Healthcare and Technology news

NIST to Address Medical Device Security


In an effort to address the cybersecurity challenges of networked medical devices, the National Institute of Standards and Technology, through the National Cybersecurity Center of Excellence, is launching a project to secure those devices from risks such as malware, hacking and access control.


The project, done in collaboration with the Technological Leadership Institute at the University of Minnesota and the medical device industry, is inviting comments on ways to properly secure medical devices that are increasingly being connected to central systems within hospitals, the NCCoE says, starting with a draft use case on wireless infusion pumps.

While security experts see the move as a positive step forward in raising awareness on security risks to such devices, it may not be enough to get device manufacturers to address the issues. For one, NIST doesn't have any regulatory oversight, says Mac McMillan, CEO of security consulting firm CynergisTek. "Whatever they come up with is not going to get us where we need to go," he says. "What we need is for the Food and Drug Administration to put out a hard and fast rule that [manufacturers] have to pay attention to."

Still, NCCoE's initiative is a comprehensive effort to address medical device risks, says Christopher Paidhrin, security administration manager in the information security technology division at PeaceHealth, a healthcare system in the Pacific Northwest. "We need to start with a realistic use case, and infusion pumps are a high-use medical device."

The push by NCCoE to address medical device security comes two months after the Food and Drug Administration issued final guidance calling for manufacturers to consider cybersecurity risks as part of the design and development of medical devices.

In Aug. 2013, the FDA also issued guidance on the radio frequency of wireless medical devices, including recommending authentication and encryption for reducing security risks and related patient safety threats.

Project Details

The draft use case NCCoE is launching will focus on wireless infusion pumps, which transport fluids, drugs and nutrients into a patient's bloodstream. "A networked infusion pump can allow centralized control of the device's programming as well as automated cross checks against pharmacy records and patient data to ensure the right dose of fluids or medication are delivered," NCCoE says. "But these connected devices can introduce new risks in safety and security compared with stand-alone devices."

The case identifies the people and systems that interact with infusion pumps, defines their interactions, performs a risk assessment, identifies applicable security technologies and provides an example method or implementation to secure the system, NCCoE says. Comments on the draft use case should be submitted by Jan. 18, 2015.

After the use case is finalized, the NCCoE will invite organizations to participate in developing a practice guide that contains materials and information needed to deploy an example solution of off-the-shelf products that address the technical security problems.

Moving into 2015, the NCCoE would like to have a set of practice guides dealing with different types of medical devices, says Gavin O'Brien, project manager at NCCoE. "For instance, MRIs ... have lots of computing power on them," he says. "They're very different than infusion pumps and all of those are different from say implantable [devices]."

But for now, the practice guide being developed around the infusion pump use case will be written in a way that people can use pieces from the guide to secure devices within their own organization, O'Brien says. "In the use case, we talk about issues that are specific to infusion pumps, but where those issues apply to other devices ... the [practice guide] will be beneficial to them."

Analyzing the Latest Effort

Before all medical devices are networked, standards and baseline security controls need to be in place, PeaceHealth's Paidhrin says. "Healthcare will leverage them, if they are available," he says. "Medical device manufacturers are wakening to the challenge, but the pace is slow compared to the advance of technology and exploits."

A key challenge will be getting the medical device manufacturers on board with the latest efforts around medical device security, says privacy and information security expert Rebecca Herold. "The overall sentiment coming from the manufacturers has been that they will basically do only the minimum necessary to secure the devices, as required by the FDA," she says.

And while the FDA recently released high-level guidance, "it really did not provide the details necessary to spur medical device manufacturers to take action and engineer their devices" with certain security controls built in, Herold says.




'Wiper' Malware: What You Need to Know


The FBI has reportedly issued an emergency "flash alert" to businesses, warning that it's recently seen a destructive "wiper" malware attack launched against a U.S. business.

Security experts say the FBI alert marks the first time that dangerous "wiper" malware has been used in an attack against a business in the U.S., and many say the warning appears to be tied to the Nov. 24 hack of Sony, by a group calling itself the Guardians of Peace.

Large-scale wiper attacks are quite rare, because most malware attacks are driven by cybercrime, with criminals gunning not to delete data, but rather to quietly steal it, and for as long as possible, says Roel Schouwenberg, a security researcher at anti-virus firm Kaspersky Lab. "Simply wiping all data is a level of escalation from which there is no recovery."

Many Sony hack commentators have focused on the fact that previous wiper attacks have been attributed to North Korea, and that the FBI alert says that some components used in this attack were developed using Korean-language tools.

But Schouwenberg advocates skepticism, saying organizations and IT professionals should focus their energies on risk management. "We are much better off trying to understand the attack better, and maybe use this incident as an opportunity for businesses everywhere to basically re-evaluate their current security strategy, which probably isn't quite tailored to this type of scenario and say: 'Hey, this is where I can improve my posture,'" he says. "So we should be focusing on that technical aspect, rather than on the potential motivations of the attackers."

In this interview with Information Security Media Group, Schouwenberg details:

  • The relative ease with which wiper malware attacks can be crafted;
  • Steps businesses can take to improve their security defenses against wiper malware;
  • The importance of whitelisting applications - meaning that only approved applications are allowed to run on a PC, while all others are blocked.


