
May 17, 2012
by Alexander Gaffney, RAC

Security Agency Warns About Medical Device Vulnerabilities

The US Department of Homeland Security (DHS) issued a warning on 4 May regarding the potential for medical devices to be compromised by hackers, saying "health care entities need to take [the threat] very seriously."

The report, "Attack Surface: Healthcare and Public Health Sector," put out by DHS's National Cybersecurity and Communications Integration Center (NCCIC), says the US Food and Drug Administration (FDA) currently "cannot regulate medical device use or users, which includes how they are linked to or configured within networks."

This creates issues, explains NCCIC, as the security of each individual network largely dictates how secure each individual device is.

"Typically, modern medical devices are not designed to be accessed remotely; instead they are intended to be networked at their point of use," wrote NCCIC in its report. "However, the flexibility and scalability of wireless networking makes wireless access a convenient option for organizations deploying medical devices within their facilities."

The increased use of wireless medical devices in networked settings is creating new vulnerabilities and the potential for loss of protected health information or malicious intrusion, explains NCCIC.

The report identifies four factors exacerbating medical device vulnerabilities:

  • Many devices are "legacy" medical devices approved before the adoption of the 1976 Medical Device Amendments, and are thus not subject to premarket approval testing by FDA.
  • Some devices now come equipped with advanced networking capabilities which may be confusing to end-users. This complicates efforts to properly secure the devices from network intrusion.
  • Network security functions may be the first to be cut if a healthcare facility is looking to cut its budget because they are the least obvious to patients.
  • Because many medical devices contain protected health information, some healthcare facilities may not wish to expose the devices to security upgrades released by the manufacturer.

While many manufacturers, facilities and organizations are required to conduct security assessments to comply with state and federal regulations, the report explains a large number of loopholes exist despite the best efforts of some agencies and companies.

Some medical devices, particularly Class III implantable medical devices, represent high levels of risk for patients, who may rely on such devices. Any of these implantable devices "are vulnerable to cyber attacks by a malicious actor who can take advantage of routine software update capabilities to gain access and, thereafter, manipulate the implant," said NCCIC.

Other medical device types represent lesser, but potentially dangerous, risks to patients, including external medical devices and portable devices like mobile medical applications on smartphones.

The report goes on to outline many of the common tactics, techniques and procedures used by hackers, and describes ways to reduce a device's vulnerability to hackers.


Read more:

DHS - Attack Surface: Healthcare and Public Health Sector

eWeek - Department of Homeland Security Issues Warning on Medical Device Threats

h/t Fierce Medical Devices - Department of Homeland Security issues device hacking warning
