By Taylor Armerding
July 4, 2017
Camejo said regardless of the class of device, or whether it is located inside or outside of the hospital environment, “the risks are essentially the same: Patients’ lives often depend on these devices performing their functions accurately, and an attacker who can control one of these devices can alter those functions to the potential detriment of the patient, up to and including death.”
So should certain devices be banned? Domas and other experts say no – that it is difficult to say that one device, or even class of devices, is more vulnerable than others. They say the problem lies more in specific capabilities or features that can make them much more attractive targets and/or their users more vulnerable to harm.
These are the 5 features that the experts I spoke with say cause the greatest risk:
1. Cloud dependent
Only about 10 percent of medical devices fall into what the Food and Drug Administration (FDA) calls Class III, which means they are designed to sustain or support life (e.g., pacemakers and glucose meters). If these devices were hacked, an attacker could put patients’ lives or health in jeopardy.
Sonali P. Gunawardhana, of counsel with Wiley Rein and a former FDA attorney, pointed to glucose meters that are smartphone connected, which help patients monitor their sugar levels. If the app on the phone is hacked and a patient receives incorrect data, leading to incorrect decisions on managing sugar levels, “that can cause irreparable harm,” she said.
Chris Clark, principal security engineer at Synopsys, said devices that depend on the cloud for performance are “similar to telemedicine,” and can include devices like infusion pumps and patient monitors that use the cloud to perform their services.
“They have to go out to the internet,” he said, “which means there is a high potential for disruption or denial.”
2. RF connectivity
Clark said anything that is RF (radio frequency) based is at higher risk.
“Fitbit talks Bluetooth to our smartphones,” he said, “which is mostly OK, since it doesn’t talk to other devices.
“But the phone is an aggregation point for all types of technology, not just healthcare,” he said. “Most people don’t even know if they have Wi-Fi or Bluetooth. They just assume the manufacturer has provided for their security. But once we’ve enabled that type of tech, it’s more savory for an attacker.”
3. Commercial operating systems and software
Domas noted that WannaCry (one of the most recent high-profile ransomware worms), “was not targeted at medical devices. Nothing about it was aimed at hospitals, but it affected a lot of them once it was able to get in.
“Those attacks look for anything that is vulnerable. They saw devices that were vulnerable and attacked them.”