Networked Medical Devices at Risk

June 8th, 2016 by Kurt Roemer, | 0 Comments

Networked medical devices are becoming steadily more common, and they are making things easier for both patients and healthcare providers. However, there is an accompanying risk of attack from malicious hackers – especially since most of these devices are not designed with security aforethought. The Cipher Brief asked Kurt Roemer, Chief Security Strategist for Citrix Systems, about the nature of the threat to networked medical devices. According to Roemer, better standards and instruction need to be developed in order to protect both patients and their data.

The Cipher Brief: A 2015 report from Forrester indicated that insecure, networked medical devices would be a major threat in the near term, with ransomware forming a key aspect of the threat itself. How do you assess the cyber-vulnerability of networked medical devices?

Kurt Roemer: Many networked medical devices were designed only for internal or personal networks – not for the rigors of security necessary to be exposed to the internet. The criticality of these devices in indicating health parameters and medical conditions, their use to control or direct therapies, and the sensitivity of private health data, indicates medical devices must be configured as secured internet citizens. The use of simple security measures such as passwords, the inability to update key embedded security components (i.e. OpenSSL), and poorly documented security controls cause risk to the confidentiality, integrity, and availability of medical data – and are potentially a direct risk to the patient. Ransomware can keep critical lifesaving data from being available when needed and keep facilities from being able to correctly account for and bill for services performed.

For assessment of networked medical devices, practices similar to those on PC networks should be performed (vulnerability assessment, penetration testing, interoperability testing). The one main difference with medical devices is the focus on the patient – what sensitive patient data does the attack disclose? What is the impact to the patient if data is manipulated?

TCB: Why might a hacker target medical devices, as opposed to other potential targets in other sectors? What factors are likely to affect the desirability of targeting a medical device, and how do you expect those factors will change in the next 10 years?

KR: Hacking medical devices yields power to the attacker that ranges from obtaining data that can be used for identity theft and extortion to directly attacking the physical world – recording false readings, increasing dosages, disabling therapies – and therefore directly affecting the health (and life) of the patient. Factors affecting the targeting of medical devices are the richness and value of the data that can be obtained. There are many parallels here to the financial world, where basic credit card terminals enable theft of cardholder data, and more advanced terminals have authentication built in via chip-and-PIN, along with end-to-end encryption of data. As the value of protecting medical data receives the attention, as it should, regulations, standards, and products will evolve to meet requirements for protection, as cardholder environments have with the PCI DSS.

TCB: How has the healthcare industry responded to the growing cyber-threat in this area? What more still needs to be done?

KR: Medical institutions have struggled to further isolate vulnerable devices and are also pushing vendors to increase the security of devices and services to acceptable levels. Consumers are rating products lower that expose their data and cannot be securely patched and updated. Standards need to be developed, instituted, and adopted to secure these devices and services while providing clear indication to medical professionals and consumers that protections are enabled. Devices that are beyond their end-of-support date for security review and updates must be taken out of service, and applications that can no longer appropriately secure healthcare data must securely dispose of that data. Easier said than done, but there are many innovators working on the problems of adaptive healthcare security.

TCB: What is the role of the government in combating this type of threat? How can government and industry better work together to make medical devices more secure?

KR: For a great example of the government’s role in securing healthcare, visit http://healthcare.nist.gov. NIST (National Institute of Standards and Technology) is addressing many complex issues in healthcare security, including medical devices and data quality.

Tagged with:Cybersecurity

Featured Piece

Warning Signs of a More Dangerous Global Conflict

BOTTOM LINE UP FRONT — If President Joe Biden’s recent remarks in Poland and President Vladimir Putin’s in Moscow just a day later are any indication of the path forward, the February 24 anniversary of the Russian invasion of Ukraine may represent the beginning of a new and potentially much more dangerous phase of the conflict, which is increasingly looking like a conflict between NATO and the Russian Federation.

FEB 22, 2023, BY ROB DANNENBERG

What the Experts Say

The Cipher Brief’s Open Source Report is an extraordinary product and an important daily read for situational awareness on national security issues.

General John R. Allen (Ret.) Former Commander of the NATO International Security Assistance Force in Afghanistan

I’m proud to be part of the network of experts at The Cipher Brief, which provides superb geopolitical advice and intelligence insights.

Admiral James Stavridis Former Supreme Allied Commander, NATO

The in-depth analysis The Cipher Brief provides, on all issues affecting our national security, written by some of the most senior and knowledgeable public and private sector experts, is truly unique and invaluable. It’s a must read for anyone interested in world affairs.

Ambassador Joseph R. Detrani Former Director, National Counter Proliferation Center

Congratulations to The Cipher Brief for actively promoting a national conversation – through conferences, analysis, and webinars at the highest level – on our country’s national security, intelligence capabilities, and challenges in confronting adversaries and competitors alike.

Emile Nakhleh Former Member, CIA's Senior Intelligence Service

The Cipher Brief has become required reading for national security decision-makers and practitioners. You can be certain that Cipher Brief articles are substantive in content and provide thoughtful analysis from expert professionals.

John Sipher Former Member, CIA's Senior Intelligence Service

The Cipher Brief is far from just another website pontificating about the subjects of the day without any credibility. With The Cipher Brief, you can always be sure that the authors actually know what they are writing about.

Kevin Hulbert Former CIA Chief Of Station

The Cipher Daily Brief

Sign up for the Free Newsletter

Get a daily rundown of the top security stories delivered to your inbox Monday through Friday with exclusive briefs and columns on what matters most to you and your organization.

Networked Medical Devices at Risk

Leave a Reply

The New Breathtaking ‘Red London’

The Cipher Daily Brief

Search