Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Medical-Device Flaws Will Take Time To Heal

Manufacturers are slow to patch up security issues, despite increasing pressure from patients, researchers and federal agencies

Jay Radcliffe takes medical-device security personally.

As a senior security analyst for security firm InGuardians, Radcliffe is frequently called upon to give advice on how best to secure medical systems. Radcliffe is also a diabetic and a user of a portable insulin pump. He became interested in medical device security when he discovered that his current pump had a significant safety issue: Replacing the batteries resets the pump, causing data on how much insulin a user has administered to be lost.

Click here for more of Dark Reading's Black Hat articles.

At the Black Hat USA security conference last week, the security consultant discussed the vulnerabilities that frequently plague medical devices and systems, despite the U.S. Food and Drug Administration's guidance that manufacturers investigate and fix risks to their devices and systems.

"It caused me to have low blood sugar two times, which is a very dangerous condition," Radcliffe says. "I reported that to the FDA, and the vendor very kindly told me that they have no plans to change it."

Problems with medical devices and systems are garnering more attention. University researchers are investigating how widespread such vulnerabilities are and how manufacturers could better fix them. In June 2013, the FDA issued an alert to medical-device makers that they are now responsible for securing their devices against attacks from malware and malicious actors.

[The Food and Drug Administration warns that patient health could be threatened by the introduction of malware into medical equipment or unauthorized access to configuration settings in medical devices and hospital networks. See Medical Devices Subject To Cyberattack, FDA Warns.]

"The FDA is recommending that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks," the agency stated in the alert.

Medical devices and systems require slightly different approaches to their security. Implantable and wearable medical devices are the most worrisome, because any attack on the device can affect the health of the user. Many modern pacemakers, defibrillators, and insulin pumps allow wireless control to let doctors, medical technicians, and the user to fine tune the device, and that brings risk.

Implantable devices have to have a much more in-depth development process, says John Pescatore, director at the SANS Institute, an information-technology training organization.

"They are like the space shuttle," he says. "You got to pay extra to make sure it's really, really secure and that's why space-shuttle software is really expensive. It's really expensive to update the thing when it is 400,000 miles away, and similarly when it's implanted."

Like SCADA systems, the devices have typically been created to be reliable and do what they are supposed to do, not withstand malicious attackers.

On the other hand, medical machinery is typically connected to a network and has to fend off generic malicious threats, such as the Blaster worm or Conficker. While the focus on large systems, such as MRI machines and x-ray scanners, has typically been to make them reliable, manufacturers have increasingly worked to make them more secure, because the systems are typically connected to hospital networks and encounter any threat on the network.

"Hospitals are now starting to ask, 'How do we do safety so that people cannot change the software in the machine to do something nasty--whether it is malware or a person,'" says Pescatore.

While a medical machine that becomes infected with a virus may not hurt the patient, such machines are huge money-makers for hospitals, so the administrators want to minimize downtime, Pescatore says. For that reason, IT has increasingly begun managing the information technology that controls the systems, requiring more security and better updatability.

In the end, medical manufacturers have to become more sophisticated in their software development. Most companies have not done static analysis, used signed updates, or secured data using a well-vetted encryption software, says Shane Clark, a graduate student in computer science at University of Massachussetts at Amherst and an author of a number of papers on medical-device security.

"Just adopting the Microsoft Secure Development Lifecycle would be a step in the right direction for a lot of these companies," he says.

In a paper to be presented later this month, Clark and his colleagues are investigating the use of power analysis to detect malware in medical machines. Virus infections generally cause machines to perform unexpected tasks, and thus require more power, he says.

Pressure from the U.S. Food and Drug Administration will help put companies on track, but presentations like Radcliffe's talk at Black Hat will likely have a greater impact, because the companies want to do the right thing, Clark says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18954
PUBLISHED: 2019-11-14
Pomelo v2.2.5 allows external control of critical state data. A malicious user input can corrupt arbitrary methods and attributes in template/game-server/app/servers/connector/handler/entryHandler.js because certain internal attributes can be overwritten via a conflicting name. Hence, a malicious at...
CVE-2019-3640
PUBLISHED: 2019-11-14
Unprotected Transport of Credentials in ePO extension in McAfee Data Loss Prevention 11.x prior to 11.4.0 allows remote attackers with access to the network to collect login details to the LDAP server via the ePO extension not using a secure connection when testing LDAP connectivity.
CVE-2019-3661
PUBLISHED: 2019-11-14
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to execute database commands via carefully constructed time based payloads.
CVE-2019-3662
PUBLISHED: 2019-11-14
Path Traversal: '/absolute/pathname/here' vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to gain unintended access to files on the system via carefully constructed HTTP requests.
CVE-2019-3663
PUBLISHED: 2019-11-14
Unprotected Storage of Credentials vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows local attacker to gain access to the root password via accessing sensitive files on the system.