Could hackers threaten your health?
Like many industries, healthcare has been swept up in an ever-growing tide of technological innovation. New technology can increase the quality and capabilities of medical care without causing a corresponding increase in cost. However, this innovation also carries a degree of risk.
Last year researchers from the University of Leuven in Belgium and the University of Birmingham in the UK found a way to hack into implanted medical devices. Intercepting signals between pacemakers and their programmers, they were able to steal medical information, drain the device’s battery, and even send malicious messages, causing the devices to malfunction and disrupt critical lifesaving care.
This problem is not isolated. Implanted devices often connect to sensors and monitors within a hospital without using passwords, encryption or other security measures. Wireless connectivity and remote monitoring make it easier for health providers to adjust device settings without invasive procedures, but they also create a potential ‘back-door’ into hospital networks. Unsecured devices can provide hackers with an entry point to steal valuable medical data or launch a widespread ransomware attack.
Unfortunately, hospitals make appealing targets. Not only do they hold valuable troves of highly sensitive data, which can be used for anything from identity theft to illegally obtaining prescription medication, they also hold responsibility for hundreds of lives. If a hospital’s network is shut down by ransomware, they must act quickly to take back control and safeguard patients.
The global WannaCry ransomware attack in May proved that this risk is real. The attack severely impacted NHS health services in the UK and even, as Forbes’ Thomas Brewster reported, spread to some medical devices in the USA, showing just how vulnerable healthcare can be to a cyberattack.
Luckily, medical device makers are waking up to this growing threat. In this year’s Def Con hacking conference, representatives from the US FDA, the government body responsible for the security of medical devices, spoke for the first time. Attempting to spark a dialogue between medical device makers and “white hat” hackers, their main goal was to encourage cooperation. If both sides work together, they can find potential flaws and vulnerabilities in medical equipment, enabling companies to fix them before they can be exploited. At the same time, producers of medical devices (including Johnson & Johnson and Philips) have also started sending staff to Def Con in order to keep abreast of the latest developments in cybersecurity.
After being hit by recent discoveries of security flaws in on-the-market insulin pumps, pacemakers, and infusion pumps, cyber security researchers and medical suppliers are even considering a “Hippocratic oath” for device makers who, like doctors, would vow to act in the best interest of patients. There has also been an increase in regulatory action, with the FDA now requiring a firmware update intended to reduce the risk of a certain type of cardiac pacemaker being hacked.
While it is impossible to deny the myriad advantages that come with today’s advancing medical technology, increasing cyber threats mean medical device providers must now take security matters to heart, literally.