Medical devices must be secure by design, say industry experts

The information security industry is calling for medical device manufacturers to design and build cyber security into all internet-enabled devices after thousands are found to be hackable

Cyber security experts say the reported hacking vulnerability of medical devices underlines the need for all internet-enabled devices to be secure by design.

According to security researchers Scott Erven and Mark Collao, around 68,000 medical devices at an unnamed US health group were found to be available for hackers to access online, reports the BBC.

Vulnerable devices included 21 used for anaesthesia, 488 in cardiology, 67 used in nuclear medicine, 133 infusion systems, 31 pacemakers and 97 MRI scanners.

“Medical device manufacturers should be designing and building cyber security into medical devices,” said Caroline Rivett, director at KPMG’s cyber security practice.

“Otherwise devices are vulnerable to hackers causing a safety issue and loss of confidential patient information,” she said.

In addition to privacy issues, the vulnerability of medical equipment to hacking has raised concerns that attackers could affect patients’ health and even cost them their lives by altering dosages or treatment plans.

According to Rivett, tackling this problem will require co-ordination between device manufacturers and healthcare regulators.

A similar industry-wide and collaborative approach has been advocated by Beecham Research, regarding all future internet-enabled devices making up the internet of things (IoT).

“The internet of things is already here and some of its denizens are already in critical condition,” said Tripwire’s director of IT security and risk strategy, Tim Erlin.

“Embedded devices are nothing new. The expansion of internet connectivity has turned network-connected embedded devices, from energy to healthcare, into internet-connected embedded devices. As the forward end of the industry works to bring the ‘things’ to the internet, the internet has already been brought to the ‘things’ that were out there,” he said.

As the healthcare industry becomes more integrated into the internet of things, it comes as no surprise that medical devices could become the next target for hackers, said David Emm, principal security researcher at Kaspersky Lab.

“Unfortunately, all connected devices now need to be built with security at front of mind, especially when lives are at risk,” he said, adding that it seems it is not until something bad happens that companies take security seriously.

“However, the challenge is if areas of vulnerability are found in medical devices from scanners to pacemakers, it may not be possible to roll out a patch like you could for a smartphone or PC. This highlights the importance of factoring in security at the design stage and for developers to talk to security organisations, before rolling out this vital medical equipment for public use,” he said.  

According to Emm, this approach should be adopted with all internet-enabled devices, especially in light of the fact that Kaspersky Lab’s research with BioNyfiken has shown a rise in people who implant technology in their bodies for greater convenience in everyday life, rather than for medical reasons.

“People are embracing smart implants that allow them to control door locks, make purchases and gain access to computer systems with the wave of a hand. So be it medical or commercial, when we allow bodies – not just computers – to contain increasing amounts of personal, hackable data, it is even more imperative to ensure it can be kept safe from cyber-attacks,” he said.

In August 2015, the U.S. Food and Drug Administration (FDA) was reportedly “strongly encouraging” hospitals not to use a discontinued line of Hospira Symbiq Infusion System pumps that security researchers had found to be hackable.

At the time, John Smith, principal systems architect at security firm Veracode, said that while it was not surprising the FDA was urging healthcare facilities to switch from Hospira’s Symbiq Infusion System to alternative infusion systems, it was surprising and even more worrying that the security flaw in the pumps had gone unfixed for more than a year.

“It is essential that the IoT security is looked at holistically to ensure the devices, as well as their mobile and web applications and back-end cloud services, are built securely by default. Security should not be treated as a bolt-on, otherwise we risk not only putting sensitive information in jeopardy, but potentially opening ourselves up to physical harm,” he said.

4 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

That just seems like a no-brainer, and I’m a little shocked that the FDA doesn’t already require that, given the importance of HIPAA and the arduous regulatory and compliance processes to which medical device companies are already subjected.

Seems that everything is now hackable, from connected devices of all sorts to our bank accounts and right on to our most secret of secrets. How did we manage to leave so much so vulnerable? Maybe we need to hire the hackers to help us close the gaping holes in everything. Sort of an advance ransom...

With the idea being that a ransom paid in advance is going to be less costly in the long run? I think that we left so many things so vulnerable because we used one of our favorite heuristics: we assumed. Either we assumed someone else would secure it, or that it wasn’t that big of a deal, etc. It’s OK to assume, as long as you realize that it is not guaranteed to provide an optimal solution, and that it can fail.

They just had a TV show on this topic. An episode of CSI: Cyber had someone hack medical equipment and extort the hospital for money, or it would start killing patients by controlling the devices remotely. Scary to think this could really happen. Yes, it may be a convenience to have them attached to the network, but do they really need to be?