Monday, December 22, 2014

I hope I never need a wireless infusion pump...

I'm serious about that.  In what has to be one of the dumbest things I've read this month (and yes, that does include NYT reporting on the Sony hack), NIST published their recommendations for security surrounding wireless infusion pumps. More accurately, it was the NCCOE (National CyberSecurity Center of Excellence).  After reading the document, if this is the best the US government can do, I want a tax refund (or at least an itemized receipt for this "work").  Seriously. This document is embarrassing.

This introduces a very real concern for patients, as the minimum standard being established is broken right out of the box.  With organizations only doing the bare minimum required to meet compliance, this introduces a risk to not only the organization, but the patient as well.  The stakes in this case are truly life and death.

The good:
NIST actually cares enough to think about security of wireless medical devices. This is a long time coming.  The security of medical devices is abhorrent and must improve.

The bad: 
Suggestions for "break glass" bypass of access control methods in case of emergency.  I do a lot of health care work, so I understand where this is coming from.  But anyone with 10 minutes of security experience knows that any "break glass" emergency bypass can and will be used in an unauthorized manner.  In security, we normally call these sorts of things backdoors.

*There's more bad here than I have time to write about.  Read the document for yourself and see if you can pick out other blatant violations of security best practices.

The ugly:
Wired Equivalent Privacy (WEP) is listed as a security mechanism for Protected Health Information (PHI), Electronic Health Information (EHR) data, and device logs in three (yes, three) different locations in the document.  Come on, man.  I don't care how good the rest of the document is (and it isn't that good). When you recommend WEP, a hopelessly broken security standard in 2014, I can't take any of your recommendations seriously.


Contributor List:
When you contribute to a document, you put your name on the recommendations.  I can only hope that these people step forward to explain how WEP ended up in the document.  It's purely inexcusable. An infusion pump that is network accessible but not secure can injure or kill the patient. We're not talking about a credit card number that you can have reissued. This is high stakes.

Core Authors:

Gavin O’Brien, National Cybersecurity Center of Excellence, National Institute of Standards and Technology
Gopal Khanna, Technological Leadership Institute, University of Minnesota

Contributors:
Alan Abramson, Health Partners
Raymond Gensinger, Fairview Health Systems
Matt Kleghorn, TLI
Steven Meisel, Fairview Health Systems
Dan Mooradian, TLI
Kelly Nelson, Health IT Professional
Nancy Nielson, Hospira
Dale Nordenberg, Medical Device Innovation Safety and Security (MDISS)
Eric Ohlson, Intuitive Tech
CB Payne, Intuitive Tech
James Ryan, Minnesota Innovation Lab
Andrew Sargent, Phillips
Axel Wirth, Symantec
Aaron Wompach, Health Partners
Linda Zdon, Allina

This publication, in its current form, has the potential to harm hundreds of thousands of patients.  We need to strive to ‘first do no harm’ and consider what protection of the patient actually means.  Suggesting known broken and exploitable solutions really does harm those whose very livelihood and health rely on the use of such devices. 

Every person and organization on this list owes you, the American taxpayer, an explanation of how they screwed their recommendations up so badly.  If you are still using WEP in your environment, please contact me offline - we can help you work with your vendor to implement secure solutions.  We also have stopgap measures that can help provide detection for some attacks in a WEP environment, but bottom line: WEP isn't safe.

Jake Williams
Rendition Infosec

This was originally posted on Jake's personal blog.
