In May, a top official at the Department of Veterans Affairs (VA) said that the risk of medical devices being hacked to give patients overdoses or otherwise cause them harm is relatively low; however, VA deputy director of health information security Lynette Sherrill did point out that medical devices could be a weak link that cyberattackers attempt to exploit.
One of the problems is that medical devices are not always patched promptly. The devices connect to networks via conventional operating systems such as Windows, and when Microsoft releases patches, medical devices are often the last devices to have the updates applied.
The Information Security Monthly Activity Report sent by the VA to Congress often shows that medical devices have been infected with malware. In January, the VA discovered that three medical devices had been infected, with a further case in February and two more in April. Since the VA started tracking malware infections in 2009, 181 medical device infections have been discovered.
These infections have all been contained and are not believed to have resulted in patients coming to harm, although they have caused significant disruption as a result of the devices being taken out of service. There is also a very real danger of malware being used to steal sensitive patient data or as a launchpad for attacks on other computer systems.
VA Introduces New Risk Management Controls
The VA has recently announced it has taken further steps to improve security and reduce the potential for harm caused by hacked medical devices. The VA has recently finished rolling out its new Medical Device Isolation Architecture as part of its ongoing risk management efforts. The new architecture will make it harder for attackers to infect medical devices with malware, while simultaneously reducing the impact of a malware infection should one occur.
The new architecture uses virtual local area networks (VLANs) – 3,270 of them – to keep medical devices isolated from the rest of the VA network. The VA is also using access control lists (ACLs) to restrict permissions, which includes blocking Internet access to reduce the attack surface. Many of the infections discovered by the VA have occurred as a result of the devices being connected to the Internet.
The VA has also developed a centralized patch management system that ensures medical devices are updated rapidly. Devices such as drug infusion pumps and heart monitors will be patched promptly to address known security vulnerabilities before they can be exploited.
This week, the VA also announced that it has entered into a Cooperative Research and Development Agreement (CRADA) with Underwriters Laboratories (UL) and will be adopting a new set of standards developed by UL to ensure that all networked medical devices meet the appropriate security requirements.
The VA will be using UL's Cybersecurity Assurance Program (CAP) – known as UL 2900 – to test the cybersecurity of its technology, data systems, and networked medical devices. The CAP was launched earlier this year and is intended to help organizations assess networked devices for malware infections, vulnerabilities, and other security issues. The program is expected to be completed by the end of the year.
UL Principal Engineer for Medical Software & Systems Interoperability Anura Fernando said in a statement released late last week, “Working together with the VA, we will contribute to industry-wide situational awareness of both medical device vulnerabilities and threats.”