Many implanted medical devices, such as pacemakers and insulin pumps, now feature wireless connectivity and remote monitoring, enabling health professionals to monitor and adjust the devices unobtrusively. However, as is the case with other Internet of Things (IoT) devices, they can also be discovered and compromised by hackers.
Pacemakers and CT scanners become targets of ransomware
One concern with connected medical devices is that hackers may insert ransomware that affects the performance of the device. How much would someone pay to keep the heart pacemaker in their chest working properly?
But there is another concern facing hospitals and other medical providers. Hospitals are increasingly becoming targets of ransomware attacks, and connected medical devices with poor security can provide entry points to a hospital’s computer systems. Once they are in the system, hackers can access patient records and other information. According to Wired.com, U.S. hospitals average 10 to 15 connected devices per bed, and a large hospital may have more than 5,000 beds. That is a lot of potential entry points for hackers who may wish to use the hospital’s system to access private medical records or even launch a ransomware attack.
Once the system is infected, the hackers can launch ransomware attacks against the facility. Hospitals face losing not just money, but the resources they need to keep patients alive.
As with other IoT devices, there are no security regulations or standards in place. It is up to manufacturers, vendors and users to make sure devices are operated securely. Unlike desktop computers and other devices that run anti-virus and anti-malware programs, IoT devices are often easy to compromise. The MedJack exploit uses medical devices as the entry point, and the malware fans out across the medical facility’s network from there. TrapX’s Vice President of Marketing Anthony James says, “No one is thinking about a CT scanner or an MRI machine and seeing a launchpad for a broader attack.”
One area of vulnerability is the use of open source software. A study by Black Duck Software found that the average commercial application included almost 150 discrete open source components, and 67 percent of the applications included vulnerable open source components. The problem is not necessarily the use of open source code, it is that the organizations using the devices and software may not be aware of the underlying open source components and any vulnerabilities that may be discovered.
The Food and Drug Administration is involved in ongoing efforts to protect the public from these cybersecurity risks. They say they are unaware of any patient injuries or deaths from cybersecurity breaches, and they have made recommendations to vendors and medical facilities about maintaining security.