"Researchers at the University of Washington have developed a cellphone app, called Second Chance, that uses sonar to monitor someone’s breathing rate and sense when an opioid overdose has occurred." - via Sarah McQuate, writing at the University of Washington's UW News
News, via Sean Gallagher writing at Ars Technica, details at least five critical flaws in a multi-vendor software package shipped under the moniker 'Natus Xltek NeuroWorks 8'. Gives one pause before hooking up to the machines at your local body shop, eh?
"While attacking an EEG system won't necessarily harm a patient directly, the vulnerabilities described by Talos could be used to create a persistent presence on hospital networks for a number of malicious purposes, or to execute code that could install malware if the Internet is reachable from the system." via Sean Gallagher writing at Ars Technica
Via Zaid Shoorbajee, reporting for Cyberscoop, comes a story of security entropy, this time in medical imaging device system patching and an esteemed University's research targeting those systems. In this case, a research paper from Israel's Ben-Gurion University of the Negev Malware-Lab yielded good (but not-necessarily-acted-upon) advice to medical professionals: Patch Your Flawed Imaging Systems...
“In cases where even a small delay can be fatal, or where a dangerous tumor is removed or erroneously added to an image, a cyberattack can be fatal,” said Tom Mahler, an author on the paper. “However, strict regulations make it difficult to conduct basic updates on medical PCs, and merely installing anti-virus protection is insufficient for preventing cyber-attacks.” - Zaid Shoorbajee - reporting for Cyberscoop
The National Institute of Standards and Technology (NIST) National Center for Cybersecurity Excellence (NCCOE) has released its latest draft medical-device-related security document, entitled 'NIST Special Publication 1800-8 Cybersecurity Special Publication 1800-8 Securing Wireless Infusion Pumps - In Healthcare Delivery Organizations'. Authored by Gavin O'Brien, Sallie Edwards, Kevin Littlefield, Neil McNab, Sue Wang and Kangmin Zheng, the document is available as either a PDF or web-based artifact. Enjoy.
"Medical devices, such as infusion pumps, were once standalone instruments that interacted only with the patient or medical provider. With technological improvements designed to enhance patient care, these devices now connect wirelessly to a variety of systems, networks, and other tools within a healthcare delivery organization (HDO) – ultimately contributing to the Internet of Medical Things (IoMT)." - via the National Center for Cybersecurity Excellence (NCCOE)
Jim Finkle, writing at Reuters, shares a warning - via Johnson & Johnson (NasdaqGS: JNJ) - of an insulin pump security flaw that permits exploitation thereof. Kudos are in order for the diligent efforts brought to bear on this flaw by the researcher - Jay Radcliffe, of Rapid7 (see the 2016/09/28 notification at the Rapid7 Community blog). Outstanding work.
"Using industry standard encryption with a unique key pair would mitigate these issues. Affected users can avoid these issues entirely by disabling the radio (RF) functionality of the device. On the OneTouch Ping Insulin Pump, this is done through the Setup -> Advanced -> Meter/10 screen, and selecting "RF = OFF". In addition, the vendor has provided other mitigations for these issues, described on their website and in letters being sent to all patients using the pump and health care professionals. Patients should consult with their own endocrinologist about any aspect of their ongoing medical care." via Rapid7