Healthcare hacking under observation

As more medical devices are connected to the internet, the benefits that their new capabilities bring will be accompanied by new threats

By Jo Best

Fri 31 Aug 2018 @ 15:50

While the Internet of Things (IoT) is gradually connecting our homes ­­and offices, it’s also laying the foundation for significant developments in healthcare by bringing a new generation of medical devices online. From connected pacemakers and implantable defibrillators (ICDs) to insulin pumps and sensors, more and more healthcare devices are being connected to the internet – bringing not only new capabilities, but also new threats.

Moving from a world where healthcare hardware is standalone to one where it's internet-connected gives doctors and other healthcare practitioners the ability to fine-tune devices to suit individual patients’ needs (an approach called ‘precision healthcare’), and also to update equipment functionality when new software is released. However, giving such hardware a connection to the wider internet also opens up an attack vector, offering cybercriminals a way into medical equipment and networks, and a means to use them for their own ends.

While security flaws in medical devices have been around for at least a decade, the idea of healthcare hacking arguably first hit the headlines thanks to Dick Cheney. The then-US vice president revealed in 2013 that, six years earlier, he had asked his doctor to disable the wireless function on his ICD in case terrorists were tempted to hijack it to cause him harm.

Since then, the warnings have kept coming: last year, the FDA recalled half a million pacemakers over hacking fears – a particularly taxing task given that some were already attached to patients (and had to be patched in situ). Other types of devices have also been affected by such alerts: in 2016, Johnson & Johnson warned diabetics that an insulin pump could be vulnerable to compromise, and issued a fix.

Keeping medical devices secure presents a challenge for a number of reasons. Like other IoT hardware, such devices don't often come with a screen or other interface, limiting the ways the devices have to alert users or administrators when they need an update. Similarly, as they're designed to be unobtrusive, they're easily forgotten and may slip off the radars of security professionals. And, with limited computing capability, they're not likely to have dedicated security software onboard.

Does that mean health device hacking should worry both medical professionals and patients? So far, exploits of medical devices have only been proofs of concept released by security researchers, rather than in-the-wild threats from malicious actors.

However, the WannaCry and similar ransomware attacks that hit healthcare institutions in 2017 gave a glimpse of just how significant a successful medical device hack could be. Numerous hospitals in the UK and beyond found their IT systems taken offline after staff opened emails with the malware attached. The outages also spread to medical hardware, including radiology equipment, taking vital devices offline for 24 hours.

Such presumably unintended consequences highlight the scale of the security risk from medical device flaws. Hackers could of course use them to hijack the devices themselves, either as a way of harming targeted wearers, or as a theoretically highly lucrative outlet for ransomware – who wouldn't pay a ransom in the face of a threat that their defibrillator would stop or their insulin pump would deliver a fatal dose?

However, as well as the worrying threat of physical harm to individual users, compromised hardware can also be used as a way into wider healthcare networks, through which hackers can access hospital records, IT systems, medical equipment and even more devices. While some hackers have previously drawn the line at targeting healthcare institutions, viewing attacks that could potentially cause loss of life as a step too far, it's unlikely any significant number will have such scruples.

There are also signs that the healthcare industry is waking up to the security challenges of internet-enabled medical devices. The FDA recently spoke at DefCon (which device makers have also started attending) and has recently released its Medical Device Safety Action Plan. Elsewhere, a number of cross-industry and intra-industry initiatives have been set up to work on medical device security problems before they move from theoretical risk to genuine threat. While the healthcare and medtech industries may have been slower than hoped to grasp the scale and seriousness of the threat that device hacking could represent, the prognosis is definitely looking brighter.