Recently, a hack called Medjack has been used to compromise multiple devices in an effort to steal data from hospital networks.
Medjack “has been successful at exploiting the weakness in medical devices to allow an attacker to compromise the network,” McMillan said.
The federal government isn’t working fast enough to address the issue, McMillan said, partly because of the hodgepodge of agencies involved, including the Food and Drug Administration, the Federal Communications Commission, the Department of Homeland Security and HHS’ Office for Civil Rights, just to name a few.
The FDA has recommended that medical-device manufacturers submit documentation regarding cybersecurity issues during the pre-approval process, but McMillan said the industry otherwise lacks regulation on this issue.
Despite vulnerabilities in medical devices, patients are overwhelmingly safer using devices than not using them, said Kevin Fu, an associate engineering professor at the University of Michigan and chief scientist at Virta Laboratories, which is developing a malware detection device for hospital equipment.
Fu said the industry has a long way to go, but there are systems in place to ensure patients’ safety. Part of the problem is that most medical-device engineers aren’t taught IT security in school and have been somewhat unaware of the risk in the past, he said.
Though it’s unlikely patients would be harmed through their implantable devices, it wouldn’t be out of the question for a hacker to use garden-variety malware to infiltrate a hospital’s network and coincidentally break into a medical device running old, vulnerable operating systems, Fu said. Such an attack could prevent infusion pumps from working or cause patient monitors to display incorrect information.
Manufacturers need to make devices that are inherently secure and work directly with hospitals to implement their devices in a protected configuration, Fu said. Devicemakers can’t simply require that the device be installed on a “secure network,” because these days that’s much easier said than done.
“I think a manufacturer can no longer just assume that they’ll provide the device to the hospital, and say, ‘We’ve done our job,’ ” Fu said. “It needs to be much more interactive, because every network is different.”
Industrywide “security hygiene” standards are being formulated through groups like the Association for Advancement of Medical Instrumentation, Fu said, but those efforts are still in their early stages.
Some hospitals have found workarounds to protect the connected devices on their internal wired or wireless networks, but they shouldn’t have to accommodate devicemakers’ often-antiquated operating systems, McMillan said. Manufacturers likely aren’t jumping to work on security because it could force them to undergo the costly process of rewriting outdated code.
“Until someone says they need to address this, bottom line is they’re being driven by their bottom line,” McMillan said.
from Modern Healthcare