Full Disclosure mailing list archives
Re: Reliable reports on attacks on medical software and IT-systems available?
From: Caspian () random-interrupt org
Date: Wed, 11 Aug 2010 22:48:11 -0400
halfdog wrote:
> Paul Schmehl wrote:
>> --On Tuesday, August 10, 2010 21:03:35 +0000 halfdog <me () halfdog net> wrote:
>>> * There are reports, but I do not know about them (so I'm asking around)
>>
>> Most likely answer. I know about some, but I'm not telling you. Or anyone else for that matter. :-)
>
> So you are telling that problems with hospital IT/medical systems are not reported and published? From my understanding, the medical devices directive would force producers to report incidents and these reports _have_ to be published. I also think that laboratory/clinics information systems do not fall in that category, so reporting might be optional.
That depends on where you are, and who is enforcing the requirement. Non-lethal attacks are happening, for sure, but they're buried in the deluge of press about sensational data breaches, SCADA, GSM hacks and exploding generators, and usually the data exposed is the same as everywhere else: PII and financial stuff. The health records, on the other hand, might be of interest to insurance companies and other groups that could benefit from that kind of information on their clients or employees. However, if those companies and groups are interested enough, they probably already have a way of getting that information.
> Anyway, these reports would be useful to perform sensible risk assessment when producing new software and would allow fixing of "community-known-bugs" before someone turns them against infrastructure or people.
The reports exist. If you're looking for risk assessment information, you may want to start with groups like IHE, who do quite a lot of technical policy work. The people who work there have been involved in medical IT since before it was a buzzword. In the world of radiology, anyway, there are famous cases of accidental damage and death caused by code errors (see: Therac-25), and it's not too much of a stretch to imagine human-driven attacks, rather than just poor code. Some hospitals have a well guarded network. Some medical IT systems are secure. Some are not. The threat environment for medical institutions is similar to any other large company, except there's the added risk of medical records and data being exposed, which might be handy for all sorts of things (think insurance fraud, blackmail, etc). The truth is, it doesn't make much of a difference: the attack surface is also pretty similar to any other large institution, so much of it depends on internal policy and politics, as well as the technical stuff.
>> * Medical personnel in hospitals with high grade of IT-system usage are so trained and skilled, so that they detect manipulation and no harm is done
>
> Laughable. Medical personnel wouldn't have a clue about whether their systems have been hacked. Their IT staff *might*.
Most radiology personnel would catch on to this pretty quickly, assuming it was meant to be a lethal attack. Pretty much any operator who has to train to the level these people do should be able to spot a lethal attack in progress, since the attack would cause the machine to behave erratically. You need the equivalent of an associate's degree to be an x-ray tech where I am, at least, and I think it's the same for most of North America and Europe. Hospitals often have their own specialists who tend to train like pilots: a certain number of hours with a specific machine, and then retraining when it gets updated. IT staff are sometimes part of that group.

This level of training may not, however, be the case for something like a network-enabled IV (don't laugh! they exist), since the telemetry that the IV is sending to the nurse's station could be falsified, and you don't really need specialized staff for this type of system. The same goes for things like heart rate monitors, etc. This is why we have local audits, external audits and audit repositories, along with node and program authentication as a base requirement for the IT and data interchange standards that I'm aware of that certify these devices. Obviously, audit trails are post-facto, but proper monitoring should be able to detect an attack in progress.

I'd suggest looking to the standards groups in whatever area you're in to see if you can find the risk and attack statistics; IHE is global, and they have a number of partner organizations, so it's a reasonable starting point.

-- 
Caspian Kilkelly (caspian () random-interrupt org)
"Man discovers himself when he measures himself against the obstacle." -Antoine De Saint Exupery, Terre des hommes

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Reliable reports on attacks on medical software and IT-systems available? halfdog (Aug 10)
- Re: Reliable reports on attacks on medical software and IT-systems available? halfdog (Aug 10)
- Re: Reliable reports on attacks on medical software and IT-systems available? Paul Schmehl (Aug 10)
- Re: Reliable reports on attacks on medical software and IT-systems available? halfdog (Aug 11)
- Re: Reliable reports on attacks on medical software and IT-systems available? Caspian (Aug 12)
- Re: Reliable reports on attacks on medical software and IT-systems available? Paul Schmehl (Aug 12)
- Re: Reliable reports on attacks on medical software and IT-systems available? Jeffrey Walton (Aug 13)
- Re: Reliable reports on attacks on medical software and IT-systems available? Paul Schmehl (Aug 10)
- Re: Reliable reports on attacks on medical software and IT-systems available? halfdog (Aug 10)
- Re: Reliable reports on attacks on medical software and IT-systems available? BMF (Aug 10)
- Re: Reliable reports on attacks on medical software and IT-systems available? Shawn Merdinger (Aug 25)