Is Your Medical Device a Cybersecurity Threat?
We may not have the Star Trek tricorder yet, but today’s medical devices and apps are connected in ways unimaginable just a decade ago. They're making healthcare more mobile, more personal and more powerful, but could they also pose a threat to patient safety and data security?
Here are four malicious ways hackers could exploit connected medical devices.
1. Harming Patients By Hijacking Medical Devices
This is the nightmare scenario: a hacker breaks into a patient’s medical device and injects a malicious code that causes it to harm or kill its wearer. Dick Cheney famously disabled the wireless connection on his pacemaker in 2007 because of concerns that it could be used in an assassination attempt. These kinds of attacks could be one-offs directed at a particular patient or widespread attacks on all patients using a particular device.
2. Disrupting Hospital Operations Through Denial-of-Service Attacks
More often, hackers trying to break into a medical device are after something bigger than an individual patient. Medical devices, particularly those used in hospital settings, can provide “back door” access to the wider hospital network. Once inside, hackers could launch a “denial-of-service” attack to cause widespread disruption to hospital operations. Shutting down a hospital network, even for a short time, can seriously compromise patient health and safety. As healthcare workers rely more and more on network-connected devices for patient monitoring, drug delivery and other patient care, the potential consequences of even a short outage are alarming.
3. Stealing Network Data Through a Medical Device
Hospitals store thousands of records containing sensitive financial, medical and identity information, making them a tempting target for cyber thieves. These networks are generally highly protected, making them difficult targets for opportunistic hackers. But what happens when you plug an unsecured device into the secure hospital network? Hackers look for these unsecured alternate entries to pivot into the network itself. In most cases, hackers aren’t looking for the medical information stored on the device itself, but for entry into records containing financial or identity information that can be sold on the black market.
4. Holding Hospitals Hostage Through Data Ransom Attacks
In this example, hackers use a medical device to pivot into a hospital network. Once inside, they can encrypt sensitive data within the hospital network and then demand money in exchange for a password to unencrypt the data. Medical centers under this type of attack may suddenly find all of their patient information encrypted, making it impossible to access records such as patient prescription information, pathology reports, diagnostics and other information critical for providing patient care.
Fixing Medical Device Cybersecurity: What’s the Answer?
So what are patients and healthcare providers to do? Should we disconnect all our medical devices and take healthcare back to the pre-internet era? Of course not! The health and safety benefits provided by these devices far outweigh the risks. But there are things that medical device manufacturers should be doing to find and close security vulnerabilities. The vast majority of cybercrimes are crimes of opportunity. If medical devices are no longer a weak link to exploit, they will become much less attractive as a target for hackers.
Battelle’s DeviceSecure™ is a suite of cybersecurity services to help developers implement best practices in cybersecurity gleaned from decades of work in government and industry.