Government // Leadership
Commentary
8/2/2013
02:02 PM

Death By Hacking: Tomorrow's IT Worry?

Medical device software vulnerabilities and cyber threats raise important new liability questions for CIOs and CISOs.



Remote Patient Monitoring: 9 Promising Technologies
Remote Patient Monitoring: 9 Promising Technologies
(click image for larger view)
Technology has permeated virtually every aspect of our lives. That has many benefits and some negatives. But it also means the United States, and the world, have become highly dependent on technology. And as that dependence grows, so does our vulnerability to system failures and cyber attacks.

This year, cybersecurity experts forecast that in 2013, nation-sponsored cyber warfare will go mainstream, and some believe certain cyber attacks will lead to actual deaths.

A look at the role technology and software play in the healthcare industry illustrates why this is no longer an idle threat. And the healthcare industry is not alone. But it also raises new concerns that manufacturers whose products depend on software could face charges of criminal negligence, if they don't take product vulnerabilities more seriously.

The United States is the largest healthcare market in the world. Varying reports suggest that over half the medical devices sold in the U.S. rely on software. Jay Radcliffe, a diabetic patient, was among the first to show how hackers could scan for vulnerable insulin pumps from hundreds of feet away and force the medical device to dispense a lethal dose of insulin. That got the attention of the Department of Homeland Security, government regulators as well as many organizations in the medical community.

Last year the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center issued an unclassified -- for official use only -- document calling attention to the potential impact of cyber threats on the multi-trillion dollar healthcare industry. It warned healthcare organizations how "failure to implement a robust security program will impact the organization's ability to protect patients and their medical information from intentional and unintentional loss or damage."

While some glanced over this statement, other recognized that "protect patients" means protect their lives.

DHS is not the only one calling attention to the massive cybersecurity issue. The Food and Drug Administration, which regulates medical devices, issued a warning in June to medical device manufacturers and healthcare institutions and providers saying it has learned of "cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations."

[ What do you think -- Should FDA Assess Medical Device Defenses Against Hackers? ]

"In a world in which communication networks and medical devices can dictate life or death, these systems, if compromised, pose a significant threat to the public and private sector," the document stated. Other government and private sector organizations have also expressed growing concerns surrounding potential vulnerabilities of medical devices on medical IT networks.

All this combines to paint a clear picture of the risk; a risk that must be addressed immediately given all that is at stake.

When you examine the software used in medical devices, even non-technical observers can see the massive risk that comes with patching. Cybersecurity experts have long warned about how critical it is to apply software code fixes in a timely manner to address known vulnerabilities in software. Forget Patch Tuesdays for medical devices and systems! There are stringent testing requirements that are applied when changes/modifications are made to medical devices and systems.

The FDA has developed an enhanced risk-based validation approach and has issued guidelines on this approach. Based on its definition, validation requires establishing, using objective evidence, that a process consistently produces a result or that a product meets its predetermined specifications.

Importantly, if a software patch is applied to the underlying operating system of a medical device or system, it must be retested to obtain "objective evidence" that the device or system is functioning properly and meets the predetermined specifications.

The additional costs of applying the patches and updates and the revalidation of device/system software would be passed along to the owner/operator of the medical device and system. In most cases, that would require a new maintenance agreement between the manufacturer or service provider as well as the device owner/operator. All that adds up to time, cost and a delay in patching all the vulnerabilities discovered since the device/system was designed or last updated.

There is another issue that is problematic. When organizations test patches in their respective environments, oftentimes they find out that the patch causes problems with custom developed software and other applications that they use. Once that issue is identified, the problem must be diagnosed, remediated, tested and then migrated into the production environment. All of that takes time -- and we are not taking minutes or hours but days, weeks, months and maybe even years.

The big question is, do we have that time? Could someone exploit a disclosed vulnerability, one in software that is commonly used in medical devices and systems, due to the inherent delays of updating and revalidating the software? The answer is yes.

Additional measures must be taken to ensure the integrity of these systems until the patch can be safely applied with a high degree of confidence in the operation of the device or system. This is what DHS was referring to as a "robust security program" to be sure.

Software bugs and security vulnerabilities are inevitable. Missing patches and updates are a reality -- and one that has implications far beyond the healthcare industry. Organizations across many industries are now struggling with vulnerability management and the problem of patching specialized devices in the face of increasingly sophisticated cyber attacks.

Interestingly, I could not find any guidance from Occupational Safety and Health Administration addressing software safety risks for industrial SCADA (supervisory control and data acquisition) systems, but it is likely they will arrive very soon.

Similarly, the National Highway Traffic Safety Administration will probably have to weigh in on software vulnerabilities for transportation vehicles, especially after Richard Clarke's recent comments. The former U.S. national coordinator for security infrastructure protection and counter-terrorism said that university researchers have now shown "it's relatively easy to hack your way into the control system of a car."

There are those skeptics who believe this is not really an issue and that current cybersecurity experts are up to the challenge of addressing these problems. I would suggest that they read "The Seven Deadly Myths of Software Security."

What many also don't see coming is the increasing legal risks executives face from the threat of cyber attacks. While researching this article, I had a couple of discussions with lawyers. What started out as a product liability conversation turned into a discussion about the risks of civil negligence charges. Could a manufacturer, CIO or CISO be charged with criminal negligence if they fail to apply patches and properly secure and maintain their systems, in the event a cyber attack that exploits those factors results in the death of an individual or individuals?

That is one hell of a question and a glimpse of what lies ahead for those who don't take the new world of cyber threats seriously.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
8/13/2013 | 4:29:03 AM
re: Death By Hacking: Tomorrow's IT Worry?
ItGs interesting to read about this other aspect of hacking and not only about the protection of patient health information and patient demographic information. I really hadnGt given it much thought before but this is actually kind of scary. The thought that a hacker, or anyone wishing harm upon somebody else, could essentially remotely hack into a machine and provide lethal doses is very scary. It makes you skeptical of the machines that are there to supposedly save your life.

Jay Simmons
Information Week Contributor
WKash
50%
50%
WKash,
User Rank: Author
8/7/2013 | 8:53:35 PM
re: Death By Hacking: Tomorrow's IT Worry?
Should get interesting a few years from now when car thieves discover how to pirate driverless cars with little more than a savvy mobile app.
Gadgety
50%
50%
Gadgety,
User Rank: Apprentice
8/5/2013 | 3:28:50 PM
re: Death By Hacking: Tomorrow's IT Worry?
An acquaintance of mine went through a heart transplant. Post surgery there was trouble with the technology in an external box and after weeks of hassles, with untrained nurses who had no idea of what was wrong, finally this guy opened up the electronics and rewired them when no one was around! Who knows what would have happened had he not hacked it...
2014 US Salary Survey: 10 Stats
2014 US Salary Survey: 10 Stats
InformationWeek surveyed 11,662 IT pros across 30 industries about their pay, benefits, job satisfaction, outsourcing, and more. Some of the results will surprise you.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 Digital Issue, April 2015
The 27th annual ranking of the leading US users of business technology
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
. We've got a management crisis right now, and we've also got an engagement crisis. Could the two be linked? Tune in for the next installment of IT Life Radio, Wednesday May 20th at 3PM ET to find out.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.