Re: Reliable reports on attacks on medical software and IT-systems available?

[Jeffrey Walton <noloader () gmail com>]

On Wed, Aug 11, 2010 at 10:48 PM,  <Caspian () random-interrupt org> wrote:
> halfdog wrote:
> > Paul Schmehl wrote:
> > > --On Tuesday, August 10, 2010 21:03:35 +0000 halfdog <me () halfdog net> wrote:

[SNIP]

> > > > * Medical personal in hospitals with high grade of IT-system usage are so
> > > > trained and skilled, so that they detect manipulation and no harm is done
> > > Laughable.  Medical personnel wouldn't have a clue about whether their systems
> > > have been hacked.  Their IT staff *might*.
>
> Most Radiology personnel would catch on to this pretty quickly- assuming
> it was meant to be a lethal attack. Pretty much any operator who has to
> train to the level these people do should be able to spot a lethal
> attack in progress, since the attack would cause the machine to behave
> erratically.
Like the Therac-25? "...it was involved with at least six accidents
between 1985 and 1987, in which patients were given massive overdoses
of radiation, approximately 100 times the intended dose... Three of
the six patients died as a direct consequence....." (
(http://en.wikipedia.org/wiki/Therac-25).

BTW, what is the difference in erratic behavior due to a software bug,
and erratic behavior due to an attacker?

> You need the equivalent of an associate's degree to be an
> x-ray tech where I am, at least, and I think it's the same for most of
> North America and Europe. Hospitals often have their own specialists who
> tend to train like pilots- a certain number of hours with a specific
> machine, and then retraining when it gets updated. IT staff are
> sometimes part of that group.
>
> [SNIP]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/