Experts: Devices Prone to Malicious Attacks

Register now

Digitally networked medical devices are now part of the health care infrastructure at many hospitals and that’s putting data on the devices--and the hospital network--at risk, says Dale Nordenberg, M.D., founder of the Medical Device Innovation, Safety and Security Consortium, which focuses on the safety and security of devices and electronic health records.

“Medical devices are operating on networks to a degree that no one planned,” Nordenberg told attendees at the federally sponsored Safeguarding Health Information Conference in Washington. Consequently, threats to the integrity of data or programs, causing a lack of operational effectiveness, can directly harm patients. And tens of millions of patients each year have treatment that includes a variety of devices.
Medical devices also can expose a provider’s network to further breaches, notes Nordenberg, principal at consulting firm Novasano Health and Science.  The MDISS Consortium, founded in recent months, is working to define the scope of medical device security and safety issues, such as the rate of problems with implantable defibrillators and linear accelerators.

Just because a device may have appropriate data security features employed doesn’t mean it is immune from safety issues, says Steve Abrahamson, program manager for product security at GE Healthcare. Devices used in emergency and critical care, for instance, shouldn’t have screens that lock after a period of inactivity, and certainly shouldn’t lock out a user after three unsuccessful login attempts.

Device innovation continues and the industry could see diverse interoperable devices that can talk to each other, like a patient monitor telling an infusion pump that a particular setting is too high. As the devices become more advanced and linked to networks, having two data processing cores in the devices will become common, predicts Michael Taborn, platform solutions architect at Intel Corp.

Hospitals have to assume there will be malicious attacks that could affect devices, Taborn contends. With a multi-core approach, one core operates as the firewall and the other handles the data, but each is able to handle the other task if necessary. “You need to make sure if a ventilator has a service attack at 2:00 a.m. that it keeps working.”

--Joseph Goedert


For reprint and licensing requests for this article, click here.