Medical Devices at Clinical Facilities: A Hacker’s Playground

A recent Wired article on the vulnerabilities of hospital equipment should be a wake up call to the health care industry.

What may be completely obvious to an information security professional may simultaneously stun healthcare executives. The number of new medical devices at clinical facilities connected to or accessible from the clinical network is exploding.  Many aren’t designed to be secure; some were actually designed under the assumption they would never be accessible from the Internet.  However, networks to which these devices are attached often turn out to have one (or more) Internet gateways, rendering design assumptions about perimeter security moot.

All of this to say, it’s not enough to survey the landscape to identify data risks after systems and devices are put in place in a healthcare facility. The time to identify potential vulnerabilities and mitigate them is before they become part of the landscape! When the dust settles after a new device purchase, the IT and security teams are left with an inventory of problems to fix.

So, how do we empower clinical and executive leadership to reduce the number of vulnerable systems introduced into the environment? Here are some possible considerations:

  • Ensure your IT team is involved in the evaluation and acquisition of ANY connected medical device.  Any device requiring an IP address needs to be assessed for security and IT must be involved.
  • Security flaws such as hard-coded credentials, weak or proprietary encryption and difficult or impossible firmware updates should be grounds for downgrading or eliminating the device from the candidate pool.  Vote with your pocket book!
  • Manage medical devices like the rest of your IT infrastructure.  These connected devices should be captured as configuration items in the enterprise configuration management database.  Even if your CMDB is an excel spreadsheet, you can’t manage what you can’t find.
  • Ensure your network architecture allows for isolation of less secure devices.  If the device is needed to treat patients, but cannot be fully secured, at least isolate it from other systems.  Most importantly, restrict the device’s access to the Internet.
  • Educate your medical staff.  Raise awareness about the potential danger to patient care if a medical device is hacked so the clinical team can be part of the solution instead of unwitting accomplices.

There are a lot of new and exciting tools coming out which can dramatically improve patient care.  However, you do not want these devices to expose ePHI.  If the device cannot be adequately secured or isolated, it may be better to wait until it is more fully developed.

After all, primum non nocere applies to technical innovation and medical procurement as much as it applies to medical care.

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.