Secondary market medical devices present security concerns
Rapid7, an expert in cloud risk and threat detection, has released a new report assessing the security implications of improper de-acquisition of medical infusion pumps purchased on secondary markets.
The report aims to illustrate the importance of securing networks, applications, and devices.
In Security Implications from Improper De-acquisition of Medical Infusion Pumps, Deral Heiland, the report’s primary author and principal security researcher at Rapid7, performs a physical and technical teardown of more than a dozen medical infusion pumps, a standard device used in the healthcare sector to deliver and control fluids directly into a patient’s body.
“Each of these devices was available for purchase on the secondary market and each one had issues that could compromise their previous organisation’s networks,” warns Heiland.
Heiland says the concept of security that goes from the cradle to the grave is more than just an industry buzzphrase; it is a critical component of securing networks, applications, and devices.
“Sadly, in too many cases, cradle to grave security was either not considered at conception, or it was outright ignored,” says Heiland.
“Even when organisations are able to take steps to mitigate concerns at the grave portion of the life cycle, they don’t.”
Rapid7 highlights that these devices pose such a risk because there is either no process, or only a lax one, for de-acquisitioning them before they are sold on sites like eBay.
Wi-Fi pre-shared key (PSK) credentials were discovered on at least eight of the 13 devices used in the study, offering attackers potential access to the networks of the health organisations that previously owned them.
To remedy this risk, Heiland calls for systemic changes to policies and procedures for the acquisition and de-acquisition of these devices.
Heiland continues: “The policies must define ownership and governance of these devices from the moment they enter the building to the moment they are sold on the secondary market.”
“The processes should detail how data should be purged from these devices and, by extension, many others.”
“In the cases of medical devices that are leased, contractual agreements on the purging process and expectations should be made before acquisition,” says Heiland.
The ultimate finding in the report is that properly disposing of sensitive information on these devices should be a priority.
“Purging them of data should not, and in many cases is not, terribly difficult. The issue lies with the process and responsibility for the protection of information stored in those devices. And that is a major component of the cradle-to-grave security concept,” concludes Heiland.
Rapid7 is advancing security with visibility, analytics, and automation delivered through its Insight cloud.
Rapid7 solutions are designed to simplify the complex, allowing security teams to work more effectively with IT and development to reduce vulnerabilities, monitor for malicious behaviour, investigate and shut down attacks, and automate routine tasks.
Over 10,000 customers rely on Rapid7 technology, services, and research to improve security outcomes and securely advance their organisations.