As the departments of Defense and Veterans Affairs work to make the digital medical records that each manages for some 10 million beneficiaries compatible, they face an unlikely foe.
Medical devices in their hospitals are vulnerable to malware that could allow attackers to compromise all that patient health data.
In fact, it’s more likely someone will hack a drug infusion pump to break into a connected health records system than to give you an overdose, says the VA’s top medical device security official.
While there have been harrowing demonstrations of how to manipulate a pump or pacemaker, those attacks are unlikely to play out in reality anytime soon.
The here-and-now danger is the “advanced persistent threat” that piggybacks off a vulnerability in a medical device linked to a hospital’s electronic health record network, Lynette Sherrill, VA deputy director of health information security, tells Nextgov.
Because most medical device manufacturers do not have the know-how or tools to patch vulnerabilities in medical devices quickly, that “really brings about the potential for these devices to be the weakest link we have on the network…they can become a launching point for the rest of the network if they are exploited,” she said.
Many medical devices connected to VA networks are based on traditional operating systems, like Windows. “We’ve seen everything from CT scanners to MRI machines running Windows operating systems,” Sherrill said.
When a software vulnerability is discovered in your Windows computer or Apple iPhone, your machine can send an automatic update to fix…