Vulnerability Management and Medical Device Manufacturers

By Eric Noonan • February 18, 2016

Recent updates from the FDA on securing network-connected medical devices show that there is a growing concern for security surrounding the medical industry.  Hospital networks, medical devices, and other critical infrastructure are all at risk.  An article from Threatpost.com last week covered the Kaspersky Lab Security Analyst Summit, in which a researcher from Kaspersky Lab was able to breach a Moscow hospital network.  What did he find?  According to the article, “…a shocking array of open doors on the network and weaknesses in medical devices and applications crucial not only to the privacy of patients but also their physical well-being.”

While this may or may not be surprising, I do find it concerning that security appears to be an afterthought for the medical device industry. Protecting patient information, ensuring wearable medical technology is secure, and shoring up defenses for medical devices should be paramount. As FierceMobile Healthcare predicted in late December 2015, the Internet of Things will play an increased role in healthcare in 2016. Security should be incorporated at the start of the process, rather than strapped on at the end in the hope that the security features do their job. By working security into the process, medical device manufacturers take the time to ensure that the software and applications within these devices are developed against secure standards, such as the one proposed by the IEEE.

In the Moscow hospital example above, the backdoors, vulnerable software, and poorly secured configurations can all be mitigated with regular vulnerability management. Instituting scans, building remediation plans, mitigating vulnerabilities, and patching out-of-date software are all part of a robust vulnerability management program. This type of program makes your organization proactive rather than reactive. Planning for routine updates and fixes to your devices will keep your patients and their data safe.

It is good business and best practice to secure medical devices, hospital networks, and patient healthcare information. It is also important for medical device manufacturers to understand their vulnerabilities and know where they stand. If your organization hasn't conducted a security assessment to review your security program, that is the place to start. With a roadmap in hand, your next step is to begin identifying and remediating the risks. Where are your gaps? Do you have a vulnerability management program? Do you know which medical devices connect to your network regularly? Answering these questions will help you develop a stronger security program.

How CyberSheath Can Help You Manage Your Risk

Taking a defense-in-depth approach to securing your network is an effective way to manage risk. Before those risks can be managed, however, you first need a clear picture of your network. Whatever your security needs are, CyberSheath can assist you along the way. From conducting an information security assessment to building a security program, let us help you secure your data.
