The U.S. Department of Homeland Security has issued a warning about the role of medical devices in compromising IT networks and patient data.
In its alert "Attack Surface: Healthcare and Public Health Sector," issued on May 4, DHS says medical devices that connect to IT networks may pose a threat to security.
Network-attached medical devices and mobile devices such as smartphones and tablets could bring cyber-security threats that result in the spread of malware and the loss of data, according to the bulletin.
The U.S. Federal Drug Administration regulates the sale of medical devices, but not their use, which could lead to breaches, DHS reported.
"The expanded use of wireless technology on the enterprise network of medical facilities and the wireless utilization of MDs opens up both new opportunities and new vulnerabilities to patients and medical facilities," the bulletin from the DHS' National Cybersecurity and Communications Integration Center stated.
"Smartphones with poorly designed security protections are frequently connected to medical IT networks and provide a new vector for malware transmission," DHS reported.
Even some medical devices implanted inside patients could hold sensitive information and lead to theft of medical data and intrusion onto corporate networks. These devices could also be subject to denial-of-service (DoS) attacks because of their sensitivity to battery life, the report stated.
"Implantable devices can present a real danger to patients through interruption of their function, tampering with their communications or by causing them to act or perform in a manner that is harmful to the person they are attached to," Mac McMillan, CEO of health care security firm CynergisTek and chair of the HIMSS (Healthcare Information and Management Systems Society) Privacy and Security Policy Task Force, told eWEEK in an email.
The fact that the DHS has issued an alert on medical devices shows that a real cause for concern exists, said McMillan.
"I think it is a very big issue, and health care entities need to take it very seriously," McMillan said. "The fact that we have well-publicized security conferences like Black Hat, Defcon and RSA giving stage time to researchers and hackers who demonstrate and discuss the vulnerability in medical devices and systems ought to serve as a wake-up call."
The DHS report mentioned a demonstration at the 2011 Black Hat conference in which security researcher Jay Radcliffe, who is a diabetic, was able to shut down or change the settings on an insulin pump without the patient's knowledge. He also discussed how someone can use an oscilloscope, an instrument that displays waveforms, to eavesdrop on a glucose monitor's transmission, the DHS reported.
In another demonstration, a researcher at the 2011 RSA conference showed how he could intercept an insulin pump signal and direct it to give a lethal dose to a patient, McMillan noted.