Medical Devices Are the Next Security Nightmare
Hacked medical devices make for scary headlines. Dick Cheney ordered changes to his pacemaker to better protect it from hackers. Johnson & Johnson warned customers about a security bug in one of its insulin pumps last fall. And St. Jude has spent months dealing with the fallout of vulnerabilities in some of the company’s defibrillators, pacemakers, and other medical electronics. You’d think by now medical device companies would have learned something about security reform. Experts warn they haven’t.
As hackers increasingly take advantage of historically lax security on embedded devices, defending medical instruments has taken on new urgency on two fronts. There’s a need to protect patients, so that attackers can’t hack an insulin pump to administer a fatal dose. And vulnerable medical devices also connect to a huge array of sensors and monitors, making them potential entry points to larger hospital networks. That in turn could mean the theft of sensitive medical records, or a devastating ransomware attack that holds vital systems hostage until administrators pay up.
“The entire extortion landscape has changed,” says Ed Cabrera, chief cybersecurity officer at the threat research firm Trend Micro. “You do get into this life or death situation potentially.”
The Internet of Health Care
Implanted medical device hacks are so memorable because they’re so personal. You wouldn’t want something inside your body or on your skin to be remote-controlled by a criminal. Unfortunately, many types of these devices are broadly vulnerable to attack. For example, in a December investigation of new-generation implantable cardiac defibrillators (ICDs), British and Belgian researchers found security flaws in the proprietary communication protocols of 10 ICDs currently on the market.