Cyber attacks seem to make headlines with ever-increasing frequency. Hacking into websites, payment systems, and the like seems to be common. However, a new threat is emerging – the ability to hack into patients’ medical devices and diagnostic systems.
Security researchers Scott Erven and Mark Collao recently found that a “very large” number of medical systems, including cardiology, infusion systems, pacemakers, MRI scanners, among others, were vulnerable to computer hacking. Erven observed that, “Once we start changing [search terms] to target speciality clinics like radiology or podiatry or pediatrics, we ended up with thousands with misconfiguration and direct attack vectors. Not only could your data get stolen but there are profound impacts to patient privacy.” It seems like the vulnerabilities are infinite.
As part of their research, Erven and Collao laid out some “bait honeypots” in order to see if “real life” medical devices would actually be attacked. Sure enough, thousands of attackers logged into the software running the devices and some even completely disabled the devices. Collao reported that, “[The hackers] come in, do some enumeration, drop a payload for persistence and connect to a command and control server.” Scary stuff.
Some people take this seriously: a former United States Vice President revealed that in 2007 he asked doctors (and engineers) to disable the wireless capability of his implanted heart device. He was afraid that “a sophisticated attacker might wirelessly access the device, reprogram it, and . . . kill [him].”
Many experts believe that the healthcare industry is not ready to deal with the risk. They are hoping to fix that. Kevin Fu, a professor in electrical engineering and computer science at the University of Michigan, works with manufacturers to improve the safety of medical devices.
Fu points out that many manufacturers are starting to wake up to the threat and have “started security engineering programs within their companies.” He notes, however, that “While these early adopters are making great strides, many manufacturers are still playing catch up.”
For example, some specialists seem to believe that the chance of an imminent attack is remote. Richard Schilling, a cardiologist at the Bart’s Heart Center in London, quips that “The potential downsides are so small it would seem excessive to raise the prices of the devices, depriving some patients of their benefits, because of what I think is an unreasonable fear.”
It is likely that automakers felt the same way at one point. Fu notes that for years he wondered what would happen first – “a cybersecurity recall of a medical device or a car.” He stated that, “The medical device community should consider itself lucky that the automotive community has earned the dubious honor of having the first cybersecurity-only recall.” He also pointed out that it was “just a matter of time before some medical device company will receive a painful, late-night phone call.”