A bulletin circulated by the U.S. Department of Homeland Security (DHS) this week explained that wireless medical devices (MDs) carry significant security risks. Part of the problem is that the Food and Drug Administration cannot regulate who uses MDs or how they are used – including, most notably, how they're connected to networks.
Such MDs include implantable medical devices, external medical devices, portable computers such as iPads, tablets and smartphones – all of which are creating what DHS referred to as an “expanding attack surface.”
“Instant connectivity of these devices to the Internet or a health information system (HIS) could be compromised if not protected with the latest anti-virus and spyware,” the DHS bulletin explained. “MDs, like smartphones and tablets, are mini-computers with instant access to the Internet or linked directly to a hospital’s network. The device or the network could be infected with malware designed to steal medical information.”
To that end, DHS summarized five main points of entry for wireless mobile devices:
- Insider: The most common ways employees steal data involve network transfer, be that e-mail, remote access or file transfer.
- Malware: These include keystroke loggers and Trojans, tailored to harvest easily accessible data once inside the network.
- Spearphishing: This highly customized technique involves an email-based attack carrying malicious intentions -- disguised as coming from a legitimate source, and seeking specific information.
- Lost equipment: A significant problem because it happens so frequently, even a smartphone in the wrong hands can be a gateway into a health entity’s network and records. And the more that patient information is stored electronically, the greater the number of people potentially affected when equipment is lost or stolen.
DHS described a presentation at last year’s Black Hat conference in which a security researcher, himself diabetic, demonstrated how to disrupt and jam an implanted insulin pump without the user being any the wiser. What’s more, some medical devices contain personal information that could be stolen and sold for illegal uses – as do electronic medical records when stored on unencrypted devices.
In the bulletin, DHS referred to the Department of Veterans Affairs as an example of how to mitigate wireless MD risk – one that federal agencies as well as private health entities could learn from. The VA has been blazing a mobile devices trail.
After more than 180 cyber attacks on VA MDs, the agency isolated such devices from its main network by creating a Virtual Local Area Network (VLAN) replete with access control lists that enable only authorized users to access the main network, thereby protecting clinical data because those same devices are effectively disconnected from other areas of VA’s network.“Healthcare and Public Health Sector IT Administrators need to address the gap between security and mobile device use,” wrote DHS officials. “Areas of concern include unmanaged mobile device access, authentication of users requesting access to a hospital’s web server, how to secure mobile devices with health information, unsecured wireless connectivity or cellular networks, and protection against unauthorized breach of lost and/or stolen devices."