Mobile Security Processes Could Be Applied to Medical Devices: Bluebox

Friday, May 10, 2013

Steve Ragan


Earlier this week, Adam Ely, COO and co-founder of mobile security startup Bluebox, commented on the security of medical devices. His comments focused on how the medical world is heading towards the adoption of mobile device technologies, and how mobile security measures could help protect patients and the devices they use.

Ely’s comments came via a PR pitch to InfoSecIsland’s sister publication, SecurityWeek, and were based on a DHS advisory written one year ago this month.

In the 2012 DHS alert, the agency warned that the expanded use of wireless technology on the enterprise network of medical facilities, along with the wireless utilization of medical devices, opens up both new opportunities and new vulnerabilities to patients and medical facilities.

The DHS warnings were mirrored earlier this month by Mac McMillan, a former Department of Defense cyber-security analyst, who’s now the CEO of CynergisTek Security, during an interview with Government Health IT.

“More and more of our medical devices now communicate to the network, and more often than not they’re in a wireless network, as opposed to a direct connection. What that means is that our wireless networks need to be more secure than they’ve needed to be in the past...”

There are three main risks, McMillan explained, the first being patient safety. After that, there’s the integrity of the data itself, in terms of availability, and the integrity of the devices themselves, “...with respect to their susceptibility to compromise from other types of vectors, such as malware...”

Ely, in comments sent to SecurityWeek, disagrees with McMillan for the most part, noting that malware isn’t a big threat right now. However, his comments were based on the 2012 DHS advisory.

Before malware could become a threat, Ely added, attackers would have to write malware specifically targeted to these devices and organizations, or the devices would have to adopt standard platforms and software.

If standard platforms and software are adopted, then the malware authors would be blindly attacking remotely accessible interfaces without knowing what they were, simply because they would be targeting the vulnerable software first and foremost.

“It stands to reason that the medical community would eventually adopt mobile device technologies, not only for convenience, but to meet the demands of their patients, who are accustomed to accessing data in all other areas of their lives (personal, work) on demand. It would also stand to reason that this adoption would increase vulnerability as mobile devices used in the medical field are in no way immune to the attacks faced by any consumer or corporate device,” Ely said in an email.

“Unfortunately, with the "always-on" nature of mobile devices and the rise in peer-to-peer communication, mobile data has quickly become a target. Previously, it had been hard to find these devices, but now that attackers have the ability to locate, attack, and compromise mobile devices they also have the ability to control an always-on mobile device — not only to steal the data, but also to use as a launch point for further attacks that may be difficult to track.”

With that said, Ely suggests a holistic approach to medical device protection. He encourages organizations to implement device-, application-, and data-centric controls, along with expanding application security practices to mobile applications.

“Applying security across the entire mobile ecosystem, combined with secure development processes, will net the biggest risk reduction,” Ely concluded.

While it was written last year, the DHS advisory on risks to the healthcare and public health system is worth a read. The advisory is linked above, where it is hosted by PublicIntelligence.net.

Johnnie Nix: I thought this article discusses a very important issue of security. If we have well-developed technology in one particular field then we can use it in other fields also.
Eamon Walsh: Using some Mobility Management app development option - like Kony, which comes out of the box with device security, intelligent EMM API and tools, admin friendly console, lifecycle integration - email encryption, location tracking, LDAP based device selection and active directory config - could come in handy. http://bit.ly/1Bmq11k