Medical devices these days are connected to a hospital network for the purpose of remote monitoring and administration. Whilst most people may not be comfortable at the thought of a computer controlling the level of oxygen or medication dosage being administered to them, today’s medical care has advanced to the point where automation is an accepted protocol. This automation makes use of collective analysis to perform once manual tasks.
Medical devices and associated technology
The medical industry employs technology in order to provide the best possible care for patients, where decisions can be made quickly and effectively in terms of drug administration to control pain. Modern devices are pressure sensitive, and can deliver medication in extremely accurate amounts. Such medical automation allows both resources and drugs to be more effectively deployed, and allows staff to focus on other duties.
However, as with all networks, the medical industry is at risk from a cyber attack. Whilst evidence would suggest that nobody has died as a result of cyber criminals, various equipment has been identified as containing flaws which could allow for compromise – and the potential for the device to be controlled remotely. Administrators of medical devices are often unaware that the device itself contains an outdated and vulnerable operating system, or still uses the default username and password in order to grant access. Additionally, as these medical devices are monitored from a central location, who actually checks to ensure that they are correctly performing the function they are supplied for ?
Why would a cyber criminal want to hack surgical equipment ?
If you consider what is on offer, medical networks appeal to a cyber criminal owing to the information that is potentially accessible. In this case, patient medical information. This data is considered personally identifiable, and fetches a high price on the dark web. Using this data, criminals can assume identities, and by doing so, are able to gain access to other products and services in your name for financial gain. However, there is a much darker side to vulnerable medical devices, where a cyber criminal could take advantage of a number of weaknesses to threaten the life of a patient in return for financial gain.
Whilst this sounds very much like the plotline from a film or TV series (Homeland), it’s not just remote control that is a concern for this type of equipment. A cyber criminal could install Ransomware on a device, whereby it is rendered inoperable unless a fee is paid to release it. In a situation where a patient is reliant on a medical device, this raises an immediate problem. You could argue that the affected institution could remove the machine and revert to manual procedures, although how would they be aware of such a compromise in the first instance, and how much damage could be caused as a result ?
In most cases, hackers attempt to access medical automation networks and use them as a means of breaching an adjacent network that contains the personally identifiable information they are looking for. Using technologies that have been around for a number of years, it should be the case that the impacted network has been physically and logically divided into segments where access controls can be deployed, enforced, and managed. Design plays a key factor here, and any weaknesses are easily exposed by an experienced hacker. These vulnerabilities can then be leveraged to gain access to other areas of the medical network not usually available by traditional means, or intended for unauthorised or public access. Unfortunately, medical devices appear to offer little in terms of protection or security, and are easily accessed.
Two medical devices that have are proven to be particularly vulnerable are MRI scanners, and Infusion pumps. Speculation also indicates that some Pacemakers have recently been identified as containing vulnerabilities if they are wireless connected, and internet enabled. Admittedly, this does sound like the stuff of fiction, and realistically, who would want something inside their body providing a life supporting function that could be remotely controlled – either intentionally, or maliciously ? Think of it this way – hackers have been using Ransomware to either steal or delete data from computer systems if the target does not pay the required fee for over 25 years, so this is not a new concept. Admittedly, it has taken various new forms over the years, and the encryption algorithm has undergone numerous iterations, but the original goal is still the same. With the onset of medical robots performing surgical functions, and Ransomware being touted as the biggest cyber security threat to the medical industry for 2016, who would want to take any risks in this area ?
Both critics and industry experts have reported that the medical industry is around 10 years behind others when it comes to protecting devices from cyber attack. The threat could go from fiction to fact in an alarmingly short space of time, once cyber criminals realise the benefits of exploring these weaknesses further. Seeing as this threat is indeed very personal to a victim and their families, the likelihood of success is greater in terms of payment than it would be encrypting the files on your computer. For this reason alone, the threat to the medical industry is now a major discussion point, and one that will be hugely successful if action is not taken to address weaknesses and vulnerabilities in affected medical devices – probably with serious consequences.
This issue raises the debate concerning security of these networks, and an inevitable cause for action in terms of addressing the core areas. It should not be the case that the compromise of a medical device by a cyber criminal leads to the death of an innocent victim. In this case, if remote intervention and / or tampering could be proven, the legal implications for the device manufacturer, the institution using the equipment, and the medical industry as a whole could be huge – and ultimately, very damaging – both from a monetary and trustworthiness perspective.