Patch Released for “Smart Car” Security Flaw – Considerations for Medical Devices

A patch has been released for the security flaw recently identified in certain computerized vehicles, which potentially allows outside attackers to control critical functions of the car.

Workers in the healthcare field should be familiar with similar scenarios for medical devices, where a flaw may likewise endanger customers’ lives. As with ordinary computers, a medical device may require security updates to its operating system or to the programs installed on it.

Patching medical devices should only be performed by, or under the supervision of, the security and compliance officer, including any Business Associates enlisted to handle it on the practice’s behalf. Policies and procedures vary from practice to practice, but in general the following steps should be involved:

– Register to receive automatic alerts/notifications whenever a patch is released.
– Assess the criticality of each device, including the sensitivity of the data it handles, for instance based on the three classes of regulatory control.
– Perform a cost/benefit evaluation for each installation, and prioritize critical security updates.
– Back up all data on affected devices before rollout; consider creating system restore points (if available) and disconnecting other devices until the patch process is complete.
– Scan the devices for viruses/malware; anything detected may require reformatting the device before continuing.
– Installation may be delivered over the network or through removable media such as USB; in either case the files involved must be authenticated before they are applied.
– Test functionality after installation, including software validation steps.
– Complete the documentation in your records according to the practice’s change management policies.
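The authentication step above is the one most often skipped when a patch arrives on a USB stick. The script below is an added example, not code from the article or from any device manufacturer: it assumes the vendor publishes a manifest of SHA-256 digests for each patch file (obtained separately from the medium carrying the patch, for instance from the manufacturer’s support portal), hashes the file, compares the digest, and produces the change-management record the documentation step calls for. The manifest format, file name and payload bytes are constructed for illustration.

```python
"""Authenticate a medical-device patch file before installation.

Added example (not from the article): the vendor is assumed to publish a
manifest of SHA-256 digests per patch file. The manifest layout, file name
and payload bytes below are constructed for illustration only.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample: the bytes the vendor actually shipped.
GOOD_PATCH = b"DEVICE-FW v2.1.4 security update (constructed sample payload)\n"
# Constructed sample: the same file with a few bytes altered, as it might
# arrive on a spoofed or infected USB stick.
TAMPERED_PATCH = GOOD_PATCH.replace(b"v2.1.4", b"v2.1.5")

# Constructed vendor manifest. In practice this is fetched out-of-band
# (e.g. from the manufacturer's portal over TLS), never read from the same
# removable medium as the patch, or an attacker could supply both.
PATCH_NAME = "infusion-pump-fw-2.1.4.bin"  # hypothetical file name
VENDOR_MANIFEST = {
    PATCH_NAME: hashlib.sha256(GOOD_PATCH).hexdigest(),
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an in-memory patch, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_patch(data: bytes, filename: str, manifest: dict) -> bool:
    """True only if the file is listed in the manifest and its digest matches."""
    expected = manifest.get(filename)
    if expected is None:
        return False  # unknown file: refuse to install rather than guess
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(sha256_hex(data), expected.lower())


def verify_patch_file(path: Path, manifest: dict) -> bool:
    """Filesystem variant: hash a file on the removable medium in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    expected = manifest.get(path.name)
    return expected is not None and hmac.compare_digest(h.hexdigest(), expected.lower())


def change_record(filename: str, verified: bool, operator: str) -> dict:
    """Entry for the practice's change-management log (documentation step)."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "file": filename,
        "sha256_verified": verified,
        "decision": "installed" if verified else "rejected",
        "operator": operator,
    }


if __name__ == "__main__":
    for label, data in (("good", GOOD_PATCH), ("tampered", TAMPERED_PATCH)):
        ok = verify_patch(data, PATCH_NAME, VENDOR_MANIFEST)
        print(label, json.dumps(change_record(PATCH_NAME, ok, "security officer")))
```

A digest check only proves the file matches what the vendor listed; if the manufacturer signs its patches, verifying that signature with the vendor’s published key is the stronger check and should be done in addition. Either way, a failed check should end in a logged rejection, not a retry from a different stick.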

The practice’s security staff should actively scan and test devices to identify unreported risks, and end users should report discrepancies in operating performance, which often indicate a breach or malware. Many active medical devices run outdated or unsupported operating systems yet are otherwise fully operational and too expensive to upgrade or replace within the firm’s budget. Not all manufacturers provide ongoing support, and legal regulations may restrict end users from modifying certain categories of medical devices; in such situations the practice may consider keeping those devices offline as much as possible.

In terms of the current “Smart Car” recall, please visit the following page to find out if your vehicle is affected:

This patch can be downloaded to a USB drive, or you may opt to receive one by postal delivery at the address on the registration. If you are not confident about performing this procedure yourself, you may bring your vehicle to a dealer for professional service. Experts are raising concerns about potential scams, in which someone could send malware claiming to be from a legitimate dealership. Flash drives are a common source of computer viruses in general, and in theory an owner could unknowingly infect his or her own car, which is shaping up to be an ongoing concern.

The above article is for informational purposes only and not to be construed as instruction or legal advice. Please consult with your attorneys about any fact-specific legal situation.
