How Serious Is the Security Threat to Connected Medical Devices?

I’m in New York City this week for the second Mobile Health Expo, which wrapped up Thursday afternoon. You may have seen the story I wrote for InformationWeek based on one session related to the security of networked medical devices.

Since I just do news and not commentary for InformationWeek, I figured EMR and HIPAA—specifically, the HIPAA part—was the perfect forum to discuss a small controversy that I may have stirred up with that story.

The two presenters from Indianapolis-based security firm eProtex talked about how connected medical devices have recently been popping up all over the place. “As little as two years ago, we checked some hospitals and found that there was less than one networked clinical device per bed,” eProtex Executive Director Earl Reber said.

With network connection and exposure to the Internet came heightened threats from viruses and malware, both internal and external, Reber and eProtex Chief Security Officer Derek Brost said. Sometimes it’s because devices are so old that they still run DOS and simply weren’t built for the HIPAA era. Other times, the greater reliance on various versions of Windows makes medical devices vulnerable to attacks.

Often, Brost said, hospitals are trying to protect the wrong assets. “It’s not the actual medical device in most cases [that is at risk]. It’s the individual patient’s health information,” he said.

All this makes a lot of sense, though it is important to note that the warnings are coming from a security vendor with a real interest in selling products and services to prevent and combat insidious threats to medical equipment and other connected devices such as smartphones and tablets.

This was not lost on at least one person, “ZigZagZeke.” In a comment titled “Ignorance,” this poster said in no uncertain terms:

The speaker is using scare tactics to try to make sales of his protection software. Makers of such software are desperately trying to convince people that their Apple products need protection, because as more and more users switch to Apple, sales of anti-virus software are declining. This use of scare tactics is known by an acronym: FUD, which stands for “fear, uncertainty, and doubt.” It is the speaker’s only hope.

I suspect some of the criticism was directed at me for not differentiating between malware and viruses or between Linux/Unix/Macintosh and Windows.

Did I screw up here by not pressing the speakers on these differences, or are Apple devices and operating systems becoming just as vulnerable to data corruption as Windows? Windows became a prime target not just because of security holes, but because of its ubiquity. Now, the iPad and iPhone seem to rule at least the physician market. Wouldn’t that critical mass put Apple iOS in the crosshairs of a growing number of hackers and malware spreaders?

So what’s the real story here? As devices get connected to EMRs and hospital networks and produce more protected health information (PHI), should healthcare providers be concerned about greater HIPAA liability? If so, where should they focus prevention efforts?

About the author

Neil Versel

  • I think it depends on what the definition of “Medical Device” is…might it be any “hardware” that has the potential to touch PHI?
    With the forced push to EMRs and all the uncertainty of new technologies being deployed to make it happen, we discover daily (although after the fact) how easily compromise from such takes place, and learn that many providers are now exposed as operating within an unsecured domain due to such. Ouch!
    With the rush to EMRs, healthcare providers appear not to take seriously their responsibility to protect the information entrusted to them, by the lack of policies addressing these issues and such not keeping up. Many look at the latest gadget as an avenue to provide service and affect efficiency without clearly understanding the latent risk any unproven technology brings into this environment; the current portable devices (e.g., wireless hardware, mobile phones, tablets, etc.) are a perfect example.
    EMRs have clearly brought a threat and complexity most never imagined! The lack of information and/or large amount of misinformation is a vicious cycle too slowly being addressed.
    Large practices will afford regular pro-active audits; private will be forced to react to failed. What’s more expensive, education or ignorance? We were told EMRs would realize huge savings, but the true costs of such will not be fully known for years…it’s not looking good.

  • healthcare providers appear not to take seriously their responsibility to protect the information entrusted to them

    DING DING DING – we have a winner.

    The unnatural rush to EHRs has certainly thrown providers off balance.

    Few offices realize how stupid simple it is to screw up when it comes to PHI.

    Add to that every person carrying an iPad thinks they are a genius and you have a potent mix of problems.

    In reading the post, I too was confused on what was going to be considered a connected device. Especially when DOS was mentioned.

    Until fines are handed out, few providers will take seriously their requirement to protect PHI.

    Until then, the wild west will continue in medical IT.

    A note on the Apple device remark above: a computer is a computer. Some are easier to use than others, yes.

    Most virus/malware spreading these days is via social engineering – tricking people to click or give away their info.

    There are plenty of problems in the Apple world, whether it be hacked iPad accounts, the fact that there actually are viruses aimed at the MacOS or defective wireless cards in MacBooks. These things just don’t seem to faze an Apple user.

    As with politicians, I don’t give electronic devices “rock star” status. This is not intended to start an Apple-vs.-the-world argument, just pointing out reality.

    The point is, EHR access from smart phones and tablets is going to be a security issue.

  • One would think that any device which captures patient data for transmission to patient monitoring stations and to the patient’s individual EMR needs to be protected.

    And while patient information is the HIPAA focus, what about the need to protect the security of those devices which supply part of the patient’s treatment … such as IV pumps, cardiac pacemakers … especially as more of these devices are controlled wirelessly.

    Security protocols need not only be concerned about protecting patient information … but also protecting patient safety during treatment.

  • Don,
    Some days this EMR venture seems like a nasty can of worms…Eek! I’ll admit, I’m becoming a little more alarmist by the day.

  • American healthcare rarely designs, funds, and builds systems or infrastructure that is integrated from end to end.

    Capital shortages at every step of the way result in patchwork all over the place. Name one major health care campus that doesn’t look like mating octopuses as one example … or consider the myriad of “snap on tools” found in an ICU room.

    Stuff is bought to attract or retain the physician who thinks its necessary for his practice … or to meet the revenue needs of the wife of an administrator who reps a device company.

    If it is up to the facility to be first to ask the information integrity question … there is no hope. The facility needs to be the last to address the medical device security topic by simply saying “Show us”.

    The device folks don’t want to be held accountable … they just want to sell stuff. The enterprise EMR package has already been bought and the developers will be more than happy to bill out a new software release to add new device data streams to the protection protocol. I sure wouldn’t expect anyone to sell a Plug and Play compatibility without getting paid for it … and the risk they would be taking on.

    From Hill Street Blues’ Sgt. Phil Esterhaus: “Hey, let’s be careful out there.”

  • # packets … Risk aversion … perhaps one reason there are so few EMR developers in the UK to go along with the fact that they don’t have an ARRA-like bonanza program.

  • For some “deep diving”, look up “Internet of Things” and check out the group on LinkedIn. The concept is emerging in healthcare. Security layers being only one aspect of the challenge.
