Sunday, June 23, 2013

Has Your Medical Device's Computer Been Hacked? (2)


“There’s almost no medical device that doesn’t have a network jack on the back,” said John Halamka, chief information officer at Beth Israel Deaconess Medical Center in Boston. “To fight the evils of the Internet, not only do you have to have a moat, you have to have a drawbridge, burning oil to pour on attackers, and guys with arrows.”

Kevin Fu, who heads the Archimedes Center for Medical Device Security at the University of Michigan, said that several hospitals in 2010 and 2011 were forced to temporarily close their cardiac catheterization labs, which typically perform procedures to widen blocked arteries, because critical devices were infected. At least one patient had to be moved to another hospital.

At Beth Israel some years ago, fetal monitors for women with high-risk pregnancies were infected with malware that slowed the devices’ response time. Patients were not harmed and the problem was eventually fixed, Halamka said. Now the hospital is one of the most aggressive in the country in countering cybersecurity risks.

The FDA has a database for reports of adverse events, but quantifying cybersecurity incidents involving medical devices is nearly impossible. People reporting problems are usually not trained to identify malware as a cause.

Device manufacturers can solve the problems most easily but have the least incentive, because doing so is expensive, experts said. Hospitals, which buy the devices, want improved security but often lack the resources or technical expertise to make the software fixes. Experts say manufacturers typically refuse to apply software patches, claiming the FDA does not allow updates to regulated devices, but FDA officials say that is not the case.

At Beth Israel, about 15,000 devices run on the hospital’s network on a typical day. About 500 of them are using older operating systems most susceptible to malware infection, most often medical devices outside the direct control of the hospital, Halamka said.

The hospital isolates these devices from the Internet and scans its entire network monthly to find new risks. It is doubling its information technology budget next year.

The Veterans Health Administration created a protection program several years ago to eliminate malware and viruses. The federal agency scans flash drives and other portable media for viruses and limits the number of devices connected to the Internet.

The ultimate answer, many experts said, is for manufacturers to build their systems in a way that supports the use of anti-virus software and permits fixes.

Mark B. Leahey, president of the Medical Device Manufacturers Association, said the industry wants to work with “all the stakeholders” to fix weaknesses.

Bernie Liebler, director of technology and regulatory affairs for the Advanced Medical Technology Association, another trade group, said patient safety is industry’s biggest priority.

Academic researchers, government officials and industry experts have ratcheted up warnings in recent years. A public-private federal advisory committee noted last year that no agency had primary responsibility for medical device security. Also last year, the DHS and the Government Accountability Office issued reports about potential problems.

Several years ago, Fu and other researchers demonstrated in a lab how a combination heart defibrillator and pacemaker was vulnerable to computer hacking. The researchers gained wireless access to the device and reprogrammed it to deliver jolts of electricity that would have potentially been fatal if the device had been in a person.

Fu said he believes that the manufacturer fixed the problem, but not before a producer for the television series “Homeland” used it in the plot line for an episode in which the U.S. vice president dies after a terrorist hacks into his pacemaker and generates lethal jolts of electricity.

(A pity; if only the manufacturer had solved this problem before the episode aired.)


Jun 14, 2013  

[Personal view]:

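This is a shocking news exposé. In an era when medical staff are so busy, all test data, medical care and research depend entirely on sophisticated medical devices, and these cannot be operated without computers. Yet computers are all but impossible to defend against hackers. In particular, once a computer has been in use for a long time, the viruses all arrive.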

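If you are a very well-known public figure (a big shot), you will inevitably have some potential enemies, whether political rivals, rivals in love, or lunatics; or you may simply be an innocent patient. If you go to a hospital for treatment whenever you feel unwell, it does not seem impossible that someone could break into the computer of the device being used on you in order to take your life. This could be called "Assassination Online". It seems that easing secrecy rules on data collection still calls for further consideration.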

Translation and commentary by Justin Lai

06/22/2013


 

 

 
