When experts claim the sky is falling, we point out that you're just looking at the ground.
Monday, December 1, 2014
Gary McGraw asks who is in charge of medical device security
Gary McGraw, CTO of Cigital, recently served on a federal advisory committee panel to discuss medical device security. Gary shared his thoughts and recommendations here.
Thursday, October 30, 2014
Hot Topic: Ebola, Technology, and Science
Is your IR camera giving you accurate temperature readings to diagnose Ebola?
Maybe, maybe not. Re-calibration and angle cause a 9 degree difference on this IR camera.
This post diverges from medical device security for a moment to address some technical issues related to persons asymptomatic of Ebola. I happen to carry an infrared camera wherever I go. My lab uses it in research, and to leave secret thermal handprint messages on walls (they last about 5 minutes at my office). I'd like to demonstrate why one should take with a grain of salt the accuracy of temperature readings from infrared imaging to diagnose Ebola.
Reports claim that nurse Kaci Hickox registered an elevated temperature on an infrared scan, but then showed negative for fever with an oral thermometer. This is not surprising, given that infrared cameras are prone to inaccurate results for all sorts of reasons ranging from reflected light, improper or poorly trained use, calibration, thermal changes on the surface of the sensor, or the condition of the subject. (Did you just hear a dirty joke and blush? Or were you upset by an overzealous agent?) Different IR cameras have different sensitivities, and liquid-cooled sensors will have different properties as well. So I surmise that an IR camera used by an airport security guard will have a higher probability of detecting dirty jokes with low false positives than detecting Ebola with low false positives. Thermal cameras are just tools, but one must choose the right tool for diagnosis. Try taking an IR photo of a row of recently used toilets if you want to feel especially squeamish in exercising the least recently used principle.
Don't trust the digital readings from an infrared camera unless you are trained on its measurement and experimental error. The absolute numbers are meaningless on their own. Watch MIT Prof. Walter Lewin's physics lecture on measurement error for certainty on this subject.
"Any measurement that you make without the knowledge of its uncertainty is completely meaningless." -Professor Walter Lewin, MIT
Thursday, October 23, 2014
Medical device cybersecurity actions and outcomes
After two days of vigorous discussion at the FDA workshop on medical device cybersecurity, Dr. Suzanne Schwartz ended by challenging attendees to commit to (1) a specific cybersecurity action to take in the next week, and (2) a specific cybersecurity outcome to achieve in the next year.
My action for the next week is to create a meme for security engineering. Here's my attempt.
Original image from here.
Saturday, October 18, 2014
FDA visits NIST federal advisory committee on security and privacy
Suzanne Schwartz (FDA), Ken Hoyme (Adventium Labs), Gary McGraw (Cigital), and Kevin Fu (Univ. Michigan)
On Friday, October 24, 2014 at 9AM in Washington, DC, the NIST Information Security and Privacy Advisory Board (ISPAB) will hold a public panel on "Updates on Embedded Device Cybersecurity: Medical Devices to Automobiles."
Coming on the heels of the FDA workshop on cybersecurity, this panel will provide cutting-edge updates on federal policies and industry perspectives on embedded security. The panelists include:
- Suzanne B. Schwartz, MD, MBA, Director of Emergency Preparedness/Operations & Medical Countermeasures at FDA, and organizer of the FDA cybersecurity workshop
- Ken Hoyme, PhD, Distinguished Scientist, Adventium Labs
- Gary McGraw, PhD, CTO of Cigital
- Kevin Fu, PhD, Associate Professor, University of Michigan EECS (moderator)
Tuesday, October 14, 2014
3rd Annual Archimedes Workshop on Medical Device Security
Dozens of medical device and security experts converge in Ann Arbor each summer.
Friday, October 3, 2014
EHR software and Ebola, what could possibly go wrong?
Forget malware on medical devices. Try Ebola. The Atlantic is reporting that software flaws in the exchange of Electronic Health Records (EHRs) are partly to blame for an Ebola patient being sent home from Texas Health Dallas. More information appears on the hospital's website.
According to Bloomberg news, the EHR software at Texas Health Dallas is made by Epic Systems Corp.
Wednesday, October 1, 2014
FDA issues final version of long-awaited cybersecurity guidance
The long-awaited guidance will help resolve past uncertainties about expectations of cybersecurity in the pre-market review of medical devices.
A PDF of the actual guidance document appears here.
A second draft cybersecurity guidance document on post-market practices (e.g., vulnerability and incident reporting) is expected later this year.
Tuesday, September 30, 2014
NBC Chicago interviews patients, physicians, and researchers on medical device security
The TV headline is hyperbolic, but the content is level-headed.
Tammy Leitner of NBC Chicago interviewed a number of patients, physicians, and researchers about the challenges of medical device security. Here's a link to the full video.
Had this interview happened in 2008, the tone would have likely been more confrontational. Remember when Archimedes researchers demonstrated radio-controlled security flaws in pacemaker/defibrillators (also see the Schneier commentary)? Back in 2008, manufacturers and FDA were not accustomed to interacting with security researchers reporting such software-based flaws. It's completely understandable. Imagine if an unfamiliar person showed up at your front door to point out security problems of your house. The outcome might be unpleasant. Thus, interactions initially got off to a rocky start. But that's the past.
Fast forward to 2014, and times have changed significantly for the better. The forward-thinking manufacturers, influential researchers, and health care providers regularly interact and help each other to improve medical device security. A few positive examples that brought researchers, clinicians, manufacturers, and regulators together include the draft technical information report on medical device cybersecurity by AAMI (the IETF equivalent of the medical manufacturing world), the Archimedes workshop, and the upcoming FDA workshop on medical device security.
So if you're a future graduate student or budding security researcher, I'd encourage you to read the technical papers from the short history of medical device security. It's no longer a cat-and-mouse game of pointing out buffer overflows and SQL injection attacks. The future is about interdisciplinary computing and health care research to produce technology, best practices, and policies that improve medical device security without interfering with the workflow or delivery of health care.
Sunday, September 28, 2014
FDA to hold workshop on medical device security
Every workshop needs a bench and a good dremel. Photo credit: Travis Goodspeed
Unless you've been living under a rock, you have probably heard the announcement about the FDA Workshop on Collaborative Approaches for Medical Device and Healthcare Cybersecurity. Or as the Google translation service explains (select translate Government-ese to English): it's an FDA workshop on medical device security.
This workshop is a follow up to the draft FDA guidance on cybersecurity published in 2013 [here and here].
FDA workshops typically provide time to hear from a broad set of interest groups and stakeholders. In the hallways, you will likely see representatives or lobbyists from manufacturing associations, patient groups, physician groups, the cybersecurity industry, and more. And what might be surprising to the jaded reader: most attendees want the same thing, improved medical device security.
I will be moderating one of the technical panels at the FDA workshop, but I look forward to hearing the perspectives from all the panels.
Here's a quick look back at selected moments in medical device security history so you can prepare for the meeting of minds:
- 2006 talk at FDA on medical device security challenges [slides, paper]
- 2008 research showing security flaws and fixes in a pacemaker/ICD [paper, more]
- 2009 Medical device security Winter begins (Kevin has a baby)
- 2010 Medical device security Winter ends (baby goes to college)
- 2011 demonstration of security analysis of an insulin pump
- 2011 VA, MDISS, and GE present medical device security issues to NIST ISPAB
- 2011 written testimony on trustworthy medical device software for the U.S. Senate
- 2011 research paper on problems and approaches for insulin pump security
- 2011 research paper on improving security with a friendly RF shield
- 2011 raising security awareness for users of insulin pumps by insulin pump user
- 2012 NIST Information Security and Privacy Advisory Board letter to HHS Secretary Sebelius
- 2012 Institute of Medicine commissioned report on trustworthy medical device software
- 2012 NIST on economic incentives to improve medical device security
- 2012 ACM MedCOMM Workshop
- 2012 demo of pacemaker/defibrillator security analysis
- 2013 First graduate course on medical device security offered
- 2013 Archimedes Center for Medical Device Security launches annual workshop
- 2013 FDA publishes draft guidance on medical device security
- 2014 NIST ISPAB on emerging standards and guidance for medical device security
- 2014 Survey paper on IMD security at IEEE Symposium on Security and Privacy
This list is far from complete, so feel free to suggest other moments of medical device security history by posting a comment on this blog along with a link to primary sources of written reports, videos, etc. Keep the bulleted text to one line.
Several other research papers on medical device security can be found on the http://secure-medicine.org/publications archive. You can also find all the secure-medicine.org blog postings indexed at http://blog.secure-medicine.org/p/index.html.
Wednesday, August 20, 2014
$50,000 Internet Defense Prize awarded today at USENIX Security
Graduate Research
The reason I mention this award here is for the medical device community to think about effective strategies to encourage the security research community to engage in constructive problem solving to improve medical device security. I think the industry would see a shift in thinking if constructive problem solving were better rewarded.
Tuesday, August 19, 2014
NY Times implicates a nation state in compromise of data of 4.5 million patients
Photo from NY Times
http://bits.blogs.nytimes.com/2014/08/18/hack-of-community-health-systems-affects-4-5-million-patients/
Saturday, August 2, 2014
What's Bugging Cigital on Security Analysis of Medical Devices
Bug finding? (Image licensed with permission.)
Gary and Chandu talk about the typical architectural flaws they find in medical devices. Want some meaningful improvements in security architecture? Read on.
Monday, June 16, 2014
NIST ISPAB on Emerging Guidance and Standards Affecting Medical Device Security
Download the audio recording of the June 2014 NIST ISPAB panel on medical device security.
As a member of the NIST Information Security and Privacy Advisory Board (ISPAB), I regularly moderate panels on issues affecting medical device security. In June 2014, the ISPAB held a panel on emerging guidance and standards affecting medical device security. The panelists:
- Kevin Fu (moderator), Associate Professor, University of Michigan; Director, Archimedes Center for Medical Device Security
- Ken Hoyme, Distinguished Scientist, Adventium Labs
- Dale Nordenberg, M.D., Co-Founder, Executive Director, Medical Device Innovation, Safety & Security Consortium
- Bakul Patel, Policy Advisor, Office of Center Director, Center for Devices and Radiological Health, FDA
Wednesday, April 16, 2014
Not Again! When Anti-Virus Updates Go Awry, Microsoft Forefront and Hospitals?
Long-time readers will remember incidents such as the 2010 event when hospitals were stuck in an endless reboot cycle as a result of an automated update from McAfee gone awry. Also see the NPR report. At the time, a hospital in Rhode Island reportedly had to stop treating certain patients because of the computer malfunction, except for extreme cases like gunshot wounds.
On the heels of XP going out of support, it is happening again, now with Microsoft Forefront.
I am receiving reports from the hospital IT community that a problem in Microsoft Forefront is leading to downtime of computers. If a hospital uses an anti-virus product or if a medical device integrates an anti-virus product, a sad risk is that the anti-virus product itself might cause denial of service. It is more difficult to deliver patient care when the computers go down. It disturbs workflow too.
More technical details below.
- Windows XP Hangs After Latest Forefront Endpoint Protection Update
- Windows XP security fix hangs systems and leaves them partly unprotected
- SCEP 2012 4.3.215.0 with sigs 1.171.1.0 causes XP to hang until MsMpEng finally crashes
- WinXP and/or Win2003 with SC Forefront Endpoint Protection installed, MsMpEng.exe crashes after definition update
Programmers are human, so it's not surprising that these problems arise from time to time. But shouldn't devices be resilient to such problems that are certain to happen again? The design controls of a medical device should ensure the device remains safe and effective even if the anti-virus product malfunctions. This is a key reason why I believe in analog, non-software methods to detect malware on high-confidence systems such as medical devices. Less integrated software, less complexity, less risk. Independent failure modes!
Wednesday, February 26, 2014
A Gentle Reminder to Dan Haley of Athenahealth on FDA and Software Updates
I noticed an article in the Boston Globe about an attempt to remove safety checks on certain medical device software.
"The industry asserts that excessive regulation of software changes, for instance, could hinder the continuous software updates that are required to fix bugs."
I'd like to share with Mr. Haley my now classic one page guidance document on FDA and software updates.
"'That would essentially kill the way we do business and kill our ability to continually improve our product for doctors and patients,' said Haley of Athenahealth."
Shouldn't the dialog instead focus on finding methods to not kill patients with unsafe software, as recommended by the Institute of Medicine?
Sunday, February 23, 2014
An Apple (Security Flaw) a Day Keeps the Doctor Away?
Unless you're living under a rock, you've probably heard of the critical security flaw across various Apple computing products ranging from web browsers and mail programs to certain versions of MacOS and iPad/iPhone/iFoo products. Apple has started to release patches, but they are probably having a rough weekend in Cupertino. I am wondering if this flaw will change how hospital CIOs and CISOs think about BYOD in the operating rooms, clinical care, electronic health record management, etc.
Today at the HIMSS symposium on Medical Device Security Risks and Challenges, I had a conversation about physicians who demand BYOD products like iPads for delivery of patient care. There is nothing fundamentally wrong with considering the benefits of BYOD, but what is wrong is blind faith and overconfidence in the trustworthiness of software. This conversation is all in the context of the critical security flaw across several Apple products, which Apple is scrambling to patch. The flaw allows a network adversary to mount a "man in the middle" attack, effectively defeating the security normally provided by SSL (layperson speak: that little lock symbol in your web browser). You can go to GOTOFAIL.com with your web browsers to test this particular flaw. Some organizations are recommending that people not use Apple Mail or the Safari web browser on wireless networks until Apple releases a MacOS patch.
The consequences may range from invasion of privacy (network adversaries reading your sending and receiving of mail and web browsing) to security issues (capturing long-term secrets, authentication cookies, and passwords transmitted using an unpatched device). What might be most disturbing is how fragile our computing systems are. A single line of code appears to have led to this flaw that effectively turns secure SSL-protected communication into unprotected communication. Things to ponder:
- All software has security and privacy risk. Consider the consequences when the rug is pulled out from under your feet.
- Failures are rarely independent. A single flaw can affect multiple product lines, causing havoc with continuity plans.
- "reasonably secure" and "completely insecure" are indistinguishable at the surface. Manage the risk.
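How a single stray line can leave a signature check unreached, as a simplified C model of the duplicated `goto fail;` statement behind this flaw. This is an added example, not Apple's code: the function names and the toy digest are constructed for illustration, and the hardened version shows one fail-closed structure that makes the mistake harmless.

```c
#include <stdio.h>

/* Constructed stand-ins for the handshake steps (hypothetical names). */
unsigned toy_digest(const char *s) {         /* djb2, illustration only, not a real hash */
    unsigned h = 5381u;
    for (; *s; s++) h = h * 33u + (unsigned char)*s;
    return h;
}
static int hash_update(const char *params) { return params ? 0 : -1; }
static int hash_final(const char *params, unsigned *out) {
    *out = toy_digest(params);
    return 0;
}
static int raw_verify(unsigned digest, unsigned signature) {
    return digest == signature ? 0 : -1;     /* 0 means the signature matches */
}

/* Flawed shape: the second goto is not governed by the if, so it always runs. */
int verify_flawed(const char *params, unsigned signature) {
    int err;
    unsigned digest = 0;
    if ((err = hash_update(params)) != 0)
        goto fail;
        goto fail;                           /* taken with err == 0 */
    if ((err = hash_final(params, &digest)) != 0)
        goto fail;
    err = raw_verify(digest, signature);     /* never reached */
fail:
    return err;                              /* 0 is reported: "verified" */
}

/* Hardened shape: braces on every branch, and success is assigned only
   after the signature comparison itself has passed. */
int verify_fixed(const char *params, unsigned signature) {
    int result = -1;                         /* rejected unless proven valid */
    unsigned digest = 0;
    if (hash_update(params) != 0) { goto done; }
    if (hash_final(params, &digest) != 0) { goto done; }
    if (raw_verify(digest, signature) != 0) { goto done; }
    result = 0;
done:
    return result;
}

int main(void) {
    const char *params = "constructed-server-key-params";
    unsigned good = toy_digest(params);
    unsigned forged = good ^ 1u;             /* guaranteed mismatch */
    printf("flawed, forged signature: %d\n", verify_flawed(params, forged));
    printf("fixed,  forged signature: %d\n", verify_fixed(params, forged));
    printf("fixed,  good signature:   %d\n", verify_fixed(params, good));
    return 0;
}
```

Compilers that warn on misleading indentation or unreachable code flag the flawed function, which is one reason to treat those warnings as errors in security-critical builds.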
Friday, February 14, 2014
Embedded Software, Malware, and Medical Devices
I'd also like to take this opportunity to draw attention to a quote regarding the router's embedded firmware:
"Unfortunately, no update is available for E1000 models, since they are no longer supported."
Sound familiar? Oh yes, Microsoft is ending all support for Windows XP Professional on April 8th of this year (2014). No more patches, no more security updates. Hope there aren't too many XP-based medical devices out there.
Wednesday, February 12, 2014
Security and Privacy for Telehealth, Invoking the FTC
Joe Hall and Deven McGraw from the Center for Democracy and Technology have published a thought-provoking article, "For Telehealth To Succeed, Privacy And Security Risks Must Be Identified And Addressed" in the journal Health Affairs. They argue for the Federal Trade Commission to ensure health data privacy is protected on medical devices and apps. The authors have considerable experience and success in explaining such nuanced arguments to federal policy makers and legislators.
Friday, January 10, 2014
NPR on the Security and Privacy of Health-Related Devices
Weight, weight, don't hack me!
Startups Often Focus On Data Security Too Late, If At All
http://www.npr.org/2014/01/10/261271818/startups-often-focus-on-data-security-too-late-if-at-all