Are Hackers Eyeing Medical Devices?

As experts warn of future attacks, hospitals and manufacturers must search for solutions

A couple of years ago, Dr. David Klonoff (Medical Director at the Diabetes Research Institute of Mills-Peninsula Health Services) achieved the unthinkable. He convinced a group of doctors to care about cybersecurity.

Alarmed by stories of how insulin pumps can be hacked, Klonoff and his peers drafted the “DTS Cybersecurity Standard for Connected Diabetes Devices” through his nonprofit, the Diabetes Technology Society. It was a bold first step towards medical-device security standards. The goal, he said, was to “not only protect patients from hacking threats but also to provide consumers and regulators with the confidence needed to leverage the vast potential of the Internet of Medical Things in improving quality of life.”

Klonoff figured they had to start somewhere.

The Anthem hack (which compromised data for 78.8 million customers) woke the industry up to the black-market value of medical records, and to the lengths thieves will go to obtain them. A 2016 recap by the Identity Theft Resource Center found that healthcare suffered the most compromised records of any industry, for the second year in a row.

Now that we’re sufficiently freaked out by record theft, it’s time to heed Klonoff’s concerns and remind ourselves that the devices themselves are also in the crosshairs. This past October, Johnson & Johnson notified 114,000 patients that their Animas OneTouch Ping insulin pumps were vulnerable to hacking.

In a CNBC report that followed, Kevin Fu, Director of the Archimedes Center for Medical Device Security at the University of Michigan, stated: “Pretty much every device that has a computer in it is breakable.” Then he ominously added, “The dirty little secret is that most manufacturers did not anticipate the cybersecurity risks when they were designing them a decade ago, so this is just scratching the surface really.”

Add the outdated devices that populate any hospital, and the result is a medical IoT environment that is alarmingly exposed to attack. Meanwhile, the same CNBC story cites a Symantec study which found that less than 6% of healthcare IT budgets go to security.

Thus far, the FDA has issued nonbinding guidance rather than regulations. That guidance states that “manufacturers…should take steps to ensure appropriate safeguards” and that “hospitals…should evaluate their network security.”

Realistically, any future guidelines will need to dig into that second point. “Smart” medical devices with wireless connections, such as some pacemakers and drug pumps, must also be protected on the network side by analytics that detect anomalous activity quickly: a device that cannot be patched can still be caught the moment it starts behaving differently on the wire. This is critical, of course, because lives are on the line.

A recent feature in Wired magazine underscores the urgency to become proactive. Among their reported findings:

  • A study of new cardiac defibrillators exposed security flaws in 10 ICDs currently on the market
  • Another investigation found 36K+ healthcare-related devices in the U.S. listed on Shodan, a “search engine for connected devices”
  • A survey found that more than 3% of those exposed devices still ran Windows XP, which no longer receives security updates

One current type of attack, called MedJack, involves planting malware on medical devices so that it can “fan out across a network” to steal personal information and manipulate prescriptions. There is also a spate of ransomware attacks, including the February 2016 attack on Hollywood Presbyterian Medical Center, in which attackers encrypted files and disrupted emergency-room systems. (The hospital paid about $17,000 in bitcoin to regain access to its systems.)
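The network-side detection that the discussion of “smart” devices above calls for, and the “fan out across a network” behaviour just attributed to MedJack, can be illustrated with a small baseline-and-alert script. This is an added example, not code from the article or from any product or vendor it mentions; the device name pump-01, the addresses, ports and flow records are all constructed for the illustration.

```python
"""Added example, not code from the article or from any vendor it mentions: a
baseline-and-alert check for medical-device network flows.

Connected devices such as infusion pumps have very regular traffic: a few
peers, a few ports, a steady message size. Network-side analytics can use that
regularity: learn each device's normal peers from a clean window, then alert
when it starts contacting hosts it has never touched (the "fan out across a
network" behaviour the article attributes to MedJack) or when a single flow is
far larger than normal (a possible data theft). Device names, addresses, ports
and flow records are all constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # device name (constructed)
    dst: str      # destination IP (constructed)
    dport: int    # destination port
    nbytes: int   # bytes sent in the flow


def learn_baseline(flows):
    """Per device: the set of (dst, dport) peers seen and the mean bytes per flow."""
    peers = defaultdict(set)
    byte_sum = defaultdict(int)
    count = defaultdict(int)
    for f in flows:
        peers[f.src].add((f.dst, f.dport))
        byte_sum[f.src] += f.nbytes
        count[f.src] += 1
    return {dev: {"peers": peers[dev], "mean_bytes": byte_sum[dev] / count[dev]}
            for dev in peers}


def detect(flows, baseline, fanout_threshold=3, volume_factor=10):
    """Return alert strings for flows that deviate from the learned baseline.

    NEW_PEER        device contacted a (dst, port) absent from its baseline
    FAN_OUT         device reached >= fanout_threshold new peers (lateral movement)
    VOLUME          one flow carried > volume_factor x the device's mean bytes
    UNKNOWN_DEVICE  traffic from a source with no baseline at all
    """
    alerts = []
    new_peers = defaultdict(set)
    for f in flows:
        b = baseline.get(f.src)
        if b is None:
            alerts.append(f"UNKNOWN_DEVICE {f.src} -> {f.dst}:{f.dport}")
            continue
        if (f.dst, f.dport) not in b["peers"]:
            new_peers[f.src].add((f.dst, f.dport))
            alerts.append(f"NEW_PEER {f.src} -> {f.dst}:{f.dport}")
        if f.nbytes > volume_factor * b["mean_bytes"]:
            alerts.append(f"VOLUME {f.src} -> {f.dst}:{f.dport} {f.nbytes}B")
    for dev, peers in new_peers.items():
        if len(peers) >= fanout_threshold:
            alerts.append(f"FAN_OUT {dev} contacted {len(peers)} new peers")
    return alerts


# Constructed "clean week": the pump only talks to its gateway and an NTP server.
BASELINE_FLOWS = [Flow("pump-01", "10.20.0.5", 443, 512) for _ in range(50)] + \
                 [Flow("pump-01", "10.20.0.9", 123, 512) for _ in range(10)]

# Constructed suspicious window: normal gateway traffic, then SMB probes to
# three neighbouring hosts, then a large upload to an external address.
SUSPECT_FLOWS = [
    Flow("pump-01", "10.20.0.5", 443, 512),
    Flow("pump-01", "10.20.1.10", 445, 300),
    Flow("pump-01", "10.20.1.11", 445, 300),
    Flow("pump-01", "10.20.1.12", 445, 300),
    Flow("pump-01", "203.0.113.7", 443, 800_000),
]


def run_example():
    """Learn from the clean window, then score the suspicious one."""
    baseline = learn_baseline(BASELINE_FLOWS)
    return detect(SUSPECT_FLOWS, baseline)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Run as-is, the suspicious window produces four NEW_PEER alerts, one VOLUME alert for the external upload and one FAN_OUT alert for pump-01, while the clean window produces none. The point for a hospital is that this kind of check needs no change to the device itself, which matters when the device runs an operating system that no longer receives patches; the cost is that legitimate changes (a firmware update server, a relocated gateway) must be added to the baseline or they will alert too.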

To stop these stealthy attacks, medical and healthcare organizations need fast and accurate detection, along with a clear picture of the attack path so that the next intrusion can be prevented. The right investment protects patients’ lives, and it protects the organization from liability and malpractice claims. Cybersecurity is no longer an option; it’s a necessity.