Saturday, June 22, 2013

Medical devices hacked? (1)


FDA, facing cybersecurity threats, tightens medical-device standards (1)

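Did you know that the computers in medical devices can also be hacked? Facing cybersecurity threats, the U.S. Food and Drug Administration (FDA) is tightening its standards for medical devices.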

An examination of cybersecurity has found that health care is among the most vulnerable industries.
A cybersecurity examination has found that health care is one of the most vulnerable and most easily penetrated industries.
The security analysts wanted to know how easy it would be to hack into medical devices used in hospitals, knowing the danger if outsiders could gain control. They found the answer when they managed to figure out hundreds of passwords for equipment that included surgical and anesthesia devices, patient monitors and lab analysis tools.
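The security analysts wanted to know how easy it would be to break into the medical devices used in hospitals, and they knew the danger if intruders took control of them. They found the answer when they managed to work out several hundred passwords giving access to equipment that included surgical and anesthesia devices, patient monitors and laboratory analysis instruments.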
“We stopped after we got to 300,” said Billy Rios, who found the passwords with his colleague Terry McCorkle. University of Michigan researchers demonstrated that they could forge an erratic heartbeat with radio frequency electromagnetic waves.
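“We stopped after we had obtained 300 passwords,” said Billy Rios, who found them with his colleague Terry McCorkle. University of Michigan researchers showed that they could forge heartbeat readings at will using radio-frequency electromagnetic waves.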
They alerted the federal government about what they had done, contributing to the Food and Drug Administration’s decision to tighten the standards for a wide range of medical devices. The FDA’s move, announced Thursday, reflects growing concerns that the gadgets — which include everything from fetal monitors used in hospitals to pacemakers implanted in people — are vulnerable to cybersecurity breaches that could harm patients.
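They warned the federal government about what they had done, which contributed to the Food and Drug Administration's decision to tighten the standards for a wide range of medical devices. The agency's move, announced Thursday, reflects growing concern that these small devices, which include everything from fetal monitors in hospitals to pacemakers implanted in the body, are vulnerable to computer intrusions that could harm patients.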
Computer viruses and other malware increasingly are infecting equipment such as hospital computers used to view X-rays and CT scans and devices in cardiac catheterization labs, agency officials said. The problems cause the equipment to slow down or shut off, complicating patient care. As more devices operate on computer systems that are connected to each other, a hospital network and the Internet, the potential for problems rises dramatically, they said.
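Hospital staff said that computer viruses and other malicious software are increasingly infecting medical equipment, such as hospital computers used for X-ray examinations, scanners, and devices used in cardiac catheterization labs. These problems cause the equipment to slow down or stop working altogether, which complicates patient care. Because more devices run on computer systems that are connected to one another, or to the hospital network and the Internet, the potential for trouble rises dramatically.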
“Over the last year, we’ve seen an uptick that has increased our concern,” said William H. Maisel, chief scientist at the FDA’s Center for Devices and Radiological Health. “The type and breadth of incidents has increased.” He said officials used to hear about problems only once or twice a year, but “now we’re hearing about them weekly or monthly.”
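“Over the past year, we have noticed something that has increased our concern,” said William H. Maisel, chief scientist at the FDA's Center for Devices and Radiological Health. “The type and breadth of these incidents has increased.” He said FDA officials used to hear of them only once or twice a year, but “now we hear of one every week or every month.”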
The FDA, in an effort to reduce the risks, for the first time is directing device manufacturers to explicitly spell out how they will address cybersecurity. The agency Thursday issued draft guidelines that, when finalized this year, will allow the FDA to block approval of devices if manufacturers don’t provide adequate plans for protecting them. The agency also issued a safety communication to manufacturers and hospitals.
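In an effort to reduce these risks, the FDA is for the first time requiring device manufacturers to state explicitly how they will address cybersecurity. On Thursday the agency issued draft guidelines which, once finalized this year, will allow the FDA to block approval of a device if the manufacturer cannot provide an adequate plan for protecting it. The agency also issued a safety notice to manufacturers and hospitals.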
In addition to viruses and malware, security risks include the uncontrolled distribution of passwords for software that is supposed to be accessed only by a few people and the failure by manufacturers to provide timely security software updates.
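Besides viruses and malicious software, the security risks include the uncontrolled spread of software passwords that were meant to be used by only a few people, and manufacturers' failure to provide timely security software updates.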
In a public alert Thursday, the Department of Homeland Security, which is working with the FDA, credited Rios and McCorkle — both of whom work for Cylance, a cybersecurity firm — for their research on devices and passwords. Unauthorized access to passwords could allow critical settings to be changed, affecting how devices operate and what they do, the alert said.
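In an alert published Thursday, the Department of Homeland Security, which is working with the FDA, praised Rios and McCorkle, both of whom work at a cybersecurity company called Cylance, for their research on devices and passwords. The alert said that unauthorized access could allow critical settings to be changed, affecting how the devices operate and what they do.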

The two security experts created a spreadsheet listing the device passwords they obtained and the 50 manufacturers that made the equipment. The DHS and FDA are working with the manufacturers to verify whether the potential risks from the passwords “are indeed actual vulnerabilities,” Maisel said.
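The two security experts created a spreadsheet listing the device passwords they obtained and the 50 manufacturers that made the devices. The Department of Homeland Security and the FDA are working with the manufacturers to verify whether the potential risks from these passwords “are indeed actual vulnerabilities,” Maisel said.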

There is no evidence, he said, that any hackers have deliberately targeted a hospital network or medical device for a malicious cyberattack. He cautioned that passwords alone may not be enough “to cause a security issue for a device.”

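He said there is no evidence that hackers have deliberately targeted a hospital network or medical device for a malicious cyberattack. He cautioned that passwords alone may not be enough “to cause a security issue for a device.”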

Government officials and patient safety advocates say they do not know of any cases in which patients have been directly injured because of a device compromised by a computer virus. And there is no evidence any implantable devices have been corrupted by viruses or other malware.

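Government officials and patient safety advocates say they do not know of any case in which a patient was directly harmed because a device was compromised by a computer virus. Nor is there any evidence that any implanted device has been corrupted by viruses or other malicious software.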

Still, experts say, hospitals and device manufacturers can’t be complacent. They need to use multiple defenses to guard against the threats posed by the Internet.

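Even so, experts say, hospitals and device manufacturers cannot be complacent. They must use multiple defenses to protect against the threats the Internet brings.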

In addition to the wide array of hospital devices, implantable devices such as pacemakers, insulin pumps and defibrillators can be remotely monitored through wireless networks, making them susceptible to hacking. (to be continued)



Justin Lai, 06/22/2013

Jlai77168@gmail.com

