IoT security gaps have been well documented for connected home devices. Often the biggest gaps involve hard-coded passwords and security patches that are unavailable or too complicated for consumers to apply. Hospitals are another type of facility at risk from inadequate security measures for connected devices.
In this article, the author describes the challenges specifically with infusion pumps within hospitals. The author stated,
The lack of security in the medical front is particularly alarming. The latest case in point: security researchers have discovered eight vulnerabilities in a syringe infusion pump used by hospitals to help administer medication to patients intravenously. The device is utilized to deliver medications, blood, antibiotics and other fluids to critical care patients, patients undergoing surgery (anesthesia) — and newborn babies.
In one case, noted above, an independent researcher identified and the NCCIC/ICS-CERT reported vulnerabilities including:
- Buffer copy without checking size of input
- Out-of-bounds read
- Use of hard-coded credentials
- Improper access control
- Use of hard-coded password
- Improper certificate validation
- Password in configuration file
The report also provided recommended risk mitigations for this particular situation. These security recommendations are worth noting, since they may help other connected device designers and engineers plan better.
- Assign static IP addresses
- Monitor network activity for rogue DNS and DHCP servers
- Ensure network segments
- Consider network micro segmentation
- Consider use of network virtual local area networks (VLANs) for the segmentation
- Apply proper password hygiene standards across systems
- Do not re-use passwords
- Routinely take backups and perform routine evaluations
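The static-addressing and rogue DNS/DHCP monitoring recommendations above can be checked against flow records from the pump segment. The following Python sketch is an added example, not code from the report or the vendor; the subnet, resolver address, record format and sample flows are all constructed assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed values for illustration; replace with the site's own addressing plan.
PUMP_SEGMENT = ip_network("10.20.30.0/24")      # VLAN holding the pumps
AUTHORIZED_DNS = {ip_address("10.20.0.53")}     # approved resolver(s)
AUTHORIZED_DHCP = set()                         # pumps use static IPs: no DHCP expected

# Constructed flow records captured on the pump VLAN:
# time,proto,src_ip,src_port,dst_ip,dst_port
SAMPLE_FLOWS = """\
09:00:01,udp,10.20.30.11,49152,10.20.0.53,53
09:00:01,udp,10.20.0.53,53,10.20.30.11,49152
09:02:17,udp,10.20.30.77,67,255.255.255.255,68
09:03:40,udp,10.20.30.12,50111,10.20.30.77,53
09:03:40,udp,10.20.30.77,53,10.20.30.12,50111
09:05:02,tcp,10.20.30.11,51000,10.20.0.80,443
"""

def find_rogue_servers(flow_text):
    """Return sorted (kind, server_ip, detail) findings for unapproved DNS/DHCP activity."""
    findings = set()
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 6:
            continue  # skip malformed records rather than abort the scan
        _time, proto, src, sport, dst, dport = row
        try:
            src, dst, sport, dport = ip_address(src), ip_address(dst), int(sport), int(dport)
        except ValueError:
            continue
        if proto != "udp":
            continue  # sample rules cover UDP only; DNS over TCP would need its own rule
        # DHCP server replies go from port 67 to 68, often to broadcast.
        if sport == 67 and dport == 68 and src not in AUTHORIZED_DHCP:
            findings.add(("rogue-dhcp", str(src), "DHCP server reply seen"))
        # DNS answers delivered to a pump from an unapproved source.
        elif sport == 53 and dst in PUMP_SEGMENT and src not in AUTHORIZED_DNS:
            findings.add(("rogue-dns", str(src), f"answered {dst}"))
        # A pump sending queries to an unapproved resolver.
        elif dport == 53 and src in PUMP_SEGMENT and dst not in AUTHORIZED_DNS:
            findings.add(("unapproved-resolver", str(dst), f"queried by {src}"))
    return sorted(findings)

if __name__ == "__main__":
    for kind, server, detail in find_rogue_servers(SAMPLE_FLOWS):
        print(f"{kind:20} {server:15} {detail}")
```

Because the pumps are assumed to be statically addressed, any DHCP server reply on the segment is reported; a site that does run DHCP there would list its server in `AUTHORIZED_DHCP`.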
Although the reported risk within a clinical environment remains low, it’s still important for hospital administrators to be aware that a risk does exist. It is recommended that hospitals and other medical organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage. Further, developing a formal IT security policy around how these connected devices are networked, maintained and updated is an important process to ensure the health and safety of patients and staff.