[Ics-security] Threats to Medical Devices
Kelly Mahoney
mahoney at jlab.org
Fri May 18 12:20:13 EDT 2012
An article in e-week news describes how medical devices can be hacked
and controlled remotely. I wonder if the Dilon technologies equipment
is on a secure network?
http://www.eweek.com/c/a/Health-Care-IT/Department-of-Homeland-Security-Issues-Warning-on-Medical-Device-Threats-193136/
Some of the worst non-nuclear radiation exposures recorded were due to
how software development was handled in a medical device. The Therac
25 is the classic benchmark, where people were killed due to errors in
the software development process. See Nancy Leveson's paper on the
event for a good description.
http://sunnyday.mit.edu/papers/therac.pdf
I was at a recent risk management workshop at MIT, and it appears that
software for medical devices has not gotten much better compared to
other high risk systems. (don't get me started on automobile computers!).
The point here is that anything that runs software can be compromised.
In the past, the compromise was from errors introduced in the
development and implementation process. Once an error was introduced,
it sat in a latent state until unique conditions triggered the error.
In cyber security compromise, you have a dynamic process where errors
are actively introduced. The triggers for activation of the error are
known to the hacker. The number and complexity of the errors can morph
and spread in a very short time. Its a new world.
Kelly Mahoney
More information about the ICS-Security
mailing list