As more medical devices—like diagnostic imaging machines and wireless infusion pumps—provide internet connectivity, attackers are increasingly targeting them as a means to gain access to hospital and provider networks. Device manufacturers have been slow to issue patches and provide support for these devices, leaving their security network unsecure. Most organizations do not have policies and procedures in place to maintain the devices, leaving critical vulnerabilities open for months to years after a security patch is issued. These weaknesses impact not only the entire organization, but also the safety of patients who use these devices. In short, medical device security is more important than ever.
The Food and Drug Administration (FDA) recently published a warning detailing the emergence of a new medical device risk referred to as “Urgent/11.” The vulnerability exists in IPnet, a legacy third-party software found in multiple operating systems used for communication across a network and between computers. IPnet is still found in a number of medical and networking devices in use today. The FDA has stated that URGENT/11 may allow a remote attacker to exploit this flaw and take over the device. This could result in a medical device breach of electronically protected health information (ePHI), a denial of service, a device malfunction, or a complete shut down the device.
Security of medical devices is a topic that has gained a lot of attention in the past few years, due to vulnerabilities such as URGENT/11 appearing in the industry. There has been a paradigm shift by manufacturers as they focus not only on how the device functions, but also on whether the security and support is present and robust enough to protect the device and its data.
At DEF CON this year, medical device manufacturers and the FDA illustrated how hackers could intercept secure data by providing real-time demonstrations with medical devices. Attendees engaged in hands-on research by attempting to exploit these systems and gain access to their data.
Various organizations, such as the FDA, H-ISAC, and MedISAO, are providing guidance on medical device security best practices and hardening procedures. Additionally, the FDA has provided a resource to assist organizations in performing a risk assessment of their medical devices called “Postmarket Management of Cybersecurity in Medical Devices.” This is the first step in the creation of a medical device maintenance and security program.
Reaching the gold-standard in security regulations for medical devices will require a joint effort between manufacturers and prescribers, whether hospital or provider. Not only must security be built into the devices and support provided once they are in use, hospitals and providers need to implement a process to patch and secure them frequently and in a timely manner, as they would any server or workstation.
