It’s Easy to Hack Hospital Equipment (wired.com)
104 points by ghosh on May 2, 2014 | 63 comments



“Many hospitals are unaware of the high risk associated with these devices,”

I assure you that while this is the hospital's official stance, many people within the hospital are well aware of the shoddy software on their medical devices and the risks they pose. There are so many opportunities for disruption of every aspect of the healthcare system (from the equipment itself, that this article addresses, to the electronic medical records systems, to more structural aspects of the healthcare system as a whole), but literally none of the incentives for practitioners and hospital administrators are properly aligned to make it possible. I'd love to work with a company trying to break into these markets if they had a plausible route to entry.


TL;DR: Regulations need to require interoperability and cross-platform compatibility with medical records and images.

As a "Cancer Dad", the electronic medical records and images that are closed and inaccessible between my local hospital, where we got our chemotherapy, and the Children's Hospital, where we did our major surgeries, was mind-blowingly crazy.

I had to drive my bone cancer child 2.5 hours to use their equipment because there was an issue with the image file format. So I had to give my child enough pain killers to knock out a grown adult just so we could get the same pictures we could get 5 miles down the road.


As somebody working in healthcare integration, this may be small consolation, but that's getting better.

The HITECH act[1] (which was part of the stimulus package in 2009) has gone a long way in getting the industry moving. One of the core deadlines we're scrambling to meet at the moment at my hospital is actually data interchange between facilities, including a portal that allows patients to access their records for themselves.

I realize that doesn't help your situation now, but with Medicare penalties looming for not getting that sort of exchange in place, things are starting to happen quickly in an industry that tends to move at a snail's pace.

http://en.wikipedia.org/wiki/HITECH_Act#Electronic_Health_Re...


Out of curiosity, which HL7 CDAs (and which levels) do you support, and how much lift is it to set up import/export for a new provider or institution?

I'm pessimistic that we'll be able to achieve true level 3 interoperability, even though the basic ontologies (e.g., SNOMED, LOINC, etc) are in place. I'd love to hear that you're having a good experience, though.


Honestly, that end of things is kind of out of my element; I'm mostly involved in the message plumbing side of things.

Our actual HIE integration has been contracted out to Relay Health/McKesson. They're promising the world, but we're not far enough along for me to say whether they'll actually deliver at this point.


I agree with you - I'm sure there are people within the healthcare system who are aware of the situation but are probably not in a position to do anything about it. I'd also guess that this is one of those things where nothing will be done until there's a high-profile "incident". Security will probably end up being reactionary at first.


I almost wonder what a completely reimagined vertically integrated health care system would look and cost like.


Can you explain what you mean by "vertically integrated" in this context?


I mean from every check-in to every release/death, all patient data is collected and tracked. All tests automatically end up in the patient file and every device a patient is hooked up to is part of the same "system". Spend time on an EKG? Every heart beat becomes part of this package. Every shot, every weigh-in, every blood pressure test. This should also tie into inventory systems etc.

Got the sniffles? The system shows you get them every year at this time, and that it's atypical of any other tracked infectious outbreak, but correlates to three cyclical natural events including a yearly mold growth that it turns out you're allergic to.

End up incapacitated in the ER? The system automatically notes your allergies and past medical history, allowing the ER folks to give you one pain medicine instead of the other one that will kill you. While you're there, all the respirators, etc. all get logged. Take 5 units of blood from 3 donors? All their histories are tracked and fed into your treatment in case some blood-borne illness they suffer from but passed screening shows up in your case.

Blood test shows an abnormality? You get automatic trendlines showing either a progression of this abnormal result (blood sugar continues to get lower) or a weird spike, this way your doctor isn't just working off of one data point like usual.

Every x-ray, CAT scan etc. all get stored for later reference. The first CAT scan your oncologist takes might not be the first CAT scan she can refer to if you have one in your file?

Right now, at least in the U.S., and with different insurances every year (meaning my doctor might change every year), I have to really go out of my way just to make sure my shot records follow me. Within one provider they do an okay job of tracking my medical history and getting x-rays from the x-ray machine to the wall mounted display in the evaluation room, but the moment I need to go to a hospital I'm pretty much filling out my history again by hand and from memory.

Vertically integrated means dumping your medical history into Watson to see if some emergent patterns point to some underlying chronic illness you aren't even aware of and don't have notable symptoms yet.


I agree. I led a team that added network connectivity to one of our high-value medical instruments and one of the highest hurdles to cross wasn't technical: it was getting the hospitals' IT departments to buy in. They are rightfully paranoid about anything connected to their network. Both for the security of the device itself (it stores thousands of patient test records) and the possibility of it being hostile to the rest of the network.

tl;dr: Buyers may not care, but hospital IT certainly does.


There's a market for disruption with some things, but it's mostly about doing more/better for less money. Security isn't really what most people are interested in paying for in many cases.


In the medical space (at least in the U.S.), there's much less room for disruption relative to other markets. The market is significantly regulated / restricted; the law is structured so that even if the vendor and their potential patients both consent to a given transaction or procedure, the government can still step in and deny it.

In essence, the laws are structured under the (not necessarily wrong) assumption that the consumer is too stupid to identify snake-oil. All an incumbent has to do to block a newcomer to the market is make a hard-to-deny snake-oil accusation.


To be a dash risk-managementy about it:

(Risk of being hacked) x (severity of being hacked) << (Risk of software not delivered) x (severity of not delivered).

(Risk of being hacked): Small.

(Severity of being hacked): Very negative, but localised most likely to a single machine, set of machines, or hospital.

(Risk of Software not Delivered): Pretty high if we go super-security. We are on a budget. There is competition. Who is paying for it?

(Severity of not delivered): Failure to cure at every hospital for every machine.

So, yes, there is a cost, but the benefit of ignoring security, for some sets of numbers on the above, could conceivably exceed it.


Whilst true, I can, with 100% certainty, state that no one in the medical profession, or the procurement people in the hospitals, ever did that calculation.

NICE (the UK's no-you-cant-spend-ten-million-of-taxpayers-money-per-patient-on-a-drug-to-extend-their-life-by-six-weeks agency which gets it in the neck for such things) might be able to take on such a calculation - but I bet you anything even if they did that calculation every machine maker would treble their security departments anyway.

This is only possible because there was no pressure to deploy secure systems. Now there is, and after the first death from a hacked pacemaker, the outcry will be heard from the moon.


>after the first death from a hacked pacemaker, the outcry will be heard from the moon //

Isn't the problem that there will always be a way to kill people, even remotely without touching them (sniper, poison mail, gas bomb, massive microwave in a van that you park next to them, ...). You perhaps don't want to make it easy but it's also not necessarily sensible to waste money on an arms race that you'll never win.

Similarly we don't have enclosed station platforms (in the UK) despite people having been pushed in front of trains in the past.


I had not thought of the rise of microwave terrorism (perhaps with the skin-burning crowd disperser (citation not found) it's already on us).

But my basic tenet is that we / society has an acceptable balance of risk and benefit. Maybe not a rational one, but one that is understood by most people. For cars it's pretty high on the risk tolerance. For medical drugs it's really low. For computer hacking it's low too - cf. Aaron Swartz. I would say that medical devices combine the low risk tolerance of drugs and the low risk tolerance of hacking - making the spectre of hacked implanted devices front page news.

I expect it will be pretty simple to defeat, however - only allow networking of a device over near-field radio (RFID style). That way there is no remote access in a body, and do a similar thing for any robots or monitors - the only way to connect a surgical robot to the Internet is with a doctor's own personal RFID-to-TCP/IP convertor, that he takes away with him or counts back into stores next to the nurses. Massively dropping the risk ratio with a few simple rules.

We can do this - we just need to be sensible about it.

PS: Westminster and Canary Wharf do have enclosed Tube platforms so people cannot jump / be pushed. Because we cannot have bankers or politicians delayed by poverty-stricken depressives ...


The risk is exactly that you can't tell it was hacked. Then the manufacturer might end up being liable.


The difference being that it's tough to kill people at scale and covertly with a rifle or even poison mail. Exploiting a bug in networked pacemakers could give you the means to kill an entire userbase.

For the train comparison, it's the difference between pushing a guy on the rails and derailing a train remotely by accelerating it remotely through a curve and disabling the manual controls.

What's the value to the user of a networked pacemaker? Maybe a lower price? There would be better ways for it to 'speak' to a network to collect data, I should think.


> What's the value to the user of a networked pacemaker? Maybe a lower price?

Fewer surgeries to get to the physical device and change settings. Therefore, longer life expectancy.

This bug might be a feature.


That is just an (excellent) argument for medical devices to have some kind of connectivity to the outside world, but not for having the actual device ever connected to the Internet.

Strict air gaps would be desirable.


Excellent point.


The difference is that snipers et al. require targeted effort. Hacking hospital equipment allows for mass destruction.


They don't need to do the calculation because their intuition already leads them to the right decision. This is just economics. What is the payoff for the evildoer hacking a pacemaker? Oh right, he's a contract killer? Too many movies for you. It's just more profitable to replace the payment processing app with your own payment skimming app at some big store.


Re intuition, there are several statistically observable anomalies in human decision-making.

http://www.investopedia.com/university/behavioral_finance/

(note the article is in several sections)


I believe the point of exercises like this is to show that the risk of being hacked is higher than was previously thought. The easier it is to do, the more likely an attacker will pull it off when they attempt it, and for someone whose goal is to wreak havoc rather than defeat an interestingly difficult system, the more likely an attacker will make the attempt in the first place.

Certainly it could be the case that the benefit exceeds the risk, but if such calculations were made, they may need to be reevaluated.


What are the chances that someone would actually do the hacking? I don't see any monetary reason to do so. Maybe that's one reason why we haven't seen many reports of people hacking medical devices?


It could be done as a murder for hire, or as a terrorist event. It's possible some hackers would do it 'for the lulz', or maybe they just want to test out a hack and accidentally go too far, though these are more unlikely. And there is also extortion: maybe you find everyone that has a vulnerable pacemaker, and demand they pay you or else you stop their heart. Criminals are clever; if they find a way to attack people, they can often exploit it.


I know they can do it, but how many times has it been tried or actually reportedly been done?


Bob is on a medical device. It takes readings (which it hides from him) and provides medication at a rate which is set by someone else.

Every few weeks / months Bob needs to see a doctor who enters a password, retrieves the data, and makes changes to the settings.

Bob feels that the $DISEASE community can help him interpret the data and tweak the settings and Bob could then reduce doctor visits to once every six months.

Ann is an undisclosed drug addict and wishes to hack her morphine pump to supply more than she is currently getting.

Etc


Collateral damage from a poorly designed worm would be one thing I'd worry about. We've seen multiple vector attacks, I could imagine one gaining a foothold within the network and another component of the attack interfering with medical devices.


They also found surgery robots connected to internal networks. Although the robots generally have software firewalls to block connections to them, Erven and his team found that simply running an off-the-shelf vulnerability scanner against the firewall caused it to turn off and fail open.

Wow, just wow.

If someone ever hacks an active surgery robot it's going to be Saw meets Snow Crash, and not in a good way.


And with some hospitals still running Win XP, it's easy to get a foothold on their network!


I'm working in that space, and sampling from the ones I've dealt with, I'd replace "some" with "most".

Some of the ones I deal with are also running those XPs with old IE versions, 6 & 7. This is because they bought, then never upgraded, systems that won't run right with newer browsers.


Although vendors often tell customers they can’t remove hard coded passwords from their devices or take other steps to secure their systems because it would require them to take the systems back to the FDA for approval afterward, Erven points out that the FDA guidelines for medical equipment includes a cybersecurity clause that allows a post-market device to be patched without requiring recertification by the FDA.

These are the same people that have been complaining about how awful it is that the Affordable Care Act imposes a medical device tax. Maybe if they weren't so cavalier about deceiving their customers, regulation and certification wouldn't cost as much as it does.


I think you have to always assume that people can't be trusted to do the right thing when it comes to the lives of others. The FDA has to employ policies which give us a reasonable confidence that a vendor's device/test/whatever is safe and effective.

Disclaimer: I have worked on FDA cleared medical devices my entire career.


I think most of the time you can trust people to do the right thing when it comes to the lives of others, when the right thing is sufficiently clear, when the fact that it involves the lives of others is sufficiently salient, and when there are not enormous incentives to do otherwise.


I'm not sure you took my meaning. Even if what you say is true, a regulating body must view everyone with skepticism. They have to walk into an audit/filing review with a "prove it to me" attitude else risk doing real harm to people.


I don't know that that's wrong. The two views are certainly compatible.


The thing with equipment like this is that security isn't a priority; "who would hack medical equipment?". A lack of high-profile cases where medical equipment was actively hacked is also not giving any incentive to fix these issues.

Worst case, these exploits will suddenly be used to disable or cripple hospitals in case of dirty wars and terrorist campaigns. If the latter is still a problem.


Your comment is a few years out of date. The FDA has recently started caring, and there are high-enough profile cases to be on the industry's radar.

It'll continue to be a mess for years to come, the introduction of new medical hardware and software is slow and I don't know how they plan to handle already deployed items. But not exactly for the reasons you state.


In general, the security on the equipment is because hideously high acquisition costs keep most hobbyists from fooling around with it. And most places with the equipment won't let somebody sit there and fool around with it. It's not quite security through obscurity, but more like security through expense.


I'm pretty sure this has less to do with high acquisition costs and more to do with the fact that you can basically kill someone if you start tinkering with hospital equipment.


Well... I think you should look more often on eBay:

http://www.ebay.com/sch/i.html?_trksid=m570.l3201&_nkw=infus...

=> $49.99 is not _that_ hideously high.


Scary, but this isn't surprising at all. What the hardware does in these cases is more important than the software that runs it. Couple that with devices that sell in relatively small quantities for high cost, and you get undertested, unstressed software.


This is a serious concern. Government and NGOs should come together to ensure proper security of hospital and healthcare systems and software. Also, any kind of data breach can result in national-level threats.


How many of these devices are still running Windows XP?

Weak default passwords on the web interface are just the icing on the cake, the low-hanging fruit. The entire networking stack is likely to be riddled with unpatched vulnerabilities for anyone to exploit.

Relative obscurity and physical security are probably the only things that stand between hospital equipment and certain disaster.


>How many of these devices are still running Windows XP?

A lot. I know we have telemetry systems that are all XP based. Granted, they're on a separate VLAN that doesn't touch the public internet or the rest of our internal network, but there are still physical security concerns there.

>Weak default passwords on the web interface is just the icing on the cake, the low-hanging fruit. The entire networking stack is likely to be riddled with unpatched vulnerabilities for anyone to exploit.

A major problem in healthcare is that vendors tend to use generic credentials for support purposes.


>Relative obscurity and physical security are probably the only things that stand between hospital equipment and certain disaster.

Even then, you can pop on a pair of scrubs and avoid most scrutiny. Keycard systems are there, but those aren't difficult. Sometimes the operating area doesn't have cameras and the area surrounding the 2 million dollar daVinci machines are deserted.


>Even then, you can pop on a pair of scrubs and avoid most scrutiny. Keycard systems are there, but those aren't difficult. Sometimes the operating area doesn't have cameras and the area surrounding the 2 million dollar daVinci machines are deserted.

I can confirm this.

I can also confirm that those daVinci machines are way less impressive looking in person than they are plastered on roadside billboards. :)


This kind of problem is going to be more prominent as the "Internet of Things" starts to take off. I was rather concerned about Nest, our cars, fridges etc. being connected to the Internet and, on some devices, the security is quite low. This article shows an example of it.


This is one of the reasons why, as a rule, biomed devices that directly interact with a patient are never connected to the public internet.


Which works until one of the devices networked with said biomed device uses a wireless link and someone brings in a cell phone.

Airgaps are really hard to do correctly, as they have so many single points of failure.


I've been going to my local Defcon group for almost 2 years, and this isn't the first time this has been discovered. It's insane what could be done with the old tech in hospitals.


There is much lower hanging fruit (scada systems).

http://en.wikipedia.org/wiki/SCADA

I've seen a couple that used unencrypted UDP with bitfields representing the state of solenoids. Imagine what sending a series of all '1' and all '0' packets would do in terms of damage and panic.
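A passive monitor for the kind of unauthenticated UDP solenoid protocol this comment describes, as an added example (not code from the thread). Since such a protocol offers no authentication to enforce, the defensive lever is detection; the 2-byte big-endian bitfield layout, the allowed HMI address and the per-packet toggle limit are assumptions.

```python
"""
Monitor for an assumed SCADA-style UDP control protocol: each packet carries a
2-byte big-endian bitfield, one bit per solenoid (assumption, not a real
product's format). Alerts on commands from unexpected sources and on commands
that toggle an implausible number of outputs at once (all-ones / all-zeros).
"""
import struct

NUM_SOLENOIDS = 16
ALLOWED_SOURCES = {"10.0.5.10"}      # assumed HMI address (constructed)
MAX_TOGGLES_PER_PACKET = 3           # assumed process limit (constructed)


def parse_bitfield(payload: bytes) -> int:
    """Decode the assumed 16-bit big-endian solenoid state word."""
    if len(payload) != 2:
        raise ValueError("unexpected payload length %d" % len(payload))
    return struct.unpack("!H", payload)[0]


def popcount(x: int) -> int:
    """Number of set bits, i.e. how many outputs differ between two states."""
    return bin(x).count("1")


class SolenoidMonitor:
    """Tracks the last commanded state and raises alerts on suspicious packets."""

    def __init__(self):
        self.last_state = None
        self.alerts = []

    def observe(self, src_ip: str, payload: bytes) -> list:
        """Return alerts raised for this packet and update the tracked state."""
        found = []
        state = parse_bitfield(payload)
        if src_ip not in ALLOWED_SOURCES:
            found.append("unauthorized source %s" % src_ip)
        if state in (0, (1 << NUM_SOLENOIDS) - 1):
            found.append("all-%s command" % ("zeros" if state == 0 else "ones"))
        if self.last_state is not None:
            toggled = popcount(state ^ self.last_state)
            if toggled > MAX_TOGGLES_PER_PACKET:
                found.append("%d outputs toggled in one packet" % toggled)
        self.last_state = state
        self.alerts.extend(found)
        return found


# Constructed sample traffic: (source IP, raw UDP payload)
SAMPLE_PACKETS = [
    ("10.0.5.10", b"\x00\x05"),   # normal: solenoids 0 and 2 on
    ("10.0.5.10", b"\x00\x07"),   # normal: one more solenoid on
    ("10.0.9.77", b"\xff\xff"),   # rogue host, everything forced on
    ("10.0.9.77", b"\x00\x00"),   # rogue host, everything forced off
]


def run_sample() -> list:
    """Feed the constructed packets through the monitor; returns all alerts."""
    mon = SolenoidMonitor()
    for src, payload in SAMPLE_PACKETS:
        mon.observe(src, payload)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT:", alert)
```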


Definitely not a surprise. I once had to hack a piece of medical equipment in order to make it print to a printer that was manufactured within the previous decade. The only one that it "officially supported" was from about 15 years before that day. The OS version (patches/updates included) was also that old.


Why does some of this stuff need to be connected to a network? How often does a surgery robot need an OTA update?


I was actually at the conference talk this guy gave about the subject last week and was talking to him about it the night before. If anyone has questions I can attempt to answer them.

Also interesting to think about is whether these devices are getting hacked and people are blaming it on malfunctions.


In a recent hospital visit I noticed that the equipment in the room I was in had bluetooth connectivity enabled. And in fact had all the details you needed to connect to them via bluetooth taped to the sides of the machines. That made me a little worried.


I guess no one listens to unencrypted pager traffic?


Why was the title changed away from the original? This is getting too confusing.

It used to read like the actual title: "It’s Insanely Easy to Hack Hospital Equipment"


Calm down, they just removed an adverb whose only function was to exaggerate.


What's the point of rules if you don't follow them? So what if someone feels "insanely" exaggerates it. It's the journalist's opinion that it is insanely easy. That should be the title. I don't care if an HN moderator feels it is insanely easy or just easy to hack a hospital.

If he has an opinion on the difficulty-to-hack topic, there is a comment section. The OP is not a comment section for mods.


Hear, hear!

