Homeland Security zeroes in on medical device vulnerabilities

By Tom Sullivan
10:29 AM

Even as they promise better health and easier care delivery, wireless medical devices (MDs) carry significant security risks. And the situation is only getting trickier as more and more devices come with commercial operating systems that are both Internet-connected and susceptible to attack.

That’s according to a bulletin circulated by the U.S. Department of Homeland Security (DHS) this week, which explains that part of the problem is that the FDA cannot regulate who uses medical devices or how they are used – including, most notably, how they're connected to networks.

Devices include implantable medical devices, external medical devices, portable computers such as iPads, tablets, and smartphones – all of which are creating what DHS referred to as an “expanding attack surface.”

[See also: Breaches epidemic despite efforts at compliance, says Kroll.]

“Instant connectivity of these devices to the Internet or a Health Information System (HIS) that could be compromised if not protected with the latest anti-virus and spyware,” the DHS bulletin explained. “MDs like smartphones and tablets are mini-computers with instant access to the Internet or linked directly to a hospital’s network. The device or the network could be infected with malware designed to steal medical information.”

To that end, DHS breaks out five main points of entry for wireless mobile devices:

  1. Insider: The most common ways employees steal data involved network transfer, be that email, remote access, or file transfer.
  2. Malware: These include keystroke loggers and Trojans, tailored to harvest easily accessible data once inside the network.
  3. Spearphishing: This highly-customized technique involves an email-based attack carrying malicious attack disguised as coming from a legitimate source, and seeking specific information.
  4. Web: DHS lists silent redirection, obfuscated JavaScript and search engine optimization poisoning among ways to penetrate a network then, ultimately, access an organization’s data.
  5. Lost equipment: A significant problem because it happens so frequently, even a smartphone in the wrong hands can be a gateway into a health entity’s network and records. And the more that patient information is stored electronically, the greater the number of people potentially affected when equipment is lost or stolen.

[See also: The Challenge of Encrypting BYOD Devices.]

DHS described a presentation at last year’s Black Hat conference in which a security researcher, himself diabetic, demonstrated how to disrupt and jam an implanted insulin pump without the user being any the wiser. What’s more, some medical devices contain personal information that could be stolen and sold for illegal uses – as do electronic medical records when stored on unencrypted devices.

In the bulletin, DHS holds up the Department of Veterans Affairs as an example of how to mitigate wireless MD risk – one that federal agencies as well as private health entities could learn from.The VA, of course, has been blazing a mobile devices trail.

After more than 180 cyber attacks on VA MDs, the agency isolated such devices from its main network by creating a Virtual Local Area Network (VLAN) replete with access control lists that enable only authorized users to access the main network, thereby protecting clinical data because those same devices are effectively disconnected from other areas of VA’s network.

“Healthcare and Public Health Sector IT Administrators need to address the gap between security and mobile device use,” wrote DHS officials. “Areas of concern include unmanaged mobile device access, authentication of users requesting access to a hospital’s web server, how to secure mobile devices with health information, unsecured wireless connectivity or cellular networks and protection against unauthorized breach of lost and/or stolen devices."