A terrorist hacks into the US Vice President’s pacemaker to murder him. It happened on the Showtime series Homeland, but could it happen in real life? Most security experts agree that such a scenario is highly unlikely or even downright impossible. However, that doesn’t mean you should ignore the real security risks that medical devices and systems introduce. They may not be as extreme as Hollywood portrayals, but security vulnerabilities and data breaches in medical devices and systems can put patient safety at risk and expose healthcare companies to data-disclosure and HIPAA regulatory risks.
On Thursday researchers Mike Ahmadi of Synopsys and Billy Rios of WhiteScope disclosed 460 vulnerabilities in Philips Xper Connect, an optional bidirectional hospital information system (HIS) interface. Of these, 272 are present in five software packages in the Xper IM Connect system software, they said, and the remaining 188 are associated with the Windows XP operating system, which is no longer supported by Microsoft.
The U.S. Department of Veterans Affairs (VA) and UL (Underwriters Laboratories) have signed a Cooperative Research and Development Agreement (CRADA) covering cybersecurity standards and certification approaches for medical devices.
Ransomware is malicious software that encrypts data until a ransom is paid. Recently there has been a spate of attacks against healthcare organizations. On Monday, Washington-based MedStar Health had to shut down operations because of ransomware.
Back in my Codenomicon days security researcher Billy Rios and I began looking at software running on medical devices using our AppCheck product (now known as Black Duck Binary Analysis). We were hoping to find a few software vulnerabilities to determine how effective our product was at finding such bugs. Once we began investigating we were quite taken aback by how many vulnerabilities were present on the medical devices. We typically saw bugs numbering in the two-digit range on the low side, and into the thousands on the high side. Wow!
Posted in Medical Device Security: Synopsys finds 1,418 medical device vulnerabilities in 1 product
Hoping to clear up questions about manufacturer responsibility for issuing software updates for medical devices, and about whether such updates change a device's compliance status, the Food & Drug Administration (FDA) last Friday released a new draft document that also calls for greater collaboration among medical device manufacturers on cybersecurity in general. The document covers both pre-market and post-market considerations for mitigating patient risk while manufacturers improve the security posture of their products.
From a security viewpoint, medical devices differ from conventional web applications, mobile applications, and other types of embedded applications which security researchers commonly encounter.
I recently attended the MobCon Digital Health conference in downtown Minneapolis, which highlighted the healthcare hot topic: mobile digital health. The sessions I attended ranged from FDA representative Bakul Patel’s on FDA’s classification of mobile apps to PhysIQ and the Mayo Clinic’s combined talk about remote care platform opportunities and challenges.
Making connected healthcare devices safer requires building security into medical devices during development, not bolting it on later or relying on patches.
Groups are stepping up to meet the medical device security challenge head on. Find out what developments are being made to improve medical device security.