Hospitals: Does your CISO look at your medical supplies?
InfoSec risk will make your security pro’s heart skip a beat
From pacemakers to insulin pumps to defibrillators, more and more medical devices are adopting Internet of Things (IoT) functionality, and that raises a question: should your CISO be responsible for reviewing the medical device technology implanted in patients?
In 2016 Congress authorized security researchers to conduct a controlled evaluation of consumer healthcare devices. Under that authorization, a team of information security professionals went on to look specifically at pacemakers.
What they found was as alarming as you might expect: pacemakers (including implantable cardioverter defibrillators (ICDs), pulse generators and cardiac rhythm management (CRM) devices) and pacemaker programmers (the devices used to program, reprogram or adjust a patient’s pacemaker) are at high risk of attack.
Former Vice President Dick Cheney ordered changes to his pacemaker, concerned a hacker could trigger a heart attack.
As the trusted entity, do you vet these devices before they are implanted in your hospital’s patients?
How easy is it?
Many of today’s pacemakers can be reprogrammed easily. Pacemakers do not require a password before a programmer makes changes, so an external programming or monitoring device is all that’s needed to change the settings of a victim’s pacemaker.
And the attack can be outsourced: we found pacemaker programmers, devices capable of nearly stopping a heart, listed for sale on eBay. Although manufacturers are supposed to control the distribution of programmers carefully, they can be found online for $500 to $3,000.
Pacemaker systems also hold Protected Health Information (PHI) such as medical history, Social Security number and contact information.
So an attack on pacemaker data doesn’t have to be an attempt at homicide. Stolen health records sell for $10 to $50 each, giving your local cybercriminal the chance to break even on a programmer after just 10 pacemakers.
Standard Third-Party Risk Issues
The research group also found that pacemaker manufacturers built their devices on outdated third-party components, more than 2,000 of them. It is unclear whether any of these vendors have gone through a comprehensive third-party risk assessment, or whether the manufacturer manages them at all. Your life, in other words, is in their hands.
IoT devices are flooding the healthcare industry, and this is just the beginning. Even personal items as small as the FitBit tracker you wear every day are vulnerable to attack.
So, how can these vulnerabilities be avoided at the healthcare provider level?
- Control – Organizations must have the proper controls in place to protect the personally identifiable information (PII) and protected health information of their employees, patients and partners. In some hospitals, that means the security team taking on a greater role than it has today.
- Evaluation – Ask yourself, and your leadership, whether your organization is susceptible to a breach.
- Training – Educate your staff about what PHI is, where it can be found (in this case, inside an IoT device) and why it has to be handled differently from other data.
ASMGi can help with information security evaluations, assessments and remediation. Contact us if you’d like to set up time to talk to our CISO and head of Security-Governance, Risk and Compliance.