"The vendors are trying to aggregate as much information as they can electronically," Gostomelsky says. "Obviously, security is not their first concern. They're trying to be the first to market."
To make matters worse, the hospital has some unique challenges when it comes to locking things down.
"A hospital network is filled with HIPAA information and data," Gostomelsky says. "But in a hospital, you have a large number of workstations that can't be locked [when someone isn't using them]. They're connected to things like crash carts that allow doctors or nurses to type in a password or scan a thumbprint and grab whatever drugs they need for a patient in an emergency."
It's not only up to the hospitals
Hospitals can do more to secure their environments, he says. They can do a better job of segmenting their networks with VLANs, and they can deploy intrusion detection. But fundamentally, he says, the onus will rest on device manufacturers to get their houses in order.
"Hospitals don't necessarily have a huge IT budget," Gostomelsky says. "Their focus is on buying medical equipment, paying doctors and delivering the best patient experience. Hospitals alone cannot solve the problem. Anything they're trying to fix is an afterthought. Device manufacturers who actually create the medical devices need to have comprehensive testing. They need to build more secure devices."
Getting there, he believes, is going to take the development of industry standards.
"It's only a matter of time," he says. "If the industry doesn't create standards, the FDA will step in. If we don't do it ourselves, the government will set standards and we may not like the results."
What hospitals can do, though, is put pressure on medical device makers to create standards and certify their adherence to those standards.
"Hospitals need to require certified devices," he says. "I think that will drive the industry. People have reported vulnerabilities to medical devices before, sometimes over several years, and they have not been fixed. They simply don't have the pressure on them to secure the device."
As an example he points to a penetration test he performed several months ago in which he discovered a medical device used by a Philadelphia hospital was operating on a radio frequency outside the ISM band reserved for industrial, scientific or medical purposes other than telecommunications.
"The frequency they chose was way too close to the frequency used by the Philadelphia Fire Department," Gostomelsky says. "Every time the fire department used that frequency, it jammed the device and reset it. It violated laws and went against best practices."
"Good decision-making starts right at purchasing," he adds. "Hospital CIOs need to demand to know whether the device passed security testing — independent security testing by a reputable organization."
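The frequency problem above is the kind of thing a buyer can screen for before a device is on the ward. The following is an added example, not code from the article or from any device vendor or hospital it describes: given the frequency a device claims to operate on, it reports whether that frequency sits inside an ITU ISM band, how far it is from the nearest ISM band, and whether it falls within a guard margin of any other allocation the buyer knows about. The ISM band table is the ITU one; the list of local allocations and the 1 MHz guard margin are constructed for illustration and are not the Philadelphia Fire Department's actual channels.

```python
"""Pre-purchase RF sanity check for a wireless medical device (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# ITU ISM bands as (label, lower MHz, upper MHz). The 433 MHz and 915 MHz
# bands are regional (ITU Region 1 and Region 2 respectively).
ISM_BANDS_MHZ = [
    ("6.78 MHz", 6.765, 6.795),
    ("13.56 MHz", 13.553, 13.567),
    ("27.12 MHz", 26.957, 27.283),
    ("40.68 MHz", 40.66, 40.70),
    ("433 MHz (Region 1)", 433.05, 434.79),
    ("915 MHz (Region 2)", 902.0, 928.0),
    ("2.4 GHz", 2400.0, 2500.0),
    ("5.8 GHz", 5725.0, 5875.0),
    ("24 GHz", 24000.0, 24250.0),
]

# Constructed sample of "other allocations the buyer knows about", e.g. local
# public-safety radio. These ranges are illustrative, not real assignments.
LOCAL_ALLOCATIONS_MHZ = [
    ("constructed public-safety block A", 453.0, 454.0),
    ("constructed public-safety block B", 460.2, 460.6),
]

_UNIT_TO_MHZ = {"hz": 1e-6, "khz": 1e-3, "mhz": 1.0, "ghz": 1e3}


def parse_mhz(text: str) -> float:
    """Parse strings like '2.45 GHz', '915000 kHz' or '433.92MHz' into MHz."""
    m = re.fullmatch(r"\s*([0-9]+(?:\.[0-9]+)?)\s*([kKmMgG]?[hH][zZ])\s*", text)
    if not m:
        raise ValueError(f"unparseable frequency: {text!r}")
    return float(m.group(1)) * _UNIT_TO_MHZ[m.group(2).lower()]


@dataclass
class RfFinding:
    freq_mhz: float
    ism_band: str | None          # ISM band containing the frequency, if any
    nearest_ism: str              # closest ISM band (same as ism_band when inside)
    nearest_ism_gap_mhz: float    # 0.0 when inside an ISM band
    conflicts: list[str] = field(default_factory=list)  # allocations within guard


def check_frequency(freq: str, local_allocations=LOCAL_ALLOCATIONS_MHZ,
                    guard_mhz: float = 1.0) -> RfFinding:
    """Classify a claimed operating frequency against ISM and known allocations."""
    f = parse_mhz(freq)
    in_band = None
    nearest, nearest_gap = ISM_BANDS_MHZ[0][0], float("inf")
    for name, lo, hi in ISM_BANDS_MHZ:
        if lo <= f <= hi:
            in_band, gap = name, 0.0
        else:
            gap = min(abs(f - lo), abs(f - hi))
        if gap < nearest_gap:
            nearest, nearest_gap = name, gap
    # Flag anything the device would sit on top of, or within the guard margin of.
    conflicts = [name for name, lo, hi in local_allocations
                 if lo - guard_mhz <= f <= hi + guard_mhz]
    return RfFinding(f, in_band, nearest, nearest_gap, conflicts)


def verdict(finding: RfFinding) -> str:
    """One-line procurement verdict for a finding."""
    if finding.conflicts:
        return "REJECT: overlaps " + ", ".join(finding.conflicts)
    if finding.ism_band is None:
        return (f"REVIEW: outside ISM, nearest band {finding.nearest_ism} "
                f"is {finding.nearest_ism_gap_mhz:.2f} MHz away")
    return f"OK: inside ISM band {finding.ism_band}"


if __name__ == "__main__":
    for claimed in ("2.45 GHz", "453.5 MHz", "915000 kHz", "461.0 MHz"):
        print(claimed, "->", verdict(check_frequency(claimed)))
```

Run it with the vendor's stated centre frequency; a REVIEW or REJECT result is a question to put to the manufacturer before signing, not proof of a violation, since regional allocations and licensed operation differ.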