Internet of Insecure Medical Devices

Continuing where we left off last week, let’s take a look at the security of network-connected medical devices.  As we discussed in an earlier post, the Mayo Clinic recently sponsored a hackathon of sorts, inviting a number of security practitioners to its campus in Rochester, Minnesota to see how hard it would be to hack the medical equipment.  As it turned out, disturbingly, it was not hard at all.

Then there is the recent and all-too-embarrassing crypto-malware (ransomware) incident at a hospital in Hollywood, California, which ended with the hospital paying $17,000 to the attackers for the key to decrypt its files.  Generally, good, recent, tested backups are your “get out of jail free” card in these situations, so I am curious what did or did not happen in this case.

The good news is that the Food and Drug Administration has finally released draft guidance for medical device manufacturers outlining the sort of security it wants to see in these devices.  Some of the key elements of this draft guidance include (from Naked Security):

  • Apply the 2014 NIST voluntary framework for improving critical infrastructure cybersecurity.
  • Define essential clinical performance to develop solutions that offer protection from cybersecurity risks and also help respond to and recover from them.
  • Keep on top of sources that help identify and detect cybersecurity vulnerabilities.
  • Understand and assess the implications of a vulnerability.
  • Create and follow a seamless vulnerability management process.
  • Put in place and practice a well-coordinated vulnerability disclosure policy.
  • Cybersecurity risk mitigations must be deployed early and prior to exploitation.

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
