SecurityWeek

DHS Investigating Cybersecurity Flaws in Medical Devices

The U.S. Department of Homeland Security (DHS) is investigating some two dozen suspected cybersecurity flaws in medical devices and hospital equipment, according to a report.

The investigation is part of the regular activities of the department’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). According to Reuters, the products under review include an infusion pump from Hospira Inc. and implantable heart devices from Medtronic Inc. and St. Jude Medical Inc.

In a statement, DHS spokesperson S.Y. Lee told SecurityWeek that DHS ICS-CERT works directly with the Food and Drug Administration (FDA), medical device manufacturers and healthcare professionals and facilities to investigate and address cyber-vulnerabilities.

“DHS actively collaborates with public and private sector partners every day to identify and reduce adverse impacts on the nation’s critical cyber systems,” Lee said.

So far, no evidence has emerged that any of the devices have been attacked, according to Reuters.

Recently, the FDA released a set of recommendations for manufacturers for managing cybersecurity risks and protecting patient health and information. The document, titled ‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices’, recommends that manufacturers consider cybersecurity risks as part of the design and development of medical devices and submit documentation to the FDA about those risks and the controls in place to mitigate them. The guidance also recommends that manufacturers submit their plans for providing updates to operating systems and software.

“The Internet of Medical Things is where cybersecurity literally meets life and death, but the Federal Government is behind the curve on this topic,” said Tim Erlin, director of IT risk and security strategy at Tripwire. “Security researchers have been aware of the existing risks, and the increased risk coming with more connectedness of these devices, for years. The problems here are analogous in some ways to those faced by critical infrastructure. Medical devices, implantable and external, are embedded systems with long lifespans and integrated physical components.”

“The medical device industry should pay attention to the challenges with SCADA equipment running critical infrastructure, and build in security considerations for a networked world at the outset,” he continued. “This is a shift in mindset for developers, more than a technology challenge.”

Most medical devices were designed without a proper threat model being considered, said Tim Keanini, CTO of Lancope. Because of this, IT staff at hospitals have to partition and mitigate access to these devices, he said.

“2013 was a very bad year for retail and a prediction I have is that 2014 will be a bad year for healthcare as cybercriminals will find ways to monetize information stolen or held ransom in this industry,” he said.
