The U.S. Department of Homeland Security (DHS) released a bulletin on May 4 warning of the potential for expanding medical device attacks, based on the increased use of wireless technology in the space. The U.S. Food and Drug Administration (FDA) and other players in the medical device space have been concerned for some time over cyber security of wireless devices, but this is the first time the DHS has made a public statement on the issue.
“Smartphones and tablets are mini computers with instant access to the Internet or linked directly to a hospital’s network. The device or the network could be infected with malware designed to steal medical information if not upgraded with the latest anti-virus and spyware software,” the DHS bulletin read. “The expanded use of wireless technology on the enterprise network of medical facilities and the wireless utilization of MDs [medical devices] opens up both new opportunities and new vulnerabilities to patients and medical facilities. Since wireless MDs are now connected to medical information technology (IT) networks, IT networks are now remotely accessible through the MD. This may be a desirable development, but the communications security of MDs to protect against theft of medical information and malicious intrusion is now becoming a major concern. In addition, many [healthcare and public health] organizations are leveraging mobile technologies to enhance operations. The storage capacity, fast computing speeds, ease of use, and portability render mobile devices an optimal solution.”
According to the DHS bulletin, the U.S. Veterans Administration has faced resistance from medical device makers when asked to introduce software updates or security features, such as data encryption software, for fear of losing FDA accreditation.
DHS admitted that the issue of cyber security for medical devices does not have an easy solution, especially with a significant population of legacy medical devices already deployed. However, the agency did recommend that healthcare IT administrators take a number of steps to improve the security of their installations. Those include limiting purchases of networked medical devices to those with “well documented and fine-grained security features” that permit safe deployment on networks. Purchasing agreements should include vendor support for ongoing firmware, patch, and antivirus updates where they are a suitable risk mitigation strategy, DHS suggests. Other recommendations cover standard security blocking and tackling: the use of firewalls and endpoint security software, encryption of data at rest and in transit, and rigorous access controls on healthcare networks.