Hackers May Prey on Medical Devices

NEWS TRENDS

With increased connectivity comes security risks, and certain medical devices could become the next target for hackers. Potential vulnerability means companies must focus even more on ensuring the safety of connected devices.

“Malware [malicious software] and connectivity are outpacing security today, and hackers are getting more successful, not less, in gaining unauthorized access to valuable data,” says Adrian Turner, CEO of Mocana Corp. (San Francisco). “Right now, the barn door is wide open, at least on the medical device front.”
Medical PCs are the primary targets, Turner says, but hackers and malicious software writers could be targeting non-PC medical devices, especially ones attached to a network. In this context, a non-PC is a device that has a central processing unit, and is Internet-protocol addressable or can communicate with the outside world. This includes pacemakers, bedside monitors, magnetic resonance imaging machines, and portable drug-delivery pumps.
The Medical Device Security Center has drawn attention to several studies that reveal critical security risks surrounding medical devices. The center is a group comprising researchers from Harvard Medical School, the University of Massachusetts–Amherst, and the University of Washington. In a paper published last year about pacemakers and implantable cardioverter-defibrillators (ICDs), the researchers were able to hack into an ICD and intercept private data transmitted between the device and a commercial programmer. Through their experiments, they revealed that ICDs were vulnerable to attacks in the form of altering patient data or therapy settings for how shocks are administered.
The same types of attacks that have traditionally targeted sectors such as consumer electronics could be setting their sites on medical devices, with much more catastrophic consequences, warns Turner. Potential threats include:
•Sniffing (also called snooping) or eavesdropping. •Theft of sensitive information.•Data destruction.•Zombification. A zombie is a device attached to the Internet that has been compromised by a hacker, virus, or Trojan horse, and can be remotely used, without the owner's knowledge, to perform malicious tasks. •Bricking. This usually refers to damage to system software or firmware, which would require a complete system wipe and reinstall in order to regain use of the device. In the case of medical devices, this could entail sending the product back to the manufacturer.

The researchers from the Medical Device Security Center have expressed the need for developing a way to balance security and privacy while still adhering to the standard of device safety and effectiveness. Achieving such balance is a challenge, given the constant evolution and increased connectivity of today's devices, combined with quickly emerging security threats.

One big problem is anticipating attacks. “With PCs, you at least have a database of potential viruses to check for,” says James Blaisdell, chief technology officer at Mocana. “With medical devices…you don't know what the attack vectors will be, and you usually won't even know you're being attacked. If a defibrillator or ECG is hijacked, there's no built-in firewall looking for weird traffic.”
Part of the solution could be integrating a security system into a device. For example, Mocana offers a system called the Device Security Framework (DSF) that gives medical devices different layers of security including a firewall, virus and malicious software protection, secure data communications, and device identity management.
Both access to private information and device malfunction are concerns that manufacturers must address. “Attacks on medical devices aren't only realistic, they're already happening,” says Turner. “Especially when you think about the automated polymorphic malware that's out on the Internet today—those programs don't care whether your device is medical or not. All they need is a system environment with resources they can hijack in order to breed and spread.”Copyright ©2009 Medical Device & Diagnostic Industry