Is IoT Medical Device Hijacking Fiction or Reality?
Security is another hot-button topic in healthcare. In the past few years, several hospitals have been hit by ransomware attacks. The FBI and other government agencies have also released warnings related to the cybersecurity of medical devices.
Hacked medical devices make for scary headlines. Former vice president Dick Cheney ordered changes to his pacemaker to better protect it from hackers. Implanted medical device hijacks are so memorable because they’re so personal. You wouldn’t want something inside your body or on your skin to be remote-controlled by a criminal.
Unfortunately, many types of these devices are broadly vulnerable to attack. As hijackers increasingly take advantage of historically lax security on embedded devices, defending medical instruments has taken on new urgency on two fronts: protecting patients and protecting medical devices.
Like in Hollywood action movies or big network TV shows, hospitals can be attacked through medical devices. Why? Because they are connected to a vast series of sensors and monitors, making them potential entry points to larger hospital networks.
May Wang, chief technology officer at Zingbox, says:
- “People tend to think healthcare is very conservative. Healthcare is very slow because of regulations and liabilities, but because of the huge benefits they’re seeing by using IoT devices, hospitals are deploying more and more of them.”
- “For the past three years, the healthcare sector has been hacked even more than the financial sector; and more and more hacking incidents are targeting medical devices.”
Medical Device Security
Healthcare has always been and remains a major target in the cyber world, with nearly 90% of healthcare attorneys saying the industry is at a greater risk of data breaches compared to other industries. The newest attack on major healthcare organizations comes in the form of MEDJACK, otherwise known as “Medical Device Hijacking”.
MEDJACK is a method of undetected cyber-attack on medical devices through malware. It focuses on finding vulnerabilities to create backdoors “behind the firewall”. Medical devices often run on insecure operating systems such as Windows 2000 / XP, or Linux, and traditional cyber defenses cannot run on these devices without the manufacturer’s authorization.
MEDJACK looks to gain access to hospital networks, steal confidential data, or even compromise medical devices like diagnostic equipment(1), therapeutic equipment(2), and even life support equipment(3). Any medical device that is connected to the internet should be considered a vulnerable target that can be leveraged in an attack.
Very few diagnostic cyber security tools are available for a hospital to use in identifying malware on an overwhelming number of medical devices. MEDJACK takes advantage of this weakness and successfully establishes backdoors on medical devices by deploying older malware that goes undetected.
With hospitals and medical facilities still adapting to the recent digitalization of patient medical records, hijackers are capitalizing on and exploiting the many vulnerabilities in these organizations’ security layers.
In response to increased attacks on the healthcare industry, some security companies have developed several programs including: end-user training and threat education, end-point security, network security, and cyber security advisory.
Suzanne Schwartz, the associate director for science and strategic partnerships at the Center for Devices and Radiological Health of the FDA (Food and Drug Administration), says the agency has delayed and even blocked medical devices from coming to market if they don’t meet the agency’s cybersecurity standards.
She adds that the FDA has seen improvement in the foundational cybersecurity protections that are baked into new products coming under review. For the FDA, cybersecurity in medical devices is not optional.
As one of the largest individual markets in the United States, with an annual expenditure of about 17.5 percent of GDP, the healthcare industry faces a continuously growing challenge to defend against cyber-attacks.
Medical Device Hijacking is REAL. It is important to raise our voices so that the government and the private companies associated with it take the necessary measures to make sure the healthcare industry is responsible and accountable for ensuring the security and privacy of patients.
1 Diagnostic equipment: PET (Positron Emission Tomography) scanners, CT (Computed Tomography) scanners, MRI (Magnetic Resonance Imaging) machines
2 Therapeutic equipment: Pumps, lasers, or surgical machines
3 Support Equipment: Heart-lung machines, ventilators, oxygenation and dialysis machines