SoS Musings #17 - Hacking Bodies and Networks
SoS Musings #17
Hacking Bodies and Networks
The realm of medical technology is rising in the ranks of targeted areas by cyber attackers. The purpose of medical technology is to save and improve the quality of life as such technology is used in the diagnosis, monitoring, and treatment of an extensive range of major illnesses, minor ailments, and injuries. However, as the healthcare sector increases in connectivity, hackers are becoming more enticed to target medical devices. In addition to higher connectivity, the healthcare sector also contains valuable data and inadequate security practices, which greatly contributes to the increased targeting of medical devices. Medical technology such as pacemakers, anesthesia systems, electroencephalogram systems, and more, have been found to be vulnerable to cyberattacks. Cyberattacks on such medical devices call for concern as the disruption of these devices poses a danger to the operation of healthcare providers as well as the safety and privacy of patients.
Recent discoveries of security vulnerabilities contained by medical devices have brought further attention to the insecurity of such devices, which poses a threat to the welfare and privacy of patients, as well as the security of hospital networks. Security researchers from WhiteScope and QED Secure Solutions, have found vulnerabilities that put widely-used pacemakers and implantable insulin pumps manufactured by Medtronic at risk of being controlled by hackers. The vulnerabilities discovered in Medtronic's software delivery network, could be exploited by hackers to remotely perform life-threatening activities via pacemakers and insulin pumps such as manipulating electrical impulses used to regulate heart rate and disrupting the administration of insulin. In addition to posing threats to the well-being of patients, cyberattacks on medical devices can also lead to breaches in patient privacy as indicated in a study conducted by a Spirent SecurityLabs researcher in which the security of IV infusion pumps and digital smart pens used by doctors was examined. The study found that these devices, which are used to deliver fluids to a patient's body and prescribe medications, contain vulnerabilities that could allow attackers to steal information such as the names, contact information, and sensitive medical data of patients. Researchers at Cisco's Talos Intelligence Group uncovered vulnerabilities contained by software used in several electroencephalogram (EEG) devices called NeuroWorks, which could allow attackers to gain unauthorized access to patient data on EEG devices and systems connected to the hospital network, as well as execute larger attacks on the network. According to Ben Gurion University's (BGU) Malware Lab researchers, medical imaging devices such as computed tomography (CT) and magnetic resonance imaging (MRI) machines, also contain vulnerabilities that could lead to the high discharge of radiation, disruption of image results, and more. Other recent research findings have also brought attention to the possibility of hackers falsifying patient vitals and invading hospital networks due to the use of a weak communications protocol and presence of Wi-Fi security flaws in medical equipment, which could lead to incorrect diagnoses and the invasion of hospital networks. Discoveries of security vulnerabilities surrounding medical devices call for further research and development in the protection of such technology against cyberattacks.
Efforts continue to be made in the improvement of security for medical devices against cyberattacks. The vulnerabilities discovered in highlighted research pertaining to medical device cybersecurity have derived from a lack in the implementation of digital code signing, the abuse of network security protocols, insecure software code, and more. An article in Infosecurity Magazine also emphasizes poor user practices that contribute to the insecurity of medical devices, which include the inappropriate use of embedded browsers on medical workstations and use of outdated software. As a result of the increasing risk of cyberattacks on medical devices, the Food and Drug Administration (FDA) has released a "Medical Device Safety Action Plan", which supports the continuous patching and updating of medical devices, improvement of vulnerability disclosure, and more. The healthcare industry has also increased spending on cybersecurity resources in order to defend against cyber threats facing systems and technology used by the industry. In addition, researchers have developed and proposed new methods for securing medical devices. Researchers at MIT have developed an innovative new transmitter to prevent the compromise of wireless devices such as medical devices, which applies an ultrafast frequency-hopping method to protect data transmitted between devices. An encryption method has been proposed by researchers from KU Leuven, Belgium, that would improve the security of implantable neurostimulators. In an attempt to secure CT devices, BGU Malware Lab Researchers have been working on a machine learning-based algorithm to improve the detection of anomalies in such machines. Progress must continue to be made in the research and development of cybersecurity solutions for medical devices as these devices increasingly become targeted by hackers.
As cyberattacks on medical devices could lead to major consequences such as the physical harming of patients, breach of sensitive medical data, and disruption to the operation of healthcare providers, it is vital that research and developments surrounding the advancement of security for such devices continue to grow.