How Heartbleed Affects Medical Devices

Security Expert Explains Risk Mitigation

By , May 2, 2014.

One of the biggest misunderstandings about the Heartbleed bug in the healthcare sector is that it only affects websites and Web servers. In fact, medical devices are also exposed to the vulnerability, says security expert Mike Ahmadi.

"Anything that has the affected versions of OpenSSL/TLS installed on it - that means any medical device, any medical system, MRI, server, any handheld devices that are on a healthcare network - is affected," explains Ahmadi, global director of medical security at Codenomicon, the software testing firm that was one of the two teams to independently discover the Heartbleed bug.

"The problem right now is that many healthcare organizations are not fully aware of how many devices are actually affected by the bug," he says in an interview with Information Security Media Group. For example, they may not realize that some devices have an embedded version of OpenSSL, he says.

"The biggest risk right now is that healthcare organizations are unaware of how affected they are," he says. "And once they do discover that, it's not as simple as issuing a patch because the devices have to take care of patients and work all the time.

"Sometimes when you patch something, like an operating system on a computer, sometimes that computer doesn't reboot," he explains. "That happens all the time. But if that happens in the patch of a medical device, that means it puts patients at risk." As a result, healthcare organizations must take "the additional step of validating that the patch itself will not cause a new issue," he says.

One way healthcare organizations can identify the devices at risk from Heartbleed is to perform a static binary analysis of device firmware and software with a free tool available from Codenomicon; detection tools are also available from other organizations, he says.

"Anything that's running any kind of communication stack really should be checked," he points out. "And unfortunately, in the hospital space, that's a lot of devices."
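The static check the article describes can be illustrated with a small script. This is an added example, not part of the article and not Codenomicon's tool: it reads a firmware image or shared library, looks for the version banner that OpenSSL embeds in libssl and libcrypto (and that user agents such as curl repeat), and classifies each hit against the Heartbleed range, OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 (CVE-2014-0160). The firmware bytes in `SAMPLE_FIRMWARE` are constructed for the demonstration. A version string is a triage signal, not proof: some vendors backport the fix without changing the banner, and a device that carries a vulnerable library may not expose the heartbeat extension on the network, so every hit still needs confirmation against the vendor's advisory or an active heartbeat test before the patch-validation work the article describes begins.

```python
"""Static triage for embedded OpenSSL: find version banners in a binary image and
flag the Heartbleed range (CVE-2014-0160). Added example, not Codenomicon's tool."""
import re
import sys

# OpenSSL embeds a banner like "OpenSSL 1.0.1e 11 Feb 2013" in libssl/libcrypto,
# and user agents such as curl report "OpenSSL/1.0.1e"; match both spellings.
VERSION_RE = re.compile(rb"OpenSSL[ /](\d+\.\d+\.\d+[a-z]*(?:-beta\d+)?)")


def is_heartbleed_version(version: str) -> bool:
    """True if this OpenSSL release shipped the unbounded heartbeat copy."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", version)
    if m is None:
        raise ValueError(f"not an OpenSSL version string: {version!r}")
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if branch == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g (7 Apr 2014) fixed it.
        return beta is None and letter <= "f"
    if branch == (1, 0, 2):
        # Only the first 1.0.2 beta carried the bug; beta2 and later are fixed.
        return letter == "" and beta == "1"
    # 0.9.8 and 1.0.0 predate the heartbeat extension and are not affected.
    return False


def scan_blob(blob: bytes) -> list:
    """Return every OpenSSL banner in the blob with its offset and verdict."""
    findings = []
    for m in VERSION_RE.finditer(blob):
        version = m.group(1).decode("ascii")
        findings.append({
            "offset": m.start(),
            "version": version,
            "vulnerable": is_heartbleed_version(version),
        })
    return findings


def scan_file(path: str) -> list:
    """Scan a firmware image, executable or shared library on disk."""
    with open(path, "rb") as fh:
        return scan_blob(fh.read())


# Constructed stand-in for a firmware image: an ELF-looking header, two library
# banners and a curl user-agent string. Not taken from any real device.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
    + b"\x00" * 8
    + b"OpenSSL 0.9.8y 5 Feb 2013\x00"
    + b"libcurl/7.26.0 OpenSSL/1.0.1e zlib/1.2.7\x00"
)


def report(findings: list) -> str:
    """Human-readable summary; 'CHECK' means confirm with the vendor, not 'exploitable'."""
    lines = []
    for f in findings:
        verdict = "CHECK (Heartbleed range)" if f["vulnerable"] else "ok"
        lines.append(f"0x{f['offset']:08x}  OpenSSL {f['version']:<12} {verdict}")
    return "\n".join(lines) or "no OpenSSL banner found"


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan each file given.
    paths = sys.argv[1:]
    if not paths:
        print(report(scan_blob(SAMPLE_FIRMWARE)))
    for p in paths:
        print(f"== {p}")
        print(report(scan_file(p)))
```

Run it against an extracted firmware root (for example every file under `lib/` and `usr/lib/`) rather than a single binary, since the banner lives in libcrypto, and statically linked applications carry their own copy that a package inventory will not show.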

In the interview, Ahmadi also discusses:

  • How the recent Internet Explorer vulnerability potentially puts medical devices at risk;
  • Steps healthcare organizations can take to mitigate cybersecurity risks to medical devices;
  • The biggest risks to medical devices running Microsoft's Windows XP operating system, which is no longer supported by the vendor;
  • The biggest emerging cybersecurity threats facing medical devices.

Ahmadi is the global director of medical security at Codenomicon, a firm that tests software for its security robustness. He has extensive background in project management and information systems for projects addressing cybersecurity in multiple industries, including energy, industrial automation and healthcare. He serves as a member of the Medical Device Innovation, Safety, and Security Consortium and is a member of the Association for the Advancement of Medical Instrumentation (AAMI) Medical Device Security Working Group and Wireless Strategy Task Force. He also serves on the U.S. Secret Service Electronic Crimes Task Advisory Board.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec
