Many of the aging medical devices still in wide use at hospitals across the U.S. were built without much consideration for security controls.
Bedside devices or implants, for instance, routinely carry potentially dangerous faults, according to Kevin Fu, associate professor of electrical engineering and computer science at University of Michigan.
Another example? Fu pointed to one local hospital that had "600 Windows XP boxes in deployment." To his astonishment, he was told by one hospital staffer that many were unpatched.
"If you're using this old software, these old operating systems, you're vulnerable to all that malware – that garden-variety malware – that has been out in the wild for more than 10 years," Fu said at the HIMSS and Healthcare IT News Privacy & Security Forum in Boston.
This is not rocket science; this is basic hygiene," he said. "This is forgetting to wash your hands before going into the operating room. Here we have medical devices where, if malware gets through the perimeter, there is very little defense."
[Related: Data held hostage by ransomware: Should you pay up?]
When it comes to device security, the "media tends to focus on the sensational," he added. "That causes the public – and even some in the (hospital) boardrooms – to misunderstand where the most significant risk is.
"In my opinion, it boils down to much more basic stuff," said Fu. "Hackers do exist. But again, it boils down to something much more basic: 'hand-washing.'"
Indeed, he said, the much bigger risks came from more mundane activities: the "infection vector" of a corrupted USB drive; a vendor applying software updates "and unknowingly infecting machines along the way because they're carrying malware along with them," or the "guy you just let in the door because you have a contract with him, and he's spreading software throughout the hospital by accident."
Because the medical device community tends to be slower in maintaining their machines, and the legacy systems hang around much longer than in other industries, Fu conceptualizes the risk framework in three parts: vulnerabilities, threats and exploits.
"If you have a vulnerability and there's no threat, you're not going to have an exploit – you wouldn't have harm," said Fu. "Similarly, if you have a threat, but no vulnerability, you won't have an exploit."
The problem, he said, is that "it's very difficult to quantify, in any of the metrics clinical facilities are used to with safety, what is the likelihood of a vulnerability combining with a threat to become an exploit."
Related articles from the Heatlhcare IT News Privacy and Security Forum:
CISOs: Healthcare's new rock stars
7 cyberthreats worse than PHI breaches
Cyber security market set to grow big time
