In my previous blog post, I discussed the need to evaluate the risks of the Internet of Things (“IoT”) for HIPAA compliance generally. In this post, we will get more specific on Medical Internet of Things (“MIoT”) risks.
A recent advisory by the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (“ICS-CERT”) provides an excellent example of the risks that may exist in one particular type of MIoT device: handheld medical devices.
The advisory details five vulnerabilities (listed below) that ICS-CERT identified in Roche Point of Care handheld medical devices. These vulnerabilities could allow a hacker to gain access to these devices, modify system settings to alter device functionality, and execute arbitrary code.
The vulnerabilities affect the following Roche Point of Care handheld medical devices:
- Accu-Chek Inform II (except Accu-Chek Inform II Base Unit Light and Accu-Chek Inform II Base Unit NEW with Software 04.00.00 or later).
- CoaguChek Pro II.
- CoaguChek XS Plus & XS Pro.
- Cobas h 232 POC.
- The related base units (BU), base unit hubs, and handheld base units (HBU) for the above devices.
Four vulnerabilities are rated high risk, and one has been rated medium risk. The four high-risk vulnerabilities are these:
- Improper access control vulnerability. An attacker in an adjacent network could execute arbitrary code on the system using a specially crafted message. This vulnerability affects the above devices with the exception of the CoaguChek XS Plus & XS Pro.
- Improper access control vulnerability that would allow an individual who has access to an adjacent network to change the configuration of instrumentation. This threat could be present on versions of all of the devices.
- Insecure permissions in a service interface that could allow unauthorized users in an adjacent network to execute arbitrary commands on operating systems. The vulnerability is present in older versions of Accu-Chek Inform II Base Unit / Base Unit Hub 9 and CoaguChek / cobas h232 Handheld Base Unit.
- A vulnerability in the software update mechanism that could be exploited by an attacker in an adjacent network to overwrite arbitrary files on the system using a specially crafted update package. The vulnerability is present in older versions of CoaguChek Pro II, XS Plus, XS Pro, and Cobas h 232.
The vulnerability rated medium severity is an improper authentication vulnerability involving the use of weak access credentials. An individual who has access to an adjacent network could gain service access to a vulnerable device through a service interface. It is present in Accu-Chek Inform II Base Unit / Base Unit Hub and CoaguChek / Cobas h232 Handheld Base Unit running 03.01.04 and earlier versions.
Roche has recommended mitigation procedures to reduce the risk of these vulnerabilities. Software updates to address the vulnerabilities were scheduled for release in November 2018. The mitigation recommendations are as follows:
- Restricting network and physical access to the devices and their attached infrastructure through the activation of device security features.
- Protecting vulnerable devices from unauthorized access, theft, and malicious software.
- Monitoring network infrastructure and system activity for suspicious activity.
See ICS-CERT Medical Advisory (ICSMA-18-310-01), Roche Diagnostics Point of Care Handheld Medical Devices (Update A) at https://ics-cert.us-cert.gov/advisories/ICSMA-18-310-01.
This example is not meant as a complete guide to the risks to these particular handheld devices. See the Medical Advisory immediately above for that guidance. And other risks certainly exist, such as the simple loss or theft of such a device. But this example is important in demonstrating the risks that may be inherent in these devices. And these devices are but one component of the universe of the MIoT.
Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at https://www.veteranspress.com/product/hipaa-risk-analysis-toolkit. Also, Jon Tomes presented a webinar last week on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at https://www.complianceiq.com/trainings/LiveWebinar/2255/how-to-do-a-hipaa-and-hitech-risk-analysis. Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on our Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. It will include the MIoT.
If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation. Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: https://www.veteranspress.com/product/basic-hipaa-training-video-dvd-workbook or https://www.veteranspress.com/product/online-hipaa-training-video-certification. Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at jon@veteranspress.com or 816-527-3858.
Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist.
If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.
As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts.
Check this blog for more on this area—that is, the risks inherent in the MIoT and possible security measures.