I used to work in this field. One device we worked with, which would reside in an OR ,we wanted to be able to push updates to it and receive bug tracking information through the Internet, but pretty much everyone knew that the hospitals would never let it be connected to the Internet. I can’t really cite any statistics, just know that it was something that company talked about quite a bit as it limited us. All the software updates had to be performed by technicians who came in with USB sticks or laptops that they connected to the devices. It could be very time consuming, and of course the hospitals would rather be using their ORs for surgeries and not have a technician in there updating their devices.
That’s largely irrelevant when we’re talking about networked devices vulnerable to wireless (WiFi/Bluetooth) attacks from inside.
I would think that most hospital networks don’t protect well from inside attacks - even from commodity devices like printers, scanners, etc.
Then there’s the whole issue of remote servicing by vendors. Even though a NAT firewall might seem like a prudent protection, it still allows a device to initiate a VPN back to the vendor - and the appeal of remote servicing is great. And that VPN (in effect) extends the soft-and-chewy hospital network out to the vendor, and whoever else the vendor trusts.
Basically, hospitals are big attractive collections of embedded devices, and as these devices become more automated and integrated (and networked), the more appealing they are purely as networking/CPU resources for spamming, botnets, or Bitcoin mining.
That’s even worse; it’s like running two lots of anti virus software at once.
That was more like an emergency bug fix.
Francis had to make John Paul II (who stopped Vatican reform) a saint so he also made the pope who started the reforms a saint too.
In this context, I think security theater would be a website, for example, that forces your password to include uppers, lowers, numbers and symbols - making it impossible to memorize your password, so users are forced to write it on a scrap. Then - true story - one site I use regularly requires a password from 6-8 characters long. No more, no less.
How much does this do to reduce account security? Plenty. But it provides the feeling of security - thus, theater. Medical machines could do just the same thing; in fact, I think it’s likely to happen if this article gets traction.
As for my nurse example, a complete stranger could run down someone on any street or shoot them with a deer rifle.
I agree with a lot of your points, but I don’t understand your inclusion of this. I suppose you are trying to say that we can’t protect against everything, which is true.
The types of assaults you mention though are exactly the kinds of things we can’t predict, and therefore are too expensive to consider in the security model. Whether you want to call them a “Movie Plot Threat” or FUD, they just distract from the real issues here.
Sorry Boundegar. This was supposed to be a reply to dobby, but I apparently clicked on your last comment when replying to him. There doesn’t seem to be an easy way to reassign the comment with the bbs software.
I get what you are talking about and it does happen. I also think hospital IT staff rely on the fact that most hospital workers are not super tech savvy in a technician/network specialist/admin kind of way and that the technicians that come in are from trusted companies. People who work on medical devices have specialized knowledge, and the relationships the companies have with the hospitals are very important. I think hospitals rely more on those human bonds than security systems.
That’s rather speculative though isn’t it? To say that getting traction on fixing an issue is going to lead to a poor solution because you’ve seen poor solutions other places? Taking your password issue as an example, what about 2 factor authentication and other challenge response type systems? Why assume the solution is going to be worse than the problem?
Don’t worry, Ballmer is on the case!
That is part of my directive to my wife… If you pull the plug, please plug it back in a for a few seconds to see if I reboot.
Is bringing Microsoft's renowned "Five 7s" of system reliability to the medical device field.
Kinda like bringing Typhoid Mary in to oversee the infection control group…
Be afraid! Be very afraid!
Fear mongering at its worse.
At the one university hospital where I worked, the IT staff didn’t get involved much at all with devices or computers that controlled devices – that was usually the bailiwick of the Biomedical Engineering Group. IT just provided pipes to the device if the engineering group needed them.
It sounds like many of the manufacturers of these devices and the devices users are in violation of the many U.S. Federal and state laws restricting access to personal health information.
Yeah, pushing updates to OR equipment like some Android or iOS device. What could possibly go wrong.
It’s called cynicism.
It wasn’t in contact with the patient and it was very easy to manually perform the same functions the device did, so it was not going to create any real problem, whereas having a technician in for a couple of hours every other week created its share of hassles.
Yes, they usually are separate departments.
Anyway, my point was that they don’t just let anyone near these kinds of specialized medical equipment - every hospital has a screening process before they let people in. It’s not just like, oh, you’re a contractor for our contractor flash your badge and you are all good.
This topic was automatically closed after 5 days. New replies are no longer allowed.