Risk Factor

This Week in Cybercrime: FDA Urges Tighter Cybersecurity for Medical Devices

First: Do No Harm. Second: Keep Others From Doing It.

In the wake of discoveries that some medical devices are vulnerable to remote tampering via the Internet, the U.S. Food and Drug Administration (FDA) issued new guidelines this week that are meant to direct medical device manufacturers in beefing up security. The hope is that we'll never have to read about—or worse, personally experience—death or injury because some malware-infected gadget didn't work the way it should.

The FDA recommendations call for device makers to review their cybersecurity practices and test their products with an eye toward ensuring that their authentication setups can limit access to authorized users only. The guidelines also urge health care facilities to be more vigilant in updating their antivirus software, to set stricter controls on who accesses their networks, and to cooperate with device makers to investigate and fix security breaches.

The FDA says that although no deaths or injuries associated with these vulnerabilities or malfunctions have been reported, the rise in cybercrime makes such an outcome “increasingly likely.” The guidelines, though not legally enforceable, put device makers and medical facilities on notice that they need to step up their efforts to keep diagnostic machines from being taken over by attackers, to prevent pacemakers from being reset so that they deliver fatal shocks, and to keep insulin pumps from being tampered with.

The FDA action was prompted by the U.S. Government Accountability Office, which asked it to “develop and implement a plan expanding its focus on information security risks.” It’s about time. Just imagine someone undergoing a surgical procedure where an advanced robot is doing the cutting as proxy for a surgeon in another part of the world. Malware in the system that controls a mechanical arm—or a man-in-the-middle attack—could be deadly. And even banal mash-ups of technology and medicine could put patients at risk. Computerized drug dispensaries, meant to keep people from receiving the wrong prescription or the wrong dose, could be targets.

BBC IT Project Fiasco Snares New York Times CEO

A few weeks ago, I wrote about the BBC blowing £98.4 million (about US $150 million at current exchange rates) on its failed Digital Media Initiative project meant to develop digital production technology that would fundamentally transform how the BBC operated internally. The story gets more and more interesting, and has now leaped across the Atlantic to snare the head of the New York Times in its net.

To quickly recap, the DMI project began in February 2008 with the expectation that the project’s contractor Siemens Information Solutions and Services (SIS) group would have the “transformational” technology ready for operation by May 2009. Siemens, however, consistently missed the project’s schedule from the beginning, and in September 2009, the BBC and Siemens cancelled the contract by mutual agreement.

The BBC then brought the DMI project in-house with a new date for the rollout of DMI’s production technology across the BBC during the summer of 2011. When the National Audit Office, an independent Parliamentary body, took a look at the project’s status in late 2010, BBC management told it that “delivery of the system has progressed well, and users have responded positively” to it. BBC management also convinced BBC Trust's Anthony Fry, a member of the governing body of the BBC, that the “delivery [of the DMI system] was progressing as planned.”

However, progress didn’t go as planned. Users thought it was “clunky” and needed a significant redesign, and by October of last year, the DMI project was suspended pending a review. Last month, the new BBC Director General Tony Hall decided to pull the plug on the project, as it had created, in Trustee Fry’s assessment, “little or no assets.” Lord Hall immediately suspended (with pay) the BBC’s Chief Technology Officer John Linwood, who oversaw the DMI effort, and MP Margaret Hodge, chair of the House of Commons Public Accounts Committee, called the cancellation “a terrible shock and clearly completely shambolic.”

Here's where it gets really interesting.

Voice-Activated Systems Make Driving Less Safe

A decade ago, I wrote an article about the efforts of automotive technologists to make up for the fact that “we get sleepy while driving at night, do dumb things like put on makeup or shave while creeping along in bumper-to-bumper traffic, or look away from the road to adjust our car radios.” Automakers were introducing safety systems such as adaptive cruise control, which maintains a safe distance between a car and the one ahead of it even if the driver is asleep at the wheel. Advancing just as rapidly along a parallel plane was technology aimed at keeping drivers connected to the world outside the passenger cabin. (To be sure, it's unlikely that engineers back then were imagining drivers updating their social media profiles while traveling at highway speeds.)

Some of the innovations—routing mobile phone conversations through a car’s speakers to ensure that a driver could keep both hands on the steering wheel, for one—were specifically intended to combat the inattention to the road that results from looking down at a small screen. But even back then, researchers understood that these improvements, though laudable, were not enough to safely limit the cognitive demands that keep a driver from focusing on the main task—operating heavy machinery.

A new study released today by the AAA’s Foundation for Highway Safety reinforces that understanding. Most alarming is its conclusion that systems designed to allow drivers to dictate e-mail or text messages, or that translate text to speech then read the messages aloud—ostensibly meant to promote safety—actually worsen driver distraction.

This is a big deal when you consider that, according to electronics consulting firm IMS Research, more than half of all new cars will have voice recognition functionality.

IT Hiccups of the Week: Irish Rail to Riders: Pay Up for Software Screw Up

This past week saw an uptick in the number of IT-related malfunctions, mishaps and mayhem in comparison to the previous few weeks. We start off with a lesson from Irish Rail on how not to endear yourself to your passengers when fixing a software problem.

Irish Rail Gives Scant Warning to Passengers for Belated Billing on Uncharged Trips

Last Friday, Irish Rail announced in a press release on its website that a March 2013 software upgrade to its Ticket Vending Machines (TVMs) didn’t work as planned: tickets were issued and payments were authorized against payment cards, but, unfortunately for the transit authority, the payments weren’t actually deducted from passenger accounts. Over 9000 individual payment cards were affected by the error, nearly all of them Maestro Debit cards, Irish Rail said. The incomplete transactions occurred for train tickets purchased between 28 March and 31 May 2013 and came to about €331 000 (US $438 000) in uncollected fares.

Irish Rail also announced in its press release, which I am sure all of its riders read on a daily basis, that, beginning today, it would begin to collect the monies owed it. There’s nothing like giving your customers a lot of advance notice.

Naturally, Irish Rail’s decision did not sit well with many of those affected customers, with the spokesperson of Rail Users Ireland logically asking why Irish Rail couldn’t have waited a week at least to allow customers some time to hear about the news, and also let customers ensure that they had enough money in their bank accounts to cover the charges so that they wouldn't become inadvertently overdrawn.

Irish Rail said that it recognized “that processing cumulative payments at one time may cause difficulties for some customers,” and so it set up a somewhat convoluted payment scheme to reduce the pain. However, the railroad also admits that 60 to 70 percent of those owing money will see charges to their bank accounts beginning today.

Irish Rail added in its press release, “We apologies [sic] for any inconvenience this fault causes customers.”

Let’s hope that Irish Rail’s augmented reality app released today doesn’t have similar software issues.

U.S. States Selling Hospital Data that Puts Patients' Privacy at Risk

Given this week's revelations about the privacy—and the lack thereof—of our personal communications, maybe it's time to reconsider what former Principal Deputy Director of National Intelligence, Dr. Donald Kerr, meant when he said back in 2007 that:

“Too often, privacy has been equated with anonymity; and it’s an idea that is deeply rooted in American culture… We need to move beyond the construct that equates anonymity with privacy and focus more on how we can protect essential privacy in this interconnected environment.”

And maybe we can even anticipate the next privacy crisis by taking a good look now at the ongoing assault on what I think most people agree remains an “essential privacy,” i.e., their private medical information.

Coincident with the NSA privacy flap, Bloomberg News ran a story this week on how many U.S. state health organizations are selling supposedly “anonymous” patient information to pharmaceutical companies, insurance companies and researchers that can, using other publicly available data and well-known analytical techniques, personally re-identify those patients. Bloomberg gave an example of a Washington State resident who went into diabetic shock and, as a result, had a motorcycle accident. The accident was covered in a local paper but only the most basic details were given of the person involved and the cause.

IT Hiccups of the Week: Rough Start for NYC's New 911 System

Yet another quiet week in the land of IT snafus. The most interesting story to crop up involved the problems plaguing the rollout of the New York City Police Department’s new emergency 911 dispatch system.

New York City’s New Emergency Dispatch System Fails 4 Times in First 48 hours

The Big Apple’s long-troubled effort to modernize its 911 emergency call system ran into additional difficulties when its new, US $88 million NYPD emergency dispatch system suffered four outages within two days of its Wednesday debut.

The dispatch system first went out Wednesday afternoon for 16 minutes beginning at 4:21 pm, the New York Daily News reported. Emergency service operators had to revert to capturing the call information on slips of paper, which were then taken by runners to the separate NYPD and EMS radio rooms where the proper emergency units could be assigned to the call. The scene was described by one experienced operator as sheer “pandemonium.”

A City Hall spokesman downplayed the incident, saying that the manual back-up system worked and that no calls were missed.

Then, early Thursday morning, the dispatch system suffered a six-minute outage, said Police Commissioner Ray Kelly in an interview with CBS News New York. Kelly also felt the need to note that the new system had been “tested for six months.”

I am not sure whether Kelly was trying to vouch for the dispatch system’s reliability, but if he was, his efforts were soon undone. Shortly after Kelly's morning interview, the dispatch system went out again, at 12:09 pm. That time, the outage went on intermittently for about an hour, the Daily News once more reported. Out came the paper, pens, and runners again.

Then at 7:00 Thursday evening, the dispatch system went out one last time—but only for two minutes.

Mayor Michael Bloomberg shrugged off all the outages, saying that, “There are a few bugs in the system. We'll fix them and there'll be more. Every computer system has bugs in it; there's none that does not.”

Those remarks probably didn’t go over well with the emergency system operators who were told that the “new system would never go down.”

At least there have been no reported outages the past three days. But if another one happens, at least the emergency dispatch system operators have now had plenty of practice in how to deal with it.

This Week in Cybercrime: Report Details Stolen U.S. Defense Secrets

What U.S. Defense System Details Have Hackers Accessed?

In the past year, the U.S. government has gone from making thinly-veiled accusations about nation-state sponsored cyberattacks to pointing fingers directly at China as the entity behind a string of hacks in which intellectual property and other sensitive information has been stolen from private firms and government agencies. That was the tone of a report released earlier this month by the U.S. Department of Defense. The 92-page report says the stolen information is helping China build “a picture of U.S. defense networks, logistics and related military capabilities that could be exploited during a crisis.” And this week we learned, courtesy of the Washington Post, some of the elements in that picture. The Post says it obtained a copy of a previously undisclosed section of a report written by the Defense Science Board (DSB), a committee of experts that advises the U.S. Department of Defense on technical and scientific matters.

That report, which was released in January, provided the Pentagon and defense contractors details regarding the data to which cyberthieves gained access. It said that the “DoD and its contractor base have already sustained staggering losses of system design information incorporating decades of combat knowledge and experience that provide adversaries insight to technical designs and system use.” But the public version of the report did not list the weapons whose plans had been stolen. According to an article in the Washington Post, the pilfered information included plans and technical details on several missile defense systems such as the PAC-3 Patriot missile system, the Terminal High Altitude Area Defense (THAAD) system and the U.S. Navy's Aegis ballistic-missile defense system. The cyberthieves—who U.S. government officials say were working at China’s behest—also saw design plans for the F/A-18 fighter jet, the F-35 multirole combat aircraft, the V-22 Osprey aircraft, the Black Hawk helicopter and the Navy's Littoral Combat Ship (LCS) class of vessels.

BBC Blows £98 Million on Digital Media Initiative

The announcement last week that the BBC pulled the plug on its overly ambitious and admittedly poorly managed Digital Media Initiative (DMI) probably drew a smile from the folks who originally worked for Siemens Information Solutions and Services (SIS) group, now owned by ATOS. The BBC admitted that the project, which was said by BBC Trust's Anthony Fry to have created “little or no assets,” cost license fee holders £98.4 million (about US $150 million at current exchange rates).

To understand the former Siemens workers' presumptive glee, you need to go back a few years.

In February 2008, the BBC directly awarded a £79 million, fixed-price contract to Siemens under an existing outsourcing contract to implement, roll out, and operate through March 2015 what the BBC called its Digital Media Initiative. According to a 2011 National Audit Office (NAO) review, “DMI is a technology transformation project designed to allow BBC staff to develop, create, share, and manage [all] video and audio content and programming on their desktop, and intended to improve production efficiency across the BBC,” anywhere the BBC operated. In other words, DMI was meant to radically change the way the BBC operated internally.

The BBC's business case put the total DMI project investment, including its management and other administrative costs, at £81.7 million, and claimed that the project would end up generating a total benefit of £99.6 million. The benefit, the NAO indicated, would come from reduced operating costs, the avoidance of some future production costs, and a “creative dividend” savings that would accrue from being able to reuse material instead of having to produce entirely new content.

IT Hiccups of the Week: RBS Antagonizes Two Million More Customers

Aside from the billion or so 17-year brood cicadas which all seem to be singing directly outside my office window, it was very quiet last week in regard to IT-related snafus, problems and outages. We start off this week with the Royal Bank of Scotland, which can always be counted on to liven up a slow week.

This Time, RBS Mobile Banking App Fails

Two million customers of the UK government-nationalized Royal Bank of Scotland and its subsidiaries, NatWest and the Bank of Ulster, were frustrated yet again by an IT problem. According to the BBC, customers were unable to log into their accounts through their mobile phone app for about two and a half hours last Friday, just before the long bank holiday started. RBS customers reported that the problems began around 7:15 a.m. London time. When they tried to access their bank accounts through the app, they received various error messages telling them that the app couldn't find an Internet connection, even though other apps were working fine. The problem was fully cleared up by 1:00 p.m., the BBC stated.

This was the second IT failure for RBS in two months, and follows the disastrous bank IT system meltdown of last year which the banking group is still trying hard to put behind it. Just two weeks ago, RBS announced that it was going to spend an extra £450 million to fix its problem-plagued IT systems. The Financial Times quoted bank chairman Sir Phillip Hampton as saying that, “As the IT incidents over the past year have shown, building and maintaining a top-class infrastructure is fundamental. Our customers deserve banking services that work 100 per cent of the time.”

Friday's failure was embarrassing not only because of Sir Phillip’s comments, but because about a week ago RBS announced that it was eliminating another 1400 jobs in its retail banking sector as part of its move to encourage its 17 million customers to move to online and mobile banking. The latest gaffe may instead encourage RBS customers to decide to move to a rival's online and mobile banking app.

RBS offered up an apology to its customers, who probably aren't listening anymore.

IT Hiccups of the Week: Lie Detector Lies?

There were a couple of interesting IT-related snafus, errors, and problems last week. We start off this week’s edition of IT Hiccups with a popular polygraph system that may well have incorrectly identified thousands of people as being economical with the truth when they actually weren’t.

Lafayette LX4000 Polygraph System Accused of Minimizing “Technical Glitch” for Years

The McClatchy publishing company ran a series of disturbing stories in its papers over the weekend about a polygraph system called the Lafayette Instrument LX4000, which is widely used by U.S. state, local and federal law enforcement agencies, as well as the military and intelligence agencies. The articles note that the polygraph has had a long-standing “technical glitch” that may have incorrectly shown people as being untruthful when they were not.

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City