Tuesday, May 12, 2015

Securing insecure devices

I'll bet a lot of people have already read this post: http://boingboing.net/2015/05/07/drug-pump-is-most-insecure.html

It talks about one particular medical device that has practically no security: no passwords, telnet open by default, and a root shell once you are in. Yikes! For those not really into IT security, that's about as bad as it gets: anyone who can reach the device over the network can log in and control it.

It also talks about some other devices that are almost as bad. But in the medical space these devices are needed. If someone doesn't get the right dose of a drug they can die, and if this is the only machine available (I'm not saying it is), then until it is really fixed, patients and doctors unfortunately need to roll the dice and hope for the best. Sort of like we all do with identity theft every day, but that's a different story.

So what can CIOs and CISOs do to protect them? The short answer is get after the vendors, but in the real world that takes time, and honestly, a lot of the time IT just doesn't carry enough weight to overrule the medical professionals. As much as that's the right thing to do, it's not the effective thing to do.

Instead, secure the network and don't allow unauthorized machines to connect to these devices. Tools like Network Access Control (NAC) and network policy enforcement (VLAN segmentation, switch ACLs, firewall rules) have been around for years (decades in some cases) and let IT administrators and security teams restrict who can connect to these insecure devices and how.

For example, if people outside of IT shouldn't be allowed to telnet to the drug pump, the network can simply block that access, permitting only the one or two management hosts that legitimately need it. You can go a step further and log every denied attempt, then alert security to investigate who tried and why. A denied attempt means the control worked; an attempt that was allowed from somewhere it shouldn't have been means the policy has a gap and needs fixing.

If you are worried about someone unplugging the pump from the network and plugging it into their own switch to tamper with it, you can also monitor the device and alert when it goes offline. That's probably worth doing anyway, in case the device fails.
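To make the last two points concrete, here is an added example (my own illustration, not code from the original post or from any vendor) of the two checks described above: evaluating telnet and other connection attempts against the pump against an allow-list policy, and flagging a pump that has stopped answering its heartbeat. Every address, subnet, port, device name, interval and log line in it is a constructed assumption for the example; real deployments would pull the same information from their firewall or NAC logs and their monitoring system.

```python
"""Added example: a minimal network-policy monitor for an unmanaged device.

All constants and sample data below are constructed for illustration and
are not taken from the post or from any real hospital network.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re

# Assumed layout: the pump lives on a clinical VLAN; only one
# clinical-engineering jump host may reach its telnet port.
PUMP_IP = ip_address("10.20.5.17")
TELNET_PORT = 23
MGMT_HOSTS = [ip_network("10.20.1.10/32")]      # allowed to telnet to the pump
CLINICAL_VLAN = [ip_network("10.20.5.0/24")]     # allowed to talk to other ports
HEARTBEAT_EVERY = timedelta(seconds=60)          # assumed polling interval
OFFLINE_AFTER = 3 * HEARTBEAT_EVERY              # three missed polls -> alert


def allowed_sources(dport):
    """Which sources may reach the pump on a given destination port."""
    return MGMT_HOSTS if dport == TELNET_PORT else CLINICAL_VLAN


def is_authorized(src, dst, dport):
    """True if the flow is not aimed at the pump, or is permitted by policy."""
    if dst != PUMP_IP:
        return True
    return any(src in net for net in allowed_sources(dport))


# Constructed syslog-like line format: "<ts> ACCEPT|DENY proto=tcp src=.. dst=.. dport=.."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) proto=tcp "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def check_access_log(lines):
    """Return an alert for every flow to the pump that policy does not allow.

    A DENY means the ACL worked and we only want to know who tried (medium).
    An ACCEPT from a disallowed source means the ACL has a gap (high).
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        dport = int(m["dport"])
        if is_authorized(src, dst, dport):
            continue
        severity = "high" if m["action"] == "ACCEPT" else "medium"
        alerts.append({"ts": m["ts"], "src": str(src), "dport": dport,
                       "action": m["action"], "severity": severity})
    return alerts


def check_heartbeats(last_seen, now):
    """Map device name -> time since last successful poll, for devices past the threshold."""
    return {device: now - ts for device, ts in last_seen.items()
            if now - ts > OFFLINE_AFTER}


# Constructed sample data.
SAMPLE_LOG = [
    "2015-05-12T09:00:01 ACCEPT proto=tcp src=10.20.5.40 dst=10.20.5.17 dport=80",  # clinical peer, ok
    "2015-05-12T09:00:05 ACCEPT proto=tcp src=10.20.1.10 dst=10.20.5.17 dport=23",  # jump host, ok
    "2015-05-12T09:01:12 DENY proto=tcp src=10.30.7.22 dst=10.20.5.17 dport=23",    # blocked outsider
    "2015-05-12T09:02:44 ACCEPT proto=tcp src=10.30.7.22 dst=10.20.5.17 dport=23",  # ACL gap!
    "2015-05-12T09:03:00 ACCEPT proto=tcp src=10.30.7.22 dst=10.20.5.99 dport=23",  # not the pump
]
SAMPLE_NOW = datetime(2015, 5, 12, 9, 10, 0)
SAMPLE_LAST_SEEN = {
    "pump-icu-03": SAMPLE_NOW - timedelta(minutes=5),   # silent too long
    "pump-icu-04": SAMPLE_NOW - timedelta(seconds=45),  # still healthy
}

if __name__ == "__main__":
    for alert in check_access_log(SAMPLE_LOG):
        print("ACCESS ALERT", alert)
    for device, gap in check_heartbeats(SAMPLE_LAST_SEEN, SAMPLE_NOW).items():
        print(f"OFFLINE ALERT {device}: no heartbeat for {gap}")
```

Two design points worth noting. The allow-list is per destination port, so a clinical workstation can still use the pump's normal application traffic while telnet stays restricted to a single management host. And the severity split matters operationally: a steady trickle of denied attempts is a staffing and training question, whereas one allowed telnet session from an unexpected subnet means the network policy itself is wrong and should page someone.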

I think we need to stop throwing our hands up and saying "The device isn't secure, it's not fair" and instead look at what we can do today with existing technology. We can make things better, so don't give up.