Normally when we talk about healthcare security, we’re considering how well organisations are protecting our private medical data from hackers.
After all, according to some reports, 24,800 US medical records are exposed every day, and don’t forget that it’s not unusual for medical insurance companies to store social security numbers alongside our names, physical addresses, dates of birth and other personal information.
And such hacks can have significant financial impact. As an ESET infographic published last year portrayed, the estimated cost of hacks against medical providers was a staggering $17 billion.
But there’s another growing concern – that in the rush to embrace technology to save and improve the lives of patients, medical scientists may have forgotten something important: are they putting your body at risk from hackers?
According to media reports, the US Department of Homeland Security is investigating “two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment” that could potentially cause serious injury or death.
According to unnamed sources said to be familiar with the investigation by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), devices under investigation include infusion pumps from Hospira Inc and implantable heart devices from Medtronic Inc and St Jude Medical Inc.
Hospira, Medtronic and St Jude Medical have declined to comment on the investigation.
The security of medical devices is not a new concern, of course. In the past we have discussed fears that tiny chips implanted under a woman’s skin to manage her birth control could be hacked, for instance.
And just last year, ICS-CERT published a security advisory warning that hundreds of devices were using hardcoded passwords, opening the door for potential attacks that could change critical settings or modify device firmware.
The affected devices have hard-coded passwords that can be used to permit privileged access to devices such as passwords that would normally be used only by a service technician. In some devices, this access could allow critical settings or the device firmware to be modified.
The affected devices are manufactured by a broad range of vendors and fall into a broad range of categories including but not limited to:
* Surgical and anesthesia devices,
* Drug infusion pumps,
* External defibrillators,
* Patient monitors, and
* Laboratory and analysis equipment.
Perhaps most memorably, security researcher Barnaby Jack demonstrated in 2012 how he reverse-engineered a device to deliver a deadly 830 volt shock to a pacemaker from a distance of 30 feet, and discovered a method to scan insulin pumps wirelessly and configure them to deliver more or less insulin than patients required, sending patients into a hypoglycaemic shock.
Sadly Jack died in July 2013, one week before he was scheduled to present new research on how hackers could maliciously exploit medical devices.
Such threats are taken seriously, as can be seen by the fact that former US vice-president Dick Cheney was so frightened of assassination that he had the wireless feature of his implanted heart defibrillator deactivated.
Clearly there are plenty of opportunities for the mainstream media to spread fear about the potential threat, but that doesn’t mean there is no genuine cause for concern about medical devices that can be communicated with wirelessly but haven’t been properly secured.
Chances are that you have enough things to worry about if you’re having a serious operation to embed a medical device inside your body. The last thing you need is to be also losing sleep over whether the gadget that’s helping you stay alive is at risk of being hacked.
What are your thoughts? Do you think the threat is over-hyped, or should more be done to defend devices relied upon by patients from attack? Leave a comment below.
Author Graham Cluley, We Live Security