Secondary Market Medical Device Security Risks – Source: www.govinfosecurity.com

Legacy infusion pumps commonly available for purchase on the secondary market often contain wireless authentication and other sensitive data that the original medical organization owners failed to purge, said researcher Deral Heiland of a recent study conducted by his team at security firm Rapid7.

Secondary marketplaces, such as eBay and similar websites, are popular destinations for IT maintenance teams at hospitals and other healthcare providers to buy older-model medical devices for spare parts or to be completely refurbished for reuse, he said.

“These devices can have a very long shelf life,” he said in an interview with Information Security Media Group.

If a nefarious individual were to purchase devices that had not been properly purged, “then they can access the Wi-Fi credentials, Active Directory or whatever else is stored on them. That in itself gives them potential data that can be used to breach an organization … and the medical networks these tie into,” Heiland said.

“These are the networks where critical care patients and other medical technology are located,” he said. “So if those organizations or networks become breached, that becomes a potential issue of health, safety and concern.”

In this interview with Information Security Media Group (see audio link below photo), Heiland also discussed:

• The types of popular infusion pumps available on the secondary market that the Rapid7 study examined and why these outdated products are often purchased and refurbished by other healthcare entities;
• Practices that organizations should consider to reduce security risks surrounding medical devices such as infusion pumps throughout the entire product life cycle, including decommissioning;
• Potential security risks involving other popular legacy medical device products.

Heiland has more than 25 years of experience in the IT field, including more than 15 years focused on security research, security assessments, penetration testing and consulting for corporations and government agencies. Heiland has conducted security research on numerous technical subjects and has produced white papers and security advisories.