Some pretty frightening news has come out of the healthcare industry in recent months related to cyberattacks and medical devices.
- A legal case is now underway questioning the safety of cardiac implants used by a large U.S. hospital. A lawsuit claims the devices are vulnerable to potentially life-threatening cyberattacks.
- The OneTouch Ping insulin pump has been found to be susceptible to hacking, and it’s not the first time pumps have been targeted. Five years ago, a hacker demonstrated vulnerabilities in another insulin pump in a proof-of-concept.
- A recent study in the Washington, D.C. area exposed critical security vulnerabilities in hospital software and medical devices. In some instances, the security specialists proved the ability to bypass online authentication processes to “weaponize” a medical device against a targeted patient.
What sounds like a plot for a sci-fi movie or an episode of the TV show “24” is actually a very real, very worrisome threat that needs to be recognized and dealt with.
The vulnerability we’re seeing in many of these devices comes from the insecure transport of communications. By design, the devices communicate wirelessly and remotely with users. And they often don’t require authentication in order to perform state-changing behavior, such as modifying sensitive device configuration settings.
That means a hacker can change what the device does without proving his or her identity. And he or she could go one step further and use the device to access patient records, hospital networks and anything connected to the device.
There are two separate considerations in solving this problem, from my point of view:
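The remedy for the weakness described above is for the device to verify who sent a command before it changes state. The sketch below is an added example, not code from this article or from any real device: the frame layout, setting name and key are constructed for illustration. It covers message authentication and replay rejection only, not encryption of the link.

```python
import hashlib
import hmac
import struct

DEVICE_KEY = b"constructed-demo-key"  # constructed; real keys are per-device, in protected storage
TAG_LEN = 32                          # HMAC-SHA256 tag size
HEADER = struct.Struct(">QI")         # hypothetical layout: 8-byte counter, 4-byte value


def build_frame(key, counter, name, value):
    """Controller side: header + setting name, followed by an HMAC over both."""
    body = HEADER.pack(counter, value) + name.encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Device:
    """Hypothetical device that takes configuration commands over a wireless link."""

    def __init__(self, key):
        self._key = key
        self._last_counter = 0                 # highest counter accepted so far
        self.settings = {"alarm_volume": 5}    # hypothetical setting

    def handle_unauthenticated(self, name, value):
        # The weakness: any sender that can reach the device can change state.
        self.settings[name] = value
        return True

    def handle(self, frame):
        """Apply a command only if the tag verifies and the counter is fresh."""
        if len(frame) < HEADER.size + TAG_LEN:
            return False                       # too short to be a valid frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                       # forged or modified in transit
        counter, value = HEADER.unpack(body[:HEADER.size])
        name = body[HEADER.size:].decode("utf-8", "replace")
        if counter <= self._last_counter:
            return False                       # replay of a captured frame
        if name not in self.settings:
            return False                       # unknown setting
        self._last_counter = counter
        self.settings[name] = value
        return True
```

A premarket test of such a handler would send unsigned, modified and replayed frames and confirm that each is rejected and the setting is unchanged.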
1) Building security into the device in the premarket (development, manufacturing) phase
2) Protecting devices postmarket by pushing updates and guarding against new vulnerabilities without costly product recalls
One approach can assist with both aspects: penetration testing.
In the manufacturing phase, penetration testing can be used to explore the device, see what kind of systems and services are being used and where the security vulnerabilities lie.
From there, recommendations can be made to correct issues before the device goes public. And the fix can be something as simple as blocking external access to IP ports or eliminating the presence of default credentials.
From a postmarket standpoint, testing could yield insights that lead to applying pressure to passive manufacturers, pushing out patches and updating operating systems remotely to prevent attacks.
The key is in knowing what vulnerabilities exist and how they can be managed, both efficiently and cost-effectively. And penetration testing is a great first step.
And keep in mind, though attacks on medical devices grab a lot of headlines, they’re just one example of a broader issue at work here: IoT cybersecurity.
A medical device is an IoT device, and there are parallels in how the devices should be designed and maintained. As the recent Mirai attacks showed us, IoT is the next frontier in cybersecurity. Better to start testing and preparing now before your device falls victim.
Jason Hoerner is the managing consultant of CSC StrikeForce Cybersecurity Consulting.