Jay Radcliffe, a security researcher who has focused a bulk of his attention to medical device security, led a roundtable discussion on the real state of medical device security at the Black Hat conference on Thursday.
It would be far easier, and more likely, for an attacker to sneak up and hit him fatally over the head with a baseball bat than to kill him with a medical device, Radcliffe noted. Medical devices do more good than harm for the time being, he said.
Understanding medical device security is difficult because the term “medical device” no longer means anything. It could mean insulin pumps and pacemakers and other devices that patients use to manage their health. It could also refer to MRI machines and echo-cardiograms and computers in the hospital running Windows XP. Mobile apps and health-related consumer-focused applications could also be considered under this broad umbrella.
The term medical device is as useful as the term cyber, Radcliffe said.
Another issue has to do with responsibility. A 2009 FDA guidance specified that both device manufactures and hospitals share the responsibility of keeping the devices updated and bug-free. This interferes with normal vulnerability and patch management processes. The hospital can either pay to have the manufacture deploy the patches, or do it themselves, which may void the warranty.
It's also not clear what government agency has oversight over medical devices. Some devices are regulated by the FDA, and others are handled by the FCC or the DHS. When every one is in charge, regulations don't get enforced consistently.
“I buy used devices online and find all sorts of data that shouldn’t be there,”
It is very easy to fall in the trap of thinking all security practices are universal, such as requiring all medical devices have strong authentication. However, in the medical world, patient health always comes first, Radcliffe reminded the audience. If the patient needs immediate attention and the pacemaker has to be stopped within a few minutes or the patient will die, the last thing the medical professional wants is to lose precious minutes trying to enter the long complex password stored in LastPass, he said..
“We can't use the security used to protect credit card information to medicine,”Jay Radcliffe, Security Researcher
The session was well attended, with representatives from the device manufacturers themselves, the administrators tasked with securing and managing medical devices, and people who use medical devices for their own health reasons.
This isn't the first time the security of medical devices came up at Black Hat. Radcliffe showed how he was able to tamper with the information being sent to his insulin pump three years ago.