Wednesday, February 26, 2014

A Gentle Reminder to Dan Haley of Athenahealth on FDA and Software Updates

I noticed an article in the Boston Globe about an attempt to remove safety checks on certain medical device software.

"The industry asserts that excessive regulation of software changes, for instance, could hinder the continuous software updates that are required to fix bugs."

I'd like to share with Mr. Haley my now classic one page guidance document on FDA and software updates.

"'That would essentially kill the way we do business and kill our ability to continually improve our product for doctors and patients,' said Haley of Athenahealth."

Shouldn't the dialog instead focus finding methods to not kill patients with unsafe software as recommended by the Institute of Medicine?

Sunday, February 23, 2014

An Apple (Security Flaw) a Day Keeps the Doctor Away?

Unless you're living under a rock, you've probably heard of the critical security flaw across various Apple computing products ranging from web browsers and mail programs to certain versions of MacOS and iPad/iPhone/iFoo products. Apple has started to release patches, but they probably have a rough weekend in Cupertino. I am wondering if this flaw will change how hospital CIOs and CISOs think about BYOD in the operating rooms, clinical care, electronic health record management, etc.

Today at the HIMSS symposium on Medical Device Security Risks and Challenges, I had a conversation about physicians who demand BYOD products like iPads for delivery of patient care. Nothing fundamentally wrong with considering the benefits of BYOD, but what is wrong is blind faith and overconfidence in the trustworthiness of software. This conversation is all in the context of the critical security flaw across several Apple products, and for which Apple is scrambling to patch. The flaw allows a network adversary to mount a "man in the middle" attack, effectively defeating the security normally provided by SSL (layperson speak: that little lock symbol in your web browser). You can go to with your web browsers to test this particular flaw. Some organizations are recommending that people not use Apple Mail or the Safari web browser on wireless networks until Apple releases a MacOS patch.

The consequences may range from invasion of privacy (network adversaries reading your sending and receiving of mail and web browsing) to security issues (capturing long-term secrets, authentication cookies, and passwords transmitted using an unpatched device). What might be most disturbing is how fragile our computing systems are. A single line of code appears to have led to this flaw that effectively turns secure SSL-protected communication into unprotected communication. Things to ponder:

  • All software has security and privacy risk. Consider the consequences when the rug is pulled out from under your feet.
  • Failures are rarely independent. A single flaw can affect multiple product lines, causing havoc with continuity plans.
  • "reasonably secure" and "completely insecure" are indistinguishable at the surface. Manage the risk.

Friday, February 14, 2014

Embedded Software, Malware, and Medical Devices

I've occasionally heard from the lips of well meaning but uninformed persons that a medical device is secure because it uses embedded software. I'd like to introduce you to self-replicating malware for embedded firmware in routers.

I'd also like to take this opportunity to draw attention to a quote regarding the router's embedded firmware:
Unfortunately, no update is available for E1000 models, since they are no longer supported.
Sound familiar? Oh yes, Microsoft is ending all support for Windows XP Professional on April 8th of this year (2014).  No more patches, no more security updates.  Hope there aren't too many XP-based medical devices out there.

Wednesday, February 12, 2014

Security and Privacy for Telehealth, Invoking the FTC

Joe Hall and Deven McGraw from the Center for Democracy and Technology have published a thought provoking article, "For Telehealth To Succeed, Privacy And Security Risks Must Be Identified And Addressed" in the journal of Health Affairs.  They argue for the Federal Trade Commission to ensure health data privacy is protected on medical devices and apps.  The authors have considerable experience and success in explaining such nuanced arguments with federal policy makers and legislators.