Hospitals patrolling their IT systems for security flaws have another group of assets to consider: medical devices that increasingly use wireless technology.
Concerns over medical device vulnerability have grown as machines such as infusion pumps land on hospital networks. Devices that communicate wirelessly add to worries that critical health systems could be breached. Consider the following:
- Barnaby Jack, a researcher at McAfee, told BBC earlier this year that he was able to compromise insulin pumps within a 300-foot range, noting that the wireless links used to update the devices opened them up to attack.
- The Department of Homeland Security in May issued a warning on medical device security. The DHS report noted that "the communications security of [medical devices] to protect against theft of medical information and malicious intrusion is now becoming a major concern."
- Last year, a joint Massachusetts Institute of Technology/University of Massachusetts-Amherst research paper stated that implantable medical devices (IMDs) such as pacemakers "can be exploited to compromise the confidentiality of the IMD's transmitted data or to send the IMD unauthorized commands -- even commands that cause the IMD to deliver an electric shock to the patient."
Risk mitigation approaches for medical devices are just coming into focus, although some observers contend that these efforts still are inadequate for the task at hand.
Benefits and Risks
Health care providers' interest in wireless medical devices stems from two main considerations. First is the ability to upgrade firmware and software within those devices without dispatching a technician to each machine, according to Jeff VanSickel, practice leader for compliance at SystemExperts, a security consulting firm based in Sudbury, Mass. Second, wireless technology lets clinicians remotely monitor devices and patients, receiving real-time status updates and alerts.
While acknowledging those benefits, VanSickel also pointed to some risks. He noted that two nurses calibrating an infusion pump will set the concentration and drip-feed level for certain critical drugs, one witnessing the other's actions. The device then is locked down. VanSickel, however, questions how that type of control will be maintained when devices are wirelessly connected to a central station or data center.
"If you start making those [devices] wirelessly connected to a centralized station where ... the dosage and concentration of drugs can be modified, you have to start worrying about things," he said.
The crux of the matter lies with medical device manufacturers that fail to build products with security in mind, according to Kevin Fu, an associate professor of computer science, and electrical and computer engineering at University of Massachusetts-Amherst.
"Health care professionals are flummoxed about how to address medical device security," he said. "I've spoken to countless IT staff who cannot implement reasonable security policies because vendors do not sell products with reasonable security built in."
Fu, who co-authored the MIT/University of Massachusetts paper, pointed to the example of one manufacturer that failed to approve any software updates for a Windows-based perinatal monitoring system in 2011.
"Windows had numerous security patches in 2011, and yet none of the patches were approved for installation by the vendor," Fu said.
A rootkit compromised the system, he added, because the vendor did not take effective steps to boost cybersecurity.
Bhavesh Patel -- director of clinical engineering at WakeMed Health & Hospitals, a private, not-for-profit health care system based in Raleigh, N.C. -- noted that medical device manufacturers tend to trail IT vendors when it comes to meeting the current standard for security protocols.
"Medical device manufacturers ... have to go through FDA to get approval for changes so they are not as quick," Patel said. "Sometimes they lag behind."
The lag may compel the hospital to take devices offline until an update becomes available.
"Sometimes we can't use a piece of equipment for months because it doesn't comply with security standards," Patel said.
Rick Kam -- president and co-founder of ID Experts, a data breach solutions provider based in Portland, Ore. -- agreed that many products designed to provide higher quality health care diagnosis and data for analytics weren't built to address security. These offerings, he said, "were not designed with the security and privacy requirements that we have or that are necessary now to engender patient trust."
Kam said that situation may hold true for a variety of devices ranging from infusion pumps to much simpler devices, such as printers and copiers, with static memory or hard drives that maintain patient data.
Remediation
Medical devices harbor different levels of vulnerability. For example, patient monitoring telemetry systems are very secure, Patel said. He said an intruder may be able to intercept data that a wireless EKG monitor transmits over an 802.11 network, but such an attack would yield no usable information.
"You can listen to the packets, but the packets don't mean anything unless you have the algorithm ... to interpret the waveform," Patel said.
For devices that pose greater concerns, some health care providers have adopted Virtual LANs, or VLANs. VLANs help isolate a network that carries sensitive information.
"We have a clinical network and that has only clinical devices on it," Patel said, noting that many business -- including hospitals -- have pursued the VLAN option.
For example, the Department of Veterans Affairs uses VLANs as part of its Medical Device Protection Program. According to a VA presentation, the department spent seven months isolating about 50,000 medical devices behind some 3,200 VLANs. VA created 3,270 access control lists (ACLs), which are used to permit or block traffic on a VLAN.
Fu called VA's isolation process sophisticated, noting that the department is a leader in medical device security. But he described network isolation as "a bear" to manage.
"Every eight seconds, the VA still finds usernames and passwords unprotected in networks because medical devices and [health] IT do a poor job at building in security," he explained.
Fu said VA deployed VLAN with ACLs to stop the bleeding of medical device insecurity. The sheer number of ACLs, however, makes for an administrative headache, he said.
"The manual maintenance of ACLs is extremely prone to human error," he said.
In general, the current crop of medical device security remediation strategies "are ad hoc and ineffective," Fu added.
Medical Device Security Resources
A few organizations are pursuing research and best practices in the field of medical device security. Those include: