Sign up to save your podcasts
Or
Share Episode 80: Episode 189 - Medical Device Security
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 80: Episode 189 - Medical Device Security
SFS Podcast Episode: 189
Medical Device Security
- Intro
- Hospital devices (infusion pumps, CT, MRI, etc)
- Personal devices (pacemaker, insulin pumps, etc)
- Medical Devices are a broad category
- Discussion of Sentinel Events...
- This has some of the same threat landscape as the IoVCT, but the consequences can be much more serious.
- Lead times for device approval
- Fixed configurations / FDA compliance
- Working life of devices
- “Well just replace them all!” Cost of devices (esp for small/struggling hospitals)
- Sheer number of devices can be overwhelming when looking to upgrade/replace
- Vendors that bring in things for a trial w/o involvement of IT/IS
- Challenges to Fixing The Problem:
- Vuln Disclosure
-
- Muddy Waters / St Jude
-
- Problem there wasn’t disclosure it was the look of the profit motive
- August 25, 2016 > http://www.muddywatersresearch.com/research/stj/mw-is-short-stj/
- SJM sued in early September >> http://www.wsj.com/articles/st-jude-medical-sues-short-seller-over-device-allegations-1473258343
- http://www.marketwatch.com/story/short-seller-muddy-waters-renews-claims-of-st-jude-medical-cyber-vulnerabilities-2016-10-19
- Goes beyond Vulnerability Disclosure and Muddy Waters claims SJM is attacking their First Amendment - Right to Free Speech - rights >> https://www.bloomberg.com/news/articles/2016-10-24/muddy-waters-fights-st-jude-lawsuit-over-pacemaker-reports
- Muddy Waters report from Bishop Fox >> http://www.reuters.com/article/us-st-jude-medical-cyber-muddywaters-idUSKCN12O1O1
- http://www.csmonitor.com/World/Passcode/2016/0210/FDA-presses-medical-device-makers-to-OK-good-faith-hacking
- Bug Bounties
- FDA Task Force - http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm481968.htm
- I Am The Cavalry - https://iamthecavalry.org/oath
- HIMSS Cyber Security Community - http://www.himss.org/get-involved/community/cybersecurity
- Archimedes Center for Medical Device Security - https://secure-medicine.blogspot.com
- NH-ISAC - http://www.nhisac.org/
- MDISS - http://www.mdiss.org
- Other interest groups
- I Am The Cavalry - https://iamthecavalry.org/oath
- Other groups
- How Can it Get Better
- Sometime, somewhere, somehow something bad is going to happen and somebody is going to die.
- There will need to be more market pressure - http://thehill.com/blogs/congress-blog/technology/278712-a-new-narrative-on-cyber-security
- What will regulators do? (eg DLink and the FTC)
- What’s the Future?
- Outro & Credits
View all episodes
SFS Podcast Episode: 189
Medical Device Security
- Intro
- Hospital devices (infusion pumps, CT, MRI, etc)
- Personal devices (pacemaker, insulin pumps, etc)
- Medical Devices are a broad category
- Discussion of Sentinel Events...
- This has some of the same threat landscape as the IoVCT, but the consequences can be much more serious.
- Lead times for device approval
- Fixed configurations / FDA compliance
- Working life of devices
- “Well just replace them all!” Cost of devices (esp for small/struggling hospitals)
- Sheer number of devices can be overwhelming when looking to upgrade/replace
- Vendors that bring in things for a trial w/o involvement of IT/IS
- Challenges to Fixing The Problem:
- Vuln Disclosure
-
- Muddy Waters / St Jude
-
- Problem there wasn’t disclosure it was the look of the profit motive
- August 25, 2016 > http://www.muddywatersresearch.com/research/stj/mw-is-short-stj/
- SJM sued in early September >> http://www.wsj.com/articles/st-jude-medical-sues-short-seller-over-device-allegations-1473258343
- http://www.marketwatch.com/story/short-seller-muddy-waters-renews-claims-of-st-jude-medical-cyber-vulnerabilities-2016-10-19
- Goes beyond Vulnerability Disclosure and Muddy Waters claims SJM is attacking their First Amendment - Right to Free Speech - rights >> https://www.bloomberg.com/news/articles/2016-10-24/muddy-waters-fights-st-jude-lawsuit-over-pacemaker-reports
- Muddy Waters report from Bishop Fox >> http://www.reuters.com/article/us-st-jude-medical-cyber-muddywaters-idUSKCN12O1O1
- http://www.csmonitor.com/World/Passcode/2016/0210/FDA-presses-medical-device-makers-to-OK-good-faith-hacking
- Bug Bounties
- FDA Task Force - http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm481968.htm
- I Am The Cavalry - https://iamthecavalry.org/oath
- HIMSS Cyber Security Community - http://www.himss.org/get-involved/community/cybersecurity
- Archimedes Center for Medical Device Security - https://secure-medicine.blogspot.com
- NH-ISAC - http://www.nhisac.org/
- MDISS - http://www.mdiss.org
- Other interest groups
- I Am The Cavalry - https://iamthecavalry.org/oath
- Other groups
- How Can it Get Better
- Sometime, somewhere, somehow something bad is going to happen and somebody is going to die.
- There will need to be more market pressure - http://thehill.com/blogs/congress-blog/technology/278712-a-new-narrative-on-cyber-security
- What will regulators do? (eg DLink and the FTC)
- What’s the Future?
- Outro & Credits