Unfortunately, a lack of regulation has created an industry where hackers can profit from the vulnerabilities in medical devices. It is estimated that cybercrime will cost the healthcare sector $6 trillion by 2022. The article discusses how to protect your device during production and after launch with tips such as using independent software vendors (ISVs) for security testing, training employees on cybersecurity frameworks like PCI DSS before deployment and biometric authentication methods for identification at every point-of-sale terminal.
The “cyber attack on medical devices” is a major concern for the healthcare industry. Medical device manufacturers have been working to make their devices more secure from hackers and cybercriminals.
Pacemakers that don’t transmit electrical pulses to a patient’s heart when they’re needed the most; vital signs that are messed up, resulting in unneeded therapy; or insulin pumps that don’t work. All of these situations are ones that hackers claim are conceivable since they’ve tried it and know it can be done.
We chatted with Christian Espinosa, a white hat hacker (sometimes known as a “ethical hacker”) with decades of expertise in cybersecurity. He is presently the CEO and Founder of Alpine Security, as well as a Maryville University cyber security lecturer. Christian hacks into medical equipment with his Alpine Security team in order to assist manufacturers detect security holes before someone with evil intent discovers them.
Christian discusses why the medical profession is so vulnerable to cyberattacks in the interview below, as well as how serious—and complicated—the situation is.
Could you provide an outline of the medical field’s cybersecurity threats? What is the scope of the issue?
Medical gadgets have been mainly overlooked in terms of cybersecurity. Many of these gadgets run out-of-date operating systems that are riddled with flaws.
Alpine Security’s CEO and Founder, Christian Espinosa
It’s not meant to be linked to a hospital’s network. Many medical equipment are now linked to hospital networks, which include Internet connections, for ease of control, data access, and upgrades, among other things.
Hospital networks are inherently insecure, and any threats to them are passed on to linked medical equipment. Unsecure wireless connections are the primary threat to implanted devices. Wireless technology was used to make implantables easier to monitor and update. It’s much too dangerous to have cardiac surgery every time a pacemaker or implanted cardioverter defibrillator (ICD) has to be replaced, for example.
Medical device hazards are a major issue with serious and perhaps fatal implications.
What is your method for detecting security flaws as a white hat hacker? Do you attempt to hack everything, or do you prefer to target certain sorts of devices or networks?
Our approach is determined by the scope of the project. If we’re asked to evaluate a medical device, we usually go through the following steps: 1) learn more about the device; 2) define a security boundary for the device; 3) perform a risk assessment of the device; 4) identify all possible entry points in the system/device; 5) develop attack trees and assess all entry points into the system using penetration testing and other techniques; 6) determine a mitigation strategy based on the results of 1-5.
In terms of hacking everything and everything, the technique I just described takes a risk-based approach to our evaluation. We start with the big-ticket things that provide the greatest risk to patient safety, stressing how the device might be exploited and the impact of data security, integrity, and availability assaults. We collaborate with manufacturers and service providers to address the most significant issues first, then work our way down a prioritized list depending on the level of risk. Validation tests are also performed to check that the repair methods were successful.
When you find a vulnerability, how responsive are companies? Do they normally deal with the problem?
Some people are more open than others. We sometimes encounter opposition, such as “there’s no way someone would conceive of doing that.” The majority of the time, though, our results are well-received.
Regrettably, business bureaucracy, costs, timeframes, and other variables make it difficult to repair devices in development or in the field. Repairing devices that have been deployed throughout the globe or that are still in development is incredibly expensive for medical device makers.
What do you believe attracts hackers to medical equipment and hospital networks?
“You can directly alter a person’s physical condition and well-being if you can hack into a medical equipment.”
There are many causes for this. PHI (protected health information) is more valuable than other sorts of data, for example. On the illicit market, patient records fetch a higher price than other forms of stolen sensitive data.
Another factor is the potential for bodily harm from medical equipment hacking. Normally, stealing credit card data from a web application causes someone to be inconvenienced—this is an indirect impact on the individual. You can directly alter a person’s physical status and well-being if you can hack into a medical equipment.
What is one form of security flaw that keeps you up at night?
There isn’t a single one that keeps me up at night. I’ve accepted the reality that it’s just a matter of time until something disastrous occurs. Despite several warning signals, there is still a head-in-the-sand attitude. It’s almost as if the danger doesn’t exist if we pretend it isn’t there.
“I’ve accepted the reality that it’s just a matter of time until something disastrous occurs.”
However, if I had to choose one concern that would keep me up at night, it would be the threat of weaponized medical nanotechnology, which is a kind of biomedical hacking.
Nanotechnology, often known as “nanotech,” is a term used to describe incredibly tiny computers that are smaller than a pinhead. Nanobots may be employed in the human body for things like delivering chemotherapy to just cancer cells in order to eradicate them. These nanobots may also transport harmful poisons or perform specialized tasks in the human body, such as immobilizing your limbs for a short period of time. The terrifying part is that they are quite easy to introduce into the human body. You may inhale them without even realizing it.
Do you believe the FDA is doing enough to avoid cyberattacks and react to them?
The difficulty, in my opinion, is determining who is ultimately accountable for medical device security: the device maker, the user, the hospital, clinic, the Department of Homeland Security, the FDA, the doctor, the patient, and so on.
The FDA has essentially offered premarket and postmarket recommendations for medical devices and has delegated responsibilities to healthcare providers (HDOs). “HDOs are responsible for installing devices on their networks,” according to the FDA, “and may need to patch or update devices and/or supporting infrastructure to eliminate security concerns.” Recognizing that modifications need risk evaluation, the FDA advises “collaborating closely with medical device makers to discuss essential adjustments.”
“Physicians don’t become doctors to preserve data,” said a medical practitioner we talked with recently. What part does a typical doctor play in keeping medical equipment and networks secure?
This is something I agree with. Doctors already have a lot on their plates. A list of “authorized medical devices” that they may use and suggest should be provided to them. These gadgets should be properly scrutinized for security flaws. Other approaches, like as penetration testing, should be employed.
Where does this “authorized list of medical gadgets” originate from, is the question. Who is in charge of the approval process? Because medical devices are complicated systems with numerous known and undiscovered weaknesses, this is not an easy issue to fix. What has been authorized today may be revoked tomorrow. This should not be the doctor’s duty.
Watch This Video-
The “can insulin pumps be hacked” is a question that has been asked by many people. The answer is yes, but there are ways to prevent this from happening.
Frequently Asked Questions
Can medical devices get hacked?
A: Yes, medical devices can get hacked. Smartphones have been found to have vulnerabilities but they are not as common.
Can hospital equipment be hacked?
A: No, not unless you use the hospitals personal network.
How can you prevent medical devices from being hacked?
A: Medical devices are typically very difficult to hack due to the complexity of the systems in them. Another reason why many medical device hackers have found it difficult is because of how much time, money and effort go into creating a secure product.盾
Related Tags
- medical device security vulnerabilities
- medical devices getting hacked
- how are insulin pumps protected from medical hacks
- how is a cgm device protected from medical hacks?
- pros and cons of telemedicine