Experts weigh in on the state of medical device security today and beyond
By Charlie Osborne for Zero Day – February 21, 2017
The heat is on medical device vendors, healthcare providers, and security firms to tackle the emerging problem of cyberattacks focused on the Internet of Medical Things (IoMT).
Hardly a week goes by when we don’t hear of the latest company to fall victim to hackers, but the ability to compromise medical devices may go far beyond the consequences of standard malware infections and the theft of personally identifiable information (PII).
Attacks against medical devices can occur due to social engineering and network infiltration, as well as vulnerabilities in hardware and software. The most common threats today include ransomware, man-in-the-middle (MiTM) attacks, phishing and, on occasion, physically compromising devices.
Strong networks can create a barrier between attackers and healthcare systems, but medical devices can suffer from the same vulnerabilities, exploits, outdated firmware and security flaws that plague traditional computer systems.
Medical device security hit the spotlight in 2012 when IOActive security researcher Barnaby Jack discovered transmitter security flaws which could be used to deliver lethal shocks to pacemakers. Recently, medical equipment maker St. Jude Medical was forced to patch security holes in the firm’s cardiac devices.
While medical devices may be targeted for the purposes of causing harm to individual patients or blackmail, one of the main reasons appears to be for financial gain.
In March 2016, US hospital chain MedStar’s IT infrastructure was crippled after a successful malware attack, and California’s Hollywood Presbyterian Medical Center paid attackers thousands of dollars after ransomware disrupted critical services in the same year.
Speaking to ZDNet, Jason Allaway, vice president of RES UK & Ireland, said the main threat to hospitals is ransomware due to the “devastating effectiveness” of attacks — and “because the consequence of losing data goes far beyond a financial cost.”
“Unlike data held by other organizations, such as those operating in finance, medical data holds a life or death value,” Allaway says. “Medical organizations can’t even give out the most basic of painkillers if their data is not fully available. […] Unless hospitals have a stringent backup policy, there is little option other than paying a ransom so that staff can continue to provide critical medical care.”