Vulnerabilities in Medical Devices

By   ISBuzz Team
Writer , Information Security Buzz | Feb 24, 2016 10:00 pm PST

According to a new report, “the healthcare sector is a good 10 to 15 years behind the retail sector when it comes to security.” “We can’t accept what we have now. If we assume a loss of life scenario, the consequence of failure is too high.” Said Scott Erven, a medical device security advocate who spoke at last week’s Security Analyst Summit.

Following this news, security experts from AlienVault and Lieberman Software discuss whether there genuinely is a possibility of death due to vulnerabilities in medical devices, as well as what should be done to protect them.

[su_note note_color=”#ffffcc” text_color=”#00000″]Javvad Malik, Security Advocate at AlienVault:

  • Do you agree that these vulnerabilities can actually lead to death?

“Whenever you’re dealing with medicine at large, the consequences can be huge. Considering even an overdose of a non-prescription drug such as Paracetamol can lead to death. The biggest challenge comes from where medical devices are remotely accessible.

You can break these devices down into two parts:

  1. Those devices which administer treatment or medication of some sort.
  2. Those devices which doctors rely on to make decisions.

For the first type, causing a system to increase or decrease medication can have a direct impact on someone’s life.

While the second type of device may not directly impact someone, it can cause a doctor to make an incorrect diagnosis. In both scenarios there exists the potential to impact life – albeit in different ways.

There’s been a ton of independent research conducted from a variety of different professionals demonstrating the vulnerabilities that exist. A lot of the flaws tie back to the wider IoT issues – old systems, getting updated with internet connectivity for the sake of convenience with little or no thought given to security. Just because you can automate a device or make it remotely accessible, doesn’t mean that you should.”

  • What needs to be done?

“Security is often a tough sell. The vulnerabilities exist somewhat due to budget constraints and others due to technological constraints. For example, some medical devices are said to have weak or unchangeable passwords. Or doesn’t include encryption or authentication controls.

Hospitals themselves need to evaluate their internal networks and how systems are connected and authenticated. This will vary in different hospitals, but creating secure trusted zones for medical devices, continually monitoring for unusual activity and other best practises are a must.”

“Secure development and system hardening should be implemented when a device is first manufactured and shipped.

But perhaps more importantly, the vendors should keep researching the latest threats as they develop and issue patches and fixes where appropriate. If these are not possible, they should at the very least be issuing advisories with recommendations of mitigating controls.

Building in manual override or recovery options to continue using machinery even if offline.

Having integrity and other assurance processes and technologies in place to ensure systems are operating as designed.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Jonathan Sander, VP of Product Strategy at Lieberman Software:

  • Do you agree that these vulnerabilities can actually lead to death?

“The security vulnerabilities found in medical devices could lead to someone’s death in the same way that walking on the sidewalk could lead to your death if a driver decided to mount the curb and aim for you. Most breaches and exploits happen for some reason. Bad guys infect your machine with Cryptowall in order to blackmail you, but if they kill you with a faulty medical device who would pay them. Of course, maybe someone is paying them to kill you or they are just a psychopath entertaining themselves. These are hardly likely, but not impossible.

One example of the type of flaw found in these devices is hard coded, default passwords. If you’ve ever had to set up a device like a wireless router in your home and had to use a password that was written in the device’s instructions, then you’ve encountered this. A good manual will tell you to change that default password immediately, but many do not instruct that and most people don’t listen when they do. Medical devices also often come with a password that ought to be changed but isn’t. That means any bad guy with the instructions for the device can do real harm quite easily if they wish.”

  • What needs to be done?

“No effort is without cost. Mitigating the security flaws would cost money and time many medical facilities don’t think they have. The real question is if the risk is more expensive than the solution.”[/su_note]