The Last Watchdog

on Internet security by Byron Acohido

Medical devices could be cyber underground’s next juicy target

Posted on April 29, 2010

As the cybercrime underground continues to advance, criminals inevitably will continue to seek out fragile technologies being used to manage valuable digital assets. In this LastWatchdog guest blog post, Kurt Stammberger, vice president of marketing at device security vendor Mocana, makes the case that medical devices and systems are ripe for attack. Stammberger helped launch cryptography startup RSA and its spin-off company VeriSign, and was involved in the founding of the RSA security conference.

By Kurt Stammberger

Vice President of Marketing, Mocana

Millions of Americans depend on things like advanced implantable pacemakers, insulin pumps, and remote patient monitoring systems. These devices are increasingly connected to the network, to help doctors and healthcare professionals better care for you, no matter where you are. But most of these electronic medical miracles – which are essentially tiny computers – have been fielded without adequate security measures on board. That means these tiny computers can be hacked, spied on and remotely crashed, just like your desktop PC… only this time with potentially life-threatening consequences.

There are dozens of examples of successful attacks against medical devices (including virus infections) in the literature. In May 2006, Christopher Maxwell, 19, was sentenced to prison and fined $252,000 for unleashing a botnet which attacked computers at Northwest Hospital and Medical Center in Seattle, shut down computers in the ICU, jammed doors in operating suites and disrupted the paging system.

(Editor’s note: Maxwell was a script kiddie botherder looking to spread adware. The Sasser-type worm he launched got away from him, as described in this LastWatchdog investigative report.)

In March 2008, researchers at 3 American universities demonstrated a radio hack on an implanted defibrillator & pacemaker. They were able to extract personal information, shut the device down, and deliver shocks at will. In April 2009, the “Conficker” virus infected thousands of MRI devices nationwide… but hospital IT departments weren’t allowed to apply the “patch”, or fix, because FDA requirements mandated that hospitals wait 90 days before installing new code.

And in July of 2009, a team at the Medical Devices Security Center reported on the lack of security mechanisms in neural implants that help people hear, move prosthetic limbs, or control computers. Hackers targeting these types of systems, the report implied, could find it relatively straightforward to take control of artificial limbs, or even deliver “unprescribed” deep neural stimulation.

Two things need to change – and soon. First, hospital IT and clinical engineering staffs need to collaborate better so they can make smarter purchasing decisions, and insist on (at least) basic security functionality in the devices they buy. Industry watchdogs like the Healthcare Information and Management Systems Society (HIMSS) have created a “Consumer Reports”-like security scorecard for medical devices, called the Manufacturer’s Disclosure Statement for Medical Device Security. But hospital buyers could make it more of a habit to demand these statements from manufacturers.

Second – and more importantly – medical device manufacturers need to take more responsibility for the security posture of the devices they sell. Sophisticated cryptography, authentication and information security technologies are commonplace on the Internet.

Even the most computer-phobic among us has some idea that when we type a credit card number into a computer to buy something online, that transaction is shielded from hackers. It’s time for medical professionals and consumers to demand at least a comparable level of security from the electronic devices we put inside our bodies to monitor our vital signs, deliver drugs into our veins or shock our hearts into regularity.

Comments

1 Comment »

  1. We have accepted the suggestion from a BU family member to facilitate discussion on medical matters which is a topic area that should interest us all. Based on exchanges with and between BU family members posted over time, many of you work in the medical field or possess information on various medical issues acquired based on personal circumstance or otherwise.
    ============
    Medical Health Blog
