By Taylor Armerding
July 4, 2017
Medical device cybersecurity is lousy — beyond lousy.
Indeed, the word from security experts for most of the past decade (and certainly since those devices increasingly have become connected to the internet) has been that while the physical security of most is superb and the devices function flawlessly, possibly for years at a time, when it comes to security from malicious online attacks, these devices are frighteningly insecure.
The web is practically littered with recent reports confirming this:
- A study by WhiteScope IO released in May reported more than 8,000 vulnerabilities in the code that runs in seven pacemakers from four manufacturers.
- A report released in December 2016 on an investigation into new implantable cardiac defibrillators (ICD) found security flaws in the proprietary communication protocols of 10 of them.
- Trend Micro reported in May that more than 36,000 healthcare-related devices in the U.S. alone are discoverable on Shodan, the search engine for connected devices.
- Ponemon, in a survey sponsored by Synopsys, reported in May that, “roughly one third of device makers and HDOs (health delivery organizations) are aware of potential adverse effects to patients due to an insecure medical device, but despite the risk only 17 percent of device makers and 15 percent of HDOs are taking significant steps to prevent such attacks.”
The problem, which has existed since HDOs began connecting these devices to the internet, is that the majority are being trusted to do what they weren’t designed to do — protect patient information and the patients themselves — from cyber attacks.
Chris Camejo, director of product management, threat intelligence at NTT Security, noted that most medical devices in use today would be secure, “only in a closed, trusted environment without any potentially malicious activity."
“Unfortunately a hospital network can't be considered trusted, as it is connected to the internet and contains thousands of internal users, any one of whom could click on the wrong link or download the wrong attachment,” he said.
Still, debate continues about how imminent is the risk of physical harm. Jay Radcliffe, a medical device security expert and Type-One diabetic, famously said at the 2014 Black Hat conference that it would be far more likely for, “an attacker to sneak up behind me and deliver a fatal blow to my head with a baseball bat,” than to be harmed by a cyber attack.
And the experts I spoke with say they are unaware of a documented, targeted attack on a device that caused physical harm to a patient.
But Stephanie Domas, lead medical security engineer at Batelle DeviceSecure Services, said a lot remains unknown about whether malfunctions of devices are caused by malicious cyber incidents. “I don’t know of a manufacturer that does root-cause forensics when a medical device misbehaves,” she said. “Nobody is looking to see how it happened.”