SecurityWeek

Security Infrastructure

DHS Investigating Cybersecurity Flaws in Medical Devices

The U.S. Department of Homeland Security (DHS) is investigating some two dozen suspected cybersecurity flaws in medical devices and hospital equipment, according to a report.

The investigation is part of the regular activities of the department’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). According to Reuters, the products under review include an infusion pump from Hospira Inc. and implantable heart devices from Medtronic Inc. and St. Jude Medical Inc.

In a statement, DHS spokesperson S.Y. Lee told SecurityWeek that DHS ICS-CERT works directly with the Food and Drug Administration (FDA), medical device manufacturers and healthcare professionals and facilities to investigate and address cyber-vulnerabilities.

“DHS actively collaborates with public and private sector partners every day to identify and reduce adverse impacts on the nation’s critical cyber systems,” Lee said.

So far, no evidence has emerged that any of the devices have been attacked, according to Reuters.

Recently, the FDA released a set of recommendations for manufacturers for managing cyber-security risks and protecting patient health and information. The document, titled ‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices’, recommends that manufacturers consider cybersecurity risks as part of the design and development of medical devices and submit documentation to the FDA about those risks and the controls in place to mitigate them. The guidance also recommends manufacturers submit their plans for providing updates to operating systems and software.

“The Internet of Medical Things is where cybersecurity literally meets life and death, but the Federal Government is behind the curve on this topic,” said Tim Erlin, director of IT risk and security strategy at Tripwire. “Security researchers have been aware of the existing risks, and the increased risk coming with more connectedness of these devices, for years. The problems here are analogous in some ways to those faced by critical infrastructure. Medical devices, implantable and external, are embedded systems with long lifespans and integrated physical components.”

“The medical device industry should pay attention to the challenges with SCADA equipment running critical infrastructure, and build in security considerations for a networked world at the outset,” he continued. “This is a shift in mindset for developers, more than a technology challenge.”

Most medical devices were designed without a proper threat model being considered, said Tim Keanini, CTO of Lancope. Because of this, IT staff at hospitals have to partition and mitigate access to these devices, he said.

“2013 was a very bad year for retail and a prediction I have is that 2014 will be a bad year for healthcare as cybercriminals will find ways to monetize information stolen or held ransom in this industry,” he said.
