Episode 189 - Medical Device Security

SFS Podcast Episode: 189

Medical Device Security

  1. Intro

  2. Medical Devices are a broad category

    1. Hospital devices (infusion pumps, CT, MRI, etc)

    2. Personal devices (pacemaker, insulin pumps, etc)

  3. This has some of the same threat landscape as the IoVCT, but the consequences can be much more serious.

    1. Discussion of Sentinel Events...
  4. Challenges to Fixing The Problem:

    1. Lead times for device approval

    2. Fixed configurations / FDA compliance

    3. Working life of devices

    4. "Well just replace them all!" Cost of devices (esp for small/struggling hospitals)

    5. Sheer number of devices can be overwhelming when looking to upgrade/replace

    6. Vendors that bring in things for a trial w/o involvement of IT/IS

  5. How Can it Get Better

    1. Vuln Disclosure

      1. Muddy Waters / St Jude

        1. Problem there wasn’t disclosure it was the look of the profit motive

        2. August 25, 2016 > http://www.muddywatersresearch.com/research/stj/mw-is-short-stj/

        3. SJM sued in early September >> http://www.wsj.com/articles/st-jude-medical-sues-short-seller-over-device-allegations-1473258343

        4. http://www.marketwatch.com/story/short-seller-muddy-waters-renews-claims-of-st-jude-medical-cyber-vulnerabilities-2016-10-19

        5. Goes beyond Vulnerability Disclosure and Muddy Waters claims SJM is attacking their First Amendment - Right to Free Speech - rights >> https://www.bloomberg.com/news/articles/2016-10-24/muddy-waters-fights-st-jude-lawsuit-over-pacemaker-reports

        6. Muddy Waters report from Bishop Fox >> http://www.reuters.com/article/us-st-jude-medical-cyber-muddywaters-idUSKCN12O1O1

      2. Bug Bounties

        1. http://www.csmonitor.com/World/Passcode/2016/0210/FDA-presses-medical-device-makers-to-OK-good-faith-hacking
    2. FDA Task Force - http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm481968.htm

    3. Other groups

      1. I Am The Cavalry - https://iamthecavalry.org/oath

      2. Other interest groups

        1. HIMSS Cyber Security Community - http://www.himss.org/get-involved/community/cybersecurity

        2. Archimedes Center for Medical Device Security - https://secure-medicine.blogspot.com

        3. NH-ISAC - http://www.nhisac.org/

        4. MDISS - http://www.mdiss.org

  6. What’s the Future?

    1. Sometime, somewhere, somehow something bad is going to happen and somebody is going to die.

    2. There will need to be more market pressure - http://thehill.com/blogs/congress-blog/technology/278712-a-new-narrative-on-cyber-security

    3. What will regulators do? (eg DLink and the FTC)

  7. Outro & Credits