netForensics today announced that nFX Cinxi One, its powerful SIEM and log management appliance, has earned five out of five stars in SC Magazine's August 2010 product review. In its group test of security information and event management (SIEM) solutions, SC Magazine assigned nFX Cinxi One a five star rating in each of the following categories: Features, Performance, Documentation, Support and Value for the Money. Read more>
August 2010 Archives
Jaren Doherty serves as both chief information officer and associate deputy assistant secretary for cybersecurity at the Department of Veterans Affairs. In his current position, Doherty led the certification and accreditation of 640 VA systems and tested more than 9,000 security controls at more than 200 locations. He also created a training program in which 182 professionals became certified in information systems security.
Doherty spoke today to the Information Security and Privacy Advisory Board on the risks involved with wireless network and wired network connected Embedded Medical Devices and the difficulties in mitigating those risks associated with their connectivity and vulnerabilities. There are currently 50,000 device types ranging from hand held scanners to MRI systems.
Medical Device Vendors are reluctant to patch or update devices because of the re-certification times and costs associated with getting FDA approved. Doherty mentioned that even vulnerability scans are not supported by the vendor against the devices so if there is a malfunction of the device because of a vulnerability the vendor would not support fixing the incident.
He reported that major concern recently has been the spread of malware. 50% of the malware attacks against medical devices has been conficker. This is because existing medical devices could not be patched or patched in time to avoid being infected.
Of those vendors that do allow updates, their remote access to updates for the devices are done through point 2 point vpns. There is a risk with the access to the device from the remote vendor with administrative access and the implementation of malware, although the vpns are not always online when they are, there is still a chance the download content could include malware.
The Veterans Administration does goes through very stringent C&A procedures before a new device is connected and makes sure that all of the controls in S800-53 are addressed or there are compensating controls put in place to address issues. This can often be a 6 month process before the new device is allowed online.
Doherty would like the vendors to be able to supply in-house updates via distribution centers located in-house rather then site - 2 - site vpns to the medical devices.
In my opinion, there is an equal concern not only of HIE access to Medical Records but what controls are in place that segregate access from the HIE to Medical Devices and internal IT services, VOIP, and environment equipment. I believe that there would be significant interests from attackers on the weaknesses involved in HIE access and Medical Device Systems. Medical Devices are sold all over the world, and their weaknesses would be well known -- certainly an interest to national security.
References:
http://csrc.nist.gov/groups/SMA/ispab/documents/JarenDoherty-Bio.pdf
http://csrc-nist.granicus.com/ViewPublisher.php?view_id=2
| Subscribe |
| Syndicate |
