[BreachExchange] Organizations Lack Adequate Budget for Medical Device Security

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jun 13 10:01:10 EDT 2018


https://healthitsecurity.com/news/organizations-lack-adequate-budget-for-medical-device-security

Despite recognizing medical device security as a priority, only 37 percent
of more than 100 healthcare practitioners had budgets to implement their
device security strategy, according to a HIMSS survey.

Most respondents (85%) said they used firewalls and network access controls
at their organization, while around half (52%) said they used segregated
networks for their medical devices.

"It is extremely disconcerting that even though most healthcare providers
agree that device security is a top priority, only a few have put budget in
place to support it," said Bill Parkinson, Global Senior Director for Unisys
Life Sciences and Healthcare.

“While most life sciences and healthcare organizations understand the need
to strengthen device security, many are struggling with legacy devices that
were never designed to be internet-accessible — and with the explosion of
ransomware and sophisticated cyberattacks like WannaCry, that can put both
the provider and the patient at risk,” he added.

The survey also asked respondents how their organization captures and
manages the data gathered by medical devices. Only around one-third said
they were capturing device data on a real-time basis, and a similar
percentage used analytics captured from device data for medical device
purchases.

“The importance of having access to real-time data cannot be
underestimated. Not only can data analytics help life sciences and
healthcare organizations reduce device downtime by ensuring devices are
operational, it can significantly improve audit readiness and better inform
future purchasing decisions,” Parkinson concluded.

The survey found that a majority of large hospitals and healthcare systems
manage their medical devices internally, compared with 39 percent for small
to mid-sized hospitals and healthcare systems.

Six out of ten providers reported that the IT and clinical engineering
teams are both responsible for medical device security. Two-thirds of
providers make medical device purchases based on recommendations from the
facilities team or clinical staff, according to the survey.

Highlighting the importance of medical device security, ICS-CERT issued a
June 5 advisory warning about security vulnerabilities in Philips’
IntelliVue patient monitors and Avalon fetal monitors that could result in a
delay of diagnosis and treatment of patients.

The vulnerabilities — improper authentication, information exposure, and
stack-based buffer overflow — could enable an attacker to read/write memory
and induce a denial of service through a system restart, the advisory
warned.

The Philips devices affected by the vulnerabilities are IntelliVue patient
monitors MP series (including MP2/X2/MP30/MP50/MP70/NP90/MX700/800) Rev
B-M, IntelliVue patient monitors MX (MX400-550) Rev J-M and (X3/MX100 for
Rev M only), and Avalon fetal/maternal monitors FM20/FM30/FM40/FM50 with
software Revisions F.0, G.0, and J.3.

Oran Avraham of Medigate reported the Philips device vulnerabilities to the
National Cybersecurity and Communications Integration Center (NCCIC).

NCCIC recommended that device users take the following defensive measures:

• Minimize network exposure for all control system devices and/or systems
and ensure that they are not accessible from the Internet

• Locate all medical devices and remote devices behind firewalls and
isolate them from the business network

• Use secure remote access methods, such as virtual private networks
(VPNs), recognizing that VPNs may have vulnerabilities of their own, should
be kept updated to the most current version available, and are only as
secure as the devices connected to them

NCCIC said organizations should perform an impact analysis and risk
assessment prior to deploying defensive measures.
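The three NCCIC measures above amount to a segmentation policy, and the check a practitioner wants before trusting it is whether a given rule set actually enforces that policy. The Python below is an added example, not code from the article, Philips or NCCIC; the zones, addresses and rules it uses are assumptions made up for illustration. It evaluates an ordered rule list the way a first-match firewall chain does and reports how a flat network fails the guidance while a segmented rule set passes it, including the case where the policy is "secure" only because the management path was broken too.

```python
"""Added example (not from the article, Philips or NCCIC): a first-match
firewall policy checker tested against the NCCIC isolation guidance.
Zones, addresses and rules are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str     # source CIDR
    dst: str     # destination CIDR
    action: str  # "accept" or "drop"


ANY = "0.0.0.0/0"

# Assumed zones (hypothetical addressing, not from the advisory).
MEDICAL = ipaddress.ip_network("10.50.0.0/24")   # patient-monitor VLAN
BUSINESS = ipaddress.ip_network("10.10.0.0/16")  # business LAN (workstations, email)
VPN_MGMT = ipaddress.ip_network("10.99.0.0/24")  # clinical engineering, via VPN
INTERNET_HOST = "203.0.113.7"                    # TEST-NET-3, stands in for the Internet


def first_match(rules, src, dst, default):
    """Evaluate a packet src->dst against an ordered rule list, like a
    netfilter chain: the first matching rule decides, else the chain policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.action
    return default


def check_isolation(rules, default="drop"):
    """Return a list of findings; an empty list means the rule set satisfies
    the NCCIC guidance for the medical-device zone."""
    findings = []
    device = str(MEDICAL[10])                 # a monitor at 10.50.0.10
    # 1. Not accessible from the Internet.
    if first_match(rules, INTERNET_HOST, device, default) == "accept":
        findings.append(f"Internet host {INTERNET_HOST} can reach device {device}")
    # 1b. The device must not initiate connections to the Internet either.
    if first_match(rules, device, INTERNET_HOST, default) == "accept":
        findings.append(f"device {device} can reach the Internet")
    # 2. Isolated from the business network.
    workstation = str(BUSINESS[1044])         # 10.10.4.20
    if first_match(rules, workstation, device, default) == "accept":
        findings.append(f"business workstation {workstation} can reach device {device}")
    # 3. The dedicated (VPN) management path must still work; otherwise the
    #    policy is "secure" only because nobody can service the devices.
    if first_match(rules, str(VPN_MGMT[5]), device, default) != "accept":
        findings.append("VPN management subnet cannot reach the device zone")
    return findings


# Weak configuration: a flat network with an allow-all rule, as is common for
# legacy device VLANs that were never put behind a firewall.
FLAT_NETWORK = [Rule(ANY, ANY, "accept")]

# Hardened configuration: an explicit allow for the management path, then a
# deny in both directions for the device zone.
SEGMENTED = [
    Rule(str(VPN_MGMT), str(MEDICAL), "accept"),
    Rule(ANY, str(MEDICAL), "drop"),
    Rule(str(MEDICAL), ANY, "drop"),
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED)):
        print(f"{name}: {check_isolation(rules) or 'compliant'}")
```

The checker matches on addresses only; a real rule set would also carry ports, protocol and connection state (the egress drop in SEGMENTED assumes a stateful firewall that still admits replies to connections the VPN host opened), and the central monitoring station the monitors report to would normally sit inside the device zone rather than on the business LAN. The point of the third probe is the one most often missed: a policy review should prove the sanctioned path still works, not only that the forbidden ones are closed.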

Philips said it will provide a remediation patch for supported versions of
the devices, as well as an upgrade path for all versions. The company said
it will communicate service options to all affected install-base users.

In its product security advisory, Philips said that the vulnerabilities
cannot be exploited without an attacker first attaining local area network
(LAN) access to the medical device.

The device maker has received no reports of exploitation of these
vulnerabilities or incidents from clinical use and is not aware of public
exploits that specifically target these vulnerabilities.