
The Fight to Secure Vulnerable Medical Devices From Hackers


By Lindsay Gellman



Joshua Coleman is a cybersecurity researcher who describes himself as a “good hacker.” Last spring, he took his 11-year-old daughter to a New Hampshire hospital for a blood treatment. After waiting for several hours, he expected the night to be a long one, so he went home to fetch his daughter’s pajamas. When he returned, he discovered that his daughter had been hooked up to a Hospira infusion pump, a device with a network connection known to be particularly vulnerable to cyber attacks.





“The Food and Drug Administration banned hospitals from using the device almost two years ago because it was too dangerous, and they used it on my child,” Coleman told me.


Coleman has spent the past few days watching WannaCry, the ransomware that has infiltrated medical centers around the world, as well as universities and telecommunications companies, spread through their networks. Ransomware is malicious software that encrypts the data on a computer’s hard drive and then demands a ransom in exchange for decrypting it. Coleman has long argued that these institutions are not prepared for large-scale attacks and that their security practices often lag behind federal recommendations.


It turns out that much of the medical equipment in hospitals, clinics and doctors’ offices across the country should have been phased out years or even decades ago. Hospitals generally don’t replace internet-connected devices such as MRI machines or infusion pumps as long as they still work. Coleman, in addition to being a concerned father, is a cybersecurity innovation fellow at the Atlantic Council think tank and co-founder of I Am The Cavalry, a well-known white hat volunteer organization. Older devices tend to have software vulnerabilities that attackers can easily exploit and that are difficult to fix, cybersecurity professionals say.


“The biggest problem right now is that hospitals don’t buy new equipment, and these devices are full of safety concerns and they stay in use until they break,” Coleman said.


Coleman hopes the old, insecure equipment will be phased out of hospitals. The concern is that, beyond the frozen systems and hijacked medical records seen during the WannaCry outbreak, attackers could actively manipulate medical devices to harm patients, for example by causing an infusion pump to deliver a lethal dose of a drug. While new devices are not 100 percent secure, they are generally safer. As a result, Coleman and others are urging health care providers to phase out old, or “legacy,” equipment and replace it with newer models.


To get health care providers moving, he proposed an idea modeled on the “cash for clunkers” program, a 2009 federal auto rebate program designed to retire gas-guzzlers. Under that program, formally the Car Allowance Rebate System, people traded in less fuel-efficient vehicles for cash, which they then used to buy newer, more fuel-efficient vehicles.


Within a few months, however, the program’s budget ran out. In Coleman’s version, health care providers would receive a rebate for old equipment, which they would then put toward new equipment. Coleman said that while he is not an economist, he thinks device manufacturers might be willing to partially subsidize the program because it would help them clear inventory.


Kevin McDonald, director of clinical information security at the Mayo Clinic in Rochester, Minn., says large hospitals like his would welcome such a program. McDonald called the thousands of networked devices accumulated over the years “hotbeds of malware and ransomware.” Vulnerabilities in older devices include passwords that cannot be changed, reliance on outdated third-party software (such as Windows XP), and an inability to accept software patches or upgrades. Other software bugs also accumulate as the operating system ages.


A medical equipment rebate program of exactly the kind Coleman has in mind is among the many recommendations made by the Health Care Industry Cybersecurity Task Force, which the Department of Health and Human Services convened in 2016. “Governments and industry should develop incentives (such as cash for clunkers) to phase out legacy and insecure health care technologies” and promote “better procurement solutions,” the task force’s report says.


Dr. Suzanne Schwartz, director of scientific and strategic partnerships in the FDA’s Center for Devices and Radiological Health, told me that the agency has been working in recent years to bring white hat hackers like Coleman together with more traditional players, such as device vendors, and to take their advice.


“Security researchers play a very prominent role, mainly because they bring in very specialised knowledge from a technical perspective. Frankly, this kind of expertise doesn’t exist in the healthcare community at large and in the medical device industry at large,” she said.


Dr. Schwartz said the white hat hackers first approached her in 2013 because they had found problems in device software. The next year, researcher Billy Rios alerted the U.S. Department of Homeland Security that he had found certain Hospira infusion pumps that could be manipulated over their network connection. His warning later reached the Food and Drug Administration, which in 2015 issued an advisory telling hospitals to stop using those infusion pumps. As Coleman discovered, however, the devices are still in use in many clinical settings.


Coleman believes the FDA’s advisory reflects a shift in the agency’s thinking about cyber threats. “In years past, someone had to die for the FDA to act,” he said. “We had to wait for someone to die.” Coleman says he and others at the agency agree that cyber threats are different from other threats and call for precautions before harm occurs. He said the agency has focused on software vulnerabilities that have been identified but not yet exploited.


Dr. Schwartz called the proposed cash-for-clunkers program “an interesting idea that deserves further exploration,” adding that “a deeper study is needed in conjunction with economic analysis.” That could fall within the purview of the Healthcare and Public Health Sector Coordinating Council (HSCC), an independent body that brings together public and private groups, she wrote in an email. Greg Garcia, executive director for cybersecurity at the HSCC, said the idea has been discussed but has not yet been put forward as a formal proposal.


A second task force recommendation, which Schwartz said is being fast-tracked, is that the FDA eventually require device manufacturers to provide a “software checklist.” Coleman describes the concept as a list of every software program a device contains. If a large-scale cyberattack targeted one or more of those programs, hospitals would at least know which of their devices could be affected and could act to reduce the damage. In its April 2018 Medical Device Safety Action Plan, the FDA said it is considering seeking additional authority to require the list as part of the materials that device manufacturers submit to the FDA for review before marketing.


Coleman said he is encouraged by the progress, especially since the cybersecurity risks of institutional medical devices have received little mainstream attention in recent years. Before the WannaCry attack, most discussion of medical cybersecurity concerned personal, home-use devices such as internet-connected pacemakers or insulin pumps, whose risks had been widely described in the mainstream media. For example, at a 2011 Miami cybersecurity conference, the late hacker Barnaby Jack demonstrated how a wireless insulin pump could be manipulated to deliver a lethal dose. In 2012, the TV show Homeland depicted an attack on a wireless pacemaker; former Vice President Dick Cheney, having watched the episode, had the wireless connection to his own pacemaker disabled.


Meanwhile, the U.S. Food and Drug Administration announced last year that nearly half a million internet-connected pacemakers were being recalled because they were vulnerable to potential cyber attacks. Device maker Abbott (formerly St. Jude Medical) quickly offered a firmware update that closes the vulnerability attackers could have exploited. All affected patients need to have the patch applied.


Coleman does not dismiss the cybersecurity risks of personal devices. But he is particularly concerned about equipment owned by institutions, which is widely used and often too old to fix. In addition, it typically takes six to seven years for a device to go from design to market. So even if a hospital replaced all its old equipment with the newest models, those devices would not have been designed for today’s cyber security problems.


“Right now, devices based on Windows XP can still get FDA approval,” Coleman said. “It’s super, super old, and Microsoft doesn’t maintain it anymore. And yet, you can take a brand new device and market it for 15 years.”


Mayo Clinic’s McDonald agrees, adding that most of the devices currently in use do not meet desirable security standards and that an industry-wide push is needed. “We are still buying medical equipment that is not secure,” he said.
