Prominent healthcare CIO: FDA medical device security warning "will be the first of many"

Dr. John Halamka has taken to his "Life as a Healthcare CIO" blog to sound the alarm on medical device threats in the wake of the FDA late last week issuing its first cybersecurity warning about a specific medical device.

The Food and Drug Administration urged healthcare facilities to stop using Hospira's Symbiq Infusion System, a common device for dispensing fluids/drugs to patients that the manufacturer says is being removed from the market. The warning spells out that the devices could be accessed via a hospital network and rejiggered to mess up a patient's dosage. The FDA said it's not aware of any hacking incidents involving the pumps, whose vulnerability was initially warned of on the US-CERT site in June and then the Industrial Control Systems CERT site in mid-July.

Halamka, who is CIO of Beth Israel Deaconess Medical Center, wrote on his blog: "My view is that this will be the first of many advisories" involving medical device vulnerabilities.

For now, hospitals need to isolate medical devices from the Internet and use firewalls to keep them doubly protected, Halamka says. BIDMC runs three wireless networks: one for guests, one for clinicians/staff, and one for medical devices.

Halamka writes: "Over the past few years, I've asked medical device manufacturers to give me a precise map of the network ports and protocols used by their devices so that I can build a 'pinpoint' firewall - only allowing the minimum necessary transactions from/to the device. Many manufacturers do not seem to know the minimum necessary communication requirements for their products."

Some medical device makers have balked at adding security out of fear that they'll need to re-certify them with the FDA. Halamka says that's hogwash, and that customers should get device makers' CTOs to commit to acceptable security roadmaps or start looking elsewhere for gear. The FDA and organizations involved in the medical field have issued guidelines and benchmarks designed to promote medical device security.
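The "pinpoint" firewall idea quoted above, sketched as an added example (not code from Halamka's blog or BIDMC): a default-deny check of observed connection attempts against a device communication map, which also reports map entries that no traffic ever used. The device VLAN, addresses, ports and sample flows are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed communication map for a hypothetical infusion-pump VLAN
# (10.50.0.0/24). Every address and port here is an illustrative assumption.
ALLOW = [
    {"src": "10.50.0.0/24", "dst": "10.10.5.20/32", "proto": "tcp", "dport": 443},   # pump -> dosing server
    {"src": "10.50.0.0/24", "dst": "10.10.1.5/32", "proto": "udp", "dport": 123},    # pump -> NTP
    {"src": "10.10.5.30/32", "dst": "10.50.0.0/24", "proto": "tcp", "dport": 8443},  # admin station -> pump
]

def match(flow, rules=ALLOW):
    """Return the index of the rule permitting this new connection, else None."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    for i, r in enumerate(rules):
        if (src in ipaddress.ip_network(r["src"])
                and dst in ipaddress.ip_network(r["dst"])
                and flow["proto"] == r["proto"]
                and flow["dport"] == r["dport"]):
            return i
    return None  # default deny: anything not in the map is refused

def audit(flows, rules=ALLOW):
    """Split observed flows into denied ones and list rules that were never hit."""
    hits, denied = Counter(), []
    for f in flows:
        i = match(f, rules)
        if i is None:
            denied.append(f)
        else:
            hits[i] += 1
    unused = [i for i in range(len(rules)) if hits[i] == 0]
    return denied, unused

# Constructed sample of connection attempts seen at the device VLAN gateway.
OBSERVED = [
    {"src": "10.50.0.15", "dst": "10.10.5.20", "proto": "tcp", "dport": 443},
    {"src": "10.50.0.15", "dst": "10.10.1.5", "proto": "udp", "dport": 123},
    {"src": "10.50.0.15", "dst": "203.0.113.7", "proto": "tcp", "dport": 80},  # pump reaching the Internet
    {"src": "10.99.0.8", "dst": "10.50.0.15", "proto": "tcp", "dport": 23},    # guest network reaching a pump
]

if __name__ == "__main__":
    denied, unused = audit(OBSERVED)
    for f in denied:
        print("DENY ", f)
    for i in unused:
        print("UNUSED rule", i, ALLOW[i])
```

Denied flows are what the firewall would block or alert on; rules that stay unused over a representative observation window are candidates for removal, which is how the map converges on the minimum necessary.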

Healthcare outfits should also be aware that medical device vulnerabilities are not just about immediate threats. A study by TrapX Security that we wrote about in June stressed that beyond hackers potentially monkeying around with compromised devices, such equipment can also be used to harbor malware that can later do damage across networks (See "Hijacked medical devices can leave networks exposed").
