The U.S. Department of Homeland Security (DHS) has emphasized to hospitals and health clinics about the risks surrounding electronic medical devices commonly in-use at such facilities. This is in relation to vulnerabilities around cybersecurity attacks. The types of devices of concern include surgical and anesthesia devices, ventilators, drug infusion pumps, and external defibrillators. Also vulnerable are patient monitors, laboratory and analysis equipment, and other digital systems.
The U.S. agency issued an alert via the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). It appears that many electronic medical devices have been designed with hard-coded passwords that can enable hackers to modify their settings or install onto systems rogue firmware. Similar concerns have been expressed by the U.S. Food and Drug Administration (FDA).
The warning extends to equipment manufactured by some high profile health technology companies, such as wireless electrocardiogram products from Silex Technologies and GE Healthcare; plus, vulnerabilities in certain computed tomography systems from Philips.
Commenting on the new DHS warning, Dr. May Wang Co-Founder and CTO of Zingbox, an IoT security company for medical devices, tells Digital Journal that digital health providers should have been better prepared. She states: “Unfortunately, hackers targeting connected medical devices is nothing new. These devices have vulnerabilities not unlike laptops and PCs.”
She adds: “In some cases, even more so. 2 years ago, we identified a vulnerability in IV pumps that can allow hackers to change the dosage of medications with life threatening results. Back then, we collaborated closely with DHS and the device manufacturers to identify and offer a solution to the healthcare community.”
However, meeting the cyber onslaught is challenging, Dr. Wang says: “While its fashionable to point figures at the device manufacturers, expecting devices primarily built for accuracy and reliability to be secure against the latest cyber threat is a tough order. We struggle to secure our laptops and PCs from the latest threats.”
In terms of what can be done, Dr. Wang notes: “Security leaders can do more to collaborate with DHS and other agencies such as HHS and NIST who have focused their efforts to secure these critical medical devices. For example, HHS in collaboration with vendors like Zingbox released Cybersecurity Best Practice Resources to secure connected medical devices.”
