Medical-Device Flaws Will Take Time To Heal

Manufacturers are slow to patch up security issues, despite increasing pressure from patients, researchers and federal agencies

Jay Radcliffe takes medical-device security personally.

As a senior security analyst for security firm InGuardians, Radcliffe is frequently called upon to give advice on how best to secure medical systems. Radcliffe is also a diabetic and a user of a portable insulin pump. He became interested in medical device security when he discovered that his current pump had a significant safety issue: Replacing the batteries resets the pump, causing data on how much insulin a user has administered to be lost.

At the Black Hat USA security conference last week, the security consultant discussed the vulnerabilities that frequently plague medical devices and systems, despite the U.S. Food and Drug Administration's guidance that manufacturers investigate and fix risks to their devices and systems.

"It caused me to have low blood sugar two times, which is a very dangerous condition," Radcliffe says. "I reported that to the FDA, and the vendor very kindly told me that they have no plans to change it."

Problems with medical devices and systems are garnering more attention. University researchers are investigating how widespread such vulnerabilities are and how manufacturers could better fix them. In June 2013, the FDA issued an alert to medical-device makers that they are now responsible for securing their devices against attacks from malware and malicious actors.

[The Food and Drug Administration warns that patient health could be threatened by the introduction of malware into medical equipment or unauthorized access to configuration settings in medical devices and hospital networks. See Medical Devices Subject To Cyberattack, FDA Warns.]

"The FDA is recommending that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks," the agency stated in the alert.

Medical devices and systems require slightly different approaches to their security. Implantable and wearable medical devices are the most worrisome, because any attack on the device can affect the health of the user. Many modern pacemakers, defibrillators, and insulin pumps allow wireless control so that doctors, medical technicians, and the user can fine-tune the device, and that brings risk.

Implantable devices have to have a much more in-depth development process, says John Pescatore, director at the SANS Institute, an information-technology training organization.

"They are like the space shuttle," he says. "You got to pay extra to make sure it's really, really secure and that's why space-shuttle software is really expensive. It's really expensive to update the thing when it is 400,000 miles away, and similarly when it's implanted."

Like SCADA systems, the devices have typically been created to be reliable and do what they are supposed to do, not to withstand malicious attackers.

On the other hand, medical machinery is typically connected to a network and has to fend off generic malicious threats, such as the Blaster worm or Conficker. While the focus on large systems, such as MRI machines and x-ray scanners, has typically been to make them reliable, manufacturers have increasingly worked to make them more secure, because the systems are typically connected to hospital networks and encounter any threat on the network.

"Hospitals are now starting to ask, 'How do we do safety so that people cannot change the software in the machine to do something nasty--whether it is malware or a person,'" says Pescatore.

While a medical machine that becomes infected with a virus may not hurt the patient, such machines are huge money-makers for hospitals, so the administrators want to minimize downtime, Pescatore says. For that reason, IT has increasingly begun managing the information technology that controls the systems, requiring more security and better updatability.

In the end, medical manufacturers have to become more sophisticated in their software development. Most companies have not done static analysis, used signed updates, or secured data using well-vetted encryption software, says Shane Clark, a graduate student in computer science at the University of Massachusetts at Amherst and an author of a number of papers on medical-device security.

"Just adopting the Microsoft Secure Development Lifecycle would be a step in the right direction for a lot of these companies," he says.

In a paper to be presented later this month, Clark and his colleagues are investigating the use of power analysis to detect malware in medical machines. Virus infections generally cause machines to perform unexpected tasks, and thus require more power, he says.

Pressure from the U.S. Food and Drug Administration will help put companies on track, but presentations like Radcliffe's talk at Black Hat will likely have a greater impact, because the companies want to do the right thing, Clark says.
