The U.S. Department of Homeland Security has issued a warning about the role of medical devices in compromising IT networks and patient data.
In its alert “Attack Surface: Healthcare and Public Health Sector,” issued on May 4, DHS says medical devices that connect to IT networks may pose a threat to security.
Network-attached medical devices and mobile devices such as smartphones and tablets could bring cyber-security threats that result in the spread of malware and the loss of data, according to the bulletin.
The U.S. Federal Drug Administration regulates the sale of medical devices, but not their use, which could lead to breaches, DHS reported.
“The expanded use of wireless technology on the enterprise network of medical facilities and the wireless utilization of MDs opens up both new opportunities and new vulnerabilities to patients and medical facilities,” the bulletin from the DHS’ National Cybersecurity and Communications Integration Center stated.
“Smartphones with poorly designed security protections are frequently connected to medical IT networks and provide a new vector for malware transmission,” DHS reported.
Even some medical devices implanted inside patients could hold sensitive information and lead to theft of medical data and intrusion onto corporate networks. These devices could also cause Denial of Service (DoS) attacks due to their sensitivity to battery life, the report stated.
“Implantable devices can present a real danger to patients through interruption of their function, tampering with their communications or by causing them to act or perform in a manner that is harmful to the person they are attached to,” Mac McMillan, CEO of health care security firm CynergisTek and chair of the HIMSS (Healthcare Information and Management Systems Society)Privacy and Security Policy Task Force, told eWEEK in an email.
The fact that the DHS has issued an alert on medical devices shows that a real cause for concern exists, said McMillan.
“I think it is a very big issue, and health care entities need to take it very seriously,” McMillan said. “The fact that we have well-publicized security conferences like Black Hat, Defcon and RSA giving stage time to researchers and hackers who demonstrate and discuss the vulnerability in medical devices and systems ought to serve as a wake-up call.”
The DHS report mentioned a demonstration at the 2011 Black Hat conference in which security researcher Jay Radcliffe, who is a diabetic, was able to shut down or change the settings on an insulin pump without the patient’s knowledge. He also discussed how someone can use an oscilloscope, an instrument that displays waveforms, to eavesdrop on a glucose monitor’s transmission, the DHS reported.
In another demonstration, a researcher at the 2011 RSA conference showed how he could intercept an insulin pump signal and direct it to give a lethal dose to a patient, McMillan noted.
Health Care Organizations Need to Set Device Management Policies
“Imagine a blood pressure monitor, or heart monitor, that transmits the wrong message or simply ceases to function, or a medical decision support system that receives the wrong informationthe result could be very bad,” said McMillan.
Implantable devices control tasks such as the release of drugs or monitor the vital signs of patients, said Joe Gottlieb, president and CEO of Sensage, a company whose software tracks the presence of mobile devices on networks and uses data mining to monitor data on devices.
“As more of these devices come on line and are digitally controlled, the likelihood of them becoming a key attack vector is great,” Gottlieb wrote in an email to eWEEK.
When networks are misconfigured and companies have lax security practices, the risk of compromised medical devices increases, according to DHS.
“Misconfigured systems or network controls can provide inappropriate access to medical devices and make it possible for someone to interfere with their operation, tamper with their settings, etc.,” McMillan said. “An insecure network segment such as a wireless LAN not encrypted, or encrypted with a less-than-optimal solution (less than WPA2) can create an avenue for someone to access a device and tamper with its operation.”
Organizations need to establish acceptable ranges for different device use cases, according to Gottlieb.
In a patient’s room, doctors may be using a personal tablet or laptop, but at a main workstation, laptops are shared, he noted.
“Log-in details can track that someone is using the device outside their approved range,” said Gottlieb.
Legacy medical devices from before 1976 are a particular concern, DHS noted, while referring to comments from HHS.
As employees increasingly bring their own mobile devices onto networks, companies need to be more proactive with their security policies, according to an April 11 report from HIMSS Analytics and Kroll Advisory Solutions, a provider of IT security. Of 250 health care industry professionals interviewed, 31 percent believed mobile devices were a top threat for health care data breaches.
To respond to the warning, health care organizations must educate employees about the risks of mobile devices and what constitutes unauthorized usage, said Gottlieb.
“Suspicious behaviors should be easy to spot if you have a good understanding of what you consider ‘acceptable’ mobile activity,” Gottlieb explained.
Health care organizations must set up mobile-management systems to handle remote provisioning and tracking as well as remote wiping, said Gottlieb. IT departments in hospitals also must have baseline settings for the mobile devices, such as user locations, log-in times and level of activities, he said.
“Log events from these devices and ensure that as thresholds are exceeded, you are alerted,” Gottlieb advised.
Health care organizations must also monitor mobile device activities and adjust security practices based on these activity logs, he said.
To address the threat from medical devices, health care organizations should conduct risk analyses, perform policy testing of networks and systems to ensure their integrity, and make sure that security criteria is part of system selection, said McMillan.
Companies should also “maintain strict accountability of medical devices,” said McMillan.