
Security Agency Warns About Medical Device Vulnerabilities

Posted 17 May 2012 | By Alexander Gaffney, RAC 

The US Department of Homeland Security (DHS) issued a warning on 4 May regarding the potential for medical devices to be compromised by hackers, saying "health care entities need to take [the threat] very seriously."

The report, "Attack Surface: Healthcare and Public Health Sector," put out by DHS's National Cybersecurity and Communications Integration Center (NCCIC), says the US Food and Drug Administration (FDA) currently "cannot regulate medical device use or users, which includes how they are linked to or configured within networks."

This creates issues, explains NCCIC, as the security of each individual network largely dictates how secure each individual device is.

"Typically, modern medical devices are not designed to be accessed remotely; instead they are intended to be networked at their point of use," wrote NCCIC in its report. "However, the flexibility and scalability of wireless networking makes wireless access a convenient option for organizations deploying medical devices within their facilities."

The increased use of wireless medical devices in networked settings is creating new vulnerabilities and potential for the loss of protected health information or malicious intrusion, explains NCCIC.

The report identifies four factors exacerbating medical device vulnerabilities:

  • Many devices are "legacy" medical devices approved before the adoption of the 1976 Medical Device Amendments, and are thus not subject to premarket approval testing by FDA.
  • Some devices now come equipped with advanced networking capabilities which may be confusing to end-users. This complicates efforts to properly secure the devices from network intrusion.
  • Network security functions may be the first to be cut if a healthcare facility is looking to cut its budget because they are the least obvious to patients.
  • Because many medical devices contain protected health information, some healthcare facilities may not wish to expose the devices to security upgrades released by the manufacturer.

While many manufacturers, facilities and organizations are required to conduct security assessments to comply with state and federal regulations, the report explains that a large number of loopholes exist despite the best efforts of some agencies and companies.

Some medical devices, particularly Class III implantable medical devices, represent high levels of risk for patients, who may rely on such devices. Any of these implantable devices "are vulnerable to cyber attacks by a malicious actor who can take advantage of routine software update capabilities to gain access and, thereafter, manipulate the implant," said NCCIC.

Other medical device types represent lesser, but potentially dangerous, risks to patients, including external medical devices and portable devices like mobile medical applications on smartphones.

The report goes on to outline many of the common tactics, techniques and procedures used by hackers, and describes ways to reduce a device's vulnerability to hackers.

Read more:

DHS - Attack Surface: Healthcare and Public Health Sector

eWeek - Department of Homeland Security Issues Warning on Medical Device Threats

h/t Fierce Medical Devices - Department of Homeland Security issues device hacking warning
