Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Yes, medical device security is lousy - so what?

Taylor Armerding | Aug. 14, 2014
The security of medical devices against online attacks is barely an afterthought. But at least a few experts say that is not a serious problem - rather, the risks pale in comparison to the benefits of connected devices

medical device
Credit: Shutterstock

There is no debate among security experts that the security of Internet-enabled medical devices is woefully inadequate.

But there is considerable disagreement about how risky that is for patients. Some say the benefits of connected devices far outweigh what they consider minute risks of a catastrophic attack; while others say even a relatively low likelihood of an attack is too much. Life and health are, after all, much more significant than a credit card number being stolen.

And it is clear that medical devices are made with just one kind of security built in —- to function flawlessly, possibly for years at a time, so as not to jeopardize the life or health of the patients they serve.

The other kind — security from malicious online attacks not so much.

Until recently, that was largely irrelevant. Medical devices weren't Internet enabled. But that has all changed, with an explosive increase in medical devices connected to the Web plus Electronic Health Records (EHR), driven by incentives in the Affordable Care Act (ACA — commonly known as Obamacare) to improve health care while controlling costs.

And that has led to reports from people like Scott Erven, head of information security at Essentia Health, which operates about 100 clinics, hospitals and pharmacies in Minnesota, North Dakota, Wisconsin and Idaho. Erven recently completed a two-year audit of the chain's equipment, and said the security problems he found were even worse than he expected.

He told Wired magazine that many of the devices had, "common security holes, including lack of authentication ...; weak passwords or default and hardcoded vendor passwords like 'admin' or '1234'; and embedded web servers and administrative interfaces that make it easy to identify and manipulate devices once an attacker finds them on a network."

He listed a number of examples of what could happen. Among them: Bluetooth-enabled defibrillators that an attacker could control to deliver random shocks to a patient's heart or prevent a medically needed shock; or the possibility that an attacker could "take critical equipment down during emergencies or crash all of the testing equipment in a lab and reset the configuration to factory settings."

There is also general agreement that there are multiple reasons for those vulnerabilities, starting with both a skill and culture gap. Developers of medical device software are very skilled at making it reliable but not in securing it for use with networked applications.

As Carl Wright, general manager of North America for TrapX Security, puts it, "IT is not their core competency. There are a lot of vertical industries where that's the case. It's almost like operating in the previous decade."


1  2  3  4  Next Page 

Sign up for CIO Asia eNewsletters.