Lack of cyber security draws hackers to hospital devices



Imagine if simply typing “password123” into a computer did not open your email account, but an internet-connected medical device responsible for feeding you drugs or monitoring your blood oxygen or insulin levels.

It may sound like the nightmare stuff of fiction, but the lack of basic cyber security on hospital equipment is attracting hackers who want to use it as a way to enter medical networks.

Experts say that while they have not yet seen someone die as a result of hacking, the risks are growing. Motives for attacks could range from wanting to harvest patient information or steal intellectual property from medical trials to simply wanting to create chaos.

Devices with default passwords that are left unchanged, and outdated operating systems that are connected to the network, such as medical databases, are all too common in healthcare, says Greg Enriquez, chief executive of TrapX, the cyber security company that works with hospitals around the world.

The company has found security flaws in a blood gas analyser, a medical image system and radiology equipment. “We have found active malware, different strains of malware, we even found [non-activated] ransomware on one medical device [which could give the hacker the ability to prevent the device from working when it is in use],” Mr Enriquez says.

With PwC, the professional services firm, forecasting that the market for internet-connected healthcare products will be worth about $285bn by 2020, the security of medical devices is becoming a priority for manufacturers, hospitals and patients.

Regulators are also paying attention. The US Food and Drug Administration, the US regulator that has oversight of medical devices and approves their use, issued its first warning this year that a device could be tampered with by hackers.

The FDA strongly encouraged healthcare facilities to stop using the Hospira Symbiq infusion pump used to give drugs and pain medication, even though there had not been any reports of criminals accessing the device. Hospira removed the pump from the market and said it has strengthened cyber security on new pumps it is developing.

The FDA has also been running workshops for manufacturers — the next one is in January — to push for “a total product life-cycle approach, from design to obsolescence”, says Suzanne Schwartz, a director at the Center for Devices and Radiological Health at the FDA.

“This means building security early on in the design phase, addressing security in the premarket submission for new products, and ongoing post-market surveillance with proactive vulnerability management,” Dr Schwartz says.

“The reality is that bad actors intentionally look for ways to overcome cyber-security safeguards, so we always work to stay one step ahead and to take aggressive steps to stop this criminal behaviour,” she adds.

Wes Wineberg, a researcher at Synack, a cyber security company, says: “To me, it is a sector very much like the critical infrastructure industry, with a few major manufacturers and a lot of devices. So really it is just now a waiting game [until some are hacked].”



Credit: The Financial Times