mHealth13: Preventable vulnerabilities often threaten med device security

Several vulnerabilities--some entirely preventable--continue to plague medical devices when it comes to security, according to panelists speaking Wednesday at the mHealth Summit in Washington, D.C. For instance, said Kurt Finke, director of the Office of Healthcare Technology Management for the U.S. Department of Veterans Affairs, many hospitals today tend to attach such tools to their IT networks. That, he said, can create more trouble than it seems.

"More and more, devices are 'network attached,' that previously would not have been," Finke said. "For example, diagnostic imaging equipment or ICU bedside monitors... Decades ago, they were never attached to a network. Maybe they were [attached] to an inner connection network amongst themselves so, for instance, a bedside monitor could be seen at a nurses' station, but not to a hospital or enterprise-wide network."

Another vulnerability, according to Finke, is the continued use of removable media, such as thumb drives, to save and transport sensitive data.

"Most of our infections of medical devices in the VA, the source of those infections has been removable media," Finke said. "When you put a thumb drive into a medical device, that introduces risk."

Despite the obvious benefits of encryption, Daniel Silverstein, a security consultant specialist with Kaiser Permanente, said that devices at many facilities remain unencrypted.

"Also, many times, devices come with no or limited antivirus protection, or the antivirus protection is disabled," Silverstein said. "What's more, many devices are not at all tolerant to industry standard vulnerability scanning tools."

Finke added that employee actions--whether accidental or with intent--must not be overlooked as sources of vulnerability.

"It's amazing what medical staff will do when they've got off time in the middle of the night," Finke said. "They'll check their home email or surf the Internet via a medical workstation."

Last month, the National Institute of Standards and Technology launched a formal review of its encryption processes. NIST data encryption standards are currently used in electronic healthcare data security and exchange.

In October, former U.S. Vice President Dick Cheney told CNN's Sanjay Gupta that when he was in office, his doctors turned off the wireless function of his implanted cardiac defibrillator "in case a terrorist tried to send his heart a fatal shock."

In September 2012, the Government Accountability Office released a report stating that the Food and Drug Administration needs to pay more attention to the information security risks for implantable medical devices--such as heart defibrillators and insulin pumps--including the threat of hacking and sabotage.