High level overview of current security issues in medical device security, what is being hacked by security researchers, who are the major security players, hacking predictions, FUD vs. Reality.

1. Medical Device Security: State of The Art Shawn Merdinger Network Security Analyst University of Florida & Shands Hospital Academic Health Center NoConName, Barcelona 16 September, 2011

2. Thoughts so far…. I’m very excited to speak at NoConName again Did VoIP phone security talk in 2006 A big thank you to Nico Cons take a lot of work and organization Done out of PASSION and not for $$$$ Important work that builds global connections, research opportunities and friendships

3. Obligatory Speaker Slide Doing security for 10 years Started at Cisco, did internal product hacking Also worked at TippingPoint, and a few other places… Did some private consulting Now: work and school in academic health center University of Florida Hospital, medical school, dentistry, pharmacy, nursing, etc. Network operations, some research on medical devices Getting 2nd master’s degree in Public Health Conference talks and travel when I can 

4. Talk Overview What are medical devices How bad are the risks Who is doing research How you can get involved Trends and predictions Resources

5. Talk Goals You will have…. A better idea of medical device security risks Real world versus FUD and media hype Learned about current research Players, trends Gained insight for your own research, career Ideas / targets for vuln research, conference talks Learned useful medical device security resources Industry knowledge, Keep up to date, follow changes

6. What is a Medical Device? Some are obvious Implants, Infusion Pump, Radiation Many grey areas EMR (electronic medical record) Software Apps (iPad, etc.)

7. SCADA for the Human Body Parallels with SCADA security challenges Specialized devices Built on top of COTS (i.e. Windows, SQL, Java, etc.) Long operational timelines No downtime, critical operations Not designed to be patched Vendor maintained “Black Box” “Lost decade” Missed the opportunity to secure DigitalBondblog post

8. Modern Wired Hospital Room

9. Medical Networks are Complicated

10. Implants are very complicated Dick Cheney’s new heart No heartbeat Whirrrrr noise “System Controller”

11. Home Medical Devices(hrm….what could go wrong?)

12. Home Medical Devices Blood pressure monitor Pulse Oxemiter Glucose monitor

13. Home Medical Monitoring Remote Connected Audio / Video

14. Security Risks to Medical Devices Software Quality Many software recalls already! Vendors not ensuring product security Always an afterthought “Bolt security on, not bake it in” Complexity Hard enough just to make devices “work” Now we must “secure” it? Integration into IT infrastructure = more attack surface Interference in wireless frequencies among devices

15. Security Risks Now part of integrated information systems Electronic Medical Record, data collectors Lack of FDA and FCC regulation and oversight Increasing, especially medical apps FDA Proposal July, 2011 Who owns (pays) for the problem (and fix)? Vendor, integrator, consultant, doctor, patient

16. It will get worse before it gets better But how do we really know how bad? Formal reporting incidents complex and tedious Lots of anecdotal reports Is it a software flaw? A bug? An attack? Identification of actual hacking is a huge challenge Few formal processes today Expect lots and lots of 

17. It will get worse before it gets better Cyber STUXNET-like attack targeting medical devices Nation-state / terrorism / secondary attack Competitors hacking each other’s devices Evil blackhats, hacktivists, disgruntled employees Possible, but doubtful. FUD alert!!!

18. So how bad is the risk? It depends…. 1st biggest risk today is poor software design Errors, crashes, bad user interfaces 2nd biggest risk is “collateral damage” COTS software Pwnd by virus, trojans, bots Complexity of environment 3rd biggest risk is disgruntled, evil or stupid employees Other risks Competitors, industrial sabotage Terrorism, nation-state, “Cyber” Growing “hacker” and security researcher interest Sexy topic, esoteric new gear, very personal, hot area

19. Real world threat: Power Outage San Diego Blackout (Arizona + Mexico) 1 person made a mistake 300km away sub-station Yuma, AZ

20. Real world threat: Imposter Florida hospital Obtained legitimate I.D. Pwnd How? Wanted more access Activity raised questions Weird statements Strange background Impersonated COP Difficult situation Underage, Juvenile Background check Wanna be? Frank Abagnale

21. Real world threat: Evil Employee Ghostexodus… Security guard “Hacked” hospital HVAC Posted on forums Youtubed his “hack” Pwned by Wesley McGrew 

22. Poor Software: Therac-25 First major failed medical device (1980s) Radiation treatment -- linear accelerator Software bug Race condition Result in too much radiation (125 x normal dose)

23. Poor software: 2011 McAfee “glitch”

24. Secure from What? How do you define “secure” Proving a negative = impossible How do you prove “secure” Cannot prove that a device is secure Can only prove resistance to tested attacks VS.

25. MedDev Security is Hot! Pacemakers in 2008 BlackHat and DEFCON Public exposure US Congress involved meh.

26. MedDev Security is Not New “Best Practices” Documents Several Working Groups, Consortiums Good info, but no power or stick to drive change “Work together with vendors…blah, blah” HIMSS medical device security workgroup in 2004 University HealthSystem Consortium Medical Device Security effort in 2005 Formal FDA Statements FDA guidance for COTS software published in 2005 Addresses patching for vulnerabilities

27. FDA Regulation Oversight for Software

28. FDA MAUDE Database

29. Got Buffer Overflow?

30. Current research Academics Security Researchers & “Boutique Security” Corporate Intel McAffee Symantec

31. Academic Researchers Dr. Kevin Fu, University Massachusetts Heart pacemaker (2008) Dr. Tadayoshi Kohno, University Washington Heart pacemaker (2008) Dr. Mark Gasson, University Reading Infected RFID tag in hand Dr. Nathanael Paul, Oak Ridge National Lab Insulin pump (2010) Steve Hanna, UC Berkeley Automated External Defibrillators BobakMortazavi, UC Los Angeles Pulse Oximeter

32. Security Researchers People to watch in the near future….

33. Security Research Predictions What will we see in the next 2 years? More of what security researchers can get… Personal medical devices (hacking their own) Low-end medical equipment (Ebay) Pharmacy dispenser cabinets (device aftermarket) Home medical equipment (grandmother’s box) Other medical equipment (defibrillator)

34. Hacker Access to Medical Devices Access to MedDev Documentation Hackers love documentation MedDev vendors have tight document control Very difficult to find and download Restricted information, Non-disclosure agreement Access to Devices Difficult to acquire in many cases US Federal Law restricts sale of some devices US aftermarket is a very grey area

35. Ebay & Medical Devices Medical pharmacy cabinets, patient monitoring, diagnostics systems, data storage, COW (Computer on Wheels), etc. Ebay search results: medical ethernet

36. Security Research Predictions Apps, Apps, Apps 17,000 medical apps Many types Personal health monitoring Specialty (PACS Dicom, Electronic Medical Record) Connected to medical devices (diabetic insulin pumps) Month of Medical App Bugs? Need this for Med Apps -> DerbyCon (30 Sept., 2011)

37. Trends to Watch Expect big industry and gov’t fight What is a medical device? Who has regulatory control? Lobby money, politics, etc. Who owns the problem? Who is legally liable? US Supreme Court “Medtronic ruling” impact? Limits vendor liability if FDA approved device Lots and lots more FUD Fear, Uncertainty, Doubt Media sensationalism

38. Trends to Watch:Stifled Security Research Researchers are reluctant to name vendors Why? Fear of getting sued by companies Research scares powerful people Media coverage adds to fear Academics want research funding Jerome Radcliff = Public fighting with Medtronic Stay tuned to this…. “Cone of Silence”

39. Careers and Job Outlook Expect growth and demand for security pros Will accelerate in next 1-3 years Industry is building a new ecosystem Vendors, device manufacturers, consultants, hospital IT Hot security areas Healthcare IT Security Hospitals, vendors, consulting Medical mobile apps security analysis Expect a certification process from FDA Big security firms (McAfee, Symantec, etc.) Boutique firms (Fishnet)

40. Want to hack? Target Mobile Medical Apps. Why? Cheap, accessible platform Ties into other medical devices = broad attack surface Research, attack tools and docs available Security evaluation of multipleapps Development set-up for iPhone / Android Look at marketplace, target popular apps When hacking, look for Personal information disclosure Read, write, modify, destroy data Crash + execute + exploit Send your bugs to CERT/CC and FDA and FCC Write whitepapers, talk at security conferences

41. Resources USENIX HealthSec Conference http://www.usenix.org/event/healthsec11 http://www.usenix.org/event/healthsec10 Draft Guidance - Mobile Medical Applications (July, 2011) http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM263366.pdf IEC 80001‐1: Application of Risk Management for IT‐Networks Incorporating Medical Devices http://www.iso.org/iso/catalogue_detail.htm?csnumber=44863 Getting Started with IEC 80001: Essential Information for Healthcare Providers Managing Medical IT‐Networks http://www.aami.org/publications/Books/80001‐GS.html HITSP – Health Information Technology Standards http://www.hitsp.org

42. Resources Medical Device Security Center www.secure-medicine.org Medical Device Isolation Architecture Guide, Department of Veterans Affairs http://www.himss.org/Content/files/VA_VLAN_Guide_040430.pdf FDA: Cybersecurity for Medical Devices is a Shared Responsibility http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm189111.htm FDA Medical Device related databases http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/Databases/default.htm

43. Resources HIMSS Manufacturer Disclosure Statement for Medical Device Security – MDS2 (2004) MDISS - Medical device Innovation, Safety and Security Consortium www.mdiss.org North Carolina Healthcare Information & Communications Alliance Vendor Security Matrix (2003) Killed by Code: Software Transparency in Implantable Medical Devices http://www.softwarefreedom.org/resources/2010/transparent-medical-devices.html Therac-25 http://www.bowdoin.edu/~allen/courses/cs260/readings/therac.pdf http://sunnyday.mit.edu/papers/therac.pdf http://www.ircrisk.com/blognet/?tag=/cancer

44. Thanks! MedSec group on LinkedIn – please join  Twitter: @shawnmer shawnmer@ufl.edu shawnmer@gmail.com