Hey, IoT vendors. When a paediatric nurse tells you to fix security, you definitely screwed up

An always-connected CGM would be very useful (just saying). That’s why security is a 24/7, 365-day thing.

Having a device transmit every 5min. (for example) sounds a bit like ‘security through obscurity’.

Absolutely agree IoT security is crap.

0
3
Silver badge

"Having a device transmit every 5min. (for example) sounds a bit like ‘security through obscurity’."

I think she's suggesting that many devices only need to connect once in a while, eg once per day, to send some data as well as having some proper security. If a device doesn't have a need for 24/7 connectivity, you are reducing the attack surface. Does an insulin pump or a heart pacemaker really need 24/7 connectivity? Or can they just report in every day while having enough smarts to connect if there are anomalies?

19
0
Silver badge

"Does an insulin pump or a heart pacemaker really need 24/7 connectivity?"
We've discussed my St Jude cardiac implant before when it was deemed insecure. While it's capable of transmitting 24/7, it can only be reprogrammed when a large magnet is placed over it. This happens at three-monthly intervals and the window of opportunity for putative hackers is less than half an hour. During that period, Miriam, the technologist I see, is monitoring the device and likely to notice anything unusual.

3
0

"While it's capable of transmitting 24/7, it can only be reprogrammed when a large magnet is placed over it. This happens at three-monthly intervals and the window of opportunity for putative hackers is less than half an hour."

And there is also the non-trivial fact that the cardiac implant is not a long range receiver so the would-be hacker should be very near to you or use a considerable amount of power.

0
0
Anonymous Coward

But then comes the big problem: the bill.

Who's going to PAY for this security overhaul when hospitals have tight budgets to work with (such that things don't get upgraded unless they BREAK, justifying emergency expenses)? Meanwhile, hospital staff have other things to worry about: like actually saving lives. Unless they can DIRECTLY attribute a security breach to deaths, their priorities won't change because their liability won't change.

4
2
Silver badge

Re: But then comes the big problem: the bill.

Other way round, please. Who's going to PAY for fixes when hospitals suffer attacks?

12
0
Silver badge

Re: But then comes the big problem: the bill.

Simple. It'll probably cost less to deal with the fallout than to actually do things right.

8
4
Silver badge

Re: But then comes the big problem: the bill.

She did say, as written in the article, that security should be built in from the ground up so the price of that security would be included in the purchase price.

Though it is unlikely that any security will be perfect for the life of a piece of kit so a firm protocol for security updating should also be built in.

13
0
Silver badge

***Alarm! Alarm!*** Sequencing Error...

Unfortunately, the fallout comes AFTER people fail to "do things right", not BEFORE.

One sometimes comes across a sporty car upside down in a field with smoke coming out of it. Presumably they were driven by optimists who were quite sure of their ability to get around a given corner without slowing down beyond 65 mph.

One is tempted to think, "Well that'll teach him". But of course it won't, because he is dead and no longer capable of learning. And all the other optimists will be quite sure that he just wasn't as skilful as they are.

8
0
Silver badge

Re: But then comes the big problem: the bill.

"It'll probably cost less to deal with the fallout than to actually do things right."

Pay and cost, at least monetary cost, are two different things. It may cost the vendor money to do things right but if they don't you may pay - with your life.

Of course, there's always the other aspect of it: if the market is properly regulated you, as a vendor, don't get to sell your product if you're not doing things right so you don't get any money at all. And as it's the same for your competitors you're not at a disadvantage by doing things right. The only way to disadvantage yourself would be not to spend the money in the first place.

5
0
Silver badge

Re: But then comes the big problem: the bill.

But regulation introduces externalities. It can now cost less to bribe (or otherwise influence) the regulators to look the other way. If they're stubborn or have an Untouchable streak, go OVER them. And when you have that situation, nice guys finish last because by the time the fallout hits, the cumulative price disadvantage becomes too great for the nice guys to keep going.

0
1
Gold badge
Unhappy

"It can now cost less to bribe (or otherwise influence) the regulators to look the other way."

You wouldn't be an American, by any chance?

That would be the American model of health "care."

0
0

From the article it looks like she's been a security professional for the past three years - how long until the headline is no longer "paediatric nurse" but her actual current occupation?

6
2

And why does her view need validating against restaurateur Bruce Schneier's opinions?

1
5
Silver badge

"From the article it looks like she's been a security professional for the past three years"

Given that IoT vendors seem to place children in charge of security maybe a paediatric nurse has exactly the qualifications for dealing with them.

10
0
Silver badge

Are we sneering at pediatric nurses? If we are doing that, then why?

2
0
Silver badge
Terminator

IoT vendors bad for health care?

'For one thing there is no medical need for such devices to be connected to the net 24/7'

So, don't connect the medical devices to the Internet. For each hospital create a VPN network, each node running on embedded hardware and connect your devices through this network. I can hear the response, what about the latest innovation, the answer being: TCP/IP hasn't changed since 1983.

"IoT vendors have a reputation for being slow to both acknowledge and remediate security problems."

Well then, the obvious solution is to ban IoT devices from hospitals :)

ref: Consequences of bad security in health care

2
1
Silver badge

Re: IoT vendors bad for health care?

" the obvious solution is to ban IoT devices from hospitals :)"
After receiving my cardiac implant, I was given a portable EKG that reported my heart status to the nurse workstation via WiFi. Being ambulatory, it meant when I awoke in the night I could go take a piss. The old way I would have been wired to a device and need to ask for a bottle to piss in. I have never during previous hospitalisations been given a bottle in less than 20-30 minutes. Until I was recently prescribed Duodart, I had 10 minutes or less after awaking to get to a toilet to relieve my bladder. Frankly, I don't think changing bedclothes in the middle of the night is a good use of nurses' time.

FWIW the portable EKG was a bit of an antique; the workstation was running XP. Yes, things need to change, but not by reverting to how things were done in the distant past.

7
0

Re: IoT vendors bad for health care?

FWIW, this is a perfect example of doing the right thing the wrong way, and why Milosevic's take is where we need to be going with this.

6
0

Re: IoT vendors bad for health care?

"Not connected to the Internet" but connected to a VPN means two things:

1. there's only one more layer of security to get through to attack such devices

2. there's likely zero security on the device itself because the VPN is seen as sufficient

and for a bonus

3. you can scratch the first two letters of IoT

I would tend to believe a former healthcare professional who speaks in the context of cybersecurity when she says that these devices don't need to be connected.

8
0
Silver badge
Terminator

Re: IoT vendors bad for health care?

"After receiving my cardiac implant, I was given a portable EKG that reported my heart status to the nurse workstation via WiFi."

As long as someone couldn't remotely reset your heart when the license expires, a WiFi connection that reports your heart status is acceptable. (Clippy: it looks like you're having a heart attack.)

@cream wobbly: "there's likely zero security on the device itself because the VPN is seen as sufficient"

The device wouldn't use generic WiFi, but a highly customized version where each workstation/device pair uses a unique encryption key, the software running on embedded read-only hardware, rendering them immune to standard hacking techniques.

1
1
Silver badge
Terminator

Re: IoT vendors bad for health care?

"there's only one more layer of security to get through to attack such devices"

Don't use the same hardware running on top of the same software in all the hospitals on the planet. As in nature you end up with a monoculture. And yes it is technically possible to provide the same functionality using a mix of different hardware/software. This only became a problem when we were stuck with the current duopoly.

0
1
Silver badge

Re: IoT vendors bad for health care?

"Don't use the same hardware running on top of the same software in all the hospitals on the planet. As in nature you end up with a monoculture. And yes it is technically possible to provide the same functionality using a mix of different hardware/software. This only became a problem when we were stuck with the current duopoly."

But now you've raised the maintenance costs since now you have to cater to multiple different configurations, which means (1) budget strains and (2) more openings for Murphy. IOW, diversification just ran smack into KISS.

0
0
Silver badge

Re: IoT vendors bad for health care?

"The device wouldn't use generic WiFi, but a highly customized version where each workstation/device pair uses a unique encryption key, the software running on embedded read/only hardware, rendering them immune to standard hacking techniques."

Then what happens WHEN (not IF) an exploit is found on that immutable hardware that enables stealing the keys or even bypassing the system altogether? Since you have immutable hardware, you can't just upload new code (if you can, the update mechanism itself can be exploited); now you gotta roll out new hardware at additional cost: another strain on the budgets.

0
0
Silver badge

Re: IoT vendors bad for health care?

"As long as someone couldn't remotely reset your heart when the license expires,a WiFi connection that reports your heart status is acceptable."
The earlier reported vuln means a miscreant can reset the device. However, it requires the device to be set into receive mode by placing a powerful magnet very close (in contact with the skin). It also requires a dedicated machine to do the controlling and that has to be no further than 3 metres away. It resembles a conventional laptop except it doesn't have a keyboard or mouse. The software is dedicated, not generic and runs on Linux. You would also need considerable training to use it. The technician I see told me it took 12 months to train her assistant who was already trained in more general medicinal care.

0
0

This post has been deleted by its author

IoT - Talk about 'The blind leading the blind'....

From the related Reg IoT Mattel story / Bloomberg link:

Mattel: "But a lot of it, is new territory. “Honestly speaking, we just don’t know,” Fujioka says. “If we’re successful, kids will form some emotional ties to this. Hopefully, it will be the right types of emotional ties.”...

3
0
Silver badge

Re: IoT - Talk about 'The blind leading the blind'....

It turns out that the blind actually CAN lead the blind, if the smell of money is strong enough to guide them.

3
0
Silver badge
Thumb Up

Re: IoT - Talk about 'The blind leading the blind'....

"It turns out that the blind actually CAN lead the blind, if the smell of money is strong enough to guide them."

QOTW right there!

1
0

I wonder a little if the generic IoT label is a good idea here.

Some sort of IP connection should be reliable tech, and save a lot of trouble. Being able to connect to a remote device for making reports is an advantage. But an Internet of Medical Devices is not the same as an Internet of Lightbulbs.

And that is why I think it matters that the lady has had a long nursing career. Useful security depends on knowing the business you're securing, and too often the whole internet is plagued by the bright ideas of geeks who don't know the business they're having ideas about.

7
0
Silver badge
Pint

"an Internet of Medical Devices is not the same as an Internet of Lightbulbs."
Precisely. You're obviously not a ding-dong...

0
0
Silver badge

I think we all know WannaCry had nothing to do with IoT (or XP), and more to do with inertia on the part of various people responsible for keeping MS OSs up to date.

1
0

Happened to me in the last month

Well, I recently made an appointment with a local hospital clinic. 2 days later I received an invoice, so not being that gullible I contacted the hospital and reported it. 1 week later my appointment was re-arranged and, you guessed it, another invoice, which I also reported. 1 week later I got a thank-you call from the hospital IT; they had found and deleted the virus.

Imagine this was a nasty virus in some sort of cardiac machine that was needlessly connected 24/7, that wasn't used for a few days, and then... Most machines would only need to connect to the network at certain times, i.e. when actually in use, or to download/upload results.

1
0
Anonymous Coward

Re: Happened to me in the last month

The trouble with your proposed scenario is that a cardiac monitor actually IS one type of device that WOULD need a 24/7 connection, for the simple reason that it has to operate on a panic trigger. If things hit the fan, time is of the essence, and if you DO suffer a heart attack, you're probably not going to be in any condition to trigger any kind of panic button. Same would be true of any other kind of emergency monitor because they'd essentially ALWAYS be in use.

0
0
Silver badge

Re: Happened to me in the last month

"The trouble with your proposed scenario is that a cardiac monitor actually IS one type of device that WOULD need a 24/7 connection, for the simple reason that it has to operate on a panic trigger."
You're obviously not familiar with the devices. The transmitter that sends info from the device to the cardiology team via the telephone lines sits on the head of my bed. It has a range of ~ 3 metres. The messages the receiving system sends to the cardiologist are SMS and/or emails.

Built into the device is a defibrillator that resets the heart if it goes into fibrillation. No need for any other defibrillator + person trained in defib use required.

0
0
