On July 31, the FDA issued an alert advising healthcare facilities to stop using Hospira's Symbiq drug infusion pump due to a security vulnerability. Infusion pumps are used by medical facilities to automatically administer doses of medication to patients based on the amount specified by the caretaker. The vulnerability allows an attacker to change the doses of prescribed medicine and impact patient safety.
Multiple Hospira products have been in the hot seat this year due to similar security vulnerabilities. The US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued four different alerts for Hospira products this year, including their Symbiq, MedNet, Lifecare PCA, Plum A+ devices.
According to Billy Rios, the security researcher who discovered the vulnerability in one of Hospira’s devices, the pumps connect to the hospital network to download drug libraries used to control the upper and lower limits that the machine can safely deliver. The design flaw is rooted in the fact that the pump does not authenticate communications sent to it. This means that anyone with access to the same hospital network could potentially change the libraries and change the effective doses of medicine administered to the patient.
The ICS-CERT team has advised facilities to perform a risk assessment to determine the impact, and then mitigate the issue by either unplugging the impacted devices or, if they are absolutely necessary, change the default passwords on the devices and use a firewall to selectively monitor and/or block access.
Discoveries like these raise the question of what other medical devices that connect to hospital networks -- and patients -- are vulnerable to similar attacks. Is the firmware on all those devices up to date? Often medical devices are delivered to hospitals with accompanying vendor-provided Windows machines. Are those all up to date with security patches? Who is managing them? Many hospitals have thousands of medical devices and are now realizing that no one is keeping them up to date.
C-level leadership at healthcare organizations should ask their teams to develop shorter-term tactical and longer-term strategic plans to address the cyber security risks that medical devices present. Strong patch management processes that include medical devices, and network segmentation are the two core elements to the solution. A network segment that is dedicated specifically to medical devices can mitigate the risk of vulnerabilities and zero-days that have not been discovered yet.
Healthcare providers should focus on the following steps to address the cybersecurity risks that medical devices present:
- Inventory all medical devices
- Build an inventory of all medical devices
- Determine which medical devices connect to the network (wired or wirelessly)
- Determine the business and IT owners for each medical device, and if they’re “unowned,” assign owners
- Determine the patch management plan for medical devices
- Decide which team is on point to update the medical devices (internal IT vs. a vendor)
- Assess network architecture for medical devices
- Create a dedicated medical device segment
- Ensure the medical device segment is configured to block both inbound and outbound connections (unless specifically allowed)
- Develop a plan to migrate medical devices to the medical device segment
This four-step plan could take months to execute, given the size and breadth of many healthcare organizations that have thousands of medical devices across many departments. But the most dangerous risks are those that we don’t yet know about or understand.
Healthcare providers: Assign some staff to wrap their heads around the security risks of medical devices in your environment and develop a plan to mitigate. Your patients will thank you.
Read more about how Palo Alto Networks can help protect healthcare organizations.