Introductory paragraph from the Food and Drug Administration's (FDA) guidance for Management of Cybersecurity in Medical Devices (October 2, 2014):
"The need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information."
Biomedical devices in contemporary hospitals and other care delivery environments are necessarily ubiquitous; they are instrumental in delivering excellent health care. While conducting a security risk assessment at a 400-bed hospital, we found over 5000 such devices, many of which required network connectivity to report results to a downstream piece of software or to allow remote IT management. We also found a staggering variety of device types, ranging from cytometers and infusion pumps to heart rate monitors and resuscitators.
For IT security practitioners, such devices are often a bane. For various reasons, including unclear regulatory direction, many biomedical devices run outdated operating systems and applications built with inadequate software security. As a result, these devices are ripe for attack by viruses, worms and other forms of malware. Perhaps most disturbingly, most of these connected devices in hospitals hang directly off the core IT network. In most hospitals we assess, we find that these devices are rarely segregated into virtual LANs (VLANs), which would provide an added measure of safety. Instead, in most hospitals a virus infiltrating, say, an old infusion pump running an unpatched version of Windows 2000 can propagate like wildfire, bringing the main hospital network to a crawl or even fully disabling it. Another example of a security hole is the use of an "unsecured" or poorly secured wireless connection that is easily exploitable by an attacker with rudimentary wireless hacking equipment.
Obviously, the ramifications for a hospital are tremendous. Information is the lifeblood of modern hospitals: from admitting and billing, to labs and diagnostic machines, to electronic medical record repositories, a modern hospital cannot function without reliable information.