ChannelLife Australia - Industry insider news for technology resellers
Australia
Guides
#
cloud services
#
cybersecurity
#
distributors
#
microsoft
#
partner programmes
Search
Story image
#
CIOs
#
de-acquisition
#
infusion pumps
Secondary market medical devices present security concerns
Tue, 8th Aug 2023
Author image
By Kaleah Salmon, Journalist
Follow us

Rapid7, an expert in cloud risk and threat detection, has released a new report assessing the security implications of improper de-acquisition of medical infusion pumps purchased on secondary markets.

The report aims to illustrate the importance of securing networks, applications, and devices.

In Security Implications from Improper De-acquisition of Medical Infusion Pumps, Deral Heiland, the report’s primary author and principal security researcher at Rapid7, performs a physical and technical teardown of more than a dozen medical infusion pumps, a standard device used in the healthcare sector to deliver and control fluids directly into a patient’s body.

“Each of these devices was available for purchase on the secondary market and each one had issues that could compromise their previous organisation’s networks,” warns Heiland.

Heiland says the concept of security that goes from the cradle to the grave is more than just an industry buzzphrase; it is a critical component of securing networks, applications, and devices.

“Sadly, in too many cases, cradle to grave security was either not considered at conception, or it was outright ignored,” says Heiland.

“Even when organisations are able to take steps to mitigate concerns at the grave portion of the life cycle, they don’t.”

Rapid7 highlights that these devices pose such a risk because of a lack of (or lax) process for de-acquisitioning them before they are sold on sites like eBay. 

WiFi PSK access credentials were discovered in at least eight of the 13 devices used in the study, offering attackers potential access to health organisation networks.

To remedy this risk, Heiland calls for systemic changes to policies and procedures for the acquisition and de-acquisition of these devices.

Heiland continues: “The policies must define ownership and governance of these devices from the moment they enter the building to the moment they are sold on the secondary market.”

“The processes should detail how data should be purged from these devices and, by extension, many others.”

“In the cases of medical devices that are leased, contractual agreements on the purging process and expectations should be made before acquisition,” says Heiland. 

The ultimate finding in the report is that properly disposing of sensitive information on these devices should be a priority.

“Purging them of data should not, and in many cases is not, terribly difficult. The issue lies with the process and responsibility for the protection of information stored in those devices. And that is a major component of the cradle-to-grave security concept,” concludes Heiland.

Rapid7 is advancing security with visibility, analytics, and automation delivered through its Insight cloud. 

Rapid7 solutions are designed to simplify the complex, allowing security teams to work more effectively with IT and development to reduce vulnerabilities, monitor for malicious behaviour, investigate and shut down attacks, and automate routine tasks. 

Over 10,000 customers rely on Rapid7 technology, services, and research to improve security outcomes and securely advance their organisations.

Related stories
Celigo teams up with TikTok Shop to boost ecommerce efficiency
Exclusive: How BirdDog is shaking up the broadcasting industry
Viva Energy Australia announces partnership with DataMesh
Rapid7 honours partners with 2024 Partner Of The Year Awards
New report shows need for online marketplace evolution
Top stories
Australian businesses fast-track Microsoft cloud adoption amid cyber threats
HID acknowledged as Leader in Gartner Magic Quadrant for Indoor Location Services
Australian emergency services struggle with mobile tech failures
Exclusive: How Darktrace is tackling AI-driven cybersecurity
Game review: TopSpin 2K25 (PS5)