This year’s MRMCD16 had a topic that immediately prompted me to submit a talk about medical device security: “diagnosis:critical”. Or to quote the official website:
Security issues in soft- and hardware have a low chance of healing, especially in medical IT.
Despite years of therapy using code reviews and programming guidelines, we still face huge amounts of vulnerable software that probably is in need of palliative treatment.
Security vulnerabilities caused by the invasion of IT into the medical sector are becoming real threats. From insulin pumps and analgesic pumps through to pacemakers, more and more medical devices have already been hacked. This year's motto "mrmcd2016 - diagnosis:critical" summarizes the current state of the whole IT sector.
They also built a theme around this year’s topic: everything was set up as a hospital! The staff were dressed up like doctors, there were skeletons all over the place and medical posters on the walls, and the give-aways for the speakers were awesome, as you can see in the next picture (the patient monitor was _not_ in the package 😉 !).
The whole setting was quite awesome and highly creative, but this is what you would expect from an event that is coming from the community of CCC, right? 😉
I had the chance to present on medical device security again. This time I took a different approach for my talk: I focused more on some interesting case studies that our research in the field of medical device security has produced. So this time no moral finger pointing, but more of the findings that we have made over the past years. My talk was more like a big rant this time, but that was indeed intended (and to be honest, I had a lot of fun). 😉
I also mentioned the “St. Jude Medical” case that has blown up in the media over the last few days. IMHO this is a pretty bad situation for all sides and there is plenty of collateral damage here. From my perspective we are actually creating some awareness among the vendors and their customers. It is not as if all vendors still ignore security. Don’t get me wrong, the problem of medical device security being managed like in the 90s is still there, but we have momentum here that we should use. And we could use it effectively by supporting the vendors and by building trust. Researchers are not the enemy. By going full disclosure (to me it even looks like St. Jude Medical never got all of the technical details) via a privately held investment firm, the only thing you achieve is damaging this trust. Not only for the guys who did the research but for all of us. There might be more internal details that we don’t know, and maybe there are good reasons why all sides reacted the way they did, but looking at the facts that are out there I consider this move harmful to the process of making the world a safer place.
The conference is still running until Sunday, 4th of September 2016. So if you are near Darmstadt, Germany and want to get a glimpse into the community, make sure to pay them a visit.
Please consult your doctor or pharmacist after reading this blog post,