Securing connected medical devices: Will categorizing them as ICS help?

Oct 04, 2018 | 4 mins
Critical Infrastructure, Internet of Things, Security

Now that they’re no longer protected by an “air gap,” let’s consider what’s needed to protect connected medical devices from security threats.

medical network / healthcare IoT / hospital connections and communications
Credit: MetamorWorks / Getty Images

Since April of this year, the Department of Homeland Security (DHS) Industrial Control Systems Emergency Response Team has issued several alerts advising healthcare entities of cyber vulnerabilities in equipment ranging from medical imaging systems to patient monitoring gear. In addition, medical device manufacturers, including Philips, Abbott and BD, have reported their own security vulnerabilities via ICS-CERT alerts.

In reviewing the ICS-CERT notices, it’s interesting to note that within the United States, medical devices are categorized as Industrial Control Systems (ICS). For many in IT security, ICS or SCADA (Supervisory Control And Data Acquisition) security only gained notoriety with the advent of the Stuxnet malware that was used to compromise Iran’s nuclear facilities in 2010. Who could imagine that medical devices would be grouped with SCADA technologies in terms of the magnitude and criticality of their security?

When viewed as previously isolated and discrete hardware that has since been connected to a network, medical devices are no different from ICS or SCADA systems. While these devices have been networked and interconnected for some time now, only recently has the industry begun to implement physical and logical security controls to protect them.

Fortunately, several initiatives are underway to improve the security of medical devices, including the FDA’s recently published “Medical Device Safety Action Plan.” There’s also an interesting proposal for a Hippocratic Oath for Connected Medical Devices from I Am The Cavalry, a cybersecurity volunteer association focused on public safety concerns. Their Oath identifies measures to preserve patient safety and trust in the healthcare system as a response to the increasing reliance placed on connected devices.

Now that they’re no longer protected by an “air gap,” let’s consider what’s needed to protect connected medical devices from security threats.

Protecting connected medical devices

Just as in IT, the foundation for medical device security begins with asset management, namely the discovery, assessment and inventory of all medical IoT devices in an environment. Understanding their security configurations and vulnerabilities is critical, especially since many of the devices use outdated and end-of-life operating systems and provide limited capabilities for updating device configurations or applying patches.

Step two involves log management, which provides visibility into activity on these devices. However, making sense of log data and turning it into actionable intelligence is more challenging than with IT devices, since medical systems are not designed with built-in security and management functionality. There is some good news, though. Advances in data science and machine learning can provide insights that were previously unattainable and even predict impending problems.

Hackers have already demonstrated the ability to compromise and disrupt healthcare networks with ransomware or to “medjack” devices to infect other interconnected devices or IT systems.

Analytics can help protect medical devices in several ways. By taking the first step to discover what devices are present on the network, entity-based analytics enable organizations to detect unexpected changes in device configurations, broken or malfunctioning equipment and even devices that have gone rogue due to the introduction of malware or ransomware.

One important new capability provided by analytics is the ability to test for the veracity of the authorization model configured on the medical device. Most medical devices are set with a default username and password applied during manufacturing, which provide access to perform firmware updates or periodic preventative maintenance. Since these default credentials are present in similar devices all over the world, if left unchanged, they pose a massive security vulnerability. Using analytics to monitor medical devices can play a central role in reducing many of the inherent risks built into their standard configurations.

In addition, analytics can monitor the location of medical devices, especially since many of them are highly portable or mobile and are often being moved to different patients or locations. For example, analytics can provide information about whether a medical device is in use or how long ago it was used, and help manage inventory and “lost” devices.
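The inventory, configuration-change, default-credential and last-use checks described above can be combined into a single audit of one network snapshot against the asset baseline. The sketch below is an added example, not code from the article or from any product; the device names, record fields, end-of-life list and 30-day idle threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: names, fields and values are assumptions for illustration.
EOL_OS = {"Windows XP", "Windows Server 2003"}
BASELINE = {  # what asset management recorded for each device
    "pump-01": {"os": "Windows XP", "firmware": "2.1", "ports": {443}, "default_creds": False},
    "monitor-07": {"os": "Linux 4.14", "firmware": "5.0", "ports": {22, 443}, "default_creds": True},
    "imaging-03": {"os": "Windows 10", "firmware": "1.8", "ports": {104, 443}, "default_creds": False},
}
OBSERVED = {  # what discovery and log collection see today
    "pump-01": {"os": "Windows XP", "firmware": "2.1", "ports": {443, 445}, "last_seen": "2018-10-03T09:00"},
    "monitor-07": {"os": "Linux 4.14", "firmware": "5.0", "ports": {22, 443}, "last_seen": "2018-08-01T12:00"},
    "unknown-99": {"os": "Linux 3.2", "firmware": "?", "ports": {23}, "last_seen": "2018-10-04T08:00"},
}

def audit(baseline, observed, now, idle_after=timedelta(days=30)):
    """Return sorted (device, finding) pairs for one inventory snapshot."""
    findings = []
    for dev, seen in observed.items():
        base = baseline.get(dev)
        if base is None:  # on the network but never inventoried
            findings.append((dev, "not in inventory"))
            continue
        if base["os"] in EOL_OS:
            findings.append((dev, "end-of-life OS"))
        if base["default_creds"]:  # manufacturer login never changed
            findings.append((dev, "default credentials unchanged"))
        for field in ("os", "firmware"):  # unexpected configuration change
            if seen[field] != base[field]:
                findings.append((dev, f"{field} changed"))
        new_ports = seen["ports"] - base["ports"]
        if new_ports:
            findings.append((dev, f"new open ports {sorted(new_ports)}"))
        if now - datetime.fromisoformat(seen["last_seen"]) > idle_after:
            findings.append((dev, "idle beyond threshold"))
    for dev in baseline.keys() - observed.keys():  # possible "lost" device
        findings.append((dev, "inventoried but not observed"))
    return sorted(findings)

if __name__ == "__main__":
    for dev, finding in audit(BASELINE, OBSERVED, datetime(2018, 10, 4, 12, 0)):
        print(f"{dev}: {finding}")
```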

Clearly, the pace of implementation of medical IoT devices has far outstripped both automated and manual management capabilities and update processes. While newer generations of medical devices will undoubtedly move beyond the current rudimentary functionality provided and become true smart devices, we need to find ways to manage and mitigate risk in current infrastructures. Analytics can provide the intelligence needed to mind the security gaps that are present in today’s medical devices, regardless of whether we call them ICS or IoT.


Leslie K. Lambert, CISSP, CISM, CISA, CRISC, CIPP/US/G, former CISO for Juniper Networks and Sun Microsystems, has over 30 years of experience in information security, IT risk and compliance, security policies, standards and procedures, incident management, intrusion detection, security awareness and threat vulnerability assessments and mitigation. She received CSO Magazine’s 2010 Compass Award for security leadership and was named one of Computerworld’s Premier 100 IT Leaders in 2009. An Anita Borg Institute Ambassador since 2006, Leslie has mentored women across the world in technology. Leslie has also served on the board of the Bay Area CSO Council since 2005. Lambert holds an MBA in Finance and Marketing from Santa Clara University and an MA and BA in Experimental Psychology.

The opinions expressed in this blog are those of Leslie K. Lambert and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.