A bulletin published by the Department of Homeland Security has warned that the increasing use of wireless networking technology to enable medical devices expands the ways that those devices could be hacked.
The bulletin, published May 4 by DHS’ National Cybersecurity and Communications Integration Center, warns that progress in medical devices, including Internet connectivity and the use of smartphones, tablets and other mobile devices in patient care, “expands the attack surface” of medical devices.
“Smartphones and tablets are mini computers with instant access to the internet or linked directly to a hospital’s network. The device or the network could be infected with malware designed to steal medical information if not upgraded with the latest anti-virus and spy-ware software,” DHS said.
Advances in medical device technology have already greatly improved medical care, especially in areas like medical health records and remote monitoring of patients with implantable medical devices. However, too little consideration has been given to the potential for the misuse of features like wireless networking connectivity to steal patient information or even change the operation of the medical device. Wireless medical devices could even be gateways to larger compromises of hospital and provider networks, DHS warns.
“The expanded use of wireless technology on the enterprise network of medical facilities and the wireless utilization of (medical devices) opens up both new opportunities and new vulnerabilities to patients and medical facilities,” DHS said. “Since wireless MDs are now connected to Medical information technology (IT) networks, IT networks are now remotely accessible through the MD. This may be a desirable development, but the communications security of MDs to protect against theft of medical information and malicious intrusion is now becoming a major concern.”
The DHS bulletin also notes that Veterans Administration officials cited pushback from medical device makers against calls to introduce software updates or security features, such as data encryption software, for fear of losing FDA accreditation.
DHS says there’s no easy fix for the cyber security problem with medical devices, especially with an enormous population of legacy medical devices already deployed. However, the agency recommended that IT administrators in the healthcare field take a number of steps to improve the security of their installations. Those include limiting purchases of networked medical devices to those with “well documented and fine-grained security features” that permit safe deployment on networks. Purchasing agreements should include vendor support for ongoing firmware, patch, and antivirus updates where they are a suitable risk mitigation strategy, DHS said. Other recommendations include standard security blocking and tackling, including the use of firewalls and endpoint security software, encryption of data at rest and during transmission, and rigorous access controls to healthcare networks.