Wireless tech makes health care security a 'major concern'
Because many medical devices use commercial operating systems, they are as open to attacks as many computers, says DHS
By Antone Gonsalves
May 18, 2012 — CSO — The use of wireless technology in the latest medical devices found in hospitals, health clinics and doctors' offices has become a major concern of the U.S. Department of Homeland Security (DHS).
In a bulletin issued this month, the DHS warned that while new technology brings efficiency, lower cost and better patient care, it also carries security risks that the multi-trillion-dollar healthcare industry may not be prepared to tackle.
"The communications security of medical devices to protect against theft of medical information and malicious intrusion is now becoming a major concern," the report, entitled "Attack Surface: Healthcare and Public Health Sector," said.
Doctors, nurses and ambulance workers are using wireless medical devices for diagnosis and treatment and to monitor changes in patients' health. The devices can be handheld, wheeled in on a stand or implanted, such as in the case of heart-sustaining pacemakers and defibrillators.
While the Food and Drug Administration (FDA) regulates the manufacture of devices from design to sale, the agency does not have rules for how they should be connected and configured within a network. Therefore, it is up to medical facilities to make sure the devices, which often have access to patient medical information, are protected from hackers.
"Failure to implement a robust security program will impact the organization's ability to protect patients and their medical information from intentional and unintentional loss or damage," the DHS warned.
Even though security features are designed into the medical devices, they may not be used because of the complexity of the technology, or because of ignorance about the capabilities. "Because the technology is so new, there may not be an authoritative understanding of how to properly secure it, leaving open the possibilities for exploitation," the DHS said.
Tight budgets also contribute to the problem, since cash-strapped health facilities may choose to fund other priorities within their operations. But despite these hurdles, security cannot be treated as only a nice-to-have feature.
"In a world in which communication networks and medical devices can dictate life or death, these systems, if compromised, pose a significant threat to the public and private sector," the DHS said.
Because many medical devices use commercial operating systems, they are as open to attack as many computers. Even devices with proprietary systems can be compromised, typically through their software update mechanism.
At the 2011 Black Hat security conference, a researcher demonstrated how he was able to hack into an insulin pump and change its settings without the user's knowledge. The same researcher also used an oscilloscope to eavesdrop on a glucose monitor's transmission.