Posts

Medical devices growing concern in healthcare IT security

Practically every hospital and healthcare institution invariably depend upon medical devices.  These devices produce a sizable amount of data and despite the fact that very little of this data is retained for any longitudinal patient benefit, the data must be safeguarded per federal requirements.  Proficio’s security engineers have worked with a number of healthcare IT security teams and have on several occasions discovered malicious software within medical devices exposing the network to international threats.

Medical devices are driving significant advances in medical research, clinical diagnostics and operational efficiencies, however, they remain particularly vulnerable because of the unique hardware and software systems they depend on.  Medical devices cannot simply be individually firewalled or easily monitored yet they remain vital components in our healthcare system.

A recent security risk assessments of a mid-size research hospital discovered  more than 5,000  devices, most of which required network connectivity to transmit imaging and diagnostic results to a downstream piece of software.  Proficio has found an incredible variety of device types, most of which are susceptible to malware.  Most concerning are the life-support devices not simply monitoring patient health but actually providing vital respiratory, circulatory and pulmonary  life support.

For IT security practitioners, medical devices can be a challenge. Unclear regulatory governance and unique technological requirements have led to the use of outdated operating systems that run applications with little or no software security which has made them easy targets for malware or even proxies for advanced threats. Clearly these devices are connected to the hospital’s network and core IT infrastructure yet most hospitals we have assessed do not believe they are a threat.  In reality, these devices can and do contain malware capable of crippling a hospitals network. Security holes such as poorly secured wireless access points, unprotected staff consoles or publicly available network ports could all be easily exploited by an amateur attacker with simple rudimentary pen testing tools.  Considering the ramifications of even a minor breach, hospitals cannot continue to ignore the threats posed by outdated or unpatched medical devices.  Information has always been the backbone of the medical industry and the sad truth is that it is only a matter of time before a cyber-attack leads directly to human casualties.

In our next blog, well discuss some key steps hospitals can take to protect themselves and their patients from malicious actors.