In its alert "Attack Surface: Healthcare and Public Health Sector," DHS says medical devices that connect to IT networks may pose a threat to security. Find the entire PDF here (download and read it).
The protection of networked MDs can best be implemented in a layered security approach using the suggested following best practices:
• Purchasing only those networkable medical devices which have well documented and fine-grained security features available, and which the Medical IT network engineers can configure safely on their networks.
• Including in purchasing vehicles vendor support for ongoing firmware, patch, and antivirus updates where they are a suitable risk mitigation strategy.
• Operating well maintained external facing firewalls, network monitoring techniques, intrusion detection techniques, and internal network segmentation, containing the medical devices, to the extent practical.
• Configuring access control lists (ACL) on these network segments so only positively authorized accounts can access them.
• (U) Establishing strict policies for the connection of any networked devices, particularly wireless devices, to Health Information Network (HIN) including; laptops, tablets, USB devices, PDAs, smartphones, etc. such that no access to networked resources is provided to unsecured and/or unrecognized devices.
• Establishing policies to maintain, review, and audit network configurations as routine activities when the Medical IT network is changed.
• Using the principle of least privilege to decide which accounts need access to specific medical device segments, rather than providing access to the whole network.
• (U) Implementing safe and effective, but legal patch and software upgrade policies for Medical IT networks which contain regulated medical devices.
• (U) Securing communications channels, particularly wireless ones, by the use of encryption and authentication at both ends of a communication channel.
• (U) Having and enforcing password policies to protect patient information.