Re: Reliable reports on attacks on medical software and IT-systems available?

[Paul Schmehl <pschmehl_lists () tx rr com>]

--On Tuesday, August 10, 2010 21:03:35 +0000 halfdog <me () halfdog net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Just to clarify some points from off-list messages:
>
> I have no knowledge of ongoing or planned attacks. I was just searching for
> historic reports of any age. I wonder why powerplants, telephone systems,
> corporate IT systems are frequently affected by attacks, some just made for
> fun of causing damage, but there are nearly no reports on attacks on medical
> systems to cause damage, although these systems are quite widespread also.
> Possible answers might be (sorted by probability):
>
> * My guessing about the size of the attack surface of medical software is
> wrong. Is there any data available (statistical analysis, estimations), how
> big the attack surface of medical systems is compared to the surface of e.g.
> the power-grid system?
>
> * All hackers keep some sense of ethics, so that they feel it is OK to attack
> "technical" targets but find it inacceptable to attack the health of innocent
> people (if this is the main cause, terrorists might cause significant change
> in risk assessment of medical software and services)

Not a chance.  How would they even know they were medical devices until *after* 
they have successfully attacked them?

> * There are reports, but I do not know about them (so I'm asking around)

Most likely answer.  I know about some, but I'm not telling you.  Or anyone 
else for that matter.  :-)

> * Medical personal in hospitals with high grade of IT-system usage are so
> trained and skilled, so that they detect manipulation and no harm is done

Laughable.  Medical personnel wouldn't have a clue about whether their systems 
have been hacked.  Their IT staff *might*.

> * Medical institutions do not talk about such incidents (here for example,
> they are closed systems, it took until now, that the government tries to keep
> records of accidents and prevented accidents)

Very likely.

> * Medical IT is so safe, that manipulation is not easy (Although data theft
> and mass virus intrusions seem to occur from time to time. And from what I
> have seen in clinics, it seems that the software is not always highly stable,
> which could indicate programming weaknesses.)

Beyond the realm of possibility.  Most medical instruments are controlled by 
old versions of easily hackable systems that cannot be patched or they lose 
accreditation.  In many cases they are not even allowed to run security 
software on them (antivirus, firewalls, etc.)

> * Government tries to suppress reports to avoid panic reaction (for many
> patients health and logic does not go together) or to inhibit terrorism in
> that area.

Government probably doesn't know about them.  When they do, they will pass a 
stupid law that will make them feel better and extract money from the victims 
but will not solve any problems.  Case in point: HIPAA.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/