Thursday, January 26, 2023

Liability for Known Vulnerabilities Bill Introduced

Rep. Mark Sloan (R-CA) introduced the Liability for Known Vulnerabilities Act today. The bill would make manufacturers of computer-controlled equipment used in hospitals and schools financially liable for deaths and serious injuries resulting from cyberattacks on those institutions that used vulnerabilities reported to the vendor more than six months before the attack. Sloan’s Los Angeles office says that the bill is a direct response to the attack on the Angels Memorial Hospital earlier this week that killed four people.

The four deaths in the hospital’s intensive care ward occurred when backup power systems failed to restore power to critical medical monitoring systems and medical devices during a power outage caused by local storms. The uninterruptible power supply’s (UPS) control system had been breached by an unidentified hacker using vulnerabilities in the SotoPower HMI. Those vulnerabilities had been publicly reported to SotoPower last June by Israeli researchers. SotoPower reported Tuesday that they were still working on fixes for the reported vulnerabilities.

Sloan told reporters that an independent review of the Israeli research confirmed that the three reported vulnerabilities, including a path traversal vulnerability and a hard-coded credential vulnerability, were relatively easy to fix. “Security researchers looking at this week’s attack reported that those vulnerabilities were used to gain access to the system at Angels Memorial,” the Congressman explained. “Those basic vulnerabilities should not take six months to correct.”

Sloan’s bill would establish a prima facie case for product liability in any case where a cyberattack at a school or hospital resulted in deaths or serious injuries and the attack was facilitated by vulnerabilities that had been identified more than six months earlier.

CAUTIONARY NOTE: This is a future news story –
