Healthcare Organizations Face Challenge of Tracking, Mitigating All the Risks Identified

The Department of Homeland Security has issued two more advisories concerning cyber vulnerabilities in certain medical devices, the latest in a series of alerts this year.
The stream of recent advisories is helping to draw more attention to the importance of addressing device security, many security experts say.

Since April, DHS's Industrial Control Systems Emergency Response Team has issued about a half dozen alerts advising healthcare entities of cyber vulnerabilities in equipment ranging from medical imaging systems to patient monitoring gear.

The intensifying attention on medical device cybersecurity is creating pressure on healthcare entities to keep track of - and then address - the findings involving medical devices used in their environments.

Two New Alerts

The most recent alert, issued on June 5, pertains to improper authentication, information exposure, and stack-based buffer overflow vulnerabilities in certain Philips IntelliVue patient monitors and Avalon fetal and maternal monitors.

ICS-CERT notes that those issues "may allow an attacker to read/write memory, and/or induce a denial-of-service through a system restart, thus potentially leading to a delay in diagnosis and treatment of patients."

In addition, a May 17 ICS-CERT advisory warns of a vulnerability involving "missing encryption" for sensitive data contained in the Medtronic N'Vision Clinician Programmer, a small, portable device that offers a single programming platform for Medtronic Neurological implantable therapy devices.

If exploited, the vulnerability could allow an attacker with physical access to an 8870 N'Vision Compact Flash card to access patient data, ICS-CERT warns.