Full Disclosure mailing list archives

Re: Reliable reports on attacks on medical software and IT-systems available?


From: Caspian () random-interrupt org
Date: Wed, 11 Aug 2010 22:48:11 -0400

halfdog wrote:
Paul Schmehl wrote:
--On Tuesday, August 10, 2010 21:03:35 +0000 halfdog <me () halfdog net> wrote:
* There are reports, but I do not know about them (so I'm asking around)

Most likely answer.  I know about some, but I'm not telling you.  Or anyone else
for that matter.  :-)

So you are telling that problems with hospital IT/medical systems are not
reported and published? From my understanding, the medical devices directive
would force producers to report incidents and these reports _have_ to be
published. I also think that laboratory/clinics information systems do not fall
in that category, so reporting might be optional.


That depends on where you are, and who is enforcing the requirement..

Non-lethal attacks are happening, for sure, but they're buried in the 
deluge of press about sensational data breaches, SCADA, GSM hacks and 
exploding generators- and usually the data exposed is the same as 
everywhere else- PII and financial stuff. The health records, on the 
other hand, might be of interest to insurance companies and other groups 
that could benefit from that kind of information on their clients or 
employees. However, if those companies and groups are interested enough, 
they probably already have a way of getting that information.

Anyway, these reports would be useful to perform sensible risk assessment when
producing new software and would allow fixing of "community-known-bugs" before
someone turns them against infrastructure or people.

The reports exist. If you're looking for risk assessment information, 
you may want to start with groups like IHE, who do quite a lot of 
technical policy work. The people who work there have been involved in 
medical IT since before it was a buzzword.

In the world of radiology, anyway, there are famous cases of accidental 
damage and death caused by code errors (see: Therac-25), and it's not too 
much of a stretch to imagine human-driven attacks, rather than just poor 
code.

Some hospitals have a well guarded network. Some Medical IT systems are 
secure. Some are not. The Threat Environment for medical institutions is 
similar to any other large company, except there's the added risk of 
medical records and data being exposed- which might be handy for all 
sorts of things (think insurance fraud, blackmail, etc). The truth is, 
it doesn't make much of a difference- the attack surface is also pretty 
similar to any other large institution; so much of it depends on 
internal policy and politics, as well as the technical stuff.


 
* Medical personnel in hospitals with high grade of IT-system usage are so
trained and skilled, so that they detect manipulation and no harm is done

Laughable.  Medical personnel wouldn't have a clue about whether their systems
have been hacked.  Their IT staff *might*.


Most Radiology personnel would catch on to this pretty quickly- assuming 
it was meant to be a lethal attack. Pretty much any operator who has to 
train to the level these people do should be able to spot a lethal 
attack in progress, since the attack would cause the machine to behave 
erratically. You need the equivalent of an associate's degree to be an 
x-ray tech where I am, at least, and I think it's the same for most of 
North America and Europe. Hospitals often have their own specialists who 
tend to train like pilots- a certain number of hours with a specific 
machine, and then retraining when it gets updated. IT staff are 
sometimes part of that group.

This level of training may not, however, be the case for something like 
a network-enabled IV (don't laugh! they exist)- since the telemetry that 
the IV is sending to the nurse's station could be falsified, and you 
don't really need specialized staff for this type of system. The same 
goes for things like heart rate monitors, etc... This is why we have 
local audits, external audits and Audit repositories, along with node 
and program authentication as a base requirement for the IT and data 
interchange standards that I'm aware of that certify these devices. 
Obviously, audit trails are post-facto, but proper monitoring should be 
able to detect an attack in progress.

I'd suggest looking to the standards groups in whatever area you're in 
to see if you can find the risk and attack statistics; IHE is global, 
and they have a number of partner organizations- it's a reasonable 
starting point.

-- 
--
Caspian Kilkelly (caspian () random-interrupt org)
--
"Man discovers himself when he measures himself against the obstacle." -Antoine De 
Saint Exupery, Terre des hommes




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

