Wednesday, RSA 2018: On any given day, there are more than 150 sessions to choose from here. Good luck getting to even 5% of those. The good news is that attendees can get access to most of the sessions they missed after the fact, since the slide presentations are posted and videos are made of just about every one. So you can keep “attending” for months to come. But from a small slice of it in real time: It didn’t get nearly as much buzz as the keynote from Monica Lewinsky of Bill-Clinton-and-blue-dress fame, but the message was still powerful: Behavioral analytics is changing the world of security.
Early last year, in response to the Cybersecurity Act of 2015, the US Department of Health and Human Services (HHS) established The Health Care Industry Cybersecurity Task Force. This month the task force published its recommendations to improve healthcare cybersecurity.
The original version of this post was published on SecurityWeek. I recently had reason to spend an overnight visit in the hospital. When friends and family left me late in the evening I was confronted with a subject that I had considered professionally but never had to face personally: the connected medical device. When software security gets personal The device that dominated my attention was the infusion pump attached to my IV line. First, it became my constant companion if I left my bed, so we quickly became quite close. Second, it reminded me of specific hacks demonstrated by security researcher Billy Rios. Specifically, the hack where he shows how such a device could be used to endanger the life of the patient. For those of you who have never had the pleasure of being connected to an infusion pump, it is a device that continuously meters and dispenses medicine intravenously into the patient. These pumps are widely deployed and used for a wide range of treatments and medical conditions. They are not terribly complex or exotic, so they represent a fair example of a connected medical device. They also stretch the term “connected” as they are connected to the network and connected to the patient.
In a new report, Synopsys found that 67% of medical device manufacturers and 56% of healthcare delivery organizations (HDOs) believe an attack on a medical device built or in use by their organization is likely to occur over the next 12 months.
Posted in Medical Device Security | Comments Off on Synopsys report finds the medical device industry vulnerable to attack
Fault Injection is a podcast from Synopsys that digs into software quality and security issues. This week, hosts Robert Vamosi, CISSP and Security Strategist at Synopsys, and Chris Clark, Principal Security Engineer at Synopsys, go into detail about a new report from Synopsys and the Ponemon Institute on medical device security.
On December 28, 2016, the US Food and Drug Administration (FDA) finalized its guidance on the “Postmarket Management of Cybersecurity in Medical Devices.” The release of the guidance was accompanied by an official blog post, which points out that as medical devices become increasingly sophisticated and connected, they become more prone to attack. Successful attacks can result in physical harm or even death to real people.
Philips has named Mike Ahmadi, global director of critical systems security for Synopsys Software Integrity Group, to its Responsible Disclosure Hall of Honors.
Following recent vulnerabilities disclosed in medical devices, a panel of experts discussed current remediation efforts and steps toward developing industry best practices.
Posted in Medical Device Security | Comments Off on The digital doctors are in: Are you covered?
It took a few years to make it happen, but the AAMI TIR57 “Principles for medical device security – Risk management” standard was finally published by AAMI this summer, and the FDA formally recognized it as a foundational standard less than a month after it came out.
A terrorist hacks into the US Vice President’s pacemaker to murder him. It happened on the Showtime series Homeland, but could it happen in real life? Most security experts agree that such a scenario is highly unlikely or even downright impossible. However, that doesn’t mean you should ignore the real security risks that medical devices and systems introduce. They may not be as extreme as Hollywood portrayals, but security vulnerabilities and data breaches in medical devices and systems can put patient safety at risk and expose healthcare companies to data-disclosure and HIPAA regulatory risks.