DHS Investigates Dozens Of Medical Device Cybersecurity Flaws - InformationWeek

The Department of Homeland Security is reportedly investigating two dozen products from major medical device manufacturers for security holes.

The US Department of Homeland Security confirmed on Wednesday that it is investigating about two dozen cases of reported cybersecurity flaws in medical devices from various vendors.

Members of DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) are currently engaged with officials from the US Food and Drug Administration (FDA), medical device manufacturers, and healthcare professionals to address the vulnerabilities, DHS spokesman S.Y. Lee said Wednesday.

Reuters earlier had broken news of the investigation and quoted unnamed sources as identifying Hospira Inc., St. Jude Medical Inc., and Medtronic Inc. as among the vendors whose products are being scrutinized by the DHS.

The investigations, which started quietly about two years ago, stem from growing fears of malicious hackers exploiting security flaws in modern network-connected medical devices to lethal effect, Reuters said.

Lee today confirmed the investigations but did not identify any of the companies or devices being reviewed for flaws. "DHS actively collaborates with public and private sector partners every day to identify and reduce adverse impacts on the nation's critical cyber systems," Lee said in an emailed statement. The investigation is part of ICS-CERT's ongoing mission to coordinate vulnerability remediation efforts in critical infrastructure systems.

According to Reuters, the products being reviewed include an infusion pump from Hospira that is used to deliver drugs, and implantable heart devices manufactured by Medtronic and St. Jude Medical. Also included in the review are medical imaging systems, hospital networking equipment, and a wide range of other technologies, Reuters said.

In each case, the DHS is apparently working with the manufacturers to identify and repair defective code in their products that would allow attackers to take control of them.

Officials from Medtronic, St. Jude Medical, and Hospira did not immediately respond to a request seeking comment.

News of the DHS investigation coincides with an FDA-sponsored public workshop on collaborative approaches to medical device and healthcare cybersecurity being held in Arlington, Va., this week. The event is designed to bring together medical device manufacturers, healthcare providers, and IT and security administrators to discuss ways to identify and mitigate security threats in medical technologies.

(Image: Alden Chadwick, Flickr, Creative Commons)

The DHS investigation is another manifestation of the growing concern over security vulnerabilities in modern network-connected medical devices and equipment. So far, there have been no publicly reported instances of an attacker actually compromising a medical device or piece of equipment, either to steal data from it or to sabotage it.

Even so, many believe that such attacks are both feasible and not very far away from happening. Security researchers such as the late Barnaby Jack and Jay Radcliffe have already demonstrated how hackers can take control of wireless-enabled medical devices to create all sorts of havoc.

Barnaby, who died in 2013 just days before a scheduled Black Hat presentation on lethal insecurities in medical implants, showed how a wireless-enabled insulin pump could be tricked into delivering a lethal dose of insulin to anyone wearing the pump. In another demonstration, he showed how an attacker could potentially take control of a wireless-enabled pacemaker from a leading vendor and get it to deliver a deadly shock.

Concerns over such attacks prompted former vice president Dick Cheney's doctors to disable the wireless functionality of his pacemaker last year.

The FDA, which has been shepherding efforts to improve cybersecurity in the medical equipment market, released a new set of recommendations earlier this month for protecting network-enabled devices. The recommendations call on equipment manufacturers and device makers to take steps to identify and reduce vulnerabilities that affect device functionality and security. But many security researchers believe that more action is needed to spur real change.

The FDA "could also do something like GSA did for cloud services -- require devices to actually be tested for security vulnerabilities by third-party assessors that are licensed and certified to do the testing," said John Pescatore, director of emerging security threats at the SANS Institute.

"Many medical devices and equipment are sort of like Windows was before the worms of 2001 and 2003 caused so much havoc that Bill Gates got security religion and forced Microsoft to change," he noted. The big difference in the health industry is the sheer number of vendors. "There is no one vendor here that has 90% market share. [So] the problems when they hit will be too spread out."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

User Rank: Apprentice
11/3/2014 | 10:27:00 AM
3rd Party Security Certification
I think the point made in the article near the end is a promising solution:

The FDA "could also do something like GSA did for cloud services -- require devices to actually be tested for security vulnerabilities by third-party assessors that are licensed and certified to do the testing," said John Pescatore, director of emerging security threats at the SANS Institute.

One caution is to design the approach carefully. We don't want a repeat of the financial crisis, where the credibility of the major credit agencies was seriously questioned.
User Rank: Strategist
10/27/2014 | 7:06:45 AM
Re: Functionality over Security?
The investigation of medical devices and equipment is a must for the DHS; cybercriminals and state-sponsored hackers are focusing their efforts on hacking these components for both financially motivated operations and sabotage.
User Rank: Ninja
10/26/2014 | 4:31:24 PM
The really amusing thing about the DHS investigating cybersecurity flaws is the simple fact that the government has been gunning for backdoors in consumer software since the 90s.  These same security flaws/backdoors that government wants are the very things that can be just as easily exploited by the alleged "bad" guys.  
User Rank: Ninja
10/24/2014 | 2:10:00 PM
Functionality over Security?
Great insight into the real issues when it comes to these medical devices.  While it's incredible how technology is able to deliver these types of healthcare solutions, the fact that security isn't part of the overall design shows that functionality and push to market is the key factor here, not necessarily ensuring the device meets privacy and security requirements.  Like the IoT, there's a need to go back to these manufacturers and push the need for proper controls to secure these devices.  Moving forward, I hope that manufacturers have better controls embedded into these devices, but sadly until there is concrete proof that there is a need, we might not see as much interest in developing these standards as there should be.