Secplicity - Security Simplified

Powered by WatchGuard Technologies

Medical Device Security Fiasco?

October 1, 2018 By Emil Hozan

You would think that medical devices, which aid in sustaining health and wellness on many levels, would be focused on security to some extent, right? Well, thinking it and it being a reality are apparently not two peas in the same pod. Despite numerous outcries and public demonstrations from cyber security specialists and researchers to medical equipment vendors, and even to the FDA, which is responsible for regulating medical devices, security of these devices seems to not even be on the minds of their developers.

In a rather surprising article detailing the work of Billy Rios and other security researchers working with the Mayo Clinic, the truth about the security of medical devices is rather disturbing. To compound these concerns, detailed reports and research investigations were transmitted to the vendors as well as the FDA – yet not much has been done in the way of improving the security of devices. It seems that vendors of the equipment are pointing their fingers at network perimeter defenses and appliances, such as firewalls and respective network gateways.

Further, the article states that vendors responded with a statement saying that the security of the devices is only a layer on their initial defense line. While there is some validity to this, layered security is better than solely relying on a network’s perimeter defense. The fact that these security concerns are seemingly not being taken seriously is a tad unsettling as well. There are numerous researchers raising awareness of this and going public to gain more exposure and put pressure on manufacturers.

 

The take-away that the Mayo Clinic had from this experience was a fresh set of security requirements for its medical device suppliers. The take-away that Rios got was the realization of the severity of the issue and the seeming lack of interest from vendors. In a quote from an article posted by The Guardian, Suzanne Schwartz, an FDA director responsible for cyber security partnerships, stated that the presented case study illustrated a “gap in the ecosystem.” Rios knew that the Mayo Clinic was one of very few entities that had a large enough presence to really put their foot down, but the number of smaller entities that didn’t have as much pull posed an issue and a major concern.

Many live demos have been presented by researchers at varying events. Rios and Jonathan Butts performed a hack at Black Hat, first warning those with pacemakers to exit the room before demonstrating the ability to shut these down remotely. Barnaby Jack performed an attack on wireless insulin pumps in Miami at the Hacker Halted conference back in 2011. In the same article there is a reference to 2008 academic research in which researchers demonstrated their ability to intercept medical information from implantable cardiac devices and pacemakers and cause them to turn off or issue life-threatening electrical shocks.

Now don’t get me wrong, I am not against these devices, for as the vendors have mentioned, the good outweighs the bad. The issue, though, is for how long? What would it take for a terrible and malicious threat actor to spring up and issue a kill command to these devices?

I bring it up this way because, according to the article posted by Bloomberg detailing Rios’s work, that work led TrapX Security to conduct a test. They installed software in more than 60 hospitals that traced medical device hacks. They also created virtual replicas of these devices and installed them, appearing as though they were online and running. During a 6-month period, TrapX concluded that all of the hospitals contained medical devices that had been infected with malware. Through spear phishing hospital staff and luring them into opening malicious emails, hospital computers leaked malicious infections that spread throughout the network. The computers themselves had antivirus that ended up catching the virus in the long run, but the medical equipment itself had no defense.

References

Gellman, L. (August 20, 2018). The Fight to Secure Vulnerable Medical Devices From Hackers. Retrieved from http://nymag.com/selectall/2018/08/insecure-medical-devices-vulnerable-to-malicious-hacking.html

Goodin, D. (October 27, 2011). Insulin pump hack delivers fatal dosage over the air. Retrieved from https://www.theregister.co.uk/2011/10/27/fatal_insulin_pump_attack/

Hern, A. (August 9, 2018). Hackable implanted medical devices could cause deaths, researchers say. Retrieved from https://www.theguardian.com/technology/2018/aug/09/implanted-medical-devices-hacking-risks-medtronic

Reel, M. and Robertson, J. (November 2015). Hack the Hospital: Firewalls and medical devices are extremely vulnerable, and everyone’s pointing fingers. Retrieved from https://www.bloomberg.com/features/2015-hospital-hack/
