Securing connected medical devices: Will categorizing them as ICS help?

Since April of this year, the Department of Homeland Security (DHS) Industrial Control Systems Emergency Response Team (ICS-CERT) has issued several alerts advising healthcare entities of cyber vulnerabilities in equipment ranging from medical imaging systems to patient monitoring gear. In addition, medical device manufacturers, including Philips, Abbott and BD, have reported their own security vulnerabilities via ICS-CERT alerts.

In reviewing the ICS-CERT notices, it’s interesting to note that within the United States, medical devices are categorized as Industrial Control Systems (ICS). For many in IT security, ICS or SCADA (Supervisory Control And Data Acquisition) security only gained notoriety with the advent of the Stuxnet malware that was used to compromise Iran’s nuclear facilities in 2010. Who could imagine that medical devices would be grouped with SCADA technologies in terms of the magnitude and criticality of their security?

When viewed as previously isolated and discrete hardware that has since been connected to a network, medical devices are no different from ICS or SCADA systems. While these devices have been networked and interconnected for some time now, only recently has the industry begun to implement physical and logical security controls to protect them.

Fortunately, several initiatives are underway to improve the security of medical devices, including the FDA’s recently published “Medical Device Safety Action Plan.” There’s also an interesting proposal for a Hippocratic Oath for Connected Medical Devices from I Am The Cavalry, a cybersecurity volunteer association focused on public safety concerns. Their Oath identifies measures to preserve patient safety and trust in the healthcare system as a response to the increasing reliance placed on connected devices.

Now that they’re no longer protected by an “air gap,” let’s consider what’s needed to protect connected medical devices from security threats.