Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Medical-Device Flaws Will Take Time To Heal

Manufacturers are slow to patch up security issues, despite increasing pressure from patients, researchers and federal agencies

Jay Radcliffe takes medical-device security personally.

As a senior security analyst for security firm InGuardians, Radcliffe is frequently called upon to give advice on how best to secure medical systems. Radcliffe is also a diabetic and a user of a portable insulin pump. He became interested in medical device security when he discovered that his current pump had a significant safety issue: Replacing the batteries resets the pump, causing data on how much insulin a user has administered to be lost.

Click here for more of Dark Reading's Black Hat articles.

At the Black Hat USA security conference last week, the security consultant discussed the vulnerabilities that frequently plague medical devices and systems, despite the U.S. Food and Drug Administration's guidance that manufacturers investigate and fix risks to their devices and systems.

"It caused me to have low blood sugar two times, which is a very dangerous condition," Radcliffe says. "I reported that to the FDA, and the vendor very kindly told me that they have no plans to change it."

Problems with medical devices and systems are garnering more attention. University researchers are investigating how widespread such vulnerabilities are and how manufacturers could better fix them. In June 2013, the FDA issued an alert to medical-device makers that they are now responsible for securing their devices against attacks from malware and malicious actors.

[The Food and Drug Administration warns that patient health could be threatened by the introduction of malware into medical equipment or unauthorized access to configuration settings in medical devices and hospital networks. See Medical Devices Subject To Cyberattack, FDA Warns.]

"The FDA is recommending that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks," the agency stated in the alert.

Medical devices and systems require slightly different approaches to their security. Implantable and wearable medical devices are the most worrisome, because any attack on the device can affect the health of the user. Many modern pacemakers, defibrillators, and insulin pumps allow wireless control to let doctors, medical technicians, and the user to fine tune the device, and that brings risk.

Implantable devices have to have a much more in-depth development process, says John Pescatore, director at the SANS Institute, an information-technology training organization.

"They are like the space shuttle," he says. "You got to pay extra to make sure it's really, really secure and that's why space-shuttle software is really expensive. It's really expensive to update the thing when it is 400,000 miles away, and similarly when it's implanted."

Like SCADA systems, the devices have typically been created to be reliable and do what they are supposed to do, not withstand malicious attackers.

On the other hand, medical machinery is typically connected to a network and has to fend off generic malicious threats, such as the Blaster worm or Conficker. While the focus on large systems, such as MRI machines and x-ray scanners, has typically been to make them reliable, manufacturers have increasingly worked to make them more secure, because the systems are typically connected to hospital networks and encounter any threat on the network.

"Hospitals are now starting to ask, 'How do we do safety so that people cannot change the software in the machine to do something nasty--whether it is malware or a person,'" says Pescatore.

While a medical machine that becomes infected with a virus may not hurt the patient, such machines are huge money-makers for hospitals, so the administrators want to minimize downtime, Pescatore says. For that reason, IT has increasingly begun managing the information technology that controls the systems, requiring more security and better updatability.

In the end, medical manufacturers have to become more sophisticated in their software development. Most companies have not done static analysis, used signed updates, or secured data using a well-vetted encryption software, says Shane Clark, a graduate student in computer science at University of Massachussetts at Amherst and an author of a number of papers on medical-device security.

"Just adopting the Microsoft Secure Development Lifecycle would be a step in the right direction for a lot of these companies," he says.

In a paper to be presented later this month, Clark and his colleagues are investigating the use of power analysis to detect malware in medical machines. Virus infections generally cause machines to perform unexpected tasks, and thus require more power, he says.

Pressure from the U.S. Food and Drug Administration will help put companies on track, but presentations like Radcliffe's talk at Black Hat will likely have a greater impact, because the companies want to do the right thing, Clark says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Why AI Will Create Far More Jobs Than It Replaces
John DiLullo, CEO, Lastline,  5/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Talk about vendor lock in...
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11816
PUBLISHED: 2019-05-20
Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 allows remote authenticated users to escalate privileges to administrator via a specially crafted request.
CVE-2019-10076
PUBLISHED: 2019-05-20
A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.
CVE-2019-10077
PUBLISHED: 2019-05-20
A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.
CVE-2019-10078
PUBLISHED: 2019-05-20
A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.
CVE-2019-12239
PUBLISHED: 2019-05-20
The WP Booking System plugin 1.5.1 for WordPress has no CSRF protection, which allows attackers to reach certain SQL injection issues that require administrative access.