August 10, 2017 by Rodolfo Melgoza
The health care community has been heavily criticized for weak cybersecurity. Ever since the New Zealand hacker, programmer, and security expert Barnaby Jack demonstrated in 2011 that he could hack into his own insulin pump and potentially give himself a lethal dose of insulin, ethical hackers have placed great emphasis on securing medical devices. Each year at Black Hat and Def Con, attendees at these annual hacker conferences make it a point to break into insulin pumps, pacemakers, glucose monitors, and other medical devices—just to prove once again how awful the security is, and to highlight the potentially lethal consequences.
The hackers are usually successful in breaching and taking control of their targets because the medical devices generally lack even basic security features. To make matters worse, many of them are running on outdated operating systems that are no longer maintained or patched. This makes them easy pickings for experienced hackers.
According to an article in the Financial Times, last year the FDA “told hospitals not to use Hospira Symbiq infusion pumps because of a vulnerability that could allow a hacker to change a dose” and Johnson & Johnson warned over 100,000 diabetes patients of a flaw in their insulin pump.
The good news is that we are starting to see medical device manufacturers enhance the security of their products. This year at Def Con, a number of representatives from medical companies were in attendance, learning first-hand how cybercriminals operate and attack their products. The US Food and Drug Administration (FDA), which regulates medical devices, also spoke for the first time at the event, presenting security guidelines for device makers.
But the medical device industry is not at Def Con just to learn. It is also teaching cybersecurity researchers. Security experts are often so obsessed with finding vulnerabilities for the sake of it that they fail to understand the more important question of which activities would actually affect patient safety. Working together, the security and medical industries hope to address security concerns before cybercriminals begin to exploit the vulnerabilities en masse.
Representatives from Johnson & Johnson and other medical device makers have promised better security in the near future, and security vendors are starting to create embedded devices to help them.
Although progress is slow, it’s nice to see the momentum starting to build.