People throughout the globe have
health issues with various parts of their bodies and in differing degrees.
These may be acute or chronic, or life threatening. An issue that is present
involves cardiac problems. For persons with cardiac issues, a
defibrillator/pacemaker is vital and works best with the patient. There are a
number of manufacturers of this product, with each having several models. As the
patients require these to live, in case there were to be an issue, if an
attacker were to compromise a unit, the patients could be placed in mortal
peril. The unit being compromised may also allow for unauthorized access of
protected health information (PHI) (White, 2015). This could provide for a
HIPAA violation (Kohgadai, 2016). This issue could be a very costly learning
opportunity for the manufacturer. Medical records are prime targets for the
attackers. When there happens to be a compromise of this type, merely the fines
are massive. This does not however factor in the costs for forensic work to
review the incident.
With these devices, there has been
any issue with this being a known issue, yet net addressed by the manufacturer.
The data indicates the manufacturer are unprepared in the area. A survey
completed in 2017 from the Ponemon Institute on behalf of Synopsys indicated
only 17% of the manufacturers have worked towards appropriate cyber security
controls (Dellinger, 2017). This lack of focus is due to many issues, including
but not limited to the lack of adequately trained staff, senior management not
appreciating the short- and long-term financial and operational risks, issues
with testing and other significant issues.
History
Medical
connected devices have been present and in use for decades. Consumers have
presented the need for assistance with bodily functions. Although these were
designed with the best intentions and functionality in mind, there were still
issues with the equipment. From 1990-2000, the FDA issued recalls on 114,645
devices (Burns, Johnson, & Honeyman, 2016). As security has become more of
an issue, there have been more presentations and security-oriented
developments. On August 4, 2011 Jerome Radcliffe presented at Black Hat a
compromise for an insulin pump. As a diabetic, he was acutely aware of.
Radcliffe was able to reverse engineer the communication protocols. With this
protocol in hand, he was able to access the pump and control it (Burns,
Johnson, & Honeyman, 2016). On October 17, 2012, Barnaby Jack presented a
video at the Ruxcon Breakpoint Security Conference showing the method to direct
a pacemaker to deliver a shock using the serial and model number.
A recent example of the effect from
a lack of security was with Johnson & Johnson. In 3Q2016, Johnson &
Johnson informed 14k doctors and diabetic patients of three vulnerabilities in
their Animus insulin pumps. These and many more examples abound as security is
not applied to these.
In 2013, Barnaby Jack was supposed
to present a compromise on a pacemaker at a hacker conference in Las Vegas. He
passed on the evening prior.
Normal Process
As with piece of equipment there is
a standard process for the device to work. Millions of people depend on the
devices across the globe (Wadhwa, 2012). As this is the case, the tolerances
and parameters have to be narrowly construed. Most pacemakers have their data
retrieved and settings configured via a wand or other device being placed
proximate to the pacemaker. This may be relatively close or within a few feet
of the device. The apparatus retrieves the data and makes adjustments to the
sensors, thresholds, and rates (Lyle, 2015).
This remote access is significantly
beneficial. The patient can’t have a USB through their chest wall and skin.
This also allows for simple adjustments. This is a simple way to collect data
used by doctors and medical to aid the patients (Knapton, 2014). If there were
need to be adjustments to the equipment, this may be done over-the-air (OTA)
(Wadhwa, 2012).
Worst Case Scenario
Anytime there is a death or
disability, this is not the optimal situation and a shame. Many people have
pacemakers and defibrillators through society. These persons work as mechanics,
teachers, professors, CEOs, CFOs, diplomats, dignitaries, Presidential Cabinet
members, and nation leaders.
In a case shown in a recent
dramatized television program, a political figure has the pacemaker/defibrillator
implanted. The person is arriving for a meeting. Another group would prefer the
person with the implanted device not to be using oxygen anymore. If it were to
be possible to compromise the pacemaker, by extension it would be possible to
assist the person with their transition. Although this is a simple case and
application, this scenario could upgraded to a Secretary of State.
Regulation
“I have no
problem with science…I just wish that it would give the law time to catch up.”
~Law &
Order-Seed; 2/15/95, S5 E15
It is difficult at best to couple
InfoSec with the law. The wheels of justice and law move incredibly slow. Most
legislators have minimal ideas of what is going on with InfoSec other than the
sound bites and headlines. There also has tended to be a rather firm process in
place to enact legislation, which is exceptionally unfriendly to change.
In comparison, the InfoSec community
moves rather quickly. This seems to change daily. There, procedurally with the
process in place, is no way for the legal system to keep pace. This is
unfortunately the reality.
The FTC has attempted to start the
legal process. There were generic proposals in 2013 (Armstrong, Kleidermacher,
Klonoff, & Slepian, 2016). When a business engineers an IoT device, this
should implement a suitable level of security. Per this endeavor, the data
collected should be minimal, the data retained should be minimal, and other
measures. This is weak, but a start.
Applicable to Other Equipment
This issue is not limited to
pacemakers. This also is completely applicable to most other connected medical
device. The manufacturers need to understand not only the intended processes
with the equipment, but also the hazards and potential harm with a lack of
security being applied. The manufacturers need to define these risks with the
system and put controls in place (Wu & Eagles, 2016). This risk analysis should
complete a risk analysis based on the applicable standards.
As a secondary point, to mitigate
these issues the manufacture needs to review the controls related to the
technical side of the product. This team effort of review and implementation
would produce a document. This would involve applying the appropriate form and
level of governance (Williams & Woodward, 2015). To have the optimal
situation, this step would need to be proactive.
There are several real-world
examples of this. In 2016, Johnson & Johnson informed their clients of
vulnerabilities. A model of their insulin pumps exhibited a vulnerability which
would allow access to the insulin pump. In theory, an unauthorized party could
direct the insulin pump to input a fatal dose of insulin. The vulnerable model
was the Animas One Touch Ping. The distinct vulnerability was partially due to
the equipment being connected (Harper, 2017).
In 2015, there was an issue with the
Hospira Sybiq infusion pump. The vulnerability here also allowed an
unauthorized access. This however was through the hospital’s network (Harper,
2017). Lastly, in 2013, Barnaby Jack was to give a presentation on the
methodology to compromise a pacemaker at a security conference in Las Vegas.
The attack could take place up to 50 feet away. He passed on the night before
the presentation (Harper, 2017).
St. Jude Medical (SJM) Lawsuit
As a rule of thumb, a lawsuit is the
last stage of the confrontation. Once this is filed, the situation becomes
rather expansive in terms of finances, and funding. Most entities would have
worked with SJM (Dark Reading, 2016). In the past, however, SJM brushed off
attempts to fix the issues and patch management. MedSec elected to work with
Muddy Waters in disclosing the issues (Dark Reading, 2016). MedSec stated the
pacemaker and defibrillator could be compromised and manipulated (Pierson &
Finkle, 2016) via the equipment vulnerabilities (Osborne, 2016). MedSec also
stated that SJM should recall its pacemakers as these were vulnerable to attack
(Tucker, 2016). These vulnerabilities were relative to the pacemaker and
defibrillator were detailed in the report. (Nichols, 2010). These were rather
significant (News-checker, 2016).This would allow the pacemaker to malfunction
(Tucker, 2016).
SJM sued Muddy Waters Consulting
LLC, Muddy Waters Capital LLC, MedSec Holdings, Ltd., MedSec LLC, and the three
persons who were principals in the businesses (Business Wire, 2016; Dark
Reading, 2016; Tucker, 2016). The matter was filed in the USDC for the District
of Minnesota as the St. Jude Medical v. Muddy Waters, MedSec Holdings, et al.
with case number 16-cv-0302 (Pierson & Finkle, 2016). The full filing may
be viewed at https://regmedia.co.uk/2016/09/08/medsec_lawsuit.pdf.
The claimed cause of action was the
defendants defamed SJD with false information (Dark Reading, 2016) and intended
to be malicious (Pierson & Finkle, 2016). SJM stated these were false
warnings (Osborne, 2016). In particular, the cause of action were the false
statements, false advertising, conspiracy, and manipulation of the public
market (Business Wire, 2016; Tucker, 2016). In short, SJM sued MedSec, et al.
to correct the alleged false information that had been provided to the media
(Osborne, 2016).
As a result of the disclosures
and/or the lawsuit, the SJM shares decreased significantly (Dark Reading,
2016). The stock share price was lowered an estimated 10% during the day and
rebounded so the net effect was only an estimated decrease of 3% (Pierson &
Finkle, 2016). SJM claimed the attackers only did this to provide a profit to
the firm (Kan, 2016).
SJM had a rather distinct focus on
the MedSec and Muddy Waters groups. SJM claimed the research and investment
firms were false (Nichols, 2016), had applied flawed testing methods, used
outdated software, and simply did not understand the medical device technology
(Osborne, 2016; Kan, 2016). SJM stated
MedSec’s claims were made-up (Nichols, 2016). SJM went as far as to retain the
University of Michigan to attempt to replicate the study. The UM research team
arrived as a different result. The research team at UM stated MedSec’s research
was flawed and UM could find no evidence to support the claims (Tucker, 2016;
Newmarker, 2016).
MedSec’s defense was rather simple.
The disclosure was correct (Dark Reading, 2016) and the University of Michigan
research team was wrong. Arising from this set of issues was a class action
lawsuit against SJM (Daniels, 2016). The cause of action for the class action
lawsuit was a failure to adequately secure the equipment with the remote
tracking function (Daniels, 2016).
Insecurity
No product is 100% perfect. A
dedicated set of engineers collaborating with the InfoSec staff have the
opportunity to create a product that has the appropriate safety and security
features built in. There are other instances however when this is not the case
and the security is not appropriately applied. This is especially an issue when
the device is attached to a person via being implanted (Wadhwa, 2012) and a
connected device, as the results from an attack may be deadly (Knapton, 2014).
These connected devices have been
known to be insecure by the industry and manufacturers. The manufacturers have
not overall been working diligently to secure these. A few distinct
manufacturers also have declared their devices are perfectly safe to the
public. The primary attack point has been the wireless communication. This acts
to regulate the devices assisting the human heart to function properly
(Knapton, 2014). This is an area of vulnerability to be exploited. The
manufacturers simply have not been prepared (Wadhwa, 2012) and security not
integrated (Zorz, 2016).
The lack of security has even
gathered the attention of the U.S. Department of Homeland Security (DHS). In
2014 the DHS began to investigate more than 20 medical devices (Knapton, 2014).
In 2013, the DHS Industrial Control Systems Cyber Emergency Response Team
(OCS-CERT) noted approximately 300 devices manufactured by 40 companies
(Knapton, 2014). The examples for the
vulnerabilities abound. Each manufacturer and product line has the
potential for vulnerabilities. These have exhibited insecure architecture,
hard-coded passwords that were not able to be changed, and other insecure
protocols. As for the passwords, this would allow an unauthorized third party
to access the machine (Knapton, 2014).
MedSec
In
pacemakers alone, there has been noted more than 8,000 vulnerabilities in the
program code (Vaas, 2017). This sample was from four manufacturers. This number
does not represent a majority of the manufacturers present in the market.
This
also applies to the MedSec issues. The vulnerabilities were blatantly present,
yet not acted on by SJM. The security was so poor that the FDA threatened legal
action against SJM if these vulnerabilities were not addressed. This was
significant to the extent the FDA and DHS both issued a notice or warning letter
of these insecurities (Uchill, 2017). SJM, on the same day as the notice, noted
these were “extremely low cyber-security risks” (Vaas, 2017). MedSec did push
the patches for this set of issues (Carlson, 2017).
There
were a number of vulnerabilities with the pacemaker product. These included:
·
A lack of strong authentication (Daniels, 2016).
·
Commands may be issued from a distance.
·
SJM included a code which could be used for the
purpose of over-riding. This was a fixed 3byte code.
·
The communications channel between the endpoints
(pacemaker and the Merlin@home base unit) was weak (Vaas, 2017; Brenner, 2017;
Daniels, 2016).
·
A 3-byte back door was left open.
·
Poor level of encryption.
·
The anti-debugging tools were weak.
In Closing…
Medical
devices are pertinent to our lives and will continue to grow in usage and
visibility. These should not be treated as just another piece of equipment, but
as a device that has to be secured. Without this security, adequately and
appropriately in place, the potential for compromises will be there, waiting to
be implemented.
References and
Resources
Ahmadi, M.
(2017). FDA and medical industry fear ware of medical-device hacks. Retrieved
from http://www.informationsecuritybuzz.com/expert-comments/fda-medical-industry-fear-wave-medical-device-hacks/
Armstrong, D.G.,
Kleidermacher, D.N., Klonoff, D.C., & Slepian, M.J. (2015). Cybersecurity
regulation of wisdom devices for performance and assurance in the age of
“medjacking”. Journal of Diabetes Science and Technology, 10(2),
435-438. doi:10.1177/1932296815602100
BBC. (2016).
Medical device cyber-safety rules issued by US watchdog. Retrieved from http://www.bbc.com/news/technology-38458864
Bethell, M.
(2016, October 19). Cyber hackers threatens security of lifesaving medical
devices. Retrieved from http://www.dailytech.com/Cyber+Hack+Threaten+Security+of+Lifesaving+Medical+Devices+/article37716.htm
Brenner, B.
(2017, January 23). St. Jude case highlights ongoing divide over ‘responsible
bugs disclosure’. Retrieved from https://nakedsecurity.sophos.com/2017/01/23/st-jude-case-highlights-ongoing-divide-over-responsible-bugs-disclosure
Burns, A.J.,
Johnson, M.E., & Honeyman, P. (2016). A brief chronology of medical device
security. Communications of the ACM, 59(10), 66-72. doi:10.1145/2890488.
Retrieved from http://cacm.acm.org/magazine/2016/10/207766-a-brief-chronology-of-medical-device-security/fulltext
Business Wire.
(2016, September 7). St. jude medical brings legal action against muddy waters
and medsec. Retrieved from http://www.nasdaq.com/press-release/st-jude-medical-brings-legal-action-against-muddy-waters-and-medsec-20160907/00282
Business Wire.
(2017, January 9). St. jude medical announces cybersecurity updates. Retrieved
from http://www.businesswire.com/news/home/20170109005921/en/st.-jude-medical-announces-cybersecurity-updates
Carlson, J.
(2017, January 10). FDA says st. jude heart devices vulnerable to hacking.
Retrieved from http://www.startribune.com/fda-says-st-jude-heart-devices-vulnerable-to-hacking/410153595/
Castellucci, M.
(2016, October 18). St. jude medical steps up cybersecurity measures after
questions about device safety. Retrieved from http://www.modernhealthcare.com/article/20161018/NEWS/161019901
CBS News. (2017,
January 10). U.S. warns of security flaw that could allow hackers control of
heart devices. Retrieved from http://www.cbsnews.com/news/cybersecurity-flaw-that-could-allow-hackers-control-of-heart-devices-united-states-warns/
Center for
Devices and Radiological Health. (2002, January 11). General principles of
software validation; Final guidance for industry and FDA staff. Retrieved from http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM085281.html
Centerwatch.
(2016, Septembe 12). St. jude medical sues muddy waters and medsec. Retrieved
from https://www.centerwatch.com/news-online/2016/09/21/st-jude-medical-sues-muddy-waters-medsec/
Cherry, S. (2013,
April 30). Hacking pacemakers. Retrieved from http://spectrum.ieee.org/podcast/biomedical/devices/hacking-pacemakers
Claburn, T.
(2008, March 12). Three medical schools demonstrate the wireless dangers that
can disturb an implantable cardioverter defibrillator like the medtronic maximo
DR. Retrieved from http://www.informationweek.com/pacemakers-vulnerable-to-hacking/d/d-id/1065618
Cloud Security
Alliance. (2016, October 6). HIPAA violations examples and cases-Eight
cautionary tales. Retrieved from https://blog.cloudsecurityalliance.org/2016/10/06/hipaa-vioations-examples-cases-eight-cautionary-tales/
Cluley, G. (2016,
December 1). Under attack: How hackers could remotely target your pacemaker.
Retrieved from https://www.tripwire.com/state-of-security/featured/under-atack-how-hackers-could-remotely-target-your-pacemaker/#
Cluley, G. (2017,
January 10). Security scare over hackable heart implants. Retrieved from http://www.welivesecurity.com/2017/01/10/security-scare-hackable-heart-implants/
Daniels, M.
(2016, August 29). St. jude heart devices have security weaknesses, suit says.
Retrieved form http://www.law360.com/articles/833622/st-jude-heart-devices-have-security-weakness-suit-says
Dark Reading
Staff. (2016, September 7). Medical device vulnerability-Disclosure flap
intensifies. Retrieved from http://www.darkreading.com/vulnerabilities-threats/st-jude-sues-muddy-waters-medec/d/d-id/1326837
Data Breach
Today. (2016, January 18). FDA issues more medical device security guidance. Retrieved
from http://www.databreachtoday.com/fda-issues-more-medical-device-security-guidance-a-8805
Dellinger, A.J.
(2017, May 30). Medical device makers expect attacks within the next year, but
aren’t prepared. Retrieved from http://newsweek.com/medical-device-safety-can-they-be-hacked-companies-manufacturers-concerned-617507
Densford, F.
(2017, January 9). St. jude releases FDA-cleared merlin@home cybersecurity
update. Retrieved from http://www.massdevice.com/st-jude-releases-fda-cleared-merlinhome-cybersecurity-update/
FDA. (2016).
Cybersecurity. Retrieved from http://www.fda.gov/MedicalDevices/DigitalHealth/UCM373213.htm
Finkle, J. (2017,
January 9). St. jude heart devices get cyber security updates after probe into
hack vulnerability. Retrieved from http://www.huffingtonpost.com/entry/st-jude-heart-devices-get-cyber-security-updates-after-probe-into-hack-vulnerability_us_5873d482e4b099cdb0fea482
Halperin, D., Heydt-Benjamin, T.S.,
Ransford, B., Clark, S.S., Defend, B., Morgan, W., Fu, K., Kohno, T., &
Maisel, W. (2008). Pacemakers and implantable cardiac defibrillators: Software
radio attacks and zero-power defenses. 2008 IEEE Symposium on Security and
Privacy, 1-14. Retrieved from http://www.secure-medicin.org/public/publications/icd-study.pdf
Harper, C. (2017,
April 10). FDA, industry fear wave of medical-device hacks. Retrieved from http://thehill.com/policy/healthcare/328120-fda-industry-fear-wave-of-medical-device-hacks
Hatmaker, T.
(2016, December 28). FDA issues new security guidelines so that your pacemaker
won’t get hacked. Retrieved from https://techcrunch.com/2016/12/28/fda-issues-new-security-guidance-so-that-your-pacemaker-wont-get-hacked/
Help Net
Security. (2016, October 19). Securing medical devices: Cybersecurity spending
to triple by 2021. Retrieved from https://www.helpnetsecurity.com/2016/10/19/securing-medical-devices/
HIMSS. (2013).
Medical device security. Retrieved from http://www.himss.org/medical-device-security
Ismail, N. (2017,
April 3). IoT to improve the programming of implantable devices. Retrieved from
http://www.information-age.com/iot-impreve-programming-implantable-devices-123465487/
Ismail, N. (2017,
April 11). Medical devices at severe risk of hack attacks. Retrieved from http://www.information-age.com/medical-devices-severe-risk-hack-attacks-123465684
Kan, M. (2016,
August 29). Medical device security disclosure ignites an ethics firestorm.
Retrieved from http://www.computerworld.com/article/3113385/security/medical-device-security-ignites-an-ethics-firestorm.html
Khandelwal, S.
(2017, June 5). Over 8,600 vulnerabilities found in pacemakers. Retrieved from http://thehackernews.com/2017/06/pacemaker-vulnerability.html
Knapton, S.
(2014, November 6). Terrorists could hack pacemakers like in homeland, say
security experts. Retrieved from http://www.telegraph.co.uk/news/science/science-news/11212777/Terrorists-could-hack-pacemakers-like-in-homeland-say-security-experts.html
Kohgadai, A.
(2016, October 6). HIPAA violations examples and case-Eight cautionary tales.
Retrieved from https://blog.cloudsecurityalliance.org/2016/10/06/hipaa-violations-examples-cases-eight-cautionary-tales/
Jones, D., &
Rushing, S. (2016). HIPAA compliance-not just an issue for healthcare
providers. Retrieved form http://www.jdsupra.com/legalnews/hipaa-compliance-not-just-an-issue-for-31185/
Lemos, R. (2017,
May 18). Embedded windows medical ‘devices’ infected by wannacry ransomware.
Retrieved from http://www.eweek.com/security/embedded-windows-medical-devices-infected-by-wannacry-ransomware
Lyle, D.P. (2015,
January 14). Hacking pacemakers for murder no longer the perfect crime.
Retrieved from https://writersforensicsblog.wordpress.com/2015/01/14/hacking-pacemaker-for-murder-no-longer-the-perfect-crime/
Marin, E.,
Singelee, D., Garcia, F.D., Chothia, T., Willems, R., & Preneel, B. (2016).
On the (in)security of the latest generations implantable cardiac
defibrillators and how to secure them. ACSAC. doi:http://dx.doi.org/10.1145/2991079.2991094
McGee, M.K.
(2016). FDA issues more medical device security guidance. Retrieved from http://www.databreachtoday.com/fda-issues-more-medical-device-security-guidance-a-8805
Moon, M. (2016,
December 28). FDA issues final guidance on medical devices’ cybersecurity.
Retrieved from https://www.engadget.com/2016/12/28/fda-medical-devices-cyber-security-final-guidance/
Muddy Waters
Capital LLC. (2016, August 25). Muddy waters research. Retrieved from http://d.muddywatersresearch.com/wp-content/uploads/2016/08/MW_STJP_08252016_2.pdf
Newmarker, C.
(2016, September 7). St. jude sues over cybersecurity accusations. Retrieved
from http://www.qmed.com/mpmn/medtechpulse/st-jude-sues-over-cybersecurity-accusations
Nichols, S.
(2016, September 7). St. jude sues short-selling MedSec over pacemaker hack
report. Retrieved from http://www.theregister.co.uk/2016/09/07/st_jude_sues_over_hacking-claim/
Osborne, C.
(2016, September, 8). MedSec sued over st. jude pacemaker vulnerability report.
Retrieved from http://www.zdnet.com/article/medsec-sued-over-st-jude-pacemaker-vulnerability-report
Pierson, R.,
& Finkle, J. (2016, September 7). St. jude sues short-seller over heart
device allegations. Retrieved from http://whtc.com/news/articles/2016/sep/07/st-jude-sues-muddy-waters-medsec-over-heart-device-allegations/
Regmedia. (2016,
September 8). St. Jude Medical, Inc. vs. Muddy Waters Consulting, et al.
Retrieved from https://regmedia.co.uk/2016/09/08/medsec_lawsuit.pdf
Sayer, P. (2016,
December 1). Implantable medical devices can be hacked to harm patients.
Retrieved from http://www.computerworld.com/article/3146215/security/implantable-medical-devices-can-be-hacked-to-harm-patients.html
Snell, E. (n.d.).
How ransomware affects hospital data security. Retrieved from http://healthitsecurity.com/features/how-ransomware-affects-hospital-data-security/
Slabodkin, G.
(2017, February 22). Ransomware emerging as medical devices cybersecurity
threat. Retrieved from https://www.information-management.com/news/
Sorrel, C. (2008,
March 12). Scientists demonstrate deadly wifi pacemaker hack. Retrieved from https://www.wired.com/2008/03/scientists-demo/
Spring, T. (2016,
October 24). St. jude faces new claim heart implants are hackable. Retrieved
from https://threatpost.com/st-jude-faces-new-claim-heart-implants-are-hackable/121504/
Stanford, J.
(2017, June 12). Hacking a heart pacemaker isn’t science fiction. See what
experts are doing to prevent it. Retrieved from http://www.azcentral.com/story/news/local/phoenix/2017/06/12/hacking-pacemaker-isn’t-science-fiction-movie-plotlline-but-reality/378176001
Storm, D. (2015,
September 8). Researchers hack a pacemaker, kill a man (nequin). Retrieved from
http://www.computerworld.com/article/2981527/cybercrime-hacking/researchers-hack-a-pacemaker-kill-a-man-nequin.html
St. Jude Medical.
(2016, September 7). St. jude medical brings legal action against muddy waters
and medsec. Retrieved from http://media.sjm.com/newsroom/news-releases/news-releases-details/2016/St-Jude-Medical-Brings-Legal-Action-Against-Muddy-Waters-and-MedSec/default.aspx
Sullivan, C.
(2016, October 6). How to mitigate data breaches in health IT. Retrieved from http://www.information-management.com/news/security/how-to-mitigate-data-breaches-in-health-it-100299441.html
Sun, L.H., &
Dennis, B. (2013, June 13). FDA, facing cybersecurity threats, tightens
medical-device standards. The Washington Post.
Thompson, J.
(2016, October 27). It is shocking! Even heart devices can be hacked. Retrieved
from http://www.newseveryday.com/articles/50840/20161027/it-is-shocking-even-heart-devices-can-be-hacked.htm
Tucker, A. (2016,
September 7). St. jude medical filed a lawsuit against MedSec and muddy waters.
Retrieved from http://www.legalreader.com/st-jude-medical-files-lawsuit-against-medsec-and-muddy-waters/
Uchill, J. (2017,
April 13). FDA threatens action against medical device-maker over poor
cybersecurity. Retrieved from http://thehill.com/policy/cybersecurity/328752-fda-threatens-st-jude-medical-device-over-poor-cybersecurity
U.S. Department
of Health and Human Services. (2002, January 11). General principles of
software validation; Final guidance for industry and FDA staff. Retrieved from http://www.fda.gov/MedialDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm085281.html
Vaas, L. (2017,
January 12). Pacemakers patched against potentially life threatening hacks.
Retrieved from https://nakedsecurity.sophos.com/017/01/12/pacemakers-patched-against-potentially-lifethreatening-hacks/
Vaas, L. (2016,
May 30). Security of medical devices ‘is a life or death issue’, warns
researcher. Retrieved from https://naked
security.sophos.com/2017/05/30/security-of-medical-devices-is-a-life-or-death-issue-warns-researcher/
Wadhwa, T. (2012,
December 6). Yes, you can hack a pacemaker (and other medical devices too).
Retrieved from http://www.forbes.com/sites/singularity/2012/12/06/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too/#52bd766613e0
White, J. (2015,
October 5). Why medical device security should be top priority. Retrieved from http://www.healthcarebusinesstech.com/medical-device-security/
Williams, P.A.,
& Woodward, A.J. (2015). Cybersecurity vulnerabilities in medical devices:
A complex environment and multi-faceted problem. Medical Devices: Evidence
and Research, 8, 305-316. doi:10.2147:MDER.S50048
Wolf, D.,
Chernuch, M.S., Diamond, J. (writers), & Scardino, D. (producer). (1995).
Law & order-Seed. (S5 E15). Law & Order. Atlanta, GA: TNT.
Wu, F., &
Eagles, S. (2016). Cybersecurity for medical device manufacturers: Ensuing
safety and functionality. Biomedical Instrumentation & Technology, 50(1),
23-34.
Zorz, Z. (2016,
December 1). Insecure pacemakers can be easily hacked. Retrieved from https://www.helpnetsecurity.com/2016/12/01/insecure-pacemakers-easily-hacked/
Zorz, Z. (2017, January
12). FDA urges patients to implement patch to secure their cardiac implants.
FDA urges patients to implement patch to secure their cardiac implants.
Retrieved from https://www.helpnetsecurity.com/2017/01/12/secure-cardiac-implants/
No comments:
Post a Comment