In the healthcare industry, the majority of security efforts have focused on protecting patients’ electronic medical records and other important data. Not much attention has been paid to protecting medical devices, which are crucial to the health – and in fact life – of many patients.
Moreover, the last few years have seen devices such as pacemakers and insulin pumps connect to large healthcare networks to allow medical professionals to assess and adjust their functions remotely. The danger, says Andrew Sjöberg, Chief Technology Officer at DRS, a Cyber 1 company, is that these devices have found themselves on cyber criminals’ radars as a compelling target to steal personal data, or to use as a stepping stone to breach the provider’s network.
If an attacker compromises a single device, he could have access to the entire organisation, putting confidential and other valuable data at risk, Sjöberg says. “An even scarier thought is that a more morally bankrupt attacker could cause far greater problems than information theft. He or she could alter the device’s settings, disabling it totally, or affecting the way it works. This could be done for two reasons: a possible assassination attempt, or even as a means to extort the patient for a ransom. In either case, lives could be on the line.”
The first time this was a consideration was in 2013, when former US vice president Dick Cheney announced that his pacemaker’s Wi-Fi functionality had been switched off, due to fears it might be targeted by attackers in an assassination attempt. “Then more recently, the Food and Drug Administration in the US recalled six different varieties of pacemakers that had been implanted in nearly half a million people, due to the fact that attackers could change the patient’s heartbeat, or even run the batteries down.”
To date, Sjöberg says attacks on the healthcare sector have focused on monetary gain, but we need to seriously consider the possibility that they could be used to cause serious, physical harm. “Imagine the potential. Hackers could change a person’s blood type, or alter test results. The ensuing chaos and damage could be catastrophic.”
In the not-too-distant past, a hacker from the US showed how an insulin pump could be hacked remotely, delivering a fatal dose to a patient. “As implantable and digestible devices grow in popularity, the risks are bound to grow with them. Everything that connects to the Internet is a potential target or stepping stone for hackers.”
As attackers start to turn more attention to historically lackadaisical security on medical devices, defending these devices is becoming increasingly crucial. “Patients need to be protected to avoid hackers administering a lethal dose of insulin, or stopping a pacemaker. Moreover, these devices connect to a plethora of monitors and sensors, so their potential as a point of entry into the larger network needs to be halted too. It’s time healthcare organisations took security seriously, and started building it in from the ground up,” he concludes.