
DHS Steps In As Regulator for Medical Device Security

timothy posted about a year ago | from the handicapper-general dept.

Government

mask.of.sanity writes "The Department of Homeland Security has taken charge of pushing medical device manufacturers to fix vulnerable medical software and devices after researchers popped yet another piece of hospital hardware. It comes after the agency pushed Philips to move to fix critical vulnerabilities found in its popular medical management platform that is used in a host of services including assisting surgeries and generating patient reports. To date, no agency has taken point on forcing the medical manufacturers to improve the information security profile of their products, with the FDA even dubbing such a risk unrealistic (PDF)."


123 comments

Fucking Nazi SS (-1)

Anonymous Coward | about a year ago | (#42616099)

...is what this DHS is. The govt's grand plan is to control the holy fuck out of every tiny detail of everyone's lives.

Re:Fucking Nazi SS (4, Interesting)

camperdave (969942) | about a year ago | (#42617407)

After initial bids to contact Philips failed, researchers Rios and colleague Terry McCorkle sought assistance from the DHS, the FDA and the country's Industrial Control Systems Cyber Emergency Response Team (ICS CERT).

DHS didn't step in as some grand plan. They were asked to intervene by Cylance, a security research company, when Philips wouldn't respond about the detected security holes.

Two days later, DHS control system director Marty Edwards told the researchers the agency would from then on handle all information security vulnerabilities found in medical devices and software.

In other words, "if you (the security research company) find a vulnerability, DHS is the proper channel to report it".

DHS covering an awful lot these days ... (5, Insightful)

gstoddart (321705) | about a year ago | (#42616109)

It seems the DHS keeps expanding its mandate into ever broader areas.

And, quite frankly, that's a little creepy -- it's becoming this vast umbrella which has control over everything.

Re:DHS covering an awful lot these days ... (2, Interesting)

logjon (1411219) | about a year ago | (#42616125)

Re:DHS covering an awful lot these days ... (3, Informative)

Bam_Thwok (2625953) | about a year ago | (#42616907)

What exactly do you think this means? Did you actually read any of the reports? The DHS joined almost all other federal agencies in making it policy not to fuck over the health or environment of low-income populations as part of their operations. E.g. if the coast guard wants to test the effects of a new chemical dispersant for oil spills, this policy directs them to do it somewhere other than a lower-income fishing village in Louisiana. Or if the nuclear regulatory commission wants to build a site to dispose of spent nuclear fuel, they should do it somewhere other than near the aquifer of an Indian reservation.

Re:DHS covering an awful lot these days ... (0)

logjon (1411219) | about a year ago | (#42618817)

It means that the DHS keeps expanding its mandate into broader areas. And, quite frankly, that's a little creepy -- it's becoming this vast umbrella which has control over everything.

Re:DHS covering an awful lot these days ... (1)

Anonymous Coward | about a year ago | (#42617479)

Has slashdot become so partisan that a guy posting a link gets modded to 0 or worse now? He's absolutely on topic with this, as whether you agree or disagree with the POLICY, DHS should have zero role in it.

Re:DHS covering an awful lot these days ... (5, Insightful)

Anonymous Coward | about a year ago | (#42616175)

It was assigned to the wrong DHS... this should fall under the Department of Health and Human Services (HHS [hhs.gov] ). Someone needs to tell a director that Homeland Security is stealing a project that should be theirs (i.e. taking their power).

Re:DHS covering an awful lot these days ... (4, Insightful)

timeOday (582209) | about a year ago | (#42616883)

What does HHS or FDA know about computer security? Nothing. It is a technical niche. Trying to independently stand up a computer security audit group within every niche of government just because they all use computers is crazy.

As for DHS covering too many things.... DHS isn't really anything in itself. It's just an umbrella created after 9/11 to try and make connections between what were (and still are for the most part) essentially independent organizations that suffer from too much redundancy and tribalism. (Which is not to say the DHS is necessarily doing a good job of solving these problems.)

Re:DHS covering an awful lot these days ... (1)

evil_aaronm (671521) | about a year ago | (#42617079)

As it's inevitable that more and more health-care products will contain electronics of sorts, shouldn't HHS or FDA acquire some expertise in this field? If it were a "one off" situation, yeah, I'd agree with you.

Re:DHS covering an awful lot these days ... (1)

camperdave (969942) | about a year ago | (#42617133)

I thought the NSA was responsible for computer security, not the DHS.

Re:DHS covering an awful lot these days ... (1)

IndustrialComplex (975015) | about a year ago | (#42617449)

Information Assurance. You aren't wrong, but it's a slightly better term.

Computer security is something you do as a subset of working towards information assurance.

Re:DHS covering an awful lot these days ... (1)

timeOday (582209) | about a year ago | (#42618273)

This is where technical considerations and political considerations collide. The NSA has high-end capabilities, but is a spy agency that has always been explicitly prohibited from targeting the US. Just as we created the FBI to police ourselves vs. the CIA to police the world. Here is an article [wired.com] on the subject. Personally I do not think we should turn the NSA loose on ourselves. But admittedly in the case of computer security it can be extremely difficult to even determine whether a threat is foreign or domestic.

Re:DHS covering an awful lot these days ... (0)

Anonymous Coward | about a year ago | (#42617379)

What does HHS or FDA know about computer security? Nothing. It is a technical niche. Trying to independently stand up a computer security audit group within every niche of government just because they all use computers is crazy.

What does DHS know about computer security?

Whether it's DHS, HHS, FDA or nearly any other government agency outside the NSA, their approach to computer security is uniform: "implement the security measures listed in NIST SP 800-88, implement the security measures listed in NIST SP 800-95, implement the security measures listed in NIST SP 800-53, etc." Federal agencies, including DHS, do not home-grow redundant computer security tribal knowledge. They do supply the operations staff who implement the computer security knowledge of a central agency that is internationally recognized for its knowledge of computer security: NIST.

Re:DHS covering an awful lot these days ... (1)

rickb928 (945187) | about a year ago | (#42617391)

Remember the Therac-25 [wikipedia.org] ? No, probably not.

This happened in the late 80s: a radiation therapy device had some unfortunate software problems and caused 6 accidents, some fatal. The FDA investigated then.

NO reason they can't investigate now. Software is software. Grow some expertise.

Re:DHS covering an awful lot these days ... (1)

timeOday (582209) | about a year ago | (#42618301)

I disagree that "software is software." Everything changes in adversarial situations, where you are combatting adaptive, intelligent adversaries. The regulatory regime that is good for safeguarding against flaws in medical devices such as Therac-25 is not appropriate for the day-to-day operations of staying on top of computer security threats.

Re:DHS covering an awful lot these days ... (1)

sycodon (149926) | about a year ago | (#42618805)

Al Qaeda is going to kill us all...one by one, with an X-ray machine...by appointment.

Re:DHS covering an awful lot these days ... (2)

drinkypoo (153816) | about a year ago | (#42617457)

What does HHS or FDA know about computer security? Nothing. It is a technical niche.

What does the DHS know about computer security? Even less.

You don't have to know these things, you hire them in. Now, the issue of whether our government will do that based on merit or more likely not is a good point to raise, but it's a separate problem from not having the experience in-house already.

Re:DHS covering an awful lot these days ... (1)

nbauman (624611) | about a year ago | (#42618749)

What does HHS or FDA know about computer security? Nothing. It is a technical niche.

What does the DHS know about computer security? Even less.

You don't have to know these things, you hire them in. Now, the issue of whether our government will do that based on merit or more likely not is a good point to raise, but it's a separate problem from not having the experience in-house already.

How can you hire, and manage, security experts if you don't know something about security yourself? What's a "security expert"? I know a guy who was a prosecutor for a while, then went looking for jobs as a corporate security consultant. Do you just hire an ex-cop? An ex-FBI agent? An ex-hacker? Do you take it on faith that they know what they're doing?

Years ago, government agencies developed in-house computer expertise, and they did a pretty good job. The VA hospitals developed VISTA, which is a better medical management system than most of the commercial packages. Now the agencies are outsourcing computer development, and the outside contractors haven't done too well. There have been several disasters that ran up costs in the hundreds of millions that never worked, like the FBI's computer system.

They're regulating software already (1)

Beryllium Sphere(tm) (193358) | about a year ago | (#42618553)

Anyone doing that today should understand security. If they can't, then they can get help from NIST and/or NSA, or outsource it and make the device maker pay a specialist for an audit.

Re:DHS covering an awful lot these days ... (2)

nbauman (624611) | about a year ago | (#42618629)

One of the big jobs of the FDA is to screen through millions of accident reports to find the few that are actually relevant to safety.

I've reviewed FDA accident reports. Out of 200 reports on medical lasers, I might find 100 about the hinge on a door to the cabinet being broken, or "malfunctions" of that nature. There might be one report about a serious incident, in which a patient was injured because a cotton swab caught fire or something.

One of the big jobs of the FDA is to screen through those accident reports for a "signal" of a dangerous product. Somebody with an implantable cardiac pacemaker-defibrillator has a heart attack and dies. Was it a failure of the pacemaker-defibrillator? Or would he have died whatever the pacemaker did? It's pretty hard to figure that out. Suppose two patients with the same model pacemaker-defibrillator have heart attacks and die. Is that a failure of the device? When do the reports reach statistical significance? The FDA staff has a lot of expertise in doing that, and they do it about as well as anybody (although the staff sometimes gets overridden by the political managers).

DHS does a notoriously bad job of screening through millions of potential threats and figuring out which are the real threats. They're like a smoke alarm that continually gives false alarms until people ignore it. They're a criminal and military agency, not a scientific agency. The FDA has to balance the risks and costs against the benefits. DHS doesn't care about costs. They've turned our airports into a security circus, installing multi-million-dollar high tech machines without even finding out whether they work. They haven't caught enough terrorists so they go about entrapping them.

In the FDA, you at least have the scientific people fighting the political people, and on some level, there's accountability to a scientific process. In the DHS, it's all politics.

Re:DHS covering an awful lot these days ... (0)

Anonymous Coward | about a year ago | (#42618813)

Information Security is not a "technical niche".
Information Security is actually a business function and not a technical function.
There is a technical component to it and security practitioners use several technical tools as well as work closely with IT, but it is a continuing misperception that Information Security (or "IT Security" as many old school thinkers still call it) belongs somewhere under or within IT.
If they really care, they would take an approach that encompasses security business practices as well as technical controls to address the greater problem rather than just using some security "QA" process to validate some baseline level for health devices.

What do the HHS or FDA know about security? Very little in my opinion.
I should clarify. I imagine that many of the folks working at HHS and FDA know what are good security practices and how things SHOULD be done, but I seriously doubt that they are different from many, if not most, organizations in that the executives don't want to be bothered by, don't care about, or don't understand good security practices.
As for the DHS, have you seen their attempts at practicing physical security lately? Security at airports is a joke at best and an embarrassment at worst.
How could anyone think they would be any better at other areas of security???

Re:DHS covering an awful lot these days ... (1)

rainmayun (842754) | about a year ago | (#42616189)

If I had mod points, I'd mod this up to 10. And I'm saying this as a former contract employee who did work for a DHS agency.

Re:DHS covering an awful lot these days ... (1)

NeutronCowboy (896098) | about a year ago | (#42616229)

Maybe we should rename them.... Umbrella Dept? I know, I know, cheap shot.

Re:DHS covering an awful lot these days ... (4, Interesting)

gstoddart (321705) | about a year ago | (#42616311)

Maybe we should rename them.... Umbrella Dept? I know, I know, cheap shot.

At this point, I'm thinking more like the Ministry of Truth. They're getting more and more involved with everything, and in a very disturbing way -- pretty much Orwellian in fact.

Re:DHS covering an awful lot these days ... (1)

Jetra (2622687) | about a year ago | (#42616373)

Isn't the Ministry of Truth about keeping the wizarding world and the muggles separate? I could be wrong, it's been a while.

I vote we rename them the Bloc from Pendragon: The Quillon Games.

It's about the money (0)

Anonymous Coward | about a year ago | (#42616823)

Most people think way too far into it. The goal of the DHS is not to turn the country into an oppressive police state. That's the rainbow, not the pot of gold. They want you to focus on that rainbow -- splitting hairs over which colors are good, which are bad, and which are ugly -- all the while ignoring the enormous pot of gold at the end.

The people who run the business of government are not power-hungry; they are money-hungry. Power is not the end goal in itself, but merely the stepping stone to riches. Yes, it's a despicable, immoral, and unjust attack on human rights. But they do not attack for the sake of sport. They attack for the sake of riches, and your rights are merely the "collateral damage".

Re:It's about the money (0)

Anonymous Coward | about a year ago | (#42618319)

Talk about splitting hairs, money and power are two sides of the same coin, no pun intended.

And to think, how many here on this www forum identify as socialist? I'm guessing high 80%.

Socialism is the opposite of conservatism and limited government power; but you lot (not you personally AC) by and large all voted for Obama, Reid, Holder and the whole cabal.

And don't give me that crap about the Republicans being no better. Romney would not be out there banning silly things like 10 round magazines. No one is saying Romney would have solved all these problems, fixed the economy and restored individual liberties but it would have been a step towards that goal.

You lot all voted for this power grab, so bend over and grab your ankles sheeple and eat your own dog food.

Re:It's about the money (0)

Anonymous Coward | about a year ago | (#42618459)

Voting is irrelevant IMO. The moral of the story is that a government big enough to give you everything you want is also big enough to take everything you have. But which of those is more likely to be the goal of a person who desires power (a special "right" to employ coercion) over others: to give you everything you want, or to take everything you have? The answer is obvious.

Re:DHS covering an awful lot these days ... (1)

sycodon (149926) | about a year ago | (#42618857)

I don't know... I always thought "Homeland" was too reminiscent of "Fatherland". So their name is already fairly Orwellian sounding.

And from what I've been through at the airport, those stupid blue uniforms are equally Storm Trooper looking.

Re:DHS covering an awful lot these days ... (0)

Anonymous Coward | about a year ago | (#42616295)

It's more than creepy. It's terrifying. Not that your average American knows anything about it as their media feeds are rather 'tepid'...

Re:DHS covering an awful lot these days ... (4, Interesting)

Sarten-X (1102295) | about a year ago | (#42616423)

Personally, I think this is a good thing. Now to just neuter them, and we'll be set.

My current job (IT admin in the financial sector) involves a fair bit of security work. A natural understanding of security is stunningly absent, even in places where security should be one of the highest concerns. Someone building an accounting program won't think about encrypting their data, because they're trained in accounting, not security. Someone programming a radiation therapy machine [wikipedia.org] won't think about hardware interlocks, because they're trained in programming software, not hardware safety.

Network-connected medical devices are becoming prevalent, and I expect they will only get more useful and necessary in time. They present opportunities for doctors, and hospital managers are trained in hospital management, not security.

I like seeing someone bringing a security-conscious mindset to the public. The DHS certainly wouldn't be my first choice, but they're better than not having anybody. Now if only we could get Bruce Schneier as Secretary...

Re:DHS covering an awful lot these days ... (0)

logjon (1411219) | about a year ago | (#42617963)

Someone building an accounting program won't think about encrypting their data, because they're trained in accounting, not security.

Joke's on you; I'm trained in both.

Re:DHS covering an awful lot these days ... (0)

Anonymous Coward | about a year ago | (#42618451)

Network-connected medical devices are becoming prevalent, and I expect they will only get more useful and necessary in time.

There IS your problem. Disconnect the damn things from the network. People are too lazy and too used to convenience with the i-Everything mentality. Some things DO NOT need to be connected!

Re:DHS covering an awful lot these days ... (1)

sycodon (149926) | about a year ago | (#42618873)

Someone building an accounting program won't think about encrypting their data, because they're trained in accounting, not security.

Actually, they would probably reject it out of hand because it's terribly slow and a maintenance nightmare.

Re:DHS covering an awful lot these days ... (1)

bbelt16ag (744938) | about a year ago | (#42616437)

OH! That's who it's trying to be! Umbrella Corp... er wait, weren't they the bad...

Re:DHS covering an awful lot these days ... (1)

ArhcAngel (247594) | about a year ago | (#42616697)

Although crass, our FP AC wasn't so far off base. Also, does Godwin's law apply when the comparison is justifiable? While we're at it, does Betteridge's law of headlines only apply to headlines?

Re:DHS covering an awful lot these days ... (1)

camperdave (969942) | about a year ago | (#42617121)

Pretty scary that a government department that nobody ever heard of pre-9/11 now has such power.

Re:DHS covering an awful lot these days ... (1)

blueg3 (192743) | about a year ago | (#42617229)

...a government department that nobody ever heard of pre-9/11...

You're joking, right?

Re:DHS covering an awful lot these days ... (1)

blueg3 (192743) | about a year ago | (#42617255)

DHS has actually been one of the major government organizations for computer security for quite a while. US-CERT, for example, is a part of DHS.

Re:DHS covering an awful lot these days ... (1)

westlake (615356) | about a year ago | (#42617413)

It seems the DHS keeps expanding its mandate into ever broader areas.
And, quite frankly, that's a little creepy -- it's becoming this vast umbrella which has control over everything.

Well, yeah.

That is sort of the point of the thing.

The reason we have a consolidated Department of Defense (created ca. 1947-1949) is because of the absurd and damaging inter-service rivalries that became very visible in World War II.

The United States Department of Homeland Security (DHS) is a cabinet department of the United States federal government, created in response to the September 11 attacks, and with the primary responsibilities of protecting the United States of America and U.S. territories ... from ... terrorist attacks, man-made accidents, and natural disasters.
DHS is the equivalent to the Interior ministries of other countries. An interior ministry (sometimes ministry of home affairs) is a government ministry typically responsible for policing, national security, and immigration matters.

United States Department of Homeland Security [wikipedia.org] , Interior ministry [wikipedia.org]

Re:DHS covering an awful lot these days ... (1)

Shivetya (243324) | about a year ago | (#42617991)

They were down here for the NFL playoffs with other agencies to bust people for fraudulent NFL gear, I kid you not.

Re:DHS covering an awful lot these days ... (2)

Dragonslicer (991472) | about a year ago | (#42618825)

They were down here for the NFL playoffs with other agencies to bust people for fraudulent NFL gear, I kid you not.

That isn't quite as insane as it sounds. My guess is that most of the unlicensed merchandise is imported, and customs falls under DHS. Of course, you're free to feel that they shouldn't be spending the resources on unlicensed merchandise, but if anyone is going to enforce it, it would be DHS.

Re:DHS covering an awful lot these days ... (1)

davester666 (731373) | about a year ago | (#42618835)

Well, they directly fund terrorism with the profits from fraudulent trademarked/copyrighted products.

Fact!

Re:DHS covering an awful lot these days ... (1)

Seumas (6865) | about a year ago | (#42618541)

Like every government agency, once they're formed, their goal is to become as big and expensive as possible to justify their existence.

Re:DHS covering an awful lot these days ... (1)

sycodon (149926) | about a year ago | (#42618757)

I had an x-ray just the other day and some creepy dude in a Blue uniform tried to feel me up.

Nuance (5, Funny)

Toe, The (545098) | about a year ago | (#42616121)

Technology in hospitals? Good.

Internet-connected technology in hospitals? Why?

Sure, people in hospitals need information, but surely something which is assisting in the physical process of a surgery (etc.) doesn't need to be in the cloud, does it?

The cloud can be cool, but be reasonable. Why not put the operations of the CIA into Salesforce.com while we're at it?

Re:Nuance (2, Interesting)

Anonymous Coward | about a year ago | (#42616257)

But as we have seen, even isolated SCADA devices are getting infected. Isolation is not enough. The devices need to be fixed, and new ones created with security in mind.

Re:Nuance (1)

sinij (911942) | about a year ago | (#42617027)

Isolated SCADA? When? If you refer to the Iranian nuclear program, they weren't properly isolated. They just weren't connected to the internet, so USB was used as a vector.

Re:Nuance (1)

MangoCats (2757129) | about a year ago | (#42616337)

Naked in the cloud is a bad idea, VPN'ed on the common internet infrastructure has real tangible benefits in infrastructure costs.

Re:Nuance (2, Funny)

Anonymous Coward | about a year ago | (#42616715)

Naked in the cloud is a bad idea,

And there are pictures of me to prove it.

Re:Nuance (4, Interesting)

Tha_Big_Guy23 (603419) | about a year ago | (#42616439)

Sure, people in hospitals need information, but surely something which is assisting in the physical process of a surgery (etc.) doesn't need to be in the cloud, does it?

As someone who works for a company that writes medical systems software, I can tell you that at the very least the systems need network connectivity so that the different systems can consolidate data in one place for examination. The problem is that any network connected device is potentially vulnerable to random Joe plugging a laptop into the network and hacking away.

To illustrate why that's bad, I've run into situations in which a client site (read: Hospital) outright prohibited using SSL/TLS on their servers. They deemed their internal network secure and refused to budge on allowing secure communications between the clients and the servers. Authentication information should always be encrypted and some administrators just don't get that.

As a whole, I think the medical technology industry needs someone to force tighter security requirements on software developers and medical sites as a whole. This is a good thing in my opinion. If that appropriate someone is the DHS may require a different discussion, but some government body needs to start pushing information security in the medical industry.
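The "our internal network is secure, so no SSL/TLS" stance in the post above is worth making concrete. The following is an added example written for this discussion, not code from any poster or vendor; the request bytes, host name and credentials are constructed placeholders. It shows that HTTP Basic authentication without TLS is readable by anyone who can observe LAN traffic (base64 is an encoding, not encryption), and what a client should enforce instead: refuse to send credentials over plaintext and verify the server certificate and hostname.

```python
"""Added example (not from the Slashdot thread): why "internal network, no TLS"
still exposes authentication information, and the client-side policy that
prevents it. All sample data below is constructed for illustration."""
import base64
import ssl
from urllib.parse import urlsplit

# Constructed sample: a made-up login request as it would appear on the wire
# when the hospital forbids TLS. Host and credentials are placeholders.
SAMPLE_PLAINTEXT_REQUEST = (
    b"GET /reports/patient/42 HTTP/1.1\r\n"
    b"Host: reports.internal.example-hospital.test\r\n"
    b"Authorization: Basic ZHJfc21pdGg6Q29ycmVjdEhvcnNlIQ==\r\n"
    b"\r\n"
)


def extract_basic_credentials(raw_request: bytes):
    """Return (user, password) if the request carries HTTP Basic auth.

    Basic auth is only base64; without TLS the credentials are effectively
    in the clear to any passive observer on the same network segment.
    """
    for line in raw_request.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2].strip()
            user, _, password = base64.b64decode(token).decode().partition(":")
            return user, password
    return None


def credentials_exposed(raw_request: bytes, transport_is_tls: bool) -> bool:
    """True when the request's credentials would be visible to an observer."""
    return extract_basic_credentials(raw_request) is not None and not transport_is_tls


def check_server_url(url: str) -> str:
    """Client policy: never authenticate over plaintext, whether or not the
    server sits on an "internal" network. Raises ValueError for non-https."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing to send credentials over {parts.scheme or 'unknown'}://")
    return url


def make_client_tls_context() -> ssl.SSLContext:
    """Client TLS settings: certificate verification and hostname checking on,
    TLS 1.2 minimum. create_default_context() already enables verification;
    the explicit assignments document the requirement."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    creds = extract_basic_credentials(SAMPLE_PLAINTEXT_REQUEST)
    print("credentials readable on the wire:", creds)
    print("exposed without TLS:", credentials_exposed(SAMPLE_PLAINTEXT_REQUEST, False))
    print("exposed with TLS:", credentials_exposed(SAMPLE_PLAINTEXT_REQUEST, True))
    for url in ("http://reports.internal.example-hospital.test/login",
                "https://reports.internal.example-hospital.test/login"):
        try:
            print("allowed:", check_server_url(url))
        except ValueError as err:
            print("blocked:", err)
    ctx = make_client_tls_context()
    print("verify_mode:", ctx.verify_mode, "check_hostname:", ctx.check_hostname)
```

The design choice is that the refusal lives in the client library rather than in a deployment checklist: a site administrator who "deems the internal network secure" cannot turn it off by configuration, which is exactly the situation the post describes.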

Re:Nuance (1)

Dcnjoe60 (682885) | about a year ago | (#42616605)

Sure, people in hospitals need information, but surely something which is assisting in the physical process of a surgery (etc.) doesn't need to be in the cloud, does it?

As someone who works for a company that writes medical systems software, I can tell you that at the very least the systems need network connectivity so that the different systems can consolidate data in one place for examination. The problem is that any network connected device is potentially vulnerable to random Joe plugging a laptop into the network and hacking away.

That's interesting. My uncle had a pacemaker in the 70s and I'm pretty sure it didn't have any network capabilities.

To illustrate why that's bad, I've run into situations in which a client site (read: Hospital) outright prohibited using SSL/TLS on their servers. They deemed their internal network secure and refused to budge on allowing secure communications between the clients and the servers. Authentication information should always be encrypted and some administrators just don't get that.

As a whole, I think the medical technology industry needs someone to force tighter security requirements on software developers and medical sites as a whole. This is a good thing in my opinion. If that appropriate someone is the DHS may require a different discussion, but some government body needs to start pushing information security in the medical industry.

Re:Nuance (1)

camperdave (969942) | about a year ago | (#42617451)

To illustrate why that's bad, I've run into situations in which a client site (read: Hospital) outright prohibited using SSL/TLS on their servers. They deemed their internal network secure and refused to budge on allowing secure communications between the clients and the servers. Authentication information should always be encrypted and some administrators just don't get that.

I hope you walked away from that client, or ignored their prohibition.

Re:Nuance (1)

evil_aaronm (671521) | about a year ago | (#42617715)

Similarly to Tha_Big_Guy23, elsewhere in this thread, I worked (past tense) for a health care company - Siemens - on a blood analysis unit that had Internet connectivity for support reasons. These units run 24/7 and any downtime is huge. In many cases, the volume of diagnostic information would take too long to send over a dial-up connection, if it was even available. Software updates were supposed to be "push capable." Also, the software provided VNC - desktop sharing - so one operator could keep track of multiple units from a single control console. VNC was supposed to be available back in the global support office, but I'm not sure if they got that working or thought better of it.

Having said that, I often warned that these machines should not be blithely connected to the Internet without some pressing underlying reason, because I knew how vulnerable they were. Security on any level - OS, database, application - was practically non-existent. Worse, very few cared, and certainly no one in management. For support, and only for some customers, it was pre-arranged that the customer would connect the network cable to the appropriate RJ-45 port - these devices had more than one - and that after we got the information we needed, they'd disconnect it.

riiight (0)

Anonymous Coward | about a year ago | (#42616135)

'Cause the DHS does such a fantastic job with all its other responsibilities, so why not give 'em some more to do?

manufacturers need to let os updates and AV softwa (1)

Joe_Dragon (2206452) | about a year ago | (#42616191)

Manufacturers need to let OS updates and AV software be installed on their systems if they want / need to be on the hospital network. Also, why do they need to phone home as well?

Re:manufacturers need to let os updates and AV sof (0)

Anonymous Coward | about a year ago | (#42616297)

I don't think they need to be on the hospital network in the first place; there should be a way for them to update these machines from disk or USB thumb drive. Also, if they do need to be on the network for updates or access to cloud information, they should not have access to the web when not needed.

Re:manufacturers need to let os updates and AV sof (5, Insightful)

mcmonkey (96054) | about a year ago | (#42616379)

Manufacturers need to let OS updates and AV software be installed on their systems if they want / need to be on the hospital network.

Because running untested software is a bad idea. Health care systems and medical device software should get the benefits of updates and patches, but only after those updates have been tested for those specific systems and software. Whatever the vendor does prior to release is insufficient.

When entire hospital processes come to a halt because the latest AV update mistakenly identifies a core OS file as a trojan, you'll come back and say, why are manufacturers letting updates be installed on their systems?

As with many things, the best path is in the middle. Critical systems should be updated as preventative maintenance, but administrators cannot rely on vendor testing alone.

Re:manufacturers need to let os updates and AV sof (0)

Dcnjoe60 (682885) | about a year ago | (#42616583)

Manufacturers need to let OS updates and AV software be installed on their systems if they want / need to be on the hospital network.

Because running untested software is a bad idea. Health care systems and medical device software should get the benefits of updates and patches, but only after those updates have been tested for those specific systems and software. Whatever the vendor does prior to release is insufficient.

When entire hospital processes come to a halt because the latest AV update mistakenly identifies a core OS file as a trojan, you'll come back and say, why are manufacturers letting updates be installed on their systems?

As with many things, the best path is in the middle. Critical systems should be updated as preventative maintenance, but administrators cannot rely on vendor testing alone.

Why update the software? Pacemakers and insulin pumps were available long before you could wirelessly update them. If it is such a threat, then don't enable wireless updates. Plain and simple. My God, how did we exist before computers did everything for us!?

Re:manufacturers need to let os updates and AV sof (2)

mcmonkey (96054) | about a year ago | (#42617433)

Why update the software? Pacemakers and insulin pumps were available long before you could wirelessly update them. If it is such a threat, then don't enable wireless updates. Plain and simple. My God, how did we exist before computers did everything for us!?

This discussion isn't about having computers do anything for us. It's about how we use computers as tools to do things. How did we have conversations before computers? Well, we did, and yet here you are using a network of computers to have a conversation.

As for the ability to update the software in a medical device, it's about trade-offs and compromises. ObCarAnalogy: computers in cars have made maintenance more complicated, so why not take the computers out of cars? Sure, if you also want to remove the improvements in fuel efficiency, traction control, ABS, GPS, mp3-player interfaces, and all the other things those computers are doing.

Ability to wirelessly communicate with an implanted medical device is a risk? Well, so is having to perform surgery to update that device's configuration or to retrieve data. Maybe the risk (a product of the potential effects of a negative event and the likelihood of that event) of wireless communications is greater than the risk of the extra surgery. Maybe not.

My point is, it's not as simple as "all medical information systems should have updates as soon as they are available from the vendor" or "no implanted devices should have wireless communications."

I could be misinterpreting your message because I can read your words, but not the tone of your voice or body language. So rather than posting a message on /. why don't you come over to my office and tell me face to face? Plain and simple, right?

Re:manufacturers need to let os updates and AV sof (1)

Dcnjoe60 (682885) | about a year ago | (#42617719)

You misunderstand my post. I am not saying that we shouldn't have these devices, but if the risk from the software, or somebody hacking the software is so great that homeland security has to take it over, then maybe the very benefits and tradeoffs you mention should be looked at again.

As for the car analogy, computers CAN make cars more fuel efficient, but in reality, they have a smaller impact on fuel efficiency than people think and are really used to keep pollution down and to keep from making the tough decisions that would truly improve fuel efficiency like smaller, lighter vehicles. A 1980 Honda Civic got better mileage than most "fuel efficient" vehicles today and it was computer controlled.

But in reality, the car analogy fails, because it is not the computer that is the problem but the need to be able to update the software remotely and securely. Is this a problem that really requires Homeland Security to solve or even be involved with? If so, then somebody has to ask the question as to whether the ability to do these updates outweighs the benefits. That's all.

It seems to me that the market can easily fix this problem. Company A says "Buy my pacemaker, it is lower cost." Company B says "Buy mine, because, it might cost a little more, but then again, you don't have to worry about a stranger with an iPhone turning it off." Which company's pacemaker would you buy? The market is very good at deciding these things, if the market is told the truth.

So, yes, your pacemaker may be vulnerable to somebody hacking it and turning it off and you will die. Then again, without it, you would already be dead. The question is what is the likelihood of your individual pacemaker being hacked and turned off?

Again, the problem is not computers in and of themselves. It is what we want to do with them and the trade-offs that must be made to accomplish that. Again, using the pacemaker as an example, it could be as simple as requiring some sort of password. Then again, if only the hospital that installed it knows the password, then what about the paramedics called to your house? What if they need to adjust it on the spot? Most likely, there will be a back door, for the rare situation where that might occur or the hospital simply loses the code. And, like any backdoor, it can be exploited.

I guess what I am saying is that before turning all of this over to Homeland Security, I'd like to know how many pacemakers and insulin pumps have been hacked versus how many are out there? Is this a true threat or just a bad movie plot from the SyFy Channel that has taken hold in DHS? Or for the paranoid, does DHS want this so they can put their own back door in and turn off the pacemakers of those who are unfriendly to the US?

Again, if it is such a big risk, then go back to when pacemakers and insulin pumps couldn't communicate with the outside world. They might not be as convenient, but if there is such a risk, maybe that is the price to be paid.

As for coming over to your office to meet face to face, well, you'd have to give me the address first. (and please don't).

Re:manufacturers need to let os updates and AV sof (1)

nbauman (624611) | about a year ago | (#42618871)

before turning all of this over to Homeland Security, I'd like to know how many pacemakers and insulin pumps have been hacked versus how many are out there? Is this a true threat or just a bad movie plot from the SyFy Channel that has taken hold in DHS?

That's one of the questions that the FDA answers a lot better than the DHS. The FDA has procedures to decide whether something is really a problem, so they can prioritize their efforts on the real threats. You could search the FDA's public device adverse events reporting database to see if any hacked pacemakers or insulin pumps have been reported.

Re:manufacturers need to let os updates and AV sof (1)

camperdave (969942) | about a year ago | (#42617475)

My God, how did we exist before computers did everything for us!?

Stone knives and bear skins, my friend, stone knives and bear skins.

Re:manufacturers need to let os updates and AV sof (1)

evil_aaronm (671521) | about a year ago | (#42617797)

Medical software runs a wide gamut, and pacemakers are at the very bottom end of the scale. Check this out:

http://www.medical.siemens.com/webapp/wcs/stores/servlet/ProductDisplay~q_catalogId~e_-101~a_catTree~e_100001,1023065,1015817~a_langId~e_-101~a_productId~e_172960~a_storeId~e_10001.htm [siemens.com]

This thing has:
  • three operating systems: two running Solaris, one running Win 2000
  • two different databases: Oracle on Solaris; not sure what it runs on Win 2000
  • dozens of mechanical controllers, sensors, pumps and actuators
  • etc

You can bet that on a product of this complexity, there will be updates.

Re:manufacturers need to let os updates and AV sof (1)

drinkypoo (153816) | about a year ago | (#42617471)

As with many things, the best path is in the middle. Critical systems should be updated as preventative maintenance, but administrators cannot rely on vendor testing alone.

Critical systems should also not be connected to the internet.

Re:manufacturers need to let os updates and AV sof (1)

cellocgw (617879) | about a year ago | (#42618145)

As with many things, the best path is in the middle. Critical systems should be updated as preventative maintenance, but administrators cannot rely on vendor testing alone.

Critical systems should also not be connected to the internet.

Or, to be more precise, should not be connected to the internet with unlimited IP address access in either direction. You can obtain (or at least you can if you're dealing with an important-enough Fed agency) nice little boxes that not only encrypt the crap out of your traffic but are set up only to send to specified addresses and only to receive from specified addresses. Aside from deliberate sabotage, this is a safe way to connect to a manufacturer's update-providing hub.
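The allowlisted, encrypted link the comment describes, written out as an added nftables ruleset (a constructed example, not from the thread or any vendor; every address is a placeholder): traffic may leave only toward the named update hub over TLS, may arrive only from the hospital management network, and everything else is logged and dropped so the drops show up in monitoring.

```nft
#!/usr/sbin/nft -f
# Constructed example for a networked medical device (or the gateway in
# front of it). All addresses are placeholders, not real vendor hosts.
define UPDATE_HUB = 203.0.113.10     # vendor update hub (placeholder)
define MGMT_NET   = 10.20.0.0/16     # hospital management network (placeholder)

table inet device_guard {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # only the management network may open connections to the device
        ip saddr $MGMT_NET tcp dport 22 ct state new accept
        # anything else is recorded, then hits the default drop policy
        log prefix "device-guard drop in: " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # updates only to the named hub, only over an encrypted channel
        ip daddr $UPDATE_HUB tcp dport 443 ct state new accept
        # no other outbound traffic: no "phoning home" elsewhere
        log prefix "device-guard drop out: " drop
    }
}
```

The allowlist restricts who the device can talk to, not what it receives; the update payload itself still has to be signed and verified, because a compromised hub (the commenter's "deliberate sabotage") passes straight through these rules.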

Re:manufacturers need to let os updates and AV sof (1)

sinij (911942) | about a year ago | (#42616919)

AV and OS vulnerabilities are not the top security concern. Something like letting an unauthenticated user copy the entire patient database that for some reason was stored on the device is a much bigger threat.

Protecting all terminals is not a very effective strategy for preventing large data breaches. While undeniably a required step, it isn't the first thing you do, and it isn't the most important thing you do.

For example: not storing session data locally would be the first step in securing this mess. Preventing access to any kind of stored data without authentication would be the second step.

Mandatory Slashdot Open Source Post (1)

Ukab the Great (87152) | about a year ago | (#42616223)

Or they could take the money assigned to DHS for medical device security and instead design a universal open-source electronic medical records system where security is maintained by constant peer review and no one company has a monopoly on the EMR system.

I know, I know. You can stop laughing now.

Re:Mandatory Slashdot Open Source Post (2)

ColdWetDog (752185) | about a year ago | (#42616527)

First of all, no one does have a monopoly on EHR systems. There are a couple of large players and a host of smaller ones. I would maintain that you Do. Not. Want. a monoculture here - or anywhere. Security is not 'maintained' by constant 'peer review' (that word doesn't mean what you think it means). Security is a process and open source software is only a small (and not necessary) aspect of that.

There is an open source, Enterprise grade EHR system - VistA from the VA (Veterans Affairs) Department. It basically sucks which is why no one else is using it.

You do want data to be transmitted between systems and there are standards and processes that help with that. Given the complexity of medicine, it's not terribly surprising that the standards don't work quite as well as you would like.

So the magic open source pony isn't going to save the day here.

Re:Mandatory Slashdot Open Source Post (2)

sinij (911942) | about a year ago | (#42616977)

OS is a no-go here mostly due to liability concerns and approval process. Medical Devices cost so much not because they are complicated technology (some of them are) but because when they explode, maim someone and give your uncle cancer there is a manufacturer and insurance to go after. You can design OS that is 100 times better than industry standard and it still won't be used because of the above.

Re:Mandatory Slashdot Open Source Post (0)

Anonymous Coward | about a year ago | (#42619003)

And then we'll just have endless bitching wars of what code syntax to use, which distro to run, where to store config files (and in what format), the endless discussion on how to name the udev conf file formats (if those are used), 5-year debate on whether to use alsa or oss for the audio beeps only to have pulse come later and fuck up everything that already worked, and constant forking because someone throws a fit over how to format some comment header and creates their own standard instead.

Yeah, I'll pass.

Bush's creeping imperial Presidency is scary (0)

Anonymous Coward | about a year ago | (#42616241)

I can't wait to get rid of him.

Re:Bush's creeping imperial Presidency is scary (0)

Anonymous Coward | about a year ago | (#42616497)

He's here to stay, baby.

Re:Bush's creeping imperial Presidency is scary (0)

Anonymous Coward | about a year ago | (#42617293)

"Miss me yet? Bwaahahahaha!"

~GWB

Der Homeland Sekurity (2)

Patent Lover (779809) | about a year ago | (#42616251)

When an entire agency is tasked with finding bogeymen under beds they have to get creative to justify their funding.

Offensive use of networked medical equipment (2, Interesting)

Anonymous Coward | about a year ago | (#42616261)

Does this mean that DHS has access to source code and 0-day vulnerabilities for network attached medical equipment? Could this knowledge be used offensively, in a situation where say Kim Jong Un is in hospital for a heart operation, and DHS remotely pulls the plug on the life support machine?

Can this power be later extended to medical devices implanted in people, like defibrillators, insulin pumps, etc.?

Sorry to sound like Richard Stallman here for a second, but I would be very apprehensive having a device implanted in my body that runs proprietary software, whose code development is overseen by a division of a shady foreign military agency.

Here is someone who got stonewalled when asked for the source code for the device she was to be implanted with...
http://www.youtube.com/watch?v=5XDTQLa3NjE

Thanks, Homeland (1)

omems (1869410) | about a year ago | (#42616269)

Thanks go to Homeland for giving them this brilliant idea

Re:Thanks, Homeland (1)

cellocgw (617879) | about a year ago | (#42618205)

Thanks go to Homeland for giving them this brilliant idea

Thanks go to omems for not posting the "Spoiler Alert" tag here, you insensitive clod!

X-Ray scanners (1)

mog007 (677810) | about a year ago | (#42616271)

I'll bet this is just the DHS' attempt at getting a record with medical equipment, so they can rubber stamp the x-ray machines the TSA uses, to keep the FDA out of the loop.

Re:X-Ray scanners (4, Funny)

PolygamousRanchKid (1290638) | about a year ago | (#42616755)

getting a record with medical equipment

Well, the DHS already has experience with medical examinations. They play with my balls before I can fly on a plane.

Funny, though. They never ask me to cough. And I never know why flying with a hernia is such a big deal.

Backdoor (0)

Anonymous Coward | about a year ago | (#42616353)

They will of course also want a backdoor installed in any security in case they want to turn off someone's pacemaker or insulin pump.

Is this a joke? (2)

mcmonkey (96054) | about a year ago | (#42616407)

Is this from the Australian equivalent of the Onion?

We've dropped exploits before on medical systems like Honeywell and Artridum...

Dropped? Is this serious security research or the latest mix tape?

Re:Is this a joke? (0)

Anonymous Coward | about a year ago | (#42617313)

It's SC Magazine, so... kind of? They're a "computer security" magazine.

Nothing wrong with that. (1)

Dcnjoe60 (682885) | about a year ago | (#42616541)

Yeah, there is nothing wrong with that. DHS, the government agency that believes it is alright to do anything in the name of protecting the population, now has control over the pacemakers and insulin pumps of anybody they suspect might threaten the nation or their own power structure. Nothing will go wrong with that.

Source? I couldn't find anything about it on DHS (1)

sinij (911942) | about a year ago | (#42616811)

Source? I couldn't find anything about it on DHS website.

All DHS hate aside, this is a much needed change. We have FIPS and it made our crypto much stronger. We have other standards and procurement requirements (CC, PCI, etc.) that made inroads on making sure vendors at least consider security. It is about time the same applied to medical devices.

Why DHS? NIAP or NIST would be a more appropriate agency to handle this.

Fits in well (-1)

Anonymous Coward | about a year ago | (#42616965)

With Obama's order yesterday attempting to circumvent the Law and give government access to everyone's medical records so that Eric Holder can determine who is a "dangerous person" for the purpose of denying them their gun rights.

DHS will of course "need access to everyone's medical records" to ensure they have not been improperly accessed - and the information sharing XO from yesterday will of course allow DHS to share those records with Eric Holder, who was given absolute authority to determine who was "dangerous."

The puzzle is really coming together now...

This looks like a job for...! (2)

Translation Error (1176675) | about a year ago | (#42617199)

To date, no agency has taken point on forcing the medical manufacturers to improve the information security profile of their products, with the FDA even dubbing such a risk unrealistic (PDF).

Looks like this is right up the DHS's alley.

It's about f%&*ng time someone takes cares of (0)

Anonymous Coward | about a year ago | (#42617489)

We are still forced to run a system on Windows NT 4.0 here because of lazy medical systems suppliers, even though we are paying through the roof for those half baked systems. It's about time someone gets the whip out!

Figures... (0)

Anonymous Coward | about a year ago | (#42617541)

They just want their hands into everyone's pants, don't they?!

So? (1)

cdrguru (88047) | about a year ago | (#42618473)

The first issue that should be addressed is does anyone believe that 100% total bulletproof security is even possible today? Come on, do you think it is possible to have large, interlocking systems of computers communicating over a network with 100% security?

I think anyone reasonable will say "Heck no you can't!" There might be a few dreamers that think it is possible, but the amount of effort that would be required is beyond any reasonable standard. So sure, it might be possible to force all medical device manufacturers to use a single operating system designed from the ground up for security - but no such OS exists today, not even OpenBSD, and that puts a little crimp in such plans.

So what do we do? Well, there is the idea that access, all access, needs to be logged. Multiple ways with retention of the logs for nearly forever. Also, multiple verifications that you are who you say you are when logging in. Not just biometrics, but things like having to periodically log in with someone watching who then confirms that you are who you say you are. This would be a start, but just a start, for what would be required.

To go along with this there needs to be the kind of draconian penalties dreamed up in the 15th Century for hacking medical systems. You know, hacker gets caught, hacker gets executed by a crowd of nurses on the evening news. No appeals, no commutation of sentence, just swift death by horrible means. An example for the next person that even thinks of doing something similar. And sure, maybe a few good mistakes to ensure nobody wants to even get near to someone that might do something like that.

There is another solution. Something that Dune mentions in passing and the pseudo-Dune-sequel books describe in more detail. It's called removing computer systems from critical paths because you can't trust them. Face it, today we can rely on the fact that there are people out there with malicious intent to do harm by computer. Whether they get money from it or not doesn't really matter - they are out to make sure that people cannot trust their own computer. Open source doesn't fix the problem - unless everyone is a programmer. Anti-virus "solutions" don't fix anything, they just escalate the battle and cost users money. Even locked-down systems like iOS aren't 100% secure and it is assured that once there is a critical mass of important stuff secured by iOS there will be a really strong incentive to find holes and destroy people's trust.

So, if the choice is between having a machine regulate medications or a human doctor doing it, which is more trustworthy today? Twenty years ago the answer was "machine" but anyone that believes that today is an idiot or completely unfamiliar with current events.

So it begins (1)

ThatsNotPudding (1045640) | about a year ago | (#42618517)

The slow, Hooverite acquisition of power. Once they have enough dirt on current legislators and CEOs gleaned from their vile activities, they will be unstoppable.