Medical Devices

By Benjamin Harris | 01:05 pm | September 16, 2019
Connected devices make healthcare easier but invite plenty of problems. Here’s what CIOs and CISOs need to do.
By Mike Miliard | 04:39 pm | September 12, 2019
The voluntary recommendations from the industry group, which aim to build consumer trust in companies that handle health and wellness data, are meant to supplement, not supplant, existing legal requirements, says CTA.
By Jonah Comstock | 01:38 pm | September 11, 2019
At the Health 2.0 Annual Fall Conference next week in Santa Clara, I'll sit down with Livongo Executive Chairman Glen Tullman to look back at the company's IPO — and ahead to healthcare's digitally-empowered future.  
By Nathan Eddy | 11:45 am | September 06, 2019
The C4MI Verified program is designed in part around recommendations made by the National Academy of Medicine and will be conducted through partnerships with medical device vendors and its member health care organizations.
Privacy & Security
By Bill Siwicki | 04:27 pm | August 28, 2019
A cybersecurity expert offers a comprehensive and in-depth look into an emerging area of healthcare security, and offers tips for healthcare execs on what they can do and where they can look for answers.
Privacy & Security
By Susan Morse | 12:35 pm | August 22, 2019
The IoT: "Every something that comes on the market is in essence its own small computer with an ability to find its way into something."
Security
By William Scandrett | 05:51 pm | August 16, 2019
Medical devices must be managed from a security perspective, but also from an operational perspective. Using analytics to establish behavior baselines helps support risk assessments, find malfunctions and enhance staff productivity.
By Mike Miliard | 03:07 pm | August 14, 2019
The health system's IT arm says the network, focused on real-world evidence, will help with curated clinical data sharing among providers, pharmaceutical researchers, device manufacturers, policymakers and others.
SPONSORED
By HP | 03:00 pm | August 08, 2019
Building the right technology ecosystem with advanced printing technologies can help healthcare organizations both save ‘clicks’ for providers and improve care delivery.
By Benjamin Harris | 10:00 am | July 31, 2019
It’s the operating system that runs the elevator, the HVAC system, medical equipment, and even the router that connects everything else in a hospital to the outside world. Wind River Systems’ VxWorks real-time operating system powers these devices and more. But pervasive vulnerabilities in versions going back over a decade have recently been discovered.

The vulnerabilities are in the TCP/IP (IPnet) stack, which exists in a wide range of older IoT devices. However, according to Wind River Systems’ FAQ, the latest release of VxWorks is not affected. Wind River has recommended that organizations deploying devices with impacted versions of VxWorks patch immediately and said it has fully tested patches to address the TCP/IP (IPnet) stack vulnerabilities.

WHY IT MATTERS

Researchers at Armis, who call VxWorks "the most widely used operating system you may never (have) heard about," have discovered 11 vulnerabilities, six of them critical, that affect Wind River VxWorks versions since version 6.5 – and are collectively referring to them as "URGENT/11." Wind River notes that certain releases, including its latest release, are not affected.

Six of the 11 are remote code execution (RCE) vulnerabilities; the others include denial-of-service vulnerabilities. The significance of the RCE vulnerabilities is that successful exploitation could allow a hacker to remotely take over the impacted devices. Successful exploitation of other vulnerabilities could lead to leakage of information, denial of service, and logical flaws. Additionally, these vulnerabilities can be exploited by an unauthenticated remote attacker.

"The potential for compromise of critical devices and equipment especially in manufacturing and healthcare is a big concern," said Ben Seri, vice president of research at Armis.

VxWorks and operating systems with similar vulnerabilities are the lightweight and powerful systems that drive many mission-critical and specific-use devices. These devices range from perimeter-level ones like routers and firewalls to equipment that sits inside secured networks, like connected medical devices. The consequences of any of them being brought under outside control could directly impact everything from the routine functioning of a hospital’s basic facilities to life-critical operations.

Wind River has issued patches and is working on mitigation with customers, but as Wired has pointed out, addressing such widespread IoT updates can be a long process. On Tuesday, the U.S. Department of Homeland Security put out a Cybersecurity and Infrastructure Security Agency ICS Advisory that explained the vulnerability in detail and offered mitigation information.

THE LARGER TREND

The healthcare industry has been recognized as both target-rich and easy pickings. Any new vulnerability in something so deep-seated in a hospital’s network architecture should reinforce the need to be willing to spend big on investments in security. This is doubly true with the relatively new class of IoT devices, which are currently expanding inside hospitals at a meteoric pace. While this is hardly the first instance of a connected IoT medical device getting hacked, any news of new vulnerabilities makes for a call to action on security.

ON THE RECORD

"URGENT/11 could allow attackers to remotely exploit and take over mission critical devices, bypassing traditional perimeter and device security," said Yevgeny Dibrov, CEO and co-founder of Armis. "Every business with these devices needs to ensure they are protected. The vulnerabilities in these unmanaged and IoT devices can be leveraged to manipulate data, disrupt physical world equipment, and put people’s lives at risk."

"Wind River’s dedicated security incident response team worked closely with Armis to ensure customers were notified and provided patches and mitigation options," said Arlen Baker, Wind River's chief security architect, in a blog post. "This shared, collaborative process was designed and executed to help device makers mitigate potential risks to their users. We thank the security researchers for their role in helping us discover these vulnerabilities in the IPnet networking stack."

Benjamin Harris is a Maine-based freelance writer and former new media producer for HIMSS Media. Twitter: @BenzoHarris.