Department of Homeland Security Issues Warning on Medical Device Threats

The U.S. Department of Homeland Security has issued a warning (UNCLASSIFIED/ FOR OFFICIAL USE ONLY) about the role of medical devices in compromising IT networks and patient data. 

In its alert "Attack Surface: Healthcare and Public Health Sector," DHS says medical devices that connect to IT networks may pose a threat to security.  Find the entire PDF here (download and read it).
http://info.publicintelligence.net/NCCIC-MedicalDevices.pdf

Some Highlights:

According to Health and Human Services (HHS), a major concern to the Healthcare and Public Health (HPH) Sector is exploitation of potential vulnerabilities of medical devices on Medical IT networks (public, private and domestic)

The protection of networked MDs can best be implemented in a layered security approach using the suggested following best practices:


• Purchasing only those networkable medical devices which have well documented and fine-grained security features available, and which the Medical IT network engineers can configure safely on their networks.

• Including in purchasing vehicles vendor support for ongoing firmware, patch, and antivirus updates where they are a suitable risk mitigation strategy.

• Operating well maintained external facing firewalls, network monitoring techniques, intrusion detection techniques, and internal network segmentation, containing the medical devices, to the extent practical.

• Configuring access control lists (ACL) on these network segments so only positively authorized accounts can access them.

• (U) Establishing strict policies for the connection of any networked devices, particularly wireless devices, to Health Information Network (HIN) including; laptops, tablets, USB devices, PDAs, smartphones, etc. such that no access to networked resources is provided to unsecured and/or unrecognized devices.

• Establishing policies to maintain, review, and audit network configurations as routine activities when the Medical IT network is changed.

• Using the principle of least privilege to decide which accounts need access to specific medical device segments, rather than providing access to the whole network.

• (U) Implementing safe and effective, but legal patch and software upgrade policies for Medical IT networks which contain regulated medical devices.

• (U) Securing communications channels, particularly wireless ones, by the use of encryption and authentication at both ends of a communication channel.


• (U) Having and enforcing password policies to protect patient information.