Technology is encompassing every aspect of our lives. With the internet of things (IoT) devices, everyday equipment has a smart edge to them as well. Medical devices are no different. But unless the security loopholes are not plugged in, medical data could be hacked into by enterprising hackers. Hacking can entail anything from getting your vital medical data to actually hacking medical devices to administer fatal doses. Extrapolate this and you have entire hospital networks at risk.
According to a report in Wired, IoT security firm Zingbox claims that in the US hospitals there are around 10-15 connected devices per bed and a lot of hospitals seems to be using them. There are benefits of course as IoT devices help with remote monitoring of patients. But there are dangers too. “For the past three years the healthcare sector has been hacked even more than the financial sector. And more and more hacking incidents are targeting medical devices,” said Zingbox.
A lot of the smart medical devices still have a lot of proprietary software, making it difficult for anyone other than the device maker to debug the code and discover vulnerabilities. Add in the fact that a lot of vulnerable devices still use legacy software such as Windows XP, which has been retired by Microsoft, and there are no security patches for the same. This makes it difficult for security experts to identify security loopholes immediately.
According to Wired, an exploit called MedJack lets attackers insert malware into medical devices which, because they are connected on the hospital networks, then spread it to the rest of the network. The medical data intercepted by hackers in such cases could be used for tax fraud and identity theft. In the worst case, hackers could use the identity to order prescription medicine online and sell it on the dark web.
Hackers also employ techniques to stay under the radar when they are hacking into medical devices. According to security firm TrapX, MedJack hackers deliberately using old malware which only attacked medical devices running on outdated operating systems such as Windows XP or Windows Server 2003 and so on. This was done to avoid detection as there would be no flags raised due to lack of security updates in these OSes.
The attackers can use multiple ways to get benefits out of the stash of medical data they are able to hack into. For instance in the Rainbow Children’s hospital in Texas, data of 33,368 patients was hacked and then encrypted to get a payout for releasing data back to the hospital. In more recent cases of ransomware attacks, computers were rendered useless as they went offline and emails were disabled forcing medical staff to rely on fax and telephones. This could be disastrous for a hospital which requires access to keep patients alive.
While the Food and Drug Administration (FDA) has made cybersecurity a criteria for product approval, it is ultimately up to the device makers to ensure that security aspect is thought of during the product and software conception stage. Till that happens, smart medical devices, and in effect patients being treated using them, will continue to be at risk from hackers.