Hey, IoT vendors. When a paediatric nurse tells you to fix security, you definitely screwed up

A children's nurse told delegates at the Virus Bulletin conference in Madrid on Thursday to get a grip on Internet of Things security. Jelena Milosevic, who developed an interest in cybersecurity over the last three years, told attendees that the healthcare sector needs to work with infosec experts and manufacturers to sort …

  1. Anonymous Coward
    Anonymous Coward

    An always connected CGM would be very useful (just saying). That’s why security is a 24/7 365 day thing.

    Having a device transmit every 5min. (for example) sounds a bit like ‘security through obscurity’.

    Absolutely agree IoT security is crap.

    1. John Brown (no body) Silver badge

      "Having a device transmit every 5min. (for example) sounds a bit like ‘security through obscurity’."

      I think she's suggesting that many devices only need to connect once in a while, e.g. once per day, to send some data as well as having some proper security. If a device doesn't have a need for 24/7 connectivity, you are reducing the attack surface. Does an insulin pump or a heart pacemaker really need 24/7 connectivity? Or can they just report in every day while having enough smarts to connect if there are anomalies?

      1. Pompous Git Silver badge

        "Does an insulin pump or a heart pacemaker really need 24/7 connectivity?"
        We've discussed my St Jude cardiac implant before when it was deemed insecure. While it's capable of transmitting 24/7, it can only be reprogrammed when a large magnet is placed over it. This happens at three-monthly intervals and the window of opportunity for putative hackers is less than half an hour. During that period, Miriam, the technologist I see, is monitoring the device and likely to notice anything unusual.

        1. Eltonga

          "While it's capable of transmitting 24/7, it can only be reprogrammed when a large magnet is placed over it. This happens at three-monthly intervals and the window of opportunity for putative hackers is less than half an hour."

          And there is also the non-trivial fact that the cardiac implant is not a long range receiver so the would-be hacker should be very near to you or use a considerable amount of power.

  2. Anonymous Coward
    Anonymous Coward

    But then comes the big problem: the bill.

    Who's going to PAY for this security overhaul when hospitals have tight budgets to work with (such that things don't get upgraded unless they BREAK; justifying emergency expenses)? Meanwhile, hospital staff have other things to worry about: like actually saving lives. Unless they can DIRECTLY attribute a security breach to deaths, their priorities won't change because their liability won't change.

    1. Inventor of the Marmite Laser Silver badge

      Re: But then comes the big problem: the bill.

      Other way round, please. Who's going to PAY for fixes when hospitals suffer attacks?

      1. Charles 9

        Re: But then comes the big problem: the bill.

        Simple. It'll probably cost less to deal with the fallout than to actually do things right.

        1. Anonymous Coward
          Anonymous Coward

          ***Alarm! Alarm!*** Sequencing Error...

          Unfortunately, the fallout comes AFTER people fail to "do things right", not BEFORE.

          One sometimes comes across a sporty car upside down in a field with smoke coming out of it. Presumably they were driven by optimists who were quite sure of their ability to get around a given corner without slowing down beyond 65 mph.

          One is tempted to think, "Well that'll teach him". But of course it won't, because he is dead and no longer capable of learning. And all the other optimists will be quite sure that he just wasn't as skilful as they are.

        2. Doctor Syntax Silver badge

          Re: But then comes the big problem: the bill.

          "It'll probably cost less to deal with the fallout than to actually do things right."

          Pay and cost, at least monetary cost, are two different things. It may cost the vendor money to do things right but if they don't you may pay - with your life.

          Of course, there's always the other aspect of it: if the market is properly regulated you, as a vendor, don't get to sell your product if you're not doing things right so you don't get any money at all. And as it's the same for your competitors you're not at a disadvantage by doing things right. The only way to disadvantage yourself would be not to spend the money in the first place.

          1. Charles 9

            Re: But then comes the big problem: the bill.

            But regulation introduces externalities. It can now cost less to bribe (or otherwise influence) the regulators to look the other way. If they're stubborn or have an Untouchable streak, go OVER them. And when you have that situation, nice guys finish last because by the time the fallout hits, the cumulative price disadvantage becomes too great for the nice guys to keep going.

            1. John Smith 19 Gold badge
              Unhappy

              "It can now cost less to bribe (or otherwise influence) the regulators to look the other way."

              You wouldn't be an American, by any chance?

              That would be the American model of health "care."

    2. Chris G

      Re: But then comes the big problem: the bill.

      She did say, as written in the article, that security should be built in from the ground up so the price of that security would be included in the purchase price.

      Though it is unlikely that any security will be perfect for the life of a piece of kit so a firm protocol for security updating should also be built in.

  3. Scoured Frisbee

    From the article it looks like she's been a security professional for the past three years - how long until the headline is no longer "paediatric nurse" but her actual current occupation?

    1. cream wobbly

      And why does her view need validating against restaurateur Bruce Schneier's opinions?

    2. Doctor Syntax Silver badge

      "From the article it looks like she's been a security professional for the past three years"

      Given that IoT vendors seem to place children in charge of security maybe a paediatric nurse has exactly the qualifications for dealing with them.

      1. Robert Carnegie Silver badge

        Are we sneering at pediatric nurses? If we are doing that, then why?

  4. Anonymous Coward
    Terminator

    IoT vendors bad for health care?

    'For one thing there is no medical need for such devices to be connected to the net 24/7'

    So, don't connect the medical devices to the Internet. For each hospital create a VPN network, each node running on embedded hardware and connect your devices through this network. I can hear the response, what about the latest innovation, the answer being: TCP/IP hasn't changed since 1983.

    "IoT vendors have a reputation for being slow to both acknowledge and remediate security problems."

    Well then, the obvious solution is to ban IoT devices from hospitals :)

    ref: Consequences of bad security in health care

    1. Pompous Git Silver badge

      Re: IoT vendors bad for health care?

      " the obvious solution is to ban IoT devices from hospitals :)"
      After receiving my cardiac implant, I was given a portable EKG that reported my heart status to the nurse workstation via WiFi. Being ambulatory, it meant when I awoke in the night I could go take a piss. The old way I would have been wired to a device and need to ask for a bottle to piss in. I have never during previous hospitalisations been given a bottle in less than 20-30 minutes. Until I was recently prescribed Duodart, I had 10 minutes or less after awaking to get to a toilet to relieve my bladder. Frankly, I don't think changing bedclothes in the middle of the night is a good use of nurses' time.

      FWIW the portable EKG was a bit of an antique; the workstation was running XP. Yes, things need to change, but not by reverting to how things were done in the distant past.

      1. cream wobbly

        Re: IoT vendors bad for health care?

        FWIW, this is a perfect example of doing the right thing the wrong way, and why Milosevic's take is where we need to be going with this.

      2. Anonymous Coward
        Terminator

        Re: IoT vendors bad for health care?

        "After receiving my cardiac implant, I was given a portable EKG that reported my heart status to the nurse workstation via WiFi."

        As long as someone couldn't remotely reset your heart when the license expires, a WiFi connection that reports your heart status is acceptable. (clippy: it looks like you're having a heart attack)

        @cream wobbly: "there's likely zero security on the device itself because the VPN is seen as sufficient"

        The device wouldn't use generic WiFi, but a highly customized version where each workstation/device pair uses a unique encryption key, the software running on embedded read/only hardware, rendering them immune to standard hacking techniques.

        1. Charles 9

          Re: IoT vendors bad for health care?

          "The device wouldn't use generic WiFi, but a highly customized version where each workstation/device pair uses a unique encryption key, the software running on embedded read/only hardware, rendering them immune to standard hacking techniques."

          Then what happens WHEN (not IF) an exploit is found on that immutable hardware that enables stealing the keys or even bypassing the system altogether? Since you have immutable hardware, you can't just upload new code (if you can, the update mechanism itself can be exploited); now you gotta roll out new hardware at additional cost: another strain on the budgets.

        2. Pompous Git Silver badge

          Re: IoT vendors bad for health care?

          "As long as someone couldn't remotely reset your heart when the license expires, a WiFi connection that reports your heart status is acceptable."
          The earlier reported vuln means a miscreant can reset the device. However, it requires the device to be set into receive mode by placing a powerful magnet very close (in contact with the skin). It also requires a dedicated machine to do the controlling and that has to be no further than 3 metres away. It resembles a conventional laptop except it doesn't have a keyboard or mouse. The software is dedicated, not generic and runs on Linux. You would also need considerable training to use it. The technician I see told me it took 12 months to train her assistant who was already trained in more general medicinal care.

    2. cream wobbly

      Re: IoT vendors bad for health care?

      "Not connected to the Internet" but connected to a VPN means two things:

      1. there's only one more layer of security to get through to attack such devices

      2. there's likely zero security on the device itself because the VPN is seen as sufficient

      and for a bonus

      3. you can scratch the first two letters of IoT

      I would tend to believe a former healthcare professional when she speaks in the context of cybersecurity that these devices don't need to be connected.

      1. Anonymous Coward
        Terminator

        Re: IoT vendors bad for health care?

        "there's only one more layer of security to get through to attack such devices"

        Don't use the same hardware running on top of the same software in all the hospitals on the planet. As in nature you end up with a monoculture. And yes it is technically possible to provide the same functionality using a mix of different hardware/software. This only became a problem when we were stuck with the current duopoly.

        1. Charles 9

          Re: IoT vendors bad for health care?

          "Don't use the same hardware running on top of the same software in all the hospitals on the planet. As in nature you end up with a monoculture. And yes it is technically possible to provide the same functionality using a mix of different hardware/software. This only became a problem when we were stuck with the current duopoly."

          But now you've raised the maintenance costs since now you have to cater to multiple different configurations, which means (1) budget strains and (2) more openings for Murphy. IOW, diversification just ran smack into KISS.

  5. This post has been deleted by its author

  6. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: IoT - Talk about 'The blind leading the blind'....

      It turns out that the blind actually CAN lead the blind, if the smell of money is strong enough to guide them.

      1. hplasm
        Thumb Up

        Re: IoT - Talk about 'The blind leading the blind'....

        "It turns out that the blind actually CAN lead the blind, if the smell of money is strong enough to guide them."

        QOTW right there!

  7. Dave Bell

    I wonder a little if the generic IoT label is a good idea here.

    Some sort of IP connection should be reliable tech, and save a lot of trouble. Being able to connect to a remote device for making reports is an advantage. But an Internet of Medical Devices is not the same as an Internet of Lightbulbs.

    And that is why I think it matters that the lady has had a long nursing career. Useful security depends on knowing the business you're securing, and too often the whole internet is plagued by the bright ideas of geeks who don't know the business they're having ideas about.

    1. Pompous Git Silver badge
      Pint

      "an Internet of Medical Devices is not the same as an Internet of Lightbulbs."
      Precisely. You're obviously not a ding-dong...

  8. Prst. V.Jeltz Silver badge

    I think we all know WannaCry had nothing to do with IoT (or XP), and more to do with inertia on the part of various people responsible for keeping MS OSs up to date.

  9. what-where-when

    Happened to me in the last month

    Well, I recently made an appointment with a local hospital clinic. 2 days later I received an invoice, so not being that gullible I contacted the hospital and reported it. 1 week later my appointment was re-arranged and, you guessed it, another invoice. Which I also reported. 1 week later I got a thank you call from the hospital IT; they had found and deleted the virus.

    Imagine this was a nasty virus in some sort of cardiac machine that was needlessly connected 24/7 that wasn't used for a few days and then................... Most machines would only need to connect to the network at certain times, i.e. when actually in use, or to download/upload results.

    1. Anonymous Coward
      Anonymous Coward

      Re: Happened to me in the last month

      The trouble with your proposed scenario is that a cardiac monitor actually IS one type of device that WOULD need a 24/7 connection, for the simple reason that it has to operate on a panic trigger. If things hit the fan, time is of the essence, and if you DO suffer a heart attack, you're probably not going to be in any condition to trigger any kind of panic button. Same would be true of any other kind of emergency monitor because they'd essentially ALWAYS be in use.

      1. Pompous Git Silver badge

        Re: Happened to me in the last month

        "The trouble with your proposed scenario is that a cardiac monitor actually IS one type of device that WOULD need a 24/7 connection, for the simple reason that it has to operate on a panic trigger."
        You're obviously not familiar with the devices. The transmitter that sends info from the device to the cardiology team via the telephone lines sits on the head of my bed. It has a range of ~ 3 metres. The messages the receiving system sends to the cardiologist are SMS and/or emails.

        Built into the device is a defibrillator that resets the heart if it goes into fibrillation. No need for any other defibrillator + person trained in defib use required.
