If you keep up with tech news and developments you may be aware of the potential for embedded medical devices to be hacked and used to covertly track and monitor people. Their devices could even be used to distribute malware. Pacemakers and insulin pumps, heart monitors and other devices could be vulnerable. Imagine using medical devices to extort someone with a threat on their life. Disrupting a device to kill or injure a person is a frightening prospect. As medical devices that are implanted or worn become more common the threat of them being exploited by criminals is a real possibility. A simple search of “embedded medical device security” can bring up some terrifying stuff.
This type of thing is often portrayed in popular fiction, but most of us probably didn’t realize this is a real concern. This isn’t just a fantasy or some far fetched science fiction plot device. It is a very real and present danger that is sure to blow up in our faces if policies aren’t enacted to mitigate damage. Computers are everywhere. Devices that we use daily are actually computers and people don’t see it that way because they aren’t sitting on a desk with a monitor. They are all vulnerable to attack. Some devices are more secure than others but nothing is invulnerable.
Many hospitals and clinics use older operating systems. Often they don’t have current security patches and security becomes complicated when you factor in medical devices and electronic health records. Medical facilities and medical devices are becoming a target for malware and other security threats. Software running patient monitoring equipment is at risk for exploitation. There isn’t much in the way of public evidence that any patients have actually been harmed but it is a very frightening prospect. In 2012 The MIT Technology Review posted an article that mentioned an incident at Beth Israel Deaconess Medical Center in Boston. Apparently the Fetal Monitors in the ICU were slowed.
Security vulnerability of older Microsoft operating systems that have not been patched is a primary concern. Hospitals in the United States have to contend with FDA regulations when it comes to modifications of medical systems and installing anti-virus products. Even though FDA urged medical providers and manufacturers to cooperate on reducing security risks back in 2009, The Government Accountability Office warned of continued vulnerability to hacking and exploits. They asked FDA to address the issue again in September of 2012. It is 2015 now and despite the FDA reviewing it’s regulations malware or exploits like Conficker , Zeus, Citadel, and have been discovered on medical devices. Other types of malware as well as ransomware have been found also. Regulatory review is a very slow process, and when regulations are used as an excuse to put off reform of a fast paced problem it is a disaster.
As Medical devices, software, and mobile apps become more connected with electronic health records which are also vulnerable to attack the threat only increases. BYOD policies, short for “Bring Your Own Device”, complicate the problem even more. Without strong and enforced policies regarding what apps can be used to access medical records on these devices, how they can do it, what information can even be accessed they are just another potential security risk.
Many medical devices in hospitals use or are operated by systems based on Microsoft Windows. This of course can make them vulnerable to various Windows exploits. These are closed devices and systems that may have network or wireless connectivity but aren’t open to traditional anti-virus scanners and tools that run from desktop computers. These devices are often using secondary firewalls that only the manufacturer has access to and unfortunately malware infection is becoming common on them. They can’t be scanned by hospital security stuff and aren’t open to their security tools. Blood-gas analyzers, PAC systems that used to view and share imaging results like MRI and CT scans, X-Ray systems, and all sorts of devices have been found to harbor malware. Much of it isn’t target to medical devices specifically but a portion of it was and some of it was used to compromise the hospitals networks and computer systems.
If medical manufacturers and medical providers don’t come together to find ways to openly scan and secure medical devices for exploits and malware we could end up with a very serious problem that will be difficult to mitigate. Closed standards and lack of access to devices for security purposes are a nightmare. While medical security personnel are trying to find ways to secure these devices criminals are already exploiting them. Given enough time real damage will start being done to real people. Whether it is an embedded device or a device used in a hospital or clinic the potential for harm is enormous. Call me an alarmist if you wish. I would rather be the alarmist than the person that didn’t say or do anything until people died. The lack of evidence of serious harm coming to anyone yet doesn’t preclude the very real possibility of it happening. Considering the rate at which technology and exploits of technology continue to develop real action on the matter sooner rather than later is best.
