Wireless tech makes health care security a 'major concern'

The use of wireless technology in the latest medical devices found in hospitals, health clinics and doctors' offices has become a major concern of the U.S. Department of Homeland Security (DHS).

In a bulletin issued this month, the DHS warned that while new technology brings efficiency, lower cost and better patient care, it also carries security risks that the multi-trillion-dollar healthcare industry may not be prepared to tackle.

"The communications security of medical devices to protect against theft of medical information and malicious intrusion is now becoming a major concern," the report, entitled "Attack Surface: Healthcare and Public Health Sector," said.

Doctors, nurses and ambulance workers are using wireless medical devices for diagnosis and treatment and to monitor changes in patients' health. The devices can be handheld, wheeled in on a stand or implanted, such as in the case of heart-sustaining pacemakers and defibrillators.

While the Food and Drug Administration (FDA) regulates the manufacture of devices from design to sale, the agency does not have rules for how they should be connected and configured within a network. Therefore, it is up to medical facilities to make sure the devices, which often have access to patient medical information, are protected from hackers.

"Failure to implement a robust security program will impact the organization's ability to protect patients and their medical information from intentional and unintentional loss or damage," the DHS warned.

Even though security features are designed into the medical devices, they may not be used because of the complexity of the technology, or because of ignorance about the capabilities. "Because the technology is so new, there may not be an authoritative understanding of how to properly secure it, leaving open the possibilities for exploitation," the DHS said.

Tight budgets also contribute to the problem, since cash-strapped health facilities may choose to fund other priorities within their operations. But despite these hurdles, security cannot be treated as only a nice-to-have feature.

"In a world in which communication networks and medical devices can dictate life or death, these systems, if compromised, pose a significant threat to the public and private sector," the DHS said.

Because many medical devices use commercial operating systems, they are as open to attack as many computers. Even devices with proprietary systems can be compromised, typically through their software update mechanism.

At the 2011 Black Hat security conference, a researcher demonstrated how he was able to hack into an insulin pump and change its settings without the user's knowledge. The same researcher also used an oscilloscope to eavesdrop on a glucose monitor's transmission.

In 2009, Kevin Fu, an assistant professor in computer science at the University of Massachusetts, Amherst, hacked into a defibrillator, a device that uses electricity to stabilize a person's heartbeat. Fu was able to reprogram the device so it would give a shock to a patient's heart, the DHS said. He was also able to disable the defibrillator's power-saving mode, causing the battery to run down in hours rather than years.

Roughly a quarter of hospitals do not perform annual evaluations to determine the risks to patient data within their organizations, according to a 2011 survey by the Healthcare Information and Management Systems Society, a nonprofit organization specializing in healthcare security issues. In addition, the majority of respondents reported spending 3 percent or less of their overall IT budget on security.

The DHS points out that hospitals can be held liable for the loss of patients' information. For example, a USB drive can hold as many as 25,000 patient records. Theft or loss of such a drive could cost a hospital $6 million in penalties, including legal fees, notification to affected patients and the cost of services to monitor the use of the victims' personal identities, the agency said.

Best practices recommended by the DHS to secure medical devices included buying only networkable devices that IT staff can configure. The agency also said healthcare facilities should purchase vendor support for firmware, patching and anti-virus updates.

Other recommendations included maintaining external-facing firewalls, deploying network monitoring and intrusion detection techniques and placing devices whenever possible on a separate segment of the network. The DHS also advised implementing strict access policies and using encryption and authentication at both ends of a communication channel.

Stories by Antone Gonsalves