The use of wireless technology in the latest medical devices found in hospitals, health clinics and doctor offices has become a major concern of the U.S. Department of Homeland Security (DHS).
In a bulletin issued this month, the DHS warned that while new technology brings efficiency, lower cost and better patient care, it also carries security risks that the multi-trillion-dollar healthcare industry may not be prepared to tackle.
"The communications security of medical devices to protect against theft of medical information and malicious intrusion is now becoming a major concern," the report, entitled "Attack Surface: Healthcare and Public Health Sector," said.
Doctors, nurses and ambulance workers are using wireless medical devices for diagnosis and treatment and to monitor changes in patients' health. The devices can be handheld, wheeled in on a stand or implanted, such as in the case of heart-sustaining pacemakers and defibrillators.
While the Food and Drug Administration (FDA) regulates the manufacture of devices from design to sale, the agency does not have rules for how they should be connected and configured within a network. Therefore, it is up to medical facilities to make sure the devices, which often have access to patient medical information, are protected from hackers.
"Failure to implement a robust security program will impact the organization's ability to protect patients and their medical information from intentional and unintentional loss or damage," the DHS warned.
Even though security features are designed into the medical devices, they may not be used because of the complexity of the technology, or because of ignorance about the capabilities. "Because the technology is so new, there may not be an authoritative understanding of how to properly secure it, leaving open the possibilities for exploitation," the DHS said.
Tight budgets also contribute to the problem, since cash-strapped health facilities may choose to fund other priorities within their operations. But despite these hurdles security cannot be treated as only a nice-to-have feature.
"In a world in which communication networks and medical devices can dictate life or death, these systems, if compromised, pose a significant threat to the public and private sector," the DHS said.
Because many medical devices use commercial operating systems, they are as open to attack as many computers. Even devices with proprietary systems can be compromised, typically through their software update mechanism.
At the 2011 Black Hat security conference, a researcher demonstrated how he was able to hack into an insulin pump and change its settings without the user's knowledge. The same researcher also used an oscilloscope to eavesdrop on a glucose monitor's transmission.
In 2009, Kevin Fu, an assistant professor in computer science at the University of Massachusetts, Amherst, hacked into a defibrillator, a device that uses electricity to stabilize a person's heart beat. Fu was able to reprogram the device, so it would give a shock to a patient's heart, the DHS said. He was also able to disable the defibrillator's power-saving mode, causing the battery to run down in hours rather than years.
Roughly a quarter of hospitals do not perform annual evaluations to determine the risks to patient data within their organizations, according to a 2011 survey by the Healthcare Information and Management Systems Society, a nonprofit organization specializing in healthcare security issues. In addition, the majority of respondents reported spending 3 percent or less of their overall IT budget on security.
The DHS points out that hospitals can be held liable for the loss of patients' information. For example, a USB drive can hold as many as 25,000 patient records. Theft or loss of such a drive could cost a hospital $6 million in penalties, including legal fees, notification to affected patients and the cost of services to monitor the use of the victims' personal identities, the agency said.
Best practices recommended by the DHS to secure medical devices included buying only networkable devices that IT staff can configure. The agency also said healthcare facilities should purchase vendor support for firmware, patching and anti-virus updates.
Other recommendations included maintaining external-facing firewalls, deploying network monitoring and intrusion detection techniques and placing devices whenever possible on a separate segment of the network. The DHS also advised implementing strict access policies and using encryption and authentication at both ends of a communication channel.