VA reports success in thwarting infiltration of networked medical devices
The VA has about 65,000 medical devices on its network, and they are especially vulnerable to malware because they can last for years longer than their underlying software and operating systems.
The number of infected medical devices reported by the Department of Veterans Affairs is steadily ticking down. The agency was dealing with 13 infected devices in January, nine in February, and seven in March. In April, that number dropped to four, according to the VA's latest information security report. The VA has about 65,000 medical devices on its network.
The key to getting that number down is teamwork between facility CIO staff and biomedical workers, said Steph Warren, acting CIO at the VA. "We've knitted that together pretty tightly. It's something I talk about on my site visits with medical center leadership," Warren said.
Medical devices are especially vulnerable to infection. They are durable and can last for years or even decades longer than their underlying software and operating systems. The VA, like most other large medical systems, has a large number of devices that run Windows XP, which is out of support. Additionally, the internal software of devices can be hard to update, even when manufacturers make security updates available.
At VA, Warren said, there is a "commitment to getting [XP-based devices] out of the enterprise." However, that is a long-term project. In the short term, protecting medical devices is a matter of cyber hygiene. Warren said that a key is making sure the technicians who operate the devices are careful with the USB drives that are used to move data from machines to computer networks. The practice at VA is to use laptops to scan for possible malicious software on medical devices, and local tech staffers have to take care that those machines aren't being used to surf the Internet.
The key was "putting the controls and disciplines in place to make sure that people are not doing the silly things that end up causing significant damage to these medical devices," Warren said.
Overall, intrusion attempts were down slightly across VA networks, with significant drops in the number of malware blocks and suspicious email blocks from March to April. Warren credits the drop to the increased use of Einstein 3, the network perimeter blocking system operated by the Department of Homeland Security.