Wednesday, October 31, 2012

VA Computers Still Unencrypted After Six Years

Six years ago, the U.S. Department of Veterans Affairs spent almost $6 million on encryption software for its PCs and laptops following a breach.  In 2006, an unencrypted external hard drive containing personal information on 26 million veterans was stolen from the home of an employee. The situation resulted in a $20 million remediation when the VA was forced to notify veterans and provide credit monitoring.  The VA secretary ordered that all of the VA's computers be protected by encryption software.

Unfortunately, an investigation by the VA's inspector general has now found that the encryption software has been installed on only 16% of the VA's computers.  The investigation began with an anonymous tip received 12 months ago on the VA's complaint hotline, claiming that the encryption software was not being widely deployed.  According to the IG's report, the VA's Office of IT was at fault for inadequate planning and management of the project.  Today, 335,000 licenses remain inactive, leaving those computers unprotected. "Veterans' data remained at risk due to unencrypted computers," the report states.

Friday, October 19, 2012

Pacemakers Can Be Hacked... Shocking (literally)

Hackers may be able to control pacemakers from several manufacturers, making them capable of delivering a deadly, 830-volt shock.  All the attacker needs is a laptop up to 50 feet away.  The cause is flawed programming.  The new research comes from Barnaby Jack of security vendor IOActive, known for his analysis of other medical equipment such as insulin-delivering devices.

Jack spoke at the Breakpoint security conference in Melbourne on Wednesday, saying that the flaw lies with the programming of the wireless transmitters used to give instructions to pacemakers and implantable cardioverter-defibrillators (ICDs), which detect irregular heart contractions and deliver an electric shock to avert a heart attack.  A successful attack using the flaw "could definitely result in fatalities," said Jack.

Jack was able to send a series of 830-volt shocks (enough to cause death) to a pacemaker and use a "secret function" to activate other pacemakers within a 30-foot radius. With the function activated, the devices would give up their serial numbers, allowing hackers to upload malware that could spread like a virus to other pacemakers. Jack said that the devices, if infected, could release personal and manufacturer data.

"The worst case scenario that I can think of, which is 100 percent possible with these devices, would be to load a compromised firmware update onto a programmer and… the compromised programmer would then infect the next pacemaker or [defibrillator] and then each would subsequently infect all others in range," he said.

Wednesday, October 17, 2012

Computer viruses and malware in medical technology

Today's piece of troubling news: high-risk medical technology has been found to be infected by computer viruses and malware.  Virus infections (and we are not even referring to the ones in the patients' bodies, but to the ones in the systems used to support the patients' lives) could become so severe that a patient may end up being harmed.  At least one hospital in the United States claims to be deleting viruses from up to two machines a week.

The warnings were given as part of a panel discussion in Washington DC held by Technology Review from the Massachusetts Institute of Technology.  Mark Olsen, chief information security officer at Beth Israel Deaconess Medical Center in Boston, said the hospital had 664 pieces of medical equipment running on old versions of Windows.  The explanation given was that the machines were not updated to newer versions of Windows, where the vulnerabilities are patched, because of fears that doing so would put them in breach of regulations put in place by the US Food and Drug Administration (FDA).  It seems the FDA is busy regulating the treatment of human viruses but unprepared to handle cyber infections.