The Southern Fried Security Podcast
Join Andy Willingham, Martin Fisher,Steve Ragan, Yvette Johnson, and Joseph Sokoly as they discuss information security, news, and interview interesting people. Get in the discussion at www.southernfriedsecurity.com.

Categories

podcasts
general
microcasts

Archives

2019
January

2018
August
June
May
March
February
January

2017
October
September
August
June
May
April
March
February

2016
November
October
September
August
June
May
April
March
February
January

2015
November
October
September
August
July
June
May
April
March
February
January

2014
November
October
September
August
July
June
May
April
March
February

2013
December
November
October
September
July
June
May
April
March
February
January

2012
December
November
October
September
August
July
June
May
April
March
February
January

2011
December
November
October
September
August
July
June
May
April
March
February
January

2010
December
November
October
September
August
July
June
May
April
March
February
January

April 2024
S M T W T F S
     
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30

Syndication

Tue, 31 January 2017
Episode 189 - Medical Device Security

SFS Podcast Episode: 189

 

Medical Device Security

 

  1. Intro
    1. Hospital devices (infusion pumps, CT, MRI, etc)
    2. Personal devices (pacemaker, insulin pumps, etc)
  2. Medical Devices are a broad category
    1. Discussion of Sentinel Events...
  3. This has some of the same threat landscape as the IoVCT, but the consequences can be much more serious.
    1. Lead times for device approval
    2. Fixed configurations / FDA compliance
    3. Working life of devices
    4. “Well just replace them all!” Cost of devices (esp for small/struggling hospitals)
    5. Sheer number of devices can be overwhelming when looking to upgrade/replace
    6. Vendors that bring in things for a trial w/o involvement of IT/IS
  4. Challenges to Fixing The Problem:
    1. Vuln Disclosure  
      1. Muddy Waters / St Jude
        1. Problem there wasn’t disclosure it was the look of the profit motive
        2. August 25, 2016 > http://www.muddywatersresearch.com/research/stj/mw-is-short-stj/
        3. SJM sued in early September >> http://www.wsj.com/articles/st-jude-medical-sues-short-seller-over-device-allegations-1473258343
        4. http://www.marketwatch.com/story/short-seller-muddy-waters-renews-claims-of-st-jude-medical-cyber-vulnerabilities-2016-10-19
        5. Goes beyond Vulnerability Disclosure and Muddy Waters claims SJM is attacking their First Amendment - Right to Free Speech - rights >> https://www.bloomberg.com/news/articles/2016-10-24/muddy-waters-fights-st-jude-lawsuit-over-pacemaker-reports
        6. Muddy Waters report from Bishop Fox >> http://www.reuters.com/article/us-st-jude-medical-cyber-muddywaters-idUSKCN12O1O1
        1. http://www.csmonitor.com/World/Passcode/2016/0210/FDA-presses-medical-device-makers-to-OK-good-faith-hacking
      3. Bug Bounties
    3. FDA Task Force - http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm481968.htm
      1. I Am The Cavalry - https://iamthecavalry.org/oath
        1. HIMSS Cyber Security Community - http://www.himss.org/get-involved/community/cybersecurity
        2. Archimedes Center for Medical Device Security - https://secure-medicine.blogspot.com
        3. NH-ISAC - http://www.nhisac.org/
        4. MDISS - http://www.mdiss.org
      2. Other interest groups
    4. Other groups
  5. How Can it Get Better
    1. Sometime, somewhere, somehow something bad is going to happen and somebody is going to die.
    2. There will need to be more market pressure - http://thehill.com/blogs/congress-blog/technology/278712-a-new-narrative-on-cyber-security
    3. What will regulators do?  (eg DLink and the FTC)
  6. What’s the Future?
  7. Outro & Credits
Direct download: SFS_Podcast_-_Episode_189.mp3
Category:general -- posted at: 7:56pm EDT