DHS Launches Initiative to Improve Medical Device Security

Posted in Information technology by Bob Michaels on January 17, 2013

Researchers discovered serious vulnerabilities in two medical management platforms that are used for generating patient reports and managing surgeries. The vulnerabilities led to an elevated response from the United States Food & Drug Administration and the Department of Homeland Security.

According to information from Secure Business Intelligence, an Australian news service, the vulnerabilities gave security researchers remote root access to the impacted systems. When an individual has root access to a device, he or she can control most of its functions. With the root exploit for the Philips platform management system, hackers could potentially steal patient records and other private healthcare information.

The exploit also gave researchers the ability to remotely control medical devices that are connected to the Philips platform. Any connected device that communicates via the HL7 standard could potentially be controlled by hackers.

Due to the severity of the exploits, both the DHS and the FDA took action. Both government groups urged Philips to fix the exploit immediately. However, Philips may have ignored initial warnings. According to Billy Rios and Terry McCorkle, the security researchers who discovered the exploit, their private attempts to warn Philips about the exploits were ignored. In response, the researchers shared information about the exploit with the FDA and the DHS.

Two days after information about the exploit was released, Marty Edwards, the control system director at the DHS, announced that the government agency would handle all future information on medical device security vulnerabilities.

A smaller exploit was also discovered in ICS-Xprezz, a patient monitoring tool by SpaceLabs. The platform, designed for use with Apple iOS, could give hackers access to restricted parts of a corporate network.