Hackers Could Hold Medical Devices Hostage

Brian Buntz

November 19, 2015


Next year, hackers could begin threatening the lives of people with implantable devices, according to a prediction by a tech market research firm.


Ransomware could be headed to the world of medical devices and wearables, according to Forrester Research. By taking remote control over implantables such as pacemakers, hackers could extort users of the devices to pay them money to continue living, giving a new twist to the phrase: "your money, or your life." The research firm named ransomware attacks on medical devices as their top cybersecurity prediction for 2016.

Ransomware has been a quickly growing problem with PCs. Hackers hold important files on a user's hard drive hostage, encrypting them and blocking a victim from accessing them. Then, the hacker demands the payment of a ransom to grant the user access to them. If the user doesn't send payment--usually in the form of a digital currency--within a given time frame, the hacker often threatens to wipe all of the files off the hard drive. According to the FBI, such schemes cost U.S. consumers more than $18 million between April 2014 and June 2015. The Cyber Threat Alliance estimates that a single form of ransomware has resulted in at least $325 million in damages internationally.

Still, the possibility of a widespread ransomware medical device attack may be overstated, says medtech security expert Jay Radcliffe, who is a senior security consultant and researcher at Rapid7. "While getting malware onto a medical device might be technically possible right now, it's not a very realistic risk, and it would be very hard to distribute widely," he says. That doesn't mean that the threat isn't real, however. "It's the next generation of medical devices, which will be increasingly connected to smartphones, tablets, computers, etc., where risks like these will escalate and cause more reason for concern. The time to act is now; we have the opportunity to put in place preventative technologies to safeguard these devices." (Radcliffe spoke on the subject of medical device security at the upcoming BIOMEDevice San Jose event. The topic will also be featured at MD&M West in Anaheim, CA, which is held February 9-11, 2016.)

By targeting life-critical medical devices, hackers could feasibly demand substantially larger sums of money from their victims than they would stand to receive from computer users. In September of this year, a Cisco blog post reported that ransomware in general was growing exponentially.

Security firms continually rate the cybersecurity of most medical devices poorly. According to a 2013 DHS advisory, 300 medical devices from 40 manufacturers still used hard-coded passwords that can be discovered by simply downloading the manual for the device from the Internet.

McAfee noted a significant spike in ransomware attacks earlier this year and stated that the problem could creep into the IoT field, including medical devices, according to a Vice article.

The Cyber Safety Framework plans on publishing recommendations to help medical device companies avoid ransomware in their products, and stresses the importance of planning to optimize security early in the design stage and working with regulatory authorities to roll out regular security updates, mimicking an approach that is common in computing. I Am The Cavalry also recommends disconnecting or segmenting out system critical functions in medical devices with connected functionality.

Forrester Research is not the first to predict that ransomware would be a problem in the medical device domain. Last year, Europol's Internet Organized Crime Threat Assessment (iOCTA) also noted that the hacking strategy was likely to be a problem for medical devices.
