Homeland Security zeroes in on medical device vulnerabilities
Even as they promise better health and easier care delivery, wireless medical devices (MDs) carry significant security risks. And the situation is only getting trickier as more and more devices come with commercial operating systems that are both Internet-connected and susceptible to attack.
That’s according to a bulletin circulated by the U.S. Department of Homeland Security (DHS) this week, which explains that part of the problem is that the FDA cannot regulate who uses medical devices or how they are used – including, most notably, how they're connected to networks.
Devices include implantable medical devices, external medical devices, portable computers such as iPads, tablets, and smartphones – all of which are creating what DHS referred to as an “expanding attack surface.”
“Instant connectivity of these devices to the Internet or a Health Information System (HIS) that could be compromised if not protected with the latest anti-virus and spyware,” the DHS bulletin explained. “MDs like smartphones and tablets are mini-computers with instant access to the Internet or linked directly to a hospital’s network. The device or the network could be infected with malware designed to steal medical information.”
To that end, DHS breaks out five main points of entry for wireless mobile devices:
- Insider: The most common ways employees steal data involved network transfer, be that email, remote access, or file transfer.
- Malware: These include keystroke loggers and Trojans, tailored to harvest easily accessible data once inside the network.
- Spearphishing: This highly-customized technique involves an email-based attack carrying malicious attack disguised as coming from a legitimate source, and seeking specific information.
- Lost equipment: A significant problem because it happens so frequently, even a smartphone in the wrong hands can be a gateway into a health entity’s network and records. And the more that patient information is stored electronically, the greater the number of people potentially affected when equipment is lost or stolen.
[See also: The Challenge of Encrypting BYOD Devices.]
DHS described a presentation at last year’s Black Hat conference in which a security researcher, himself diabetic, demonstrated how to disrupt and jam an implanted insulin pump without the user being any the wiser. What’s more, some medical devices contain personal information that could be stolen and sold for illegal uses – as do electronic medical records when stored on unencrypted devices.