Medical devices must be secure by design, say industry experts

Cyber security experts say the reported hacking vulnerability of medical devices underlines the need for all internet-enabled devices to be secure by design.

According to security researchers Scott Erven and Mark Collao, around 68,000 medical devices at an unnamed US health group were found to be available for hackers to access online, reports the BBC.

Vulnerable devices included 21 used for anaesthesia, 488 in cardiology, 67 used in nuclear medicine, 133 infusion systems, 31 pacemakers and 97 MRI scanners.

“Medical device manufacturers should be designing and building cyber security into medical devices,” said Caroline Rivett, director at KPMG’s cyber security practice.

“Otherwise devices are vulnerable to hackers causing a safety issue and loss of confidential patient information,” she said.

In addition to privacy issues, the vulnerability of medical equipment to hacking has raised concerns that attackers could affect patients’ health and even cost them their lives by altering dosages or treatment plans.

According to Rivett, tackling this problem will require co-ordination between device manufacturers and healthcare regulators.

A similar industry-wide and collaborative approach has been advocated by Beecham Research, regarding all future internet-enabled devices making up the internet of things (IoT).

“The internet of things is already here and some of its denizens are already in critical condition,” said Tripwire’s director of IT security and risk strategy, Tim Erlin.

“Embedded devices are nothing new. The expansion of internet connectivity has turned network-connected embedded devices, from energy to healthcare, into internet-connected embedded devices. As the forward end of the industry works to bring the ‘things’ to the internet, the internet has already been brought to the ‘things’ that were out there,” he said.

As the healthcare industry becomes more integrated into the internet of things, it comes as no surprise that medical devices could become the next target for hackers, said David Emm, principal security researcher at Kaspersky Lab.

“Unfortunately, all connected devices now need to be built with security at front of mind, especially when lives are at risk,” he said, adding that it seems it is not until something bad happens that companies take security seriously.

“However, the challenge is if areas of vulnerability are found in medical devices from scanners to pacemakers, it may not be possible to roll out a patch like you could for a smartphone or PC. This highlights the importance of factoring in security at the design stage and for developers to talk to security organisations, before rolling out this vital medical equipment for public use,” he said.  

According to Emm, this approach should be adopted with all internet-enabled devices, especially in light of the fact that Kasperky Labs’ research with BioNyfiken has shown a rise in people who implant technology in their bodies for greater convenience in everyday life, rather than for medical reasons.

“People are embracing smart implants that allow them to control door locks, make purchases and gain access to computer systems with the wave of a hand. So be it medical or commercial, when we allow bodies – not just computers – to contain increasing amounts of personal, hackable data, it is even more imperative to ensure it can be kept safe from cyber-attacks,” he said.

In August 2015, the U.S. Food and Drug Administration (FDA) was reportedly “strongly encouraging” hospitals not to use a discontinued line of Hospira Symbiq Infusion System pumps that security researchers had found to be hackable.

At the time, John Smith, principal systems architect at security firm Veracode, said that while it was not surprising the FDA was urging healthcare facilities to switch from Hospira’s Symbiq Infusion System to alternative infusion systems, it was surprising and even more worrying that the security flaw in the pumps had gone unfixed for more than a year.

“It is essential that the IoT security is looked at holistically to ensure the devices, as well as their mobile and web applications and back-end cloud services, are built securely by default. Security should not be treated as a bolt-on, otherwise we risk not only putting sensitive information in jeopardy, but potentially opening ourselves up to physical harm,” he said.