DHS Issues Warning on Medical Device Security
The Department of Homeland Security says the combination of medical devices and wireless connectivity presents a security risk.
The U.S. Department of Homeland Security has issued an unclassified bulletin, entitled "Attack Surface: Healthcare and Public Health Sector", which warns that wireless medical devices (MDs) present a significant security risk. "The expanded use of wireless technology on the enterprise network of medical facilities and the wireless utilization of MDs opens up both new opportunities and new vulnerabilities to patients and medical facilities," the bulletin states. "Since wireless MDs are now connected to Medical information technology (IT) networks, IT networks are now remotely accessible through the MD."
"The center explained that the Food and Drug Administration does not regulate how medical devices are connected to the network of the healthcare facility," Infosecurity reports. "So it is up to the organization itself to implement a 'robust security program' to protect patient information and access to networks from insecure wireless medical and communication devices."
"Best practices recommended by the DHS to secure medical devices included buying only networkable devices that IT staff can configure," writes CSO Online's Antone Gonsalves. "The agency also said healthcare facilities should purchase vendor support for firmware, patching and anti-virus updates. Other recommendations included maintaining external-facing firewalls, deploying network monitoring and intrusion detection techniques and placing devices whenever possible on a separate segment of the network."
"The warning from DHS is just the latest evidence that the security of the medical system in the U.S. is becoming a concern for the government and security researchers alike," writes Threatpost's Paul Roberts. "At the Hacker Halted Security Conference in October, researcher Barnaby Jack demonstrated how a kit created using off the shelf technology could be used to launch a wireless attack on an implantable insulin pump made by Medtronic. A successful attack could release a fatal dose of insulin to a diabetic, Jack showed."