
Waking up to the reality of the vulnerabilities of medical devices in healthcare

Hospitals have largely been unaware of these unseen dangers but are slowly waking to this new reality.

Medical devices have historically been regulated for effectiveness and safety and not for security purposes. At present, only the FDA in the US has issued guidance, which is voluntary and non-binding, encouraging manufacturers of medical devices to conduct a security assessment of their products.

According to publicly available reports, unpatched vulnerabilities exist in 20 products made by the popular medical device manufacturer Medtronic, including defibrillators and home patient monitoring systems. Medtronic apparently confirmed to a news outlet that no update is yet available to fix the flaws. The flaws apparently could allow a local attacker to take control of the devices' functions, and for a product like an implantable cardioverter defibrillator, which is inserted under the skin and shocks patients' irregular heartbeats into a normal rhythm, that could have dangerous implications. Successful exploitation of these vulnerabilities may give an attacker the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device.

Impacted products include homecare patient monitors, portable computer systems used to program cardiac devices, and several specific Medtronic implanted cardiac devices.

At Black Hat 2018, researchers stressed that the healthcare device landscape remains insecure and needs to be addressed. In new research presented at the information security conference, a pair of security researchers remotely disabled an implantable insulin pump, preventing it from delivering the lifesaving medication, and then took total control of a pacemaker system, allowing them to deliver malware directly to the computers implanted in a patient’s body.

To take control of the pacemaker, the researchers went up the chain, hacking the system that a doctor would use to program a patient’s pacemaker. Their hack rewrote the system to replace the background with an ominous skull, but a real hack could modify the system invisibly, while ensuring that any pacemaker connected to it would be programmed with harmful instructions. 

Hospitals and health systems need to take a proactive and pre-emptive approach to security. They should invest in and develop a strong IT infrastructure with layered security and firewalls to deter hacking. Healthcare organisations are constantly being challenged to anticipate unintentional threats and potential vulnerabilities. It is therefore important that they remain vigilant in this area as they continue to develop comprehensive systems to mitigate security risks.

