IoT
IoT
Partner Perspectives  Connecting marketers to our tech communities.
Commentary
4/10/2015
09:55 AM
Liviu Arsene
Liviu Arsene
Partner Perspectives
Connect Directly
Google+
LinkedIn
Twitter
RSS
100%
0%

Hacking Vulnerable Medical Equipment Puts Millions at Risk

Hospitals and medical device manufacturers need to start doing more to detect and thwart incoming attacks on networks and devices.

Implantable medical devices are forecast to grow about 7.7% through 2015, and more than 2.5 million people already rely on them to keep various illnesses at bay, according to a study by Freedonia Group.

Medical equipment used to regulate medical conditions has already been deemed vulnerable in various proof-of-concepts, significantly increasing the risk of losing human lives to cyberattacks.

Lack of Basic Security

Today’s medical equipment supports everything from Wi-Fi to Bluetooth communication in the hopes of increasing the efficiency of the flow of patient information to medical staff. However, these devices are not properly secured, and most are shipped preconfigured with default passwords such as “password” or “admin,” making them worryingly easy to attack.

As part of its research, the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) cited 300 medical devices from 40 companies that had unchangeable passwords. If an attacker were to obtain a list of these passwords, he could theoretically log in and change critical settings, with unfortunate consequences.

Manufacturers that ship these devices are also having a hard time issuing security patches to OTS (off-the-shelf) software, as most medical equipment requiring a software upgrade needs to be resubmitted for FDA approval. Of course, a guidance document specifically states under which conditions a security patch can be issued without immediate FDA approval, but that’s still a long way from effectively and proactively updating medical devices across multiple hospitals and countries.

Hacking IMDs

Hacking an implantable medical device (IMD) is something that even the US Department of Homeland Security takes very seriously. In fact, the DHS has been actively investigating how and which medical devices could potentially be tampered with.

With more than 300,000 Americans receiving wireless IMDs each year, including pacemakers, neuro-stimulators, and drug delivery pumps, attackers could easily exploit existing OTS software vulnerabilities and literally hack the bodies of hundreds of thousands (if not millions) of people who rely on these devices to stay alive.

With the proliferation of IoT (Internet of Things) devices with what looks like any other IP address, it’s easy to imagine an attack scenario that might involve remotely taking control of an implanted defibrillator and rigging it to perform battery-draining tasks. The battery life needed to regulate heartbeats would easily be depleted, thus requiring medical intervention for replacement.

Even the communication technologies used by IMDs are sometimes not regulated and dangerously insecure. Advanced hacking tools and methodologies can easily take advantage of these poor security mechanisms and either change the default settings of such devices or deliver remote commands.

Incorporating computer technology into biological systems has its obvious benefits, giving doctors real-time patient information so they can adjust prescriptions or diagnose diseases. However, these devices could easily be vulnerable to critical attacks on either hospital network infrastructures that control and regulate a large number of them or on an individual device of interest.

Network-Enabled Hospital Equipment

Patients not wearing IMDs may still be at risk, even in the comfort of their trusted hospital ward. Network-enabled hospital equipment such as infusion pumps can be vulnerable to cyberattacks because of OTS software vulnerabilities.

The FDA has been particularly interested in improving the safety of infusion pumps after it reviewed several “software defects.” The Infusion Pump Improvement Initiative was specifically aimed at manufacturers to facilitate device improvements through software upgrades and to mitigate risks that might make them vulnerable to outside interventions (read: cyberattacks).

Although a far more likely scenario would be for a cybercriminal to attack a hospital’s Wi-Fi network (sometimes insanely easy to access) to gain access to all stored medical data, there’s still a chance that a specific lifesaving piece of equipment could be targeted.

A Tale of Caution and Opportunity

The FDA has already taken its first steps toward implementing OTS software security specifications to encourage faster mitigation of known security vulnerabilities affecting infusion pumps. It should continue supporting this program for all network-enabled medical equipment, as more than just infusion pumps require software scrutiny. However, the current previsioning process is lengthy and costly for manufacturers.

Perhaps a solution would be for the FDA to allow the involvement of seasoned security companies or security experts to expedite the update and forensics process by working directly with manufacturers and following up-to-date security best practices.

Hospitals should invest a lot more in IT infrastructure and adopt strict network policies regarding passwords, network policies, and privileges, along with layered security and firewall solutions, to detect and stop incoming attacks on local network infrastructures.

IMD and medical device manufacturers should also consider revising their software coding capabilities more assiduously, while working closely with security vendors in identifying possible security gaps and vulnerabilities.

Liviu Arsene is a senior e-threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
asksqn
50%
50%
asksqn,
User Rank: Ninja
4/27/2015 | 9:46:11 PM
Bueller...
HIPAA really needs to be amended to include mandatory security protocols for hospital networks/medical devices particularly since medical information is infinitely more profitable than credit cards and social security numbers are. Not to mention interfering with devices just for grins/gigs.
kstaron
50%
50%
kstaron,
User Rank: Ninja
4/24/2015 | 9:18:27 AM
Sounds like a plot of a thriller
Why am I envisioning a thriller where the villain hijacks a medical device of someone with high security clearance and threatens to meddle with it if they don't get the stuff they want?

While you mention it's much more likely that a hacker will go over the wi-fi network to get data, what is the actual likelihood of a hacker going after a particular medical device? Would it be a targeted attack on an individual or more random? And if it is targeted, are new security measures really going to stop a determined hacker?
Gary_EL
50%
50%
Gary_EL,
User Rank: Ninja
4/10/2015 | 1:35:22 PM
Tip of the iceberg
Although this is a particularly large, threatening tip. In the rush to implement the IOT and to exploit its great potential, the security issues are being largely ignored. If the trend continues, sooner rather than later there will be a tragedy.

 
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of August 21, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.