The U.S. Department of Homeland Security (DHS) is investigating some two dozen suspected cybersecurity flaws in medical devices and hospital equipment, according to a report.
The investigation is part of the regular activities of the department’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). According to Reuters, the products under review include an infusion pump from Hospira Inc. and implantable heart devices from Medtronic Inc. and St. Jude Medical Inc.
In a statement, DHS spokesperson S.Y. Lee told SecurityWeek that DHS ICS-CERT works directly with the Food and Drug Administration (FDA), medical device manufacturers and healthcare professionals and facilities to investigate and address cyber-vulnerabilities.
“DHS actively collaborates with public and private sector partners every day to identify and reduce adverse impacts on the nation’s critical cyber systems,” Lee said.
So far, no evidence has emerged that any of the devices have been attacked, according to Reuters.
Recently, the FDA released a set of recommendations for manufacturers for managing cyber-security risks and protecting patient health and information. The documented, titled ‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices’, recommends that manufacturers consider cybersecurity risks as part of the design and development of medical devices and submit documentation to the FDA about those risks and the controls in place to mitigate them. The guidance also recommends manufacturers submit their plans for providing updates to operating systems and software.
“The Internet of Medical Things is where cybersecurity literally meets life and death, but the Federal Government is behind the curve on this topic,” said Tim Erlin, director of IT risk and security strategy at Tripwire. “Security researchers have been aware of the existing risks, and the increased risk coming with more connectedness of these devices, for years. The problems here are analogous in some ways to those faced by critical infrastructure. Medical devices, implantable and external, are embedded systems with long lifespans and integrated physical components.”
“The medical device industry should pay attention of the challenges with SCADA equipment running critical infrastructure, and build in security considerations for a networked world at the outset,” he continued. “This is a shift in mindset for developers, more than a technology challenge.”
Most medical devices were designed without a proper threat model being considered, said Tim Keanini, CTO of Lancope. Because of this, IT staff at hospitals have to partition and mitigate access to these devices, he said.
“2013 was a very bad year for retail and a prediction I have is that 2014 will be a bad year for healthcare as cybercriminals will find ways to monetize information stolen or held ransom in this industry,” he said.