New Cybersecurity Center Addresses Medical Device Hacking

In general, the primary reason behind cybersecurity attacks on medical environments is data theft. This involves the illegal acquisition of essential and sensitive medical data that may be utilized for financial or political gain. This leads us to believe the main things at risk are a medical facility’s computer system or data storage. 

So why should we worry about cybercriminals, or criminals in general, hacking medical devices? What exactly would they gain from taking control of a medical apparatus or insulin pump? How exactly can hackers take control of medical devices? Also, if such threats to medical devices are as great as experts say, what measures are being taken?

What Are Medical Devices?

Before we dig further into the security threats surrounding medical devices, let us first take a closer look at what medical devices are. According to the World Health Organization, a medical device is “any instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material or other similar or related article, intended by the manufacturer to be used, alone or in combination for a medical purpose.”

From the above definition, medical devices encompass everything from a simple stethoscope to a complex MRI machine. When it comes to security threats, the focus is more on software and complex machines. Also covered are devices like insulin pumps, pacemakers, and others that are stand-alone or components of an integrated system or device.

Security Threats Against Medical Devices

It is understandable that medical organizations and security practitioners are concerned primarily with vulnerabilities directly affecting confidentiality, integrity, and availability of data and services. Still, people need to understand that just because a security vulnerability does not directly relate to medical devices doesn’t mean it shouldn’t be a cause of concern.

Any security vulnerability can be utilized by hackers to gain a base of operations within a network they wish to compromise. This means a hacker, if so inclined, can choose to compromise medical devices for whatever malicious reason they may have. Once they have the proverbial one foot in the door, gaining a strong, solid foothold within the system is almost guaranteed.

Focus on the security of medical devices continues to rise as the number of connected devices, let’s say per hospital bed or in one hospital wing, also increases. Such an increase in connected devices also means a higher risk of impact on both the individual device and the entire network of devices.

Experts say it is only a matter of time until we see serious injuries or even deaths caused by compromised medical devices. This is why medical device manufacturers, security professionals, and those in the medical field are continuously taking measures to prevent any massive accident or incident induced by medical device hacking.

Imminent Medical Device Threat: Ransomware

As mentioned, threats surrounding medical environments are mostly focused on data theft. This is typically carried out with the use of ransomware. In fact, ransomware has been one of the significant, and worryingly escalating, issues in healthcare. Thus, ransomware is one of any medical facility’s worst nightmares and the imminent threat to medical device security.

But what does ransomware have to do with medical devices? How could it possibly impact medical devices when it’s meant to take over a hospital’s system to acquire data? Well, that’s exactly it; ransomware can take over the hospital’s system and the medical devices that are part of the system.

In general, ransomware attacks induce widespread panic and confusion as well as a significant impairment of operational capacity. The impairment of operational capacity is where medical devices are impacted. If a hacker takes over a system, they will most probably also take over the command server for the medical devices. Once this happens, the devices could stop working, leading to a tragic loss of lives.

The Center for Medical Device Cybersecurity

As they say in the medical field, ‘prevention is better than cure.’ But how can such threats on medical devices be prevented? How should medical devices vulnerable to hacking be handled – by the manufacturers, hospitals, and medical practitioners that utilize them? How could threats on internet-connected medical devices in medical facilities be handled? Also, how can medical devices at home (like app-connected high blood pressure monitoring) or inside a person’s body (like pacemakers) be handled?

In an effort to curb threats to medical devices, the Center for Medical Device Cybersecurity (CMDC) was formed at the University of Minnesota. The CMDC was formed to foster university-industry-government collaborations in response to requests for a collaborative hub for discovery, outreach, and workforce training in the emerging medical device security field.

The center springboards off the expertise of institutes and centers across the University, such as the:

  • University of Minnesota College of Science and Engineering
  • Earl E. Bakken Medical Devices Center
  • Technological Leadership Institute
  • Office of the Vice President for Research.

The CMDC was founded and funded in large part by five of the leading health industry companies in the US – Boston Scientific, Smiths Medical, Optum, Medtronic, and Abbott Laboratories. The center will focus on developing new research and technologies and on the education and training of workforces or other concerned individuals. 

The CMDC will help all groups involved in handling medical devices to understand and manage security risks. This includes those on the manufacturing end, those who will handle the devices in the hospital setting, and everyone else in between. The security risk to a medical device increases as the device moves further from the manufacturing site. The risk is further heightened by the fact that those on the other end (hospitals and other medical facilities) may not have the same knowledge or sophisticated security measures in place.

The end goal is to effectively address potential security threats. That is to say the center will continuously improve aspects where improvement is needed since security, after all, is not a fixed end state. This also means the center will focus on the more critical aspects and on those that will make the biggest difference or impact.