Ivenix: Addressing Cybersecurity in Infusion Devices

As medical devices become more connected, they are more vulnerable to hackers who may wish
to compromise or control that device, or even use it as an entry point to more broadly attack the healthcare network. These concerns are getting increasing attention in the media, the FDA, and within the U.S. federal government. For example, in 2014, the Department of Homeland Security (DHS) began investigating 24 cases of suspected cyber security flaws in medical devices and hospital equipment. This included a review by DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of security flaws reported in existing infusion pumps and backend infusion management systems. These investigations revealed security vulnerabilities that, in some cases, allowed the devices to be reprogrammed through a cyber-attack.

In May 2015, TrapX Security, a cybersecurity research firm, published a report entitled Anatomy of an Attack – MEDJACK (Medical Device Hijack). The study begins by stating, “Medical Devices have become the key pivot point for attackers within healthcare networks. They are visible points of vulnerability in the healthcare enterprise and the hardest area to remediate even when attacker compromise is identified. These persistent cyber-attacks threaten overall hospital operations and the security of patient data”.