The Noggin Tales: Flaws of EEG →

News, via Sean Gallagher - writing at Ars Technica, details at least five critical flaws in a multi-vender software package shipped under the moniker 'Natus Xltek NeuroWorks 8'. Give’s one pause, before hooking up to the machines at your local body shop, eh?

"While attacking an EEG system won't necessarily harm a patient directly, the vulnerabilities described by Talos could be used to create a persistent presence on hospital networks for a number of malicious purposes, or to execute code that could install malware if the Internet is reachable from the system." via Sean Gallagher writing at Ars Technica

BGU Security Researchers Urge Physicians to Patch Their Systems →

February 14, 2018 by Marc Handelman in Medical Device Security, Medicine, Healthcare Infrastrucutre, Hardware Security

via Zaid Shoorbajee - reporting for Cyberscoop, comes a story of security entropy, this time in medical imaging device system patching and an esteemed University's research targeting those systems. In this case, a research paper from Israel's Ben-Gurion University of the Negev Malware-Lab yielded good (but not-necessarily-acted-upon-advice) to Medical Professionals: Patch Your Flawed Imaging Systems...

'“In cases where even a small delay can be fatal, or where a dangerous tumor is removed or erroneously added to an image, a cyberattack can be fatal,” said Tom Mahler, an author on the paper. “However, strict regulations make it difficult to conduct basic updates on medical PCs, and merely installing anti-virus protection is insufficient for preventing cyber-attacks.” ' - Zaid Shoorbajee - reporting for Cyberscoop

USENIX Enigma 2017, Tamara Bonaci's "Brains Can Be Hacked. Why Should You Care?" →

September 26, 2017 by Marc Handelman in Conferences, Education, Information Security, Medicine, Medical Device Security

Low Skill Attack, The Siemens Method →

August 09, 2017 by Marc Handelman in Blatant Stupidity, Information Security, Medical Device Security, Low Skill Attacks, No Skill Attacks

Apparently, systemic - and therefore - fundamental - security incompetence 'reigns' supreme' at Siemens... Witness the reported 'low skill' (aka 'no skill') vectored attacks targeting the company's Computed Tomography (CT) and Positron Emission Tomography (PET) Medical Scanners. Shameful.

Joy of Tech's Revenge of the Medical Machines →

May 17, 2017 by Marc Handelman in Medical Device Security, Joy of Tech®

via the awesome grey matter of Nitrozac and Snaggy at The Joy of Tech®!

NCCOE Heralds Release of NIST SP 1800-8 Securing Wireless Infusion Pumps

May 09, 2017 by Marc Handelman in All is Information, Control Systems, Defensive Infosec, Demise of Privacy, Hardware Security, Health Care Security, Health, Information Security, Medical Device Security, NIST NCCoE, NIST

The National Institute of Standards and Technology (NIST) National Center for Cybersecurity Excellence (NCCOE) has released it's latest draft medical device related security document, entitled 'NIST Special Publication 1800-8 Cybersecurity Special Publication 1800-8 Securing Wireless Infusion Pumps - In Healthcare Delivery Organizations'. Authored by Gavin O'Brien, Sallie Edwards, Kevin Littlefield, Neil McNab, Sue Wang and Kangmin Zheng - the document is available as either a PDF or web-based artifact. Enjoy.

"Medical devices, such as infusion pumps, were once standalone instruments that interacted only with the patient or medical provider. With technological improvements designed to enhance patient care, these devices now connect wirelessly to a variety of systems, networks, and other tools within a healthcare delivery organization (HDO) – ultimately contributing to the Internet of Medical Things (IoMT)." - via the National Center for Cybersecurity Excellence (NCCOE)

Credit: Johnson & Johnson

Johnson & Johnson, The Warning

October 05, 2016 by Marc Handelman in Accountability, All is Information, Information Security, Medical Device Security

Jim Finkle, writing at Reuters, shares a warning - via Johnson & Johnson (NasdaqGS: JNJ) - of an insulin pump security flaw that permits exploitation thereof. Kudos are in order for the diligent efforts brought to bear on this flaw by the researcher - Jay Radcliffe, of Rapid7 (see the 2016/09/28 notification at the Rapid7 Community blog). Outstanding work.

" Using industry standard encryption with a unique key pair would mitigate these issues. Affected users can avoid these issues entirely by disabling the radio (RF) functionality of the device. On the OneTouch Ping Insulin Pump, this is done through the Setup -> Advanced -> Meter/10 screen, and selecting "RF = OFF". In addition, the vendor has provided other mitigations for these issues, described on their website and in letters being sent to all patients using the pump and health care professionals. Patients should consult with their own endocrinologist about any aspect of their ongoing medical care.' via Rapid7

Brainjacking, The Study →

August 30, 2016 by Marc Handelman in Medical Device Security, Physical Security, Operating Systems

Luckily, we all know he has nothing to fear...