Full Disclosure mailing list archives
Re: Reliable reports on attacks on medical software and IT-systems available?
From: Shawn Merdinger <shawnmer () gmail com>
Date: Wed, 25 Aug 2010 12:23:37 -0400
Hi Halfdog,

While I have not come across any specific documentation of willful attacks, security (and software quality) issues abound in the medical device space.

You might try researching some of the databases at the FDA [1]. In particular, a good place to start is the FDA MAUDE database (Manufacturer and User Facility Device Experience) [2].

A few search tips for MAUDE:

1. Choose the "Event Type" to focus in on injuries (death, injury, etc.)
2. Set a wide date range
3. Do a number of different searches using the various selections under "Product Problem" -- you can only choose one at a time. The values vary, but there's "Computer failure," "Computer hardware error," "Computer operating system issue," "Computer system security issue," "Fail-safe design failure," "Failure to back-up," etc.

For more focused databases, such as radiation-related, there's the "Medical & Radiation Emitting Device Recalls." Search tips for this DB include putting very general terms into the "Reason for recall" field, like "computer" to start.

An example of what you'll find in these databases:

http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/detail.cfm?mdrfoi__id=1447254

"...the system locked up with a message stating there was insufficient disk space to run windows. The system took several reboots to make it operational. The pt was experiencing a cardiac infarct during the failure."

Overall, I see a lack of rigorous guidelines for the data entry. That is, the problem descriptions are often vague, and in a narrative. Nor is there any severity rating or ranking, etc. We've a long way to go in structuring the reporting. We've likely even further to go regarding issue follow-up.

[1] http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/Databases/default.htm
[2] http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/search.CFM
[3] http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfRES/res.cfm

Cheers,
--scm

On Tue, Aug 10, 2010 at 5:03 PM, halfdog <me () halfdog net> wrote:
I have no knowledge of ongoing or planned attacks. I was just searching for historic reports of any age.