Windows that are susceptible to viruses from
years ago. Some manufacturers will not allow their equipment to be modified,
even with security updates, partially due to regulatory restrictions."
[http://www.forbes.com/sites/singularity/2012/12/06/yes-you-c...](http://www.forbes.com/sites/singularity/2012/12/06/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too/)

------
pherz
Not exactly new, the FDA is just getting around* to releasing draft guidance
[0] and is/has been ramping up their consideration of device security in the
PMA/401k approval processes already. What really lit the fire under medical
companies' asses was the 2011 Black Hat presentation [1] of the hacked insulin
pump. Depressingly and unsurprisingly, the risk to reputation has been the
biggest driver of security so far. The blowback also led to Congress
commissioning a GAO report released almost a year ago [2] that concluded that
the FDA really should do something and is actually more meaningful on
evaluating software than the recent draft guidance. There was already some FDA
guidance on security of devices containing COTS from 2005 [3], but it wasn't just
about COTS, and even the author of that guidance would tell you the biggest
mistake in it was mentioning COTS in the title.

[0] [http://www.fda.gov/downloads/MedicalDevices/DeviceRegulation...](http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf)

[1] [http://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.htm...](http://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Radcliffe)

[2] [http://www.gao.gov/products/GAO-12-816](http://www.gao.gov/products/GAO-12-816)

[3] [http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidanc...](http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm)

* This guidance is overdue and vague as usual. The FDA is generally well intentioned but politics will slow them down even after it's a foregone conclusion that they're going to do something.

------
achillean
It will be interesting to see how good vendors are at integrating security
best-practices into their engineering. Medical devices have already started to
pop up on Shodan, such as baby heart rate monitors and glucose meters. And I
wonder whether the FDA will offer guidance on proofing hardware that's already
deployed. It's often not just a problem of protecting new medical devices as
they're being developed, but how to protect old stuff that's now going to be
exposed to the Internet/network.

------
sergers
I would say true, the majority of hospital environments are unaware of what the
devices are running. Disclosure: I have been a Solution Architect for a PACS vendor
for 15 years, and know the ins and outs of hospital equipment and networks/systems
at many of the largest hospitals in the USA and some international ones.

Malware infections in hospitals have risen and are definitely more targeted to
harvest patient data or take down the system. Never heard of a device like
they mentioned getting hacked, like an insulin pump, in the "field".

The better systems are already locked down and are treated with limited
access, following HIPAA, ISO, FDA compliances. IT/networking monitor the
equipment as any other equipment.

Then again, many old modalities (CT/X-ray scanners) are running old versions of
Windows NT or 2000 or XP that have never been patched with MS updates, nor have
they ever had any AV installed.

And sometimes you need to import data from small facilities; these have
potential to be malware infected. This data is usually imported directly into
the system, so if precautions aren't already set up on that system then you just
infected your system.

------
microcolonel
[https://youtu.be/nFZGpES-St8](https://youtu.be/nFZGpES-St8) << not a new
"cyber" concern, a very old concern, with a new Scientific American article.

