
And Security in HEALTHCARE? (#2)

June 5th, 2017 | Posted by kwelladm in Publications | Health
Now, a new study by Billy Rios and Jonathan Butts of the company Whitescope has exposed the brutal insecurity that these devices “boast”; none of the sector's major manufacturers is spared. The researchers analyzed pacemakers, defibrillators, and the systems used to monitor them, from four manufacturers, and the results were shocking….

To understand a bit more about the topic, we describe below some of the theory needed to understand security in these vital devices.

Understanding Pacemaker Systems Cybersecurity

Part I – Introductions and Pacemaker Programmers:

In October of 2016, exceptions to the DMCA related to medical device cybersecurity research went into effect. The EFF and several notable infosec organizations championed amendments to the DMCA to allow for more open exchange of medical device cybersecurity research. We’d like to thank those organizations that championed the changes to the DMCA.

This post is provided in the spirit of those DMCA exceptions. Specifically, this post (and follow-on posts) provides insight into the technical details of how pacemaker systems work and some of the cybersecurity challenges manufacturers face when implementing these systems. When this document references “pacemaker systems”, we are referring to pacemakers, Implantable Cardioverter Defibrillators (ICD), Pulse Generators, and Cardiac Rhythm Management (CRM). Surprisingly, the architecture and even technical implementation of pacemaker systems across manufacturers is very similar. We suspect that some of this similarity is due to the technical constraints associated with implanted technologies. Other similarities, however, indicate that there is some cross-pollination between pacemaker manufacturers. Given the similarities between systems, we hope that pacemaker manufacturers work together to share innovative cybersecurity designs and compete on user experience and health benefits as opposed to competing on cybersecurity.

Discussions associated with the cybersecurity of pacemaker systems can be an emotionally charged topic. Our approach is to keep this discussion focused on technical data (“more research, less drama”), but we hope this data is used to spur civilized discussions about how we can improve implantable medical device cybersecurity. When possible, technical data is presented in a vendor-neutral manner. A document describing our research has been provided to the NH-ISAC; you can find that document here. In the spirit of coordinated disclosure, any potential vulnerabilities discovered during this project were/will be reported through DHS ICS-CERT. Specific vulnerabilities, weaknesses associated with specific vendors, and exploits will not be discussed in these blog posts.

As shown in previous research efforts, cybersecurity researchers can obtain a variety of medical devices, including “big iron” medical devices.

Pacemaker systems are no exception.  For this project, we acquired pacemaker programmers, home monitors, and pacemaker devices made by four different manufacturers.  These devices are supposed to be “controlled”, as in they are supposed to be returned to the manufacturer after use by a hospital, but all manufacturers have devices that are available on auction websites.  Programmers can cost anywhere from $500-$3000, home monitoring equipment from $15-$300, and pacemaker devices $200-$3000.

Pacemaker systems are a “system-of-systems”. Looking at all four manufacturers, there are essentially four components to modern pacemaker system deployments: the pacemaker devices, pacemaker programmers, home monitoring systems, and the supporting/update infrastructure. All components are vital to the safe functioning of the pacemaker system. The figure below shows how these components interact with each other.

 
Figure: Pacemaker System Ecosystem

As seen in other medical device verticals (https://ics-cert.us-cert.gov/advisories/ICSMA-16-089-01), keeping devices fully patched and updated continues to be a challenge.  Despite efforts from the FDA to streamline routine cybersecurity updates, all programmers we examined had outdated software with known vulnerabilities.  Across the 4 programmers built by 4 different vendors, we discovered over 8,000 vulnerabilities associated with outdated libraries and software in pacemaker programmers.

 
Figure: Outdated Third Party Components

We believe that this statistic shows that the pacemaker ecosystem has some serious challenges when it comes to keeping systems up to date. No one vendor really stood out as having a better or worse update story when compared to their competitors. In two instances, we were able to confirm that patient data was stored unencrypted on the programmer. In one instance, we discovered actual unencrypted patient data (SSNs, names, phone numbers, medical data, etc.) on a pacemaker programmer. The patient data belonged to a well-known hospital on the east coast and has been reported to the appropriate agency. These types of issues highlight the need for strong device disposal policies from hospitals.
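As an illustration of the disposal check this finding calls for, the following added example (not code from the original post or from Whitescope) scans a raw storage image from a device due for decommissioning for plaintext SSN- and phone-shaped strings. The function names, the HOLD/CLEAR verdicts and the sample bytes are assumptions made for the example.

```python
import re

# SSN-shaped token: AAA-GG-SSSS, not embedded in a longer digit run.
SSN_RE = re.compile(rb"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
# US phone-shaped token: (NNN) NNN-NNNN or NNN-NNN-NNNN.
PHONE_RE = re.compile(rb"(?<![\d-])(?:\(\d{3}\) ?|\d{3}-)\d{3}-\d{4}(?![\d-])")


def plausible_ssn(area: bytes, group: bytes, serial: bytes) -> bool:
    """Apply the SSA structural rules to cut false positives."""
    a = int(area)
    return a != 0 and a != 666 and a < 900 and group != b"00" and serial != b"0000"


def scan_image(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, kind) for each plaintext identifier found.

    Values are deliberately not returned so the report itself
    does not become another copy of the patient data.
    """
    hits = []
    for m in SSN_RE.finditer(data):
        if plausible_ssn(*m.groups()):
            hits.append((m.start(), "ssn"))
    for m in PHONE_RE.finditer(data):
        hits.append((m.start(), "phone"))
    return sorted(hits)


def disposal_verdict(data: bytes) -> str:
    """A device image passes only if no plaintext identifiers remain."""
    return "HOLD" if scan_image(data) else "CLEAR"


# Constructed sample: fake record bytes, not data from any real device.
SAMPLE = (b"\x00\x00REC|DOE,JANE|123-45-6789|(555) 010-0199|\xff\xfe"
          b"serial 000-12-3456 build 2011-06-01\x00")

if __name__ == "__main__":
    for offset, kind in scan_image(SAMPLE):
        print(f"0x{offset:06x} {kind}")
    print(disposal_verdict(SAMPLE))
```

A CLEAR result only means no ASCII-encoded identifiers of these two shapes were found; it does not show that the storage is encrypted or wiped, so it complements a sanitization procedure rather than replacing one.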

 
