Risk
9/30/2013
01:01 PM
50%
50%

Medical Device Security: A Work In Progress

Healthcare organizations vary widely in how prepared they are to handle breaches of medical devices, says Deloitte report.

Healthcare Robotics: Patently Incredible Inventions
Healthcare Robotics: Patently Incredible Inventions
(click image for larger view)
Healthcare organizations are in various stages of mitigating the cybersecurity risks of medical devices such as patient monitors, infusion pumps, ventilators, pacemakers and imaging devices, a new Deloitte report says. Overall, however, Deloitte's interviews with medical device security leaders at nine large hospital systems indicate that their organizations have a long way to go and that they'll need more cooperation from device manufacturers.

Last June, the Food and Drug Administration (FDA) released a guidance on the "content of premarket submissions for management of cybersecurity in medical devices." This guidance suggested that device makers incorporate security features into their products to limit access to only trusted users, determine trusted content, and use fail-safe and recovery devices. FDA called on the manufacturers to consider threats such as hacking, malware and other vulnerabilities of device software and to work with providers on use cases.

"The cybersecurity guidance has definitely gotten the attention of some of the manufacturers," said Russell Jones, a report author and a partner in Deloitte's life sciences and healthcare division, in an interview. "The FDA has made it clear, with the guidance and the additional communications they've published, that this is an area of importance."

However, he told InformationWeek Healthcare, many device makers are still not ready to include these security features in their purchasing agreements with healthcare providers. Although providers and manufacturers have begun collaborating on this issue, he said, they have a long way to go.

[ Are apps the answer to doctors' hectic schedules? Read Healthcare Apps Could Be Doctor's Best Friend. ]

Also, the Deloitte report noted, healthcare organizations have had difficulty in developing risk-mitigation strategies for devices that are more than five years old and run on proprietary operating systems. "These legacy devices are difficult to test for vulnerabilities because off-the-shelf security scanning tools do not exist," the paper said. In cases where hospitals lack spare devices of the same kind, these products can't even be taken offline for testing, Jones added.

Other devices that run on "well known commercial operating systems" have the same vulnerabilities as other types of systems connected to a network, the report said.

For both these and the legacy devices, the most extreme risk mitigation method is to quarantine the medical devices from the rest of the hospital IT system. But, partly because of the complexity of running multiple systems that aren't networked, Deloitte suggested that organizations do this only where it's appropriate.

"We recommend that organizations consider quarantining, and if it doesn't make sense, fall back to other types of controls, such as detection controls and sim systems," Jone said. "That may be the best you can do to see whether there has been activity that suggests hacking or unauthorized access to medical devices."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarciaNWC
100%
0%
MarciaNWC,
User Rank: Apprentice
11/17/2013 | 7:06:57 PM
re: medical device security
Even though the threat level is low right now, it's incumbent on medical device makers to step up on security, and for health care providers to require security in their purchasing agreements. It doesn't take long for attackers to exploit vulnerabilities.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2004-2771
Published: 2014-12-24
The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.

CVE-2014-3569
Published: 2014-12-24
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshak...

CVE-2014-4322
Published: 2014-12-24
drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or c...

CVE-2014-6132
Published: 2014-12-24
Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3 through 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3, and 8.5.x before 8.5.0.1 allows remote authenticated users to inject arbitrary web script or HTML vi...

CVE-2014-6153
Published: 2014-12-24
The Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3.x through 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3, and 8.5.x before 8.5.0.1 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.