Lax medical device security needs urgent action

The risks are real, and they also expose weaknesses in other connected medical devices, believes Mac McMillan. He believes it’s time for the government to step up regulatory pressure.


Mac McMillan doesn’t hold back in discussing his concerns about security vulnerabilities in healthcare, and wireless infusion pumps are on his list as a risk factor for providers.

McMillan is co-founder and CEO of CynergisTek, an information security and privacy consulting firm, and has long been at the head of industry security efforts. He is a member of CHIME’s AEHIS Advisory Board and Chair of the HIMSS Privacy and Security Policy Task Force, and brings nearly 40 years of combined intelligence, security countermeasures and consulting experience from positions within the government and private sector.

Recently, Health Data Management editor Fred Bazzoli discussed rising industry concerns about the security vulnerability posed by wireless infusion pumps, and potential ways to deal with the risks.

There’s been a long-standing concern in the industry that wireless infusion pumps can be hacked, that they could be manipulated to adjust drug delivery to patients or used to gain access to a hospital’s networks. From your perspective, is this a real threat?

The threat is very real and has been substantiated by researchers.

Would hackers need physical access to a pump to do this [say, through an Ethernet port on the pump] or could they access the pump wirelessly?

Physical access is not needed. There are attacks that can be accomplished remotely over the Internet. These devices are on the hospital’s network and/or communicating wirelessly. The same pathways that may be used to access these devices legitimately can be exploited by attackers.

These capabilities have been done in demonstrations, and frankly, they have a lot of shock value. Do these demos overhype the risk to a wireless pump that is operating on a reasonably protected hospital network [in a reasonably secure working environment]?

Possibly, but not completely. Meaning there are steps that healthcare entities can take to isolate or protect the devices on the network. There are steps they can take to protect the rest of the enterprise from them. But, if the device communicates remotely or over the Internet and has flaws in its own software/firmware, then it is going to be at risk.

What other networked devices are at risk in healthcare facilities, or are infusion pumps the most susceptible? What should providers be doing, at a basic level, to protect them from hackers?

There are many medical devices that are at risk, and they’re placing networks and patients at risk. This is well known and documented within the industry and government. Two years ago, the Department of Homeland Security ran its own research project that discovered 300 insecure devices from 40 different vendors. These pumps, most notably the latest vulnerability with certain Hospira pumps, have just gotten a lot of attention lately.

The underlying reason for this state of affairs is the total lack of governing controls and standards for designing, developing and implementing biomedical devices, and this is what leaves the consumer at risk. The market has failed to respond to providers who have been asking for better engineered devices. Regulatory pressure to produce improvement in this area may be the only thing that will work. We need the government to be the change agent here, and the FTC and FDA should lead within their respective areas of responsibility.
