One of the briefings at Black Hat this year was a session on how vulnerable medical devices are to cyber attack, given by Jay Radcliffe. Although the actual demonstration of an insulin pump being induced to give an insulin overdose as a result of switching batteries was interesting, the more disturbing takeaway from the briefing was the lack of controls and incentives on medical device manufacturers to ensure that their devices are secured against tampering. Some key points were:
- Although there is a database of medical device problems called MAUDE, it is nearly useless from an information security standpoint, since 90+% of the entries concern user experience issues (one entry discusses whether a device would still function after being dropped into a toilet) rather than potential security vulnerabilities in the devices themselves.
- Hospitals are put in a bind: to maintain the security of their devices, the connected computers will often need to be patched, but the medical device vendors may refuse to support the device if the original configuration is changed (including operating system patches). Medical devices will therefore, by definition, become more vulnerable as time passes. Part of this is due to vendors not taking the time to test every patch that comes out.
- Doctors who are responsible for making decisions on equipment purchases generally don't have the IT background to ask questions about the information security aspects of the equipment, and IT is rarely involved in a purchase decision for a medical device.
- Medical devices are becoming more networked every day, but the security requirements that should accompany any networking of a device are not keeping up. There are patents out for insulin pumps that can connect to wifi and be controlled via a web browser, a scary thought when one considers how many exploits exist, and are being developed daily, to compromise web interfaces.
Another presentation by Barnab
Interestingly, for Department of Defense hospitals, because every device attached to a military network, including medical devices, must comply with the DIACAP (Department of Defense Information Assurance Certification and Accreditation Process), any networked medical device must be evaluated and certified from an information security standpoint before being used. Civilian hospitals may want to adopt a similar process before criminals exploit the weaknesses of medical devices to the harm, or death, of others.