No manufacturer, hospital, medical facility or consumer wants to experience the nightmare of hacked medical devices. If we don’t beef up the security game soon—the bad guys will be snacking on Kobe Filet while the rest of us choke down skirt steak.
This year, Johnson & Johnson became the first medical device manufacturer to warn consumers about medical device vulnerabilities when the company disclosed the Animas OneTouch Ping Insulin pump could be hacked.
Hacked medical devices gaining traction
During the summer of 2013, the U.S. Food and Drug Administration (FDA) warned medical device makers and medical facilities to upgrade their security protections against potential cybersecurity threats that could compromise the devices or patient privacy.
“Over the past year, we’ve become increasingly aware of cyber security vulnerabilities in incidents that have been reported to us,” William Maisel, deputy director for science at the FDA’s Center for Devices and Radiological Health, told Reuters. “Hundreds of medical devices have been affected, involving dozens of manufacturers . . . many were infected by malicious software, or malware.”
According to a recent study from researchers at KU Leuven, the University of Birmingham and two other institutions in Europe, Implantable Medical Devices (IMDs) and Implantable Cardioverter Defibrillators (ICDs) are vulnerable to denial-of-service attacks.
“Our work revealed serious protocol and implementation weaknesses on widely used ICDs, which lead to several active and passive software radio-based attacks that we were able to perform in our laboratory,” the researchers explained.
The researchers also discovered that proprietary protocols (where they had no prior knowledge or documentation) could potentially be reverse-engineered by a weak adversary without the adversary needing physical access to the devices.
Medical device attacks
According to this infographic on protecting healthcare IoT applications, 94 percent of healthcare organizations have been the victim of a cyberattack, and 38 percent of patients would be wary of using a hospital associated with a hacked device. Key vulnerabilities include patient data theft, therapy manipulation and malware.
Arxan, a global leader in application attack-prevention for mobile and IoT, says “no platform is immune to threats.”
Threat vectors are constantly evolving and attacks at the application level are prevalent with increasing frequency, sophistication and severity.
Arxan’s Top Medical Device Application Risks:
- Code Analysis: Malicious actors can examine the medical device application code, either statically (for example, as disassembled code) or dynamically (while the program is executing). Such analysis enables the adversary to understand how the internal algorithms work, discover sensitive information, and pinpoint vulnerabilities.
- Intellectual Property (IP) Theft: Attacks on medical device applications can be designed to extract sensitive information and steal copyrighted material or proprietary algorithms.
- Cryptographic Key Theft: Cryptographic keys are at the core of all security systems that deal with encrypted data. If hackers can locate keys in the code or medical device memory, they can completely circumvent or remove the security features and gain unauthorized access to the medical device.
- Tampering: Adversaries can install malicious code or modify controls, causing the program to malfunction, jeopardizing patient safety and compromising sensitive data.
- Malware Injection: Unprotected applications are exposed to malware insertion that can result in privacy breaches, performance loss, unauthorized remote control, and unintended medical device operation.
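The three list items on key theft, tampering and malware injection share one mitigation that a device maker controls: the device should only ever hold a pinned public key, and should refuse any firmware image that does not carry a valid manufacturer signature or that would roll the device back to an older version. The following Go program is an added illustration of that check; it is not Arxan's code or any manufacturer's update mechanism. The update layout (a 32-bit version, the image, and a detached Ed25519 signature over the version plus a SHA-256 of the image), the `SignUpdate` and `VerifyUpdate` functions, and the constructed key pair and image bytes are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is the unit a device would receive over its update channel.
// Layout assumed for this example: a version number, the image bytes, and a
// detached Ed25519 signature over (version || SHA-256(image)).
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("firmware signature does not verify")
	ErrRollback     = errors.New("firmware version older than installed version")
)

// signedDigest builds the exact bytes that are signed and later verified.
// Binding the version into the signed data stops an attacker from re-labelling
// a genuine old image as a newer one.
func signedDigest(version uint32, image []byte) []byte {
	buf := make([]byte, 4)
	binary.BigEndian.PutUint32(buf, version)
	sum := sha256.Sum256(image)
	return append(buf, sum[:]...)
}

// SignUpdate is the manufacturer-side step (hypothetical release tooling).
// The private key lives only in the manufacturer's signing environment, never
// on the device, so extracting the device's firmware yields no signing key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedDigest(version, image)),
	}
}

// VerifyUpdate is the device-side check run before an image is applied:
// the image must verify under the pinned manufacturer public key, and it must
// not downgrade the device to an older (possibly vulnerable) version.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, signedDigest(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version < installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed key pair and image bytes for the demonstration only.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v7")
	installed := uint32(6)

	good := SignUpdate(priv, 7, image)
	fmt.Println("genuine image:", VerifyUpdate(pub, installed, good))

	// One flipped bit in the image invalidates the signature.
	tampered := good
	tampered.Image = append([]byte{}, image...)
	tampered.Image[0] ^= 0x01
	fmt.Println("tampered image:", VerifyUpdate(pub, installed, tampered))

	// A genuinely signed but older image is refused as a rollback.
	old := SignUpdate(priv, 5, []byte("constructed older image"))
	fmt.Println("older image:", VerifyUpdate(pub, installed, old))
}
```

The design point is that the check itself is cheap; what makes it effective is where the keys live. The device only needs the public key, which is safe to disclose, so the key-theft risk in the list above is confined to the manufacturer's signing environment rather than to every shipped unit.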
Michael Thelander of Iovation adds an important security think-bit (often overlooked) to the mix: “Manufacturers must build security measures into medical devices that include the software lifecycle.”
Beefing up medical device security in 2017 is critical, not purely for security reasons (though security should be at the top of the list) but also to ensure patient safety and privacy.