Implantable medical devices are forecast to grow about 7.7% through 2015, and more than 2.5 million people already rely on them to keep various illnesses at bay, according to a study by Freedonia Group.
Medical equipment used to regulate medical conditions has already been deemed vulnerable in various proof-of-concepts, significantly increasing the risk of losing human lives to cyberattacks.
Lack of Basic Security
Today’s medical equipment supports everything from Wi-Fi to Bluetooth communication in the hopes of increasing the efficiency of the flow of patient information to medical staff. However, these devices are not properly secured, and most are shipped preconfigured with default passwords such as “password” or “admin,” making them worryingly easy to attack.
As part of its research, the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) cited 300 medical devices from 40 companies that had unchangeable passwords. If an attacker were to obtain a list of these passwords, he could theoretically log in and change critical settings, with unfortunate consequences.
Manufacturers that ship these devices are also having a hard time issuing security patches to OTS (off-the-shelf) software, as most medical equipment requiring a software upgrade needs to be resubmitted for FDA approval. Of course, a guidance document specifically states under which conditions a security patch can be issued without immediate FDA approval, but that’s still a long way from effectively and proactively updating medical devices across multiple hospitals and countries.
Hacking an implantable medical device (IMD) is something that even the US Department of Homeland Security takes very seriously. In fact, the DHS has been actively investigating how and which medical devices could potentially be tampered with.
With more than 300,000 Americans receiving wireless IMDs each year, including pacemakers, neuro-stimulators, and drug delivery pumps, attackers could easily exploit existing OTS software vulnerabilities and literally hack the bodies of hundreds of thousands (if not millions) of people who rely on these devices to stay alive.
With the proliferation of IoT (Internet of Things) devices with what looks like any other IP address, it’s easy to imagine an attack scenario that might involve remotely taking control of an implanted defibrillator and rigging it to perform battery-draining tasks. The battery life needed to regulate heartbeats would easily be depleted, thus requiring medical intervention for replacement.
Even the communication technologies used by IMDs are sometimes not regulated and dangerously insecure. Advanced hacking tools and methodologies can easily take advantage of these poor security mechanisms and either change the default settings of such devices or deliver remote commands.
Incorporating computer technology into biological systems has its obvious benefits, giving doctors real-time patient information so they can adjust prescriptions or diagnose diseases. However, these devices could easily be vulnerable to critical attacks on either hospital network infrastructures that control and regulate a large number of them or on an individual device of interest.
Network-Enabled Hospital Equipment
Patients not wearing IMDs may still be at risk, even in the comfort of their trusted hospital ward. Network-enabled hospital equipment such as infusion pumps can be vulnerable to cyberattacks because of OTS software vulnerabilities.
The FDA has been particularly interested in improving the safety of infusion pumps after it reviewed several “software defects.” The Infusion Pump Improvement Initiative was specifically aimed at manufacturers to facilitate device improvements through software upgrades and to mitigate risks that might make them vulnerable to outside interventions (read: cyberattacks).
Although a far more likely scenario would be for a cybercriminal to attack a hospital’s Wi-Fi network (sometimes insanely easy to access) to gain access to all stored medical data, there’s still a chance that a specific lifesaving piece of equipment could be targeted.
A Tale of Caution and Opportunity
The FDA has already taken its first steps toward implementing OTS software security specifications to encourage faster mitigation of known security vulnerabilities affecting infusion pumps. It should continue supporting this program for all network-enabled medical equipment, as more than just infusion pumps require software scrutiny. However, the current previsioning process is lengthy and costly for manufacturers.
Perhaps a solution would be for the FDA to allow the involvement of seasoned security companies or security experts to expedite the update and forensics process by working directly with manufacturers and following up-to-date security best practices.
Hospitals should invest a lot more in IT infrastructure and adopt strict network policies regarding passwords, network policies, and privileges, along with layered security and firewall solutions, to detect and stop incoming attacks on local network infrastructures.
IMD and medical device manufacturers should also consider revising their software coding capabilities more assiduously, while working closely with security vendors in identifying possible security gaps and vulnerabilities.Liviu Arsene is a senior e-threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and ... View Full Bio