Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
Many medical devices are now vulnerable to cyber-attack with potentially “life or death consequences,” an IT research expert has told the Financial Times.
Part of the burgeoning internet of things trend, cardiac monitors, glucometers, insulin pumps and other medical devices are increasingly connected to wifi and equipped with sensors.
Myriad vulnerabilities in connected medical devices have already been discovered by researchers.
Christian Renaud of 451 Group said that the benefits of connectivity – including continuous monitoring, telemedicine and big data analysis – come with a huge risk: “Abuse by bad actors, just as it does in connected cars and industrial automation, although with much more direct ‘life or death’ consequences.”
In December, British and Belgian researchers found security flaws in the proprietary communication protocols of 10 implantable cardiac defibrillators on the market.
Altering medication
A report by the Industrial Control Systems Cyber Emergency Response Team on the security status of syringe infusion pumps warned that “successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorised access and impact the intended operation of the pump” – meaning a hacker could alter the quantities of medication administered to a patient.
Smiths Medical, which manufactured the devices, has promised to issue a software security update to remedy the vulnerabilities by January 2018.
Vulnerabilities were also found in implantable cardiac defibrillators and pacemakers manufactured by St Jude Medical in January of this year. Patients will have to attend hospitals and clinics to have devices removed, although no invasive surgery will be needed.
The recall involves some 465,000 devices.
Doctors disabled wireless connectivity in the pacemaker of former US Vice-President Dick Cheney due to cybersecurity concerns.
In 2016, healthcare brand Johnson & Johnson admitted that its insulin pumps had a vulnerability that, if breached, could cause a potentially fatal overdose of insulin.
Although device makers are under fire for not prioritising security at all stages of the design process, guidance from the Food and Drug Administration (FDA) recognises that healthcare facilities, patients and providers all have a role to play too.
An article published by The Hill in June reported that the FDA and medical device makers are expecting more hacking attacks.
Commenting on the story, Ilia Kolochenko, CEO of web security company High-Tech Bridge, said: “The problem is aggravated by the very low level of cybersecurity at hospitals in general – lack of segregation and access rights, missing security patches and updates, missing or weak encryption, insecure authentication, default or weak passwords.
“Connected medical devices should be strictly and severely regulated by governments, and their manufacturers should bear the liability for any negligence or carelessness during the manufacturing process – otherwise medicine will become an extremely dangerous activity within the next decade.”
Pacemakers and other implanted medical devices present “life or death” cybersecurity risk