Monday, 23 November 2015 06:00

Why Isn’t Hospital Device Security in the Spotlight?

Written by  Vicki Thomas

Do you think about the security of your hospital and medical records? Have you thought about what this data tells others about you? Your address, your phone number, your detailed medical records, and the means to dig deeper into your personal and professional life: this is just a sample of what your medical records hold.

This past summer a few news organizations revealed that the hacking of medical devices such as EKGs, MRIs, and IV pumps is more common than we realize. This hacking is organized and strategic with the goal of acquiring our personal data. Because medical devices are now essentially “computers” and run on internal networks, they are extremely vulnerable to outside threats.

What is confusing is why this news about “medjacking” received so very little attention from major news organizations. Perhaps it can be attributed to the time of year - the summer months are challenging when it comes to capturing reader attention. Or maybe it’s because medjacking is still not taken seriously.

Consider this excerpt from a blog post written by John D. Halamka MD, MS (Chief Information Officer of Beth Israel Deaconess Medical Center, Chairman of the New England Healthcare Exchange Network (NEHEN), Co-Chair of the HIT Standards Committee, a full Professor at Harvard Medical School, and a practicing Emergency Physician):

“In the short term, CIOs need to build ‘zero day’ defenses, creating an electronic fence around vulnerable devices. In the medium term, manufacturers must update their products. In the long term, medical devices must be designed from the ground up with security as a foundational component.

Whenever I write about a topic, I avoid hyperbole. In this case, the threat is real, I have experienced it myself, and CIOs must act.

My advice, after securing your own perimeter - get the CTOs of your medical devices on the phone and ask them for their security roadmap. If they do not have one, plan to change your vendor. We’re already doing that with some devices because attention to this issue by some manufacturers has been insufficient.” (The Security of Medical Devices)

This is coming straight from an expert who is involved in the day-to-day operations of a hospital - both the technical and human sides. So why do you think medjacking is not getting the coverage it demands? Are we waiting for a massive disaster or incident? Well, this has already happened…

“The first one involved a blood gas analyzer that cybercriminals infected with malware. The device was used to steal passwords to access other hospital systems.

With the second attack, hackers gained access to a hospital’s main network via its radiology department’s image storage system. A third hospital experienced a security breach when criminals exploited a weakness in a drug pump to break into its network.” (Why medical device security should be top priority)

Events such as these should be attracting more attention and concern from all parties involved: hospital administrators, hospital IT departments, medical device manufacturers, the FDA, and patients themselves.

Perhaps this will grab your attention:

“Attackers are infecting medical devices with malware and then moving laterally through hospital networks to steal confidential data, according to TrapX’s MEDJACK report.

‘Medical information can be worth 10 times as much as a credit card number,’ reported Reuters.” (MEDJACK: Hackers hijacking medical devices to create backdoors in hospital networks)

There are no real conclusions that can be drawn from this lack of reporting and attention. If you work in healthcare (IT, device manufacturing, communications, security, medical team, etc.) - what are you going to do with this knowledge?

To learn more about medjacking and hospital security, read the following: