Tag Archive for: medical

SPHINX Real-time Cyber Risk Assessment



The PATCH Act: Protecting Medical Devices from Cyber Attacks | Spilman Thomas & Battle, PLLC


INTRODUCTION
In a previous issue of Decoded, we discussed the alarming fact that many medical devices, including those implanted in patients’ bodies, ship from their manufacturers with known cybersecurity flaws. Because of those flaws, the devices can be hacked and patients’ personal/protected health information (“PHI”) stolen; or worse, the device itself can be held hostage in a ransomware attack. In the hope of preventing a medical disaster tied to unprotected devices, the House and the Senate are this year considering companion bills intended to significantly improve the security and safety of medical devices. Senate Bill 3983, the “Protecting and Transforming Cyber Health Care Act” or “PATCH Act,” and its House companion, the PATCH Act of 2022, H.R. 7084, are currently under consideration in their respective committees. The PATCH Act is a major step forward in securing networkable medical devices, but there are significant shortcomings in the way it addresses the ever-evolving threat of cybersecurity vulnerabilities in those devices.

A PROBLEMATIC DEFINITION OF “CYBER DEVICE”
At the outset, the PATCH Act must define which medical devices it intends to cover. Medical devices come in all shapes and sizes – from implanted devices such as a pacemaker or a child’s RFID tag, to robot-assisted surgical equipment such as the da Vinci system, to MRI and X-ray imaging machinery. All of these are known to be vulnerable to cyberattack, with a wide range of medical impacts and risks to health and safety. With the PATCH Act, Congress is trying to address the vulnerabilities of all of them under the single umbrella of “cyber devices.”

The PATCH Act defines a “cyber device” as “a device that (A) includes software; or (B) is intended to connect to the internet.” The definition illustrates the complexity of the issue, because it rests on amorphous terms. What constitutes “software” in this context? Does it mean specific computer programming, or does it also include passive RFID chip technology? Title 21 of the United States Code does not otherwise define “software” as a standalone term. Likewise, the phrase “intended…

Source…

Medical devices under hack threat | Information Age


Cybercriminals can control and disable devices anywhere in the world. Photo: Shutterstock

Businesses are already ducking and covering as the invasion of Ukraine drives a surge of cybercriminal attacks, but the publication of yet another set of severe security vulnerabilities has given malicious actors new ways to attack medical and other devices anywhere in the world.

The vulnerabilities – revealed and documented by security firm Forescout and collectively dubbed Access:7 – are found in PTC’s Axeda remote-access agent and its companion Axeda Desktop Server application.

Axeda is used by many Internet of Things (IoT) manufacturers to enable remote management of their devices – but its poorly designed authentication, including hardcoded credentials and unauthenticated services, means that attackers can easily access and control connected devices.

Six other vulnerabilities enable cybercriminals to access devices, reconfigure them, control them remotely, disconnect them, and more.

That’s a major problem for the healthcare environments that make up around 55 per cent of Axeda’s user base – where the software runs inside systems that deliver life-sustaining care, including imaging, laboratory, ventilation, infusion, implantable and surgical equipment.

Over 150 potentially affected devices from more than 100 vendors – among them Abbott, Acuo, Carestream, GE Healthcare, Varian and Bayer – have already been identified, and Axeda is also used in ATMs, industrial equipment and other settings.

PTC acquired Axeda in 2014 for about $170m, integrating the remote management tool into its broader ThingWorx IoT platform and then ending support for Axeda at the end of 2020.

The vulnerabilities were given CVSS scores as high as 9.8 out of 10, reflecting low attack complexity, and with so many installed devices still easily exploitable the US Cybersecurity & Infrastructure Security Agency (CISA) published an Industrial Control Systems (ICS) Advisory warning of them.

Affected devices should, CISA advised, be disconnected from the Internet, isolated from business networks, and updated to the latest software versions.

New fears in a climate of unrest

Coming on…

Source…

Unabomber Ted Kaczynski moved to medical center


The Unabomber has a new home.

Theodore “Ted” Kaczynski, 79, was transferred to the US Bureau of Prisons’ Federal Medical Center (FMC) Butner in eastern North Carolina on Dec. 14, bureau spokesperson Donald Murphy confirmed.

He had previously spent decades in a maximum-security federal prison after being convicted of killing three people in a series of 16 planned bombings targeting academics, airlines and others.

Murphy declined to give any information regarding Kaczynski’s condition or why he was moved.

Kaczynski pleaded guilty to setting 16 explosions that killed three people and injured 23 others in various parts of the country between 1978 and 1995. He was arrested at his remote cabin in western Montana in 1996, and is currently serving a life sentence with no chance of parole.

Unabomber Ted Kaczynski pleaded guilty to setting 16 explosions that killed three people and injured 23 others, and is serving a life sentence.

FMC Butner, located just northeast of Durham in Granville County, offers medical services for prisoners including oncology, surgery, neurodiagnostics and dialysis, according to the Bureau of Prisons. It opened an advanced care and hospice unit in 2010.

The facility, which currently houses 771 inmates, has held other notorious criminals, including would-be presidential assassin John Hinckley Jr. and Ponzi-scheme mastermind Bernie Madoff, who died there earlier this year.

Kaczynski, a Harvard graduate, sent his bombs to his victims by mail, including a package that exploded aboard an American Airlines flight and caused widespread alarm among airlines and mail carriers. In 1995, he threatened to blow up a plane departing from Los Angeles before July 4. The FBI dubbed him the Unabomber because his early targets appeared to be universities and airlines.

Officials won’t comment on Ted Kaczynski’s condition or why the Unabomber was transferred.

Kaczynski killed computer rental store owner Hugh Scrutton, advertising executive Thomas Mosser and timber industry lobbyist Gilbert Murray. California geneticist Charles Epstein and Yale University computer expert David Gelernter were maimed by bombs two days apart in June…

Source…