HTM Wiki

A cyber-criminal thwarting your medical device security defenses.

About

Medical device security concerns security vulnerabilities in a networked medical device, or in the stand-alone device itself, that may expose patients to life-threatening cyber-attack scenarios such as loss of availability or equipment shutdown. Even where a life-threatening attack is not possible, exposure of personally identifiable information or patient data remains a risk, along with privacy violations and violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

MDS2

The Manufacturer Disclosure Statement for Medical Device Security (MDS2) is a form[1] on which a manufacturer discloses the security controls implemented in a medical device to protect the protected health information (PHI) that the device transmits or stores. Healthcare organizations and clinicians may use the MDS2 form as an input to their risk analysis. The MDS2 is a joint effort of the Healthcare Information and Management Systems Society (HIMSS) and the National Electrical Manufacturers Association (NEMA). The OEM should provide MDS2 information about the security controls implemented in its healthcare products and solutions in accordance with IEC 80001-1, "Application of Risk Management for IT-Networks Incorporating Medical Devices"[2].

Risk Assessment

Clinicians use hundreds of applications that can make a healthcare organization vulnerable to a security breach or to medical device cyber-attacks. Many medical devices, such as patient monitors, infusion pumps, and PACS (picture archiving and communication system) components, must now be connected to the organization's IT network. These devices often run on commercial off-the-shelf (COTS) operating systems and must be patched, or protected by compensating controls such as network segmentation where patching is not possible, to defend them against malicious software and unauthorized access. In addition, these devices are typically managed by the clinical engineering department rather than the IT department, so coordination between the two is critical to ensure that roles and responsibilities are clearly defined and that risks are mitigated and minimized.

Audit

The role of Internal Audit is to provide independent assurance that an organization's risk management, governance and internal control processes are operating effectively with respect to threats to patient safety and to the integrity, availability and confidentiality of patient data maintained by medical device technologies. External auditors, who have no stake in internal relationships and show no favoritism, are best placed to deal with issues that are fundamentally important to the survival and prosperity of a healthcare organization. The areas such a security audit covers include, but are not limited to:

  • Penetration testing.[3]
  • Application change and engineering controls.
  • Routine backup and recovery processes.
  • Disaster recovery planning efforts and plans.
  • Infrastructure configuration management activities.
  • Outdated passwords, operating systems, antivirus signatures, encryption, anti-malware and firewall protection, and other known exploitable weaknesses.
  • Network infrastructure, security administration, and server infrastructure activities.
  • System development and medical device acquisition life cycle initiatives.
  • Third-party security services.
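The checklist above, together with the patching and ownership concerns from the Risk Assessment section, is easiest to see applied to a device inventory. The following Python script is an added example, not code from the original page or from HIMSS/NEMA: it audits a constructed inventory against MDS2-style yes/no answers plus operational facts (OS support status, patch age, default credentials, owning department) and ranks the devices by a risk score. The control codes follow the section codes of the 2013 MDS2 form; the devices, the end-of-life OS list, the 90-day patch window and the severity weights are assumptions made here, not a published standard.

```python
"""Triage a medical-device inventory against the audit checklist above.

Added example, not from the original wiki page or from HIMSS/NEMA. Control codes
(MLDP, CSUP, STCF, ...) follow the 2013 MDS2 form sections; the device records,
end-of-life list and severity weights are constructed, not a standard.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

TODAY = date(2014, 1, 12)                      # as-of date for the sample run (constructed)
PATCH_WINDOW_DAYS = 90                         # assumed policy for networked devices
END_OF_LIFE_OS = {"Windows XP", "Windows 2000", "Windows Server 2003"}  # constructed list

# MDS2-style yes/no controls: (severity, finding raised when the vendor answers "No").
MDS2_CONTROLS = {
    "MLDP": ("high", "no malware detection/protection on the device"),
    "CSUP": ("high", "manufacturer provides no cyber-security patches or upgrades"),
    "STCF": ("high", "PHI stored on the device is not encrypted"),
    "PAUT": ("high", "no person authentication (shared or no login)"),
    "AUDT": ("medium", "no audit log of access to PHI"),
    "DTBK": ("medium", "no data backup / disaster-recovery capability"),
    "ALOF": ("low", "no automatic logoff"),
}
SEVERITY_WEIGHT = {"high": 10, "medium": 5, "low": 1}   # assumed scoring policy


@dataclass
class Device:
    name: str
    owner: str                  # who patches it: "clinical engineering" or "IT"
    os: str
    networked: bool
    stores_phi: bool
    last_patched: date
    default_credentials_changed: bool
    mds2: dict[str, str]        # MDS2 code -> "Yes" / "No" / "N/A"


@dataclass
class Finding:
    device: str
    severity: str
    description: str


def audit_device(dev: Device, today: date = TODAY) -> list[Finding]:
    """Apply the checklist to one device; returns its findings (possibly none)."""
    findings: list[Finding] = []

    def add(sev: str, desc: str) -> None:
        findings.append(Finding(dev.name, sev, desc))

    if dev.os in END_OF_LIFE_OS:
        add("high", f"runs end-of-life OS {dev.os!r}; no vendor security patches")
    age = (today - dev.last_patched).days
    if dev.networked and age > PATCH_WINDOW_DAYS:
        add("medium", f"networked device not patched for {age} days (owner: {dev.owner})")
    if not dev.default_credentials_changed:
        add("high", "factory default credentials still in use")
    for code, (sev, desc) in MDS2_CONTROLS.items():
        # A control the vendor did not answer is treated as absent (conservative).
        if dev.mds2.get(code, "No") != "No":
            continue
        if code == "STCF" and not dev.stores_phi:
            continue            # storage confidentiality is moot if no PHI is stored
        add(sev, f"MDS2 {code}: {desc}")
    return findings


def risk_score(findings: list[Finding]) -> int:
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def triage(inventory: list[Device], today: date = TODAY) -> list[tuple[Device, list[Finding]]]:
    """Audit every device and order them by descending risk score."""
    results = [(dev, audit_device(dev, today)) for dev in inventory]
    results.sort(key=lambda r: risk_score(r[1]), reverse=True)
    return results


# Constructed sample inventory; the MDS2 answers are invented for illustration.
ALL_YES = {code: "Yes" for code in MDS2_CONTROLS}
SAMPLE_INVENTORY = [
    Device("infusion-pump-07", "clinical engineering", "Windows XP", True, True,
           date(2012, 6, 1), False,
           {**ALL_YES, "MLDP": "No", "CSUP": "No", "STCF": "No", "PAUT": "No",
            "AUDT": "No", "ALOF": "No"}),
    Device("pacs-archive-01", "IT", "Windows Server 2012", True, True,
           date(2013, 12, 20), True, {**ALL_YES, "ALOF": "No"}),
    Device("bedside-monitor-12", "clinical engineering", "VxWorks", False, False,
           date(2011, 3, 15), True, {**ALL_YES, "MLDP": "N/A", "STCF": "No"}),
]

if __name__ == "__main__":
    for dev, findings in triage(SAMPLE_INVENTORY):
        print(f"{dev.name}: risk {risk_score(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.description}")
```

Two design points worth noting: an unanswered MDS2 question is scored as "No", because a control the vendor will not attest to cannot be relied on during risk analysis; and a stand-alone device (`networked=False`) is exempt from the patch-age finding only, since the default-credential and malware-protection checks still apply to devices that are reached via USB or service ports. The owning department is carried into the finding text so the report can be split between clinical engineering and IT, which is the coordination problem the Risk Assessment section describes.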

References

  1. HIMSS. Manufacturer Disclosure Statement for Medical Device Security (MDS2). Accessed 1/12/14. http://www.himss.org/resourcelibrary/MDS2?navItemNumber=21740
  2. AAMI. ANSI/AAMI/IEC 80001-1:2010, Application of risk management for IT Networks incorporating medical devices - Part 1: Roles, responsibilities and activities. http://www.aami.org/publications/standards/80001.html
  3. Hunt, Edward (2012). "US Government Computer Penetration Programs and the Implications for Cyberwar." IEEE Annals of the History of Computing 34(3).
