Medical Devices Are The Weak Link

For many users of Johnson & Johnson’s OneTouch Ping insulin pump, the benefit of ease of use has been outweighed by the fear of hacking.

In early October, the company sent letters to patients using the devices, alerting them to the fact that the OneTouch contained a cybersecurity flaw that could allow a hacker to reprogram the device to administer additional doses of the diabetes drug, which could be life-threatening.

In its letter to patients, Johnson & Johnson portrayed the risk as minimal. “The probability of unauthorized access to the OneTouch Ping System is extremely low,” it noted. “It would require technical expertise, sophisticated equipment and proximity to the pump.”

A spokesman for the company says it’s working to eliminate the vulnerability; it has laid out a series of steps patients can take to reduce the risk, such as turning off the pump’s wireless connection to a blood-sugar meter, or setting a limit on the amount of insulin that can be delivered.

The announcement is yet another stark reminder of known security issues that exist with medical devices, widely used by both providers and patients. Indeed, this is not the first time concerns have surfaced about the ease of hacking medical devices.

In mid-2015, the Food and Drug Administration took the unprecedented step of alerting users about cybersecurity vulnerabilities of the Hospira Symbiq Infusion System. The agency strongly encouraged healthcare facilities to discontinue use of the pumps.

And the FDA is not the only federal agency shining a spotlight on the vulnerabilities of medical devices. In 2014, the Federal Bureau of Investigation issued a report that predicted hackers could assail medical devices, and followed that up with an alert last year warning companies and the public about cybersecurity risks to networked medical devices and wearable sensors.

The threat to patient safety carries the biggest shock value, and healthcare organizations are widely concerned about those risks.

But the devices also pose risks to the networks of healthcare organizations: they typically have weak defenses against malware, and a compromised medical device could serve as an easy entry point to providers’ internal data networks.

Security experts and federal officials say the devices could become the focal point of a perfect storm for compromising healthcare data security and placing patient safety at risk. That’s because the vulnerability of devices to cyber-attacks is well known, and hackers are becoming emboldened to find new ways to attack healthcare organizations.

Most security professionals are worried about the vulnerability of a myriad of networked medical devices that have Internet connectivity, from infusion pumps and X-ray scanners to picture archiving and communications systems, blood gas analyzers, medical imaging devices, medical lasers, life support equipment and many more.

These devices are expensive and last a long time, and providers may have them in place for five, 10 or 15 years or more, says Axel Wirth, healthcare solutions architect for Symantec. Software running the devices may be years old as well, and typically not easily protected by cyber defense software.

What’s more, in many cases the devices are managed just by the manufacturer’s technicians, not a provider’s IT security staff.

Information Management: Medical Devices Vulnerable to Hackers
