The recent attacks from WannaCry–the virus that attacked hospital computer systems throughout England, reducing hospital effectiveness and damaging hospital medical devices such as MRI, PET, and CT scanners–have turned attention to what else might be vulnerable to such cyber terrorism attacks. There is increasing concern that hackers might next target personal medical devices, such as insulin pumps and pacemakers.
Concerns about hackers targeting such devices have existed for a while. Dick Cheney famously had pacemaker rendered unable to be programmed wirelessly, meaning that updates would have to be done surgically, but also that it would be significantly harder to hack. However, an attack is now seeming more and more likely, both in light of recent events, and as it becomes increasingly clear that these devices are far from invulnerable.
A survey conducted by the Ponemon Institute talked to more than 550 medical device manufacturers and healthcare delivery organizations and discovered that 67 percent of the former, and 56 percent of the latter, think a cyberattack on their devices is likely within the next twelve months.
What makes these devices so vulnerable? Of the healthcare delivery organizations surveyed, 53 percent said that they did no security testing on the devices. 43 percent more were unsure if any testing was done at all. In a study by the security company Whitescope, researchers found 8,000 vulnerabilities in the coding of pacemakers and defibrillators from four different manufacturers. It’s not surprising that only 25 percent of the people surveyed were confident that the security that existed was adequate in protecting against hacking.
In addition to shoddy security standards, medical devices are often old and out-of-date, making them extra vulnerable to hackers. And vital security changes, when made, can be difficult to implement. But changes need to be made, and as quickly as possible, as a hack could be deadly. This past autumn, Johnson & Johnson alerted customers to a security flaw in its insulin pumps. By taking advantage of this flaw, hackers would have been able to cause users to overdose on insulin. Likewise, there are fears that similar flaws in pacemakers could allow hackers to administer deadly shocks to those with the implants.
Manufacturers are beginning to become wise to these issues, looking more diligently than ever for security flaws in their products. Meanwhile, “white hat” hackers–hackers who use their abilities for good–have been given permission and means to look for, and report, flaws. Nevertheless, despite current progress, the industry is now in a race against time to fix their products, before someone takes advantage of weaknesses in the code.