Unsecured medical devices are putting patients at risk, and IT shops are playing catch-up to find ways to make them more secure. From hospitals to vendors, the devices are prolific in everyday healthcare, yet research reports on IoT vulnerabilities are being published faster than anyone can keep up with them.
We highlight some of the key issues with devices and ways to tackle testing and patching vulnerabilities.
Tech-savvy hospitals such as Mayo, Kaiser and Christiana test continually, recognizing that cybersecurity threats could get scarier, and are working to change mindsets so that information security is treated as a patient safety issue in a world overflowing with unsecured medical devices.
A recent report describes more than 8,600 flaws in pacemaker systems and the third-party libraries that power various components of the devices. The broad list of flaws includes a lack of encryption and authentication, simple bugs in the code and poor design that can put patient lives at risk. These vulnerabilities are associated with outdated libraries used in pacemaker programmer software.
Medical devices are incredibly challenging for providers to secure adequately and all too easy for hackers to find with a Google search. Patching won’t solve every security problem or plug every hole that ransomware such as WannaCry and other exploits might leverage, but this new attack shows just how important it is.
New research reports, “Only 9 percent of manufacturers and 5 percent of users say they test medical devices at least annually,” despite an overall lack of confidence that devices are secure, widespread recognition of the risks unsecured systems pose, and only about 30 percent of manufacturers and hospitals indicating that they encrypt data associated with internet-of-things devices.
Both the private and public sectors are inconsistent in how they adopt IoT, which leaves a steadily growing body of technology highly susceptible to attack. Hackers can use malware to compromise a device, steal patient data from it and use it as a platform to gain access to an entire network. The Government Accountability Office IoT technology assessment also found that cybercriminals can monitor and record data without detection.
Cybercriminals are increasingly attacking medical devices with ransomware and other malware because the devices are soft targets and, since they are often essential to patients’ lives, give hackers considerable leverage when demanding payment. That means hospital CIOs, CISOs and their staffs should be taking steps now to protect health data, such as asking the right questions: What types of security have you built into the device? Have you conducted penetration testing on it, and what were the results? What is your process for distributing security updates and patches?
Hospital IT shops and information security pros wondering how best to protect the dizzying array of medical devices attached to their networks got a reality check on May 18 from Kevin McDonald, director of clinical information security at the Mayo Clinic. His recommendations include maintaining an inventory of devices and software, regularly patching operating systems, whitelisting, installing anti-virus software, and not allowing hard-coded, default or non-expiring passwords.
St. Jude Medical announced flaws in the Merlin@home Transmitter medical device. According to the ICS-CERT advisory, the vulnerabilities could allow a hacker to exploit the device to access or influence communication between the device and Merlin.net; St. Jude has issued an update that patches them.
Kevin Fu, associate professor of computer science and engineering at the University of Michigan, sees historic parallels with our current cybersecurity moment.