Dr. John Halamka has taken to his "Life as a Healthcare CIO" blog to sound the alarm on medical device threats in the wake of the FDA late last week issuing its first cybersecurity warning about a specific medical device.
The Food and Drug Administration urged healthcare facilities to stop using Hospira's Symbiq Infusion System, a common device for dispensing fluids/drugs to patients that the manufacturer says is being removed from the market. The warning spells out that the devices could be accessed via a hospital network and rejiggered to mess up a patient's dosage. The FDA said it's not aware of any hacking incidents involving the pumps, whose vulnerability was initially warned of on the US-CERT site in June and then the Industrial Control Systems CERT site in mid-July.
Halamka, who is CIO of Beth Israel Deaconess Medical Center, wrote on his blog: "My view is that this will be the first of many advisories" involving medical device vulnerabilities.
For now, hospitals need to isolate medical devices from the Internet and use firewalls to keep them doubly protected, Halamka says. BIDMC runs three wireless networks: one for guests, one for clinicians/staff, and one for medical devices.
Halamka writes: "Over the past few years, I’ve asked medical device manufacturers to give me a precise map of the network ports and protocols used by their devices so that I can build a 'pinpoint' firewall - only allowing the minimum necessary transactions from/to the device. Many manufacturers do not seem to know the minimum necessary communication requirements for their products."
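A sketch of what such a "pinpoint" policy amounts to in practice, as an added example that is not from Halamka's blog or from any vendor: a default-deny check of observed flows against a device communication map. The device subnet, peer addresses, ports and flow records are all constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# direction: "out" = device initiates, "in" = peer initiates; port = destination port
Rule = namedtuple("Rule", "direction peer proto port")
Flow = namedtuple("Flow", "src dst proto dport")

# Constructed values: device VLAN and a hypothetical vendor communication map.
DEVICE_NET = ipaddress.ip_network("10.50.0.0/24")
ALLOW = [
    Rule("out", "10.10.5.10/32", "tcp", 443),   # pump management server
    Rule("out", "10.10.0.53/32", "udp", 53),    # internal DNS
    Rule("in", "10.10.5.10/32", "tcp", 8443),   # server-initiated updates
]

def verdict(flow, rules=ALLOW, device_net=DEVICE_NET):
    """Default deny: a flow passes only if it matches one rule exactly."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src in device_net and dst in device_net:
        return "deny"  # this map permits no device-to-device traffic
    if src in device_net:
        direction, peer = "out", dst
    elif dst in device_net:
        direction, peer = "in", src
    else:
        return "not-device"  # traffic that does not touch the device VLAN
    for r in rules:
        if ((r.direction, r.proto, r.port) == (direction, flow.proto, flow.dport)
                and peer in ipaddress.ip_network(r.peer)):
            return "allow"
    return "deny"

def audit(flows):
    """Return the flows the pinpoint policy would block, for review."""
    return [f for f in flows if verdict(f) == "deny"]

# Constructed flow records, e.g. as exported from a switch or firewall log.
SAMPLE = [
    Flow("10.50.0.21", "10.10.5.10", "tcp", 443),    # pump to its server
    Flow("10.10.5.10", "10.50.0.21", "tcp", 8443),   # server to pump
    Flow("10.10.7.44", "10.50.0.21", "tcp", 22),     # staff workstation to pump
    Flow("10.50.0.21", "203.0.113.9", "tcp", 443),   # pump to Internet
    Flow("10.50.0.21", "10.50.0.22", "tcp", 445),    # pump to pump
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("BLOCK", f)
```

Running the same audit over real flow logs before enforcing the rules shows which traffic a vendor's stated map fails to account for.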
Some medical device makers have balked at adding security out of fear that they'll need to re-certify their devices with the FDA. Halamka says that's hogwash, and that customers should get device makers' CTOs to commit to acceptable security roadmaps or start looking elsewhere for gear. The FDA and organizations involved in the medical field have issued guidelines and benchmarks designed to promote medical device security.
Healthcare outfits should also be aware that medical device vulnerabilities are not just about immediate threats. A study by TrapX Security that we wrote about in June stressed that beyond hackers potentially monkeying around with compromised devices, such equipment can also be used to harbor malware that can later do damage across networks (See "Hijacked medical devices can leave networks exposed").