Medjacking, Part 2

Written by :  Richard Sheinis, Esq.

Over the last several months I have written about the dangers of hacker’s compromising various types of internet connected medical devices used by hospitals, and other medical providers. TrapX Security has now issued Part 2 of their “Anatomy of Attack” series, addressing the hacking of medical devices (http://deceive.trapx.com/rs/929-JEW-675/images/AOA_Report_TrapX_MEDJACK.2.pdf?aliId=1419599).

This is an excellent study, which highlights the continued vulnerability of Internet connected medical devices. One of the challenges in securing medical devices is that any security has to be built-in by the manufacturer. Medical providers cannot change or alter medical devices, which have gone through the FDA approval process.Therefore, the medical provider’s usual cyber defense software cannot be installed on the device. Unfortunately, hackers have been able to breach medical devices even when they are installed on the medical provider’s system, which is believed to be protected by the providers firewall.

Hackers are using medical devices to establish a “back door”, which cannot easily be detected. Once inside the medical device, the hacker can gain access to other areas within the medical providers network or system. In short, medical devices on a health care network present a high level of vulnerability.

Courtesy of TrapX Security, the following are some cyber defense best practices for securing medical devices:

1. Isolate medical devices inside a network which is not connected to the external internet.

2. Review medical devices currently on your network to determine if they are already infected.

3. Develop a strategy for medical device security going forward.

4. When purchasing new medical devices, address security with the vendor or manufacturer.

5. Review existing medical device contracts, and update to address security and remediation.

6. Purchase devices that allow your internal IT team to run security tests to discover vulnerabilities, which can be addressed with the manufacturer.

The use of internet connected medical devices will increase with time. Perhaps the most important “best practice” is to simply realize that medical device security is an issue which much must be addressed, rather than purchasing and implementing medical devices without considering security. The “stick your head in the sand” approach is never a good idea. Medical device security is also an important part of HIPAA compliance, which requires a risk analysis to identify vulnerabilities, and a risk management plan to address these vulnerabilities. Please let me know if you have any questions regarding how to implement a medical device security strategy at your facility.