The US Department of Homeland Security has issued a warning after an internet-connected drug infusion pump was found to be vulnerable to exploitation. The security researcher who reported it described the pump as “literally the least secure IP enabled device I’ve ever touched in my life.”
According to the vulnerability report, the flaw was rated 10/10 for both severity and impact.
The device in question (Hospira Lifecare PCA3), running software 412, allowed anyone to telnet to the device without authenticating, giving any would-be attacker root privileges. Furthermore, the wireless encryption keys were stored in plaintext.
What this means is that anyone with access to the device and in close proximity to the wireless network could subsequently reach the “Life Critical Network”, where other medical devices may be connected. You can imagine the severity of such network access, and the impact it could have on the wider network infrastructure.
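The mitigation side of this, as an added example that is not part of the original post: a small Python check that walks firewall records and flags every allowed telnet session reaching a segregated clinical-device subnet, separating ingress from outside the segment (a segmentation failure) from lateral telnet between devices inside it (what a compromised pump could do). The subnet, the key=value log format and the log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption (not from the post): the infusion pumps sit on a dedicated clinical subnet.
CLINICAL_NET = ipaddress.ip_network("10.50.0.0/24")
TELNET_PORT = 23

# Constructed key=value firewall records for the demonstration, not real logs.
SAMPLE_LOGS = """\
ts=2015-05-13T08:01:02Z src=10.20.4.17 dst=10.50.0.12 dport=443 proto=tcp action=allow
ts=2015-05-13T08:03:11Z src=192.168.7.9 dst=10.50.0.12 dport=23 proto=tcp action=allow
ts=2015-05-13T08:03:40Z src=10.20.4.17 dst=10.50.0.33 dport=23 proto=tcp action=allow
ts=2015-05-13T08:05:02Z src=10.50.0.12 dst=10.50.0.40 dport=23 proto=tcp action=allow
ts=2015-05-13T08:06:19Z src=172.16.0.5 dst=10.50.0.12 dport=23 proto=tcp action=deny
ts=2015-05-13T08:07:00Z src=192.168.7.9 dst=10.20.4.17 dport=23 proto=tcp action=allow
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"src", "dst", "dport", "proto", "action"}

def parse_line(line):
    """Turn one key=value record into a dict; None for malformed lines."""
    fields = dict(FIELD_RE.findall(line))
    return fields if REQUIRED <= set(fields) else None

def telnet_into_clinical(log_text, net=CLINICAL_NET):
    """Return (src, dst, kind) for each allowed telnet session whose destination is
    inside the clinical subnet. kind is 'ingress' when the source is outside the
    subnet and 'lateral' when a device inside it talks telnet to another device."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proto"] != "tcp" or rec["action"] != "allow":
            continue  # malformed, non-TCP, or already blocked by policy
        if int(rec["dport"]) != TELNET_PORT:
            continue
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if dst not in net:
            continue
        hits.append((str(src), str(dst), "lateral" if src in net else "ingress"))
    return hits

def sources_by_kind(hits):
    """Count offending source addresses per kind, for an alert summary."""
    return Counter((kind, src) for src, _, kind in hits)

if __name__ == "__main__":
    for src, dst, kind in telnet_into_clinical(SAMPLE_LOGS):
        print(f"{kind:8} telnet {src} -> {dst}")
```

Denied sessions are skipped on purpose: the policy already handled them, and the finding worth escalating is telnet that the segment boundary let through.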
The vulnerability is well covered in the security press with websites such as scmagazine covering it in great detail.
One thing is apparent: it is fast becoming a challenge to keep up with biotech and advances in medical technology. Fortunately, there are various standards and industry best practices that advise on the best way to secure medical software, devices and networks.
ISO 80001 (“Application of risk management for IT-networks incorporating medical devices”) applies to medical device manufacturers and providers, governing the risk management of an IT network incorporating medical devices.
ISO 27799:2008 (“Health informatics, information security management in health using ISO 27002”) applies to health information, and encompasses computer networks and electronic devices.
ISO 14971:2007 (“Application of risk management to medical devices”) covers the devices themselves.
Outside of ISO standards, you have working groups such as the EU Data Protection working party issuing guidance notes. Opinion 08/2014 covers the IoT (Internet of Things).
You also have HIPAA (“Health Insurance Portability and Accountability Act”). NIST 800-66 outlines how to implement the HIPAA Security Rule.
It is plain to see that with the sheer growth of internet-connected medical devices, wearables and implantables, the number of vulnerabilities and attack vectors can increase proportionally. For device manufacturers, operators and health authorities, it is critical that a thorough risk assessment is undertaken and, wherever possible, a security policy and architecture put in place to ensure risks are managed.
Patient data is one of the most crucial types of data, and one that cannot easily be replaced. Reputationally, a medical data breach can be fatal for an operator and embarrassing for a health authority.