Medical Internet of Things (IoT) devices may be left vulnerable to attack due to outdated operating systems, which are often easy to hack into.
Catherine Norcom, a hardware hacker for IBM’s X-Force Red division, said:
Manufacturers of medical IoT devices should be prioritizing security, especially considering the potential detrimental consequences of a breach.
Medical IoT devices are a top target of cybercriminals, so even if a manufacturer thinks it has developed a device with reasonable security, criminals may still find vulnerabilities. I recently read a Ponemon Institute study that said 67 percent of medical device makers believe an attack on one or more medical devices they have built is likely.
This is, of course, extremely alarming to anyone with a medical IoT device since a breach would expose highly sensitive data and cause significant damage.
If a user loses a device or it is stolen, criminals could access the hardware and retrieve medical data that is stored within the device. However, data could also be breached over Wi-Fi networks or by using USB ports on devices they do not control, such as in public places.
Cybercrime within the medical industry is a real threat – just last year the UK’s National Health Service was hit with a massive attack in the form of WannaCry ransomware. The ransomware disproportionately hit computers and networks in the system that were running on older tech and, as a result, were less secure. Due to this, the NHS has proposed that all NHS computers be updated to Windows 10.
At the Black Hat InfoSec conference in 2018, a team of researchers presented findings showing how detrimental medical device hacking can be. They remotely disabled an implantable insulin pump, removing the pump’s ability to deliver the lifesaving insulin. They also demonstrated hacking into a pacemaker and taking control of the device. People with a slow heart rate rely on pacemakers to regulate their heart function, ensuring it operates at a healthy level.
The pair of researchers criticized the manufacturer’s response to their findings. Medtronic manufactured the devices and responded slowly to the claims. At the time of the conference, the pair highlighted that they had told Medtronic about the vulnerabilities 570 days earlier, and had finally decided to go public with the findings.
Medtronic did respond to say that they wouldn’t fix the flaw, instead encouraging recipients and doctors to be more careful about the networks they connect to. As you can imagine, this response did little to allay people’s fears about their medical devices being hacked.
A spokesperson for Medtronic said:
Medtronic places product safety above all considerations.
All devices carry some associated risk and, like the regulators, we continuously strive to balance the risks against the benefits our devices provide.
Security needs to be built into these systems from the moment of conception, rather than as an afterthought. We are talking about devices that keep people alive and store extremely sensitive data – the level of security built into these systems needs to be significant.