Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Medical-Device Flaws Will Take Time To Heal

Manufacturers are slow to patch up security issues, despite increasing pressure from patients, researchers and federal agencies

Jay Radcliffe takes medical-device security personally.

As a senior security analyst for security firm InGuardians, Radcliffe is frequently called upon to give advice on how best to secure medical systems. Radcliffe is also a diabetic and a user of a portable insulin pump. He became interested in medical device security when he discovered that his current pump had a significant safety issue: Replacing the batteries resets the pump, causing data on how much insulin a user has administered to be lost.

Click here for more of Dark Reading's Black Hat articles.

At the Black Hat USA security conference last week, the security consultant discussed the vulnerabilities that frequently plague medical devices and systems, despite the U.S. Food and Drug Administration's guidance that manufacturers investigate and fix risks to their devices and systems.

"It caused me to have low blood sugar two times, which is a very dangerous condition," Radcliffe says. "I reported that to the FDA, and the vendor very kindly told me that they have no plans to change it."

Problems with medical devices and systems are garnering more attention. University researchers are investigating how widespread such vulnerabilities are and how manufacturers could better fix them. In June 2013, the FDA issued an alert to medical-device makers that they are now responsible for securing their devices against attacks from malware and malicious actors.

[The Food and Drug Administration warns that patient health could be threatened by the introduction of malware into medical equipment or unauthorized access to configuration settings in medical devices and hospital networks. See Medical Devices Subject To Cyberattack, FDA Warns.]

"The FDA is recommending that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks," the agency stated in the alert.

Medical devices and systems require slightly different approaches to their security. Implantable and wearable medical devices are the most worrisome, because any attack on the device can affect the health of the user. Many modern pacemakers, defibrillators, and insulin pumps allow wireless control to let doctors, medical technicians, and the user to fine tune the device, and that brings risk.

Implantable devices have to have a much more in-depth development process, says John Pescatore, director at the SANS Institute, an information-technology training organization.

"They are like the space shuttle," he says. "You got to pay extra to make sure it's really, really secure and that's why space-shuttle software is really expensive. It's really expensive to update the thing when it is 400,000 miles away, and similarly when it's implanted."

Like SCADA systems, the devices have typically been created to be reliable and do what they are supposed to do, not withstand malicious attackers.

On the other hand, medical machinery is typically connected to a network and has to fend off generic malicious threats, such as the Blaster worm or Conficker. While the focus on large systems, such as MRI machines and x-ray scanners, has typically been to make them reliable, manufacturers have increasingly worked to make them more secure, because the systems are typically connected to hospital networks and encounter any threat on the network.

"Hospitals are now starting to ask, 'How do we do safety so that people cannot change the software in the machine to do something nasty--whether it is malware or a person,'" says Pescatore.

While a medical machine that becomes infected with a virus may not hurt the patient, such machines are huge money-makers for hospitals, so the administrators want to minimize downtime, Pescatore says. For that reason, IT has increasingly begun managing the information technology that controls the systems, requiring more security and better updatability.

In the end, medical manufacturers have to become more sophisticated in their software development. Most companies have not done static analysis, used signed updates, or secured data using a well-vetted encryption software, says Shane Clark, a graduate student in computer science at University of Massachussetts at Amherst and an author of a number of papers on medical-device security.

"Just adopting the Microsoft Secure Development Lifecycle would be a step in the right direction for a lot of these companies," he says.

In a paper to be presented later this month, Clark and his colleagues are investigating the use of power analysis to detect malware in medical machines. Virus infections generally cause machines to perform unexpected tasks, and thus require more power, he says.

Pressure from the U.S. Food and Drug Administration will help put companies on track, but presentations like Radcliffe's talk at Black Hat will likely have a greater impact, because the companies want to do the right thing, Clark says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9405
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page.
CVE-2020-9406
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.
CVE-2020-9407
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows attackers to obtain sensitive information by reading the IWEBSERVICE_JSONRPC_COOKIE cookie.
CVE-2020-9398
PUBLISHED: 2020-02-25
ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection.
CVE-2015-5201
PUBLISHED: 2020-02-25
VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H) 7-7.x before 7-7.2-20151119.0 and 6-6.x before 6-6.7-20151117.0 as packaged in Red Hat Enterprise Virtualization before 3.5.6 when VSDM is run with -spice disable-ticketing and a VM is suspended and then restored, allows r...