In a bulletin, the Department of Homeland Security (DHS) is warning healthcare organizations about the threat posed by insecure, network attached medical devices and the proliferation of smart phones, tablet PCs and other mobile devices in medical settings.
DHS’s National Cybersecurity and Communications Integration Center (NCCIC) issued the unclassified bulletin, “Attack Surface: Healthcare and Public Health Sector,” on May 4. In it, DHS warns of a wide range of security risks that could expose patient data to malicious attackers or leave hospital networks and first responders open to disruptive cyber attacks. DHS recommends that hospitals and health care organizations establish policies to manage the security of mobile devices within their organizations.
The growing use of mobile devices such as smart phones, tablets and USB devices in the health care sector brings improvements in productivity and the delivery of health care, DHS said. However, these devices also introduce a slew of security vulnerabilities that health care organizations are often slow to recognize. Among them are the loss or theft of patient data, the spread of malware from infected mobile or portable devices, and the exposure of supposedly isolated medical systems to the Internet through an Internet-connected mobile device, DHS said.
As the nation’s hospitals and private practices shift to Electronic Health Records (with significant government incentives to do so), patient records will be increasingly exposed to electronic compromise stemming from loose access control, poorly managed user privileges and similar weaknesses.
In addition, the agency warned about threats to medical devices such as implanted defibrillators and insulin pumps, citing research from the University of Massachusetts showing that implantable medical devices offer little in the way of security against remote attacks and tampering. “Design concepts for medical device immunity from cyber attack must include all phases of the medical device life cycle,” DHS said. Furthermore, relying on the obscurity of proprietary operating systems for security “provide(s) little external visibility to design flaws (that) might enable external unauthorized access.” Medical device makers should implement encryption and strong authentication to make their devices resistant to tampering, DHS said.
The warning from DHS is just the latest evidence that the security of medical systems in the U.S. is becoming a concern for the government and security researchers alike. At the Hacker Halted Security Conference in October, researcher Barnaby Jack demonstrated how a kit built from off-the-shelf technology could be used to launch a wireless attack on an implantable insulin pump made by Medtronic. A successful attack could deliver a fatal dose of insulin to a diabetic, Jack showed.
Other researchers, including Kevin Fu of the University of Massachusetts at Amherst, have likewise lamented a culture of lax security among medical device makers, who have introduced remote monitoring and management features for the benefit of physicians and patients without considering how such features might be exploited by a malicious actor.
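The Medtronic demonstration and the DHS recommendation for "strong authentication" come down to one design question: does the device accept a dose command because it is well-formed, or because it can prove who sent it and that it has not been seen before? The following is an added illustration, not code from DHS, Medtronic, Barnaby Jack or Kevin Fu. The frame layout, the per-device key, the dose limit and the hypothetical controller and pump are all assumptions made so the example runs offline; it contrasts a pump that parses an unauthenticated command with one that checks an HMAC tag, a monotonic counter against replay and a clinical dose ceiling.

```python
import hashlib
import hmac
import struct

# Constructed toy frame layout (an assumption for illustration, not any
# vendor's real radio protocol):
#   version (1 byte) | counter (4 bytes, big-endian) | dose in 0.1 U (2 bytes)
BODY_FMT = ">BIH"
BODY_LEN = struct.calcsize(BODY_FMT)   # 7 bytes
TAG_LEN = 32                           # HMAC-SHA256 output

# Hypothetical per-device key, provisioned at manufacture and shared only with
# the patient's paired controller. A real device would keep it in
# tamper-resistant storage; it is hard-coded here only so the example runs.
DEVICE_KEY = bytes.fromhex("0f" * 32)


def build_frame_unauthenticated(dose_units: float) -> bytes:
    """The 'before' picture: a dose command that carries nothing but a format."""
    return struct.pack(BODY_FMT, 1, 0, round(dose_units * 10))


def pump_unauthenticated(frame: bytes) -> tuple:
    """Accepts any well-formed frame, so knowing the format is enough to attack."""
    if len(frame) != BODY_LEN:
        return ("reject", "length")
    _version, _counter, dose10 = struct.unpack(BODY_FMT, frame)
    return ("accept", dose10 / 10)


def build_frame_authenticated(key: bytes, counter: int, dose_units: float) -> bytes:
    """Controller side: MAC the body together with a strictly increasing counter."""
    body = struct.pack(BODY_FMT, 1, counter, round(dose_units * 10))
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class AuthenticatedPump:
    """Device side: reject frames that are unsigned, forged, replayed or out of policy."""

    def __init__(self, key: bytes, max_dose_units: float = 10.0):
        self.key = key
        self.max_dose_units = max_dose_units
        # Highest counter accepted so far. It must survive power cycles on a
        # real device, or every reboot reopens the replay window.
        self.last_counter = 0

    def handle(self, frame: bytes) -> tuple:
        if len(frame) != BODY_LEN + TAG_LEN:
            return ("reject", "length")
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        # Verify the tag first, in constant time, before trusting any field.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return ("reject", "bad tag")
        version, counter, dose10 = struct.unpack(BODY_FMT, body)
        if version != 1:
            return ("reject", "version")
        # A genuine frame captured over the air must not be usable a second time.
        if counter <= self.last_counter:
            return ("reject", "replay")
        dose = dose10 / 10
        # Defence in depth: even a correctly signed command cannot exceed the
        # clinical maximum configured on the device itself.
        if dose > self.max_dose_units:
            return ("reject", "dose limit")
        self.last_counter = counter
        return ("accept", dose)


def demo() -> dict:
    """Runs constructed attacker and controller frames against both pumps."""
    attacker_key = bytes.fromhex("aa" * 32)     # the attacker does not hold DEVICE_KEY
    pump = AuthenticatedPump(DEVICE_KEY)
    results = {}
    # 1. Unauthenticated pump: a lethal dose crafted from the format alone is accepted.
    results["unauth_forged"] = pump_unauthenticated(build_frame_unauthenticated(50.0))
    # 2. A legitimate controller command is accepted once.
    good = build_frame_authenticated(DEVICE_KEY, 1, 2.5)
    results["auth_good"] = pump.handle(good)
    # 3. Replaying the captured frame is rejected.
    results["auth_replay"] = pump.handle(good)
    # 4. Forging with the wrong key is rejected.
    results["auth_forged"] = pump.handle(build_frame_authenticated(attacker_key, 2, 50.0))
    # 5. Flipping a dose byte in a captured frame breaks the tag.
    tampered = bytearray(build_frame_authenticated(DEVICE_KEY, 3, 2.5))
    tampered[6] ^= 0xFF
    results["auth_tampered"] = pump.handle(bytes(tampered))
    # 6. Even a correctly signed over-limit dose is refused by device policy.
    results["auth_over_limit"] = pump.handle(build_frame_authenticated(DEVICE_KEY, 4, 50.0))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} -> {outcome}")
```

The MAC covers the counter, so an attacker cannot refresh a captured frame; the counter check runs only after the tag verifies, so unauthenticated traffic cannot advance it; and the dose ceiling is enforced on the device, so a compromised controller or leaked key still cannot deliver the fatal dose described above. This shows authentication and replay protection only; the encryption DHS also calls for would additionally hide the dose values from a passive listener.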