Hacking Vulnerable Medical Equipment Puts Millions at Risk - InformationWeek


Liviu Arsene
Partner Perspectives

Hacking Vulnerable Medical Equipment Puts Millions at Risk

Hospitals and medical device manufacturers need to start doing more to detect and thwart incoming attacks on networks and devices.

Implantable medical devices are forecast to grow about 7.7% through 2015, and more than 2.5 million people already rely on them to keep various illnesses at bay, according to a study by Freedonia Group.

Medical equipment used to regulate medical conditions has already been deemed vulnerable in various proofs of concept, significantly increasing the risk of losing human lives to cyberattacks.

Lack of Basic Security

Today’s medical equipment supports everything from Wi-Fi to Bluetooth communication in the hopes of increasing the efficiency of the flow of patient information to medical staff. However, these devices are not properly secured, and most are shipped preconfigured with default passwords such as “password” or “admin,” making them worryingly easy to attack.

As part of its research, the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) cited 300 medical devices from 40 companies that had unchangeable passwords. If an attacker were to obtain a list of these passwords, he could theoretically log in and change critical settings, with unfortunate consequences.

Manufacturers that ship these devices are also having a hard time issuing security patches to OTS (off-the-shelf) software, as most medical equipment requiring a software upgrade needs to be resubmitted for FDA approval. Of course, a guidance document specifically states under which conditions a security patch can be issued without immediate FDA approval, but that’s still a long way from effectively and proactively updating medical devices across multiple hospitals and countries.

Hacking IMDs

Hacking an implantable medical device (IMD) is something that even the US Department of Homeland Security takes very seriously. In fact, the DHS has been actively investigating how and which medical devices could potentially be tampered with.

With more than 300,000 Americans receiving wireless IMDs each year, including pacemakers, neuro-stimulators, and drug delivery pumps, attackers could easily exploit existing OTS software vulnerabilities and literally hack the bodies of hundreds of thousands (if not millions) of people who rely on these devices to stay alive.

With the proliferation of IoT (Internet of Things) devices, each of which looks like any other IP address, it’s easy to imagine an attack scenario that might involve remotely taking control of an implanted defibrillator and rigging it to perform battery-draining tasks. The battery life needed to regulate heartbeats would easily be depleted, thus requiring medical intervention for replacement.

Even the communication technologies used by IMDs are sometimes not regulated and dangerously insecure. Advanced hacking tools and methodologies can easily take advantage of these poor security mechanisms and either change the default settings of such devices or deliver remote commands.

Incorporating computer technology into biological systems has its obvious benefits, giving doctors real-time patient information so they can adjust prescriptions or diagnose diseases. However, these devices could easily be vulnerable to critical attacks on either hospital network infrastructures that control and regulate a large number of them or on an individual device of interest.

Network-Enabled Hospital Equipment

Patients not wearing IMDs may still be at risk, even in the comfort of their trusted hospital ward. Network-enabled hospital equipment such as infusion pumps can be vulnerable to cyberattacks because of OTS software vulnerabilities.

The FDA has been particularly interested in improving the safety of infusion pumps after it reviewed several “software defects.” The Infusion Pump Improvement Initiative was specifically aimed at manufacturers to facilitate device improvements through software upgrades and to mitigate risks that might make them vulnerable to outside interventions (read: cyberattacks).

Although a far more likely scenario would be for a cybercriminal to attack a hospital’s Wi-Fi network (sometimes insanely easy to access) to gain access to all stored medical data, there’s still a chance that a specific lifesaving piece of equipment could be targeted.

A Tale of Caution and Opportunity

The FDA has already taken its first steps toward implementing OTS software security specifications to encourage faster mitigation of known security vulnerabilities affecting infusion pumps. It should continue supporting this program for all network-enabled medical equipment, as more than just infusion pumps require software scrutiny. However, the current previsioning process is lengthy and costly for manufacturers.

Perhaps a solution would be for the FDA to allow the involvement of seasoned security companies or security experts to expedite the update and forensics process by working directly with manufacturers and following up-to-date security best practices.

Hospitals should invest a lot more in IT infrastructure and adopt strict policies regarding passwords, networks, and privileges, along with layered security and firewall solutions, to detect and stop incoming attacks on local network infrastructures.

IMD and medical device manufacturers should also consider revising their software coding capabilities more assiduously, while working closely with security vendors in identifying possible security gaps and vulnerabilities.

Liviu Arsene is a Global Cybersecurity Researcher for Bitdefender, with a strong background in security and technology. Researching global trends and developments in cybersecurity, he focuses on advanced persistent threats and security incidents while assessing their impact ...
4/27/2015 | 9:46:11 PM
HIPAA really needs to be amended to include mandatory security protocols for hospital networks/medical devices particularly since medical information is infinitely more profitable than credit cards and social security numbers are. Not to mention interfering with devices just for grins/gigs.
4/24/2015 | 9:18:27 AM
Sounds like a plot of a thriller
Why am I envisioning a thriller where the villain hijacks a medical device of someone with high security clearance and threatens to meddle with it if they don't get the stuff they want?

While you mention it's much more likely that a hacker will go over the wi-fi network to get data, what is the actual likelihood of a hacker going after a particular medical device? Would it be a targeted attack on an individual or more random? And if it is targeted, are new security measures really going to stop a determined hacker?
4/10/2015 | 1:35:22 PM
Tip of the iceberg
Although this is a particularly large, threatening tip. In the rush to implement the IOT and to exploit its great potential, the security issues are being largely ignored. If the trend continues, sooner rather than later there will be a tragedy.
