*Or, maybe you'd prefer to have some lulz-happy hacker killing you.
Via SANS
*****************************************************************************
TOP OF THE NEWS
–US FDA Issues Cybersecurity Recommendations for Electronic Medical Devices
(June 13, 2013)
The US Food and Drug Administration (FDA) has issued cybersecurity
recommendations for medical devices. The FDA is urging manufacturers of
these products to incorporate measures to protect them from malware and
attacks, suggesting that the agency might not approve devices that
haven't taken cybersecurity into consideration. The FDA's
recommendations follow news of security issues in certain fetal monitors
and software used in body fluid analysis. The agency also recommended
that health care providers improve their cybersecurity practices, as it
has noted instances in which passwords were widely distributed or even
disabled on software that is supposed to have limited access. There are
also reports that health care providers have not applied security
updates "in a timely manner." There is no evidence that medical devices
are being targeted, and there have been no reports of patients injured
or killed as a result of cybersecurity issues.
http://www.computerworld.com/s/article/9240040/FDA_calls_on_medical_device_makers_to_focus_on_cybersecurity?taxonomyId=17
FDA's Cybersecurity for Medical Devices and Hospital Networks
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm
[Editor's Note (Pescatore): This document reinforces a 2005 (8 years
ago!) guidance memo from FDA saying "Note: The FDA typically does not
need to review or approve medical device software changes made solely
to strengthen cybersecurity." Many medical device manufacturers have
been falsely claiming that they couldn't patch vulnerable software
because they would need to go back through device recertification - not
true! Never been true! The rest of the guidance basically reinforces
many of the Critical Security Controls.
(Murray): Medical devices have been targeted by so-called "researchers"
who have been rewarded with sensational news coverage. The coverage has
encouraged and enabled mischief.
(McBride): The broad, potentially toothless, medical device cyber
security guidance is only in draft.]
(((But wait! There's worse!)))
–ICS-CERT Warns Health Care Providers of Hard-Coded Passwords in Medical Devices
(June 13 & 14, 2013)
The US Department of Homeland Security (DHS) has issued an alert to
hospitals and other health care facilities, warning that many of the
electronic medical devices they use may contain security flaws. The
alert comes from DHS's Industrial Control System Cyber Emergency
Response Team (ICS-CERT). It says that many devices were manufactured
with hard-coded passwords, which attackers could exploit to change the
devices' settings or install malicious firmware. The alert recommends
that the health care facilities isolate the affected devices from the
Internet and their LANs.
http://arstechnica.com/security/2013/06/vast-array-of-medical-devices-vulnerable-to-serious-hacks-feds-warn/
http://www.theregister.co.uk/2013/06/14/medical_device_security_warning/
http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01
[Editor's Note (Pescatore): As we see the "Internet of Things" coming,
I hope the next generation of device designers will look at building in
hard-coded passwords the way today's designers would look at building
asbestos or mercury into their products.]