Episode 189 - Medical Device Security
SFS Podcast Episode: 189
Medical Device Security
- Intro
  - Medical devices are a broad category
    - Hospital devices (infusion pumps, CT, MRI, etc.)
    - Personal devices (pacemakers, insulin pumps, etc.)
  - This has some of the same threat landscape as the IoVCT, but the consequences can be much more serious.
    - Discussion of sentinel events...

- Challenges to Fixing The Problem:
  - Lead times for device approval
  - Fixed configurations / FDA compliance
  - Working life of devices
  - "Well, just replace them all!" Cost of devices (especially for small/struggling hospitals)
  - Sheer number of devices can be overwhelming when looking to upgrade/replace
  - Vendors that bring in things for a trial without involvement of IT/IS

- How Can it Get Better
  - Vulnerability disclosure
    - Muddy Waters / St. Jude
      - The problem there wasn't the disclosure; it was the appearance of a profit motive.
      - August 25, 2016 > http://www.muddywatersresearch.com/research/stj/mw-is-short-stj/
      - SJM sued in early September >> http://www.wsj.com/articles/st-jude-medical-sues-short-seller-over-device-allegations-1473258343
      - Goes beyond vulnerability disclosure: Muddy Waters claims SJM is attacking their First Amendment (Right to Free Speech) rights >> https://www.bloomberg.com/news/articles/2016-10-24/muddy-waters-fights-st-jude-lawsuit-over-pacemaker-reports
      - Muddy Waters report from Bishop Fox >> http://www.reuters.com/article/us-st-jude-medical-cyber-muddywaters-idUSKCN12O1O1
  - Bug bounties
  - FDA Task Force - http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm481968.htm
  - Other groups
    - I Am The Cavalry - https://iamthecavalry.org/oath
  - Other interest groups
    - HIMSS Cyber Security Community - http://www.himss.org/get-involved/community/cybersecurity
    - Archimedes Center for Medical Device Security - https://secure-medicine.blogspot.com
    - NH-ISAC - http://www.nhisac.org/
    - MDISS - http://www.mdiss.org

- What's the Future?
  - Sometime, somewhere, somehow, something bad is going to happen and somebody is going to die.
  - There will need to be more market pressure - http://thehill.com/blogs/congress-blog/technology/278712-a-new-narrative-on-cyber-security
  - What will regulators do? (e.g. D-Link and the FTC)

- Outro & Credits