Some time ago, we carried out an evaluation of the Digital Health Applications Ordinance (Digitale-Gesundheitsanwendungen-Verordnung, DiGAV) for the Federal Chamber of Psychotherapists in Germany (Bundespsychotherapeutenkammer, BPtK) focusing on the security of digital health applications, often referred to as apps on prescription.
The audit was intended to determine to which extent security guidelines, security objectives, and best practices are adhered to by the requirements formulated by the ordinance, thus enabling the foundations to securely operate digital health applications. The main subject of the examination is whether requirements, including procedural requirements defined in the ordinance are sufficient to ensure security of digital health applications. The examination has shown that the requirements can be seen as positive. However, in order to be able to make reliable statements about the IT security of digital healthcare applications, further details and mechanisms should be clarified within the ordinance, which I would like to present in the following.
With this blog post I am pleased to announce the publication of a new ERNW White Paper . The paper is about severe vulnerabilities in an insulin pump we assessed during project ManiMed and we are proud to publish this subset of the results today.
The use of Internet of Things devices is continuously increasing: People buy devices, such as smart assistants, to make their lives more comfortable or fitness trackers to assess sports activities. According to the Pew Research Center , every fifth American wears a device to track their fitness. In Germany, the number increases likewise. The increasing number of fitness trackers in use can also be seen in criminal proceedings, as there exist more and more cases where these devices provide evidence.
Which useful evidential information fitness trackers collect and how to analyze them forensically was part of a paper that we presented at WACCO 2020 this year . The goal was to develop an open source program to support investigators analyzing data that fitness trackers provide and to give a general approach on how to analyze fitness trackers.
Digital networking is already widespread in many areas of life. In the healthcare industry, a clear trend towards networked devices is noticeable, so that the number of high-tech medical devices in hospitals is steadily increasing.
In this blog post, we want to elucidate a vulnerability we identified during the security assessment of a patient monitor. The device sends HL7 v2.x messages, such as observation results to HL7 v2.x capable electronic medical record (EMR) systems. A user with malicious intent can tamper these messages. As HL7 v2.x is a common medical communication standard, we also want to present how this kind of vulnerability may be mitigated. The assessment was part of the BSI project ManiMed, which we would like to present in the following section.
This year’s MRMCD16 had a topic that immediately let me submit a talk about medical device security: “diagnosis:critical”. Or to quote the official website:
Security issues in soft- and hardware have a low chance of healing, especially in medical IT.
Despite years of therapy using code reviews and programming guidelines, we still face huge amounts of vulnerable software that probably is in need of palliative treatment.
Security vulnerabilities caused by the invasion of IT in the medical sector are becoming real threats. From insulin pumps over analgesic pumps through to pace makers, more and more medical devices have been hacked already. This year's motto "mrmcd2016 - diagnosis:critical" stands summarizing for the current state of the whole IT sector.
TL;DR: Marie Moe talked about security issues of medical devices, especially implantable devices like pacemakers, but not in overwhelming technological depth. She wanted to point out the necessity of intensified security research in the field of medical devices as vendors and medical personnel seem to be lacking necessary awareness of security of devices, interfaces, services, and even data privacy.”Get involved, join the cavalry” was her core message. Continue reading “Unpatchable – Living with a vulnerable implanted device”
That was the opener for my presentation on the Security in Medical Devices at CodeBlue 2015 last week in Tokyo, Japan. A Code Blue often describes a patient in a critical condition, mostly needing resuscitation. That just seemed to be a perfect match, also in the sense that the condition of some medical devices out there are still pretty critical concerning security. If you follow our current research on this you know what I am talking about. I hope that we are not talking about this topic anymore three years from now. That would mean that we have made the world a safer place, although it took some time … 😉
Speaking at Code Blue really was a blast! “Arigato” for having me! The conference was organized very well and the staff was extremely caring. You could really feel the community vibe in this event. Considering that the conference is only around a few years that is really remarkable. The talks I enjoyed most obviously were both keynotes: Takuya Matsuda – The Singularity is Near and Richard Thieme’s thoughtprovoking speech at the end of the conference. I also enjoyed Bhavna Soman’s high quality talk about using metrics to correlate APT binaries. The overall quality of the talks on Code Blue was pretty good but what I enjoyed the most were the discussions and the exchange with other researcher from all over the planet.