Abstract
This talk will take an educational approach to presenting our research on assessing medical devices from a security standpoint. Based on the output of security assessments performed against two medical devices that are widely deployed at various hospitals and medical institutions, we will present an in-depth analysis of the target devices, the vulnerabilities discovered, and the approach that led us to compromise them and gain access to a plethora of medical records from all the medical institutions where they were deployed, not just the one where our target devices were hosted.
An IoT medical device is part of a complex ecosystem that may expose numerous threats. Some devices rely on proprietary hardware on licensed bands, which reduces the risk of interference from consumer connected devices but doesn’t provide security as implied in marketing materials. Others rely on standard WiFi security measures for confidentiality and are prone to MitM attacks. Healthcare devices that implement IrDA could yield interesting results when interfaced with cheap $10 hardware.
This presentation will focus on our assessment approach: test cases, pitfalls, successes and failures. We will demonstrate the compromise of a prescription device to extract healthcare records and the manipulation of various sensitive settings of an infusion pump.
AI Generated Summary (may contain errors)
Here is a summarized version of the content:
Vulnerabilities Found:
- Plain text username and password
- Access to medical records as different users (patient, manufacturer, administrator, doctor, pharmacist)
- Resident name, unit, home address, room number, and health card number in plain text
- Ability to retrieve prescriptions written by doctors for multiple patients
Challenges in Medical Devices:
- Ensuring sufficient bandwidth to support a growing number of devices
- Network segregation to prevent compromise of one device affecting others
- Interoperability between devices from different manufacturers with different protocols
- Authentication and authorization, especially with bring-your-own-device (BYOD) policies
- Prioritizing functionality over security in medical devices
Solutions and Concerns:
- FDA’s efforts to improve standards and regulations for device manufacturers
- Need for better network segmentation, such as per-bed or per-room segregation
- Difficulty in patching and securing older operating systems on medical devices
- Importance of learning from past mistakes in other domains (web, mobile, hardware) to avoid repeating them in medical devices
Overall, the speaker highlights the importance of addressing these challenges and vulnerabilities to ensure the security and privacy of patients’ data in the growing landscape of medical devices.