Understanding the growing threat of medical cyberattacks

This entry was posted on Wednesday, September 6th, 2017.

Depending on what you read or who you talk to, medical devices, along with hospital networks, fall into two categories: they are either woefully unprepared for a cyberattack, or designed and maintained by those who believe that piecemeal cyber security measures (sans a holistic approach) will hopefully deter attacks and prevent digital intrusions.

Ahead of the curve in 2017? Not so much. A recent survey conducted by Deloitte Touche confirms that preventing cyberattacks hasn’t been easy for medical institutions. The findings? One-third of 370 healthcare IoT professionals—and their respective organizations—suffered some sort of nefarious cyber scenario in the past year. This study was reported in two major Internet Security journals: eSecurity Planet and Dark Reading (an archived webcast on the topic can be found here). And more recently, MEDSec 2017 explored security and privacy issues related to the Internet of Medical Things.

According to Dark Reading, there are many causes for the growing threat of medical cyberattacks – five to be exact. The most important is that, in the always-on information age we live in, data is highly lucrative: hospital health records offer a farmer’s market of sensitive information that can be bought and re-sold on the dark web.

The other four reasons?

  • Cyber criminals have an affinity for Windows-based computers prone to data breaches and hacking, often targeting easy-prey legacy computer systems.
  • An application-heavy environment provides a broad attack landscape, where “healthcare customers are logging into twice as many applications as the average user…which could put them at risk of attack.”
  • Life is on the line, as “healthcare professionals and their patients often can’t afford to have systems down,” or even wait for an incident response team to come in and clean up digital data.
  • Healthcare is historically not very secure.

Perhaps most worryingly, medical devices such as implantable heart devices are vulnerable to attack via malware and side-channel attacks. Indeed, millions of implanted medical devices (IMDs) do not typically receive software upgrades to address security vulnerabilities. Such devices – which are often connected via the internet or wireless technologies – include cardiac pacemakers, insulin pumps and brain neurostimulators. Consequently, IMDs pose very clear risks along with their obvious benefits.

It should be noted that the FDA posted a notice on Aug. 29 that nearly half a million pacemakers from the health company Abbott (formerly St. Jude Medical) have the potential to be hacked and require a protective software update. The urgent memo to doctors (as well as Abbott’s press release) spells out the potential dangers of the Internet of Things (IoT) as it pertains to medical devices:

“The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (e.g. Wi-Fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users,” the FDA notice reads. “However, the increased use of wireless technology and software in medical devices can also often offer safer, more efficient, convenient, and timely health care delivery.”
