How Hackable are Modern Medical Devices

Are concerns of hacked medical devices actually valid? If they are, what can we do today to mitigate the possibility of malicious attacks on our medical hardware?

Headlines all around the medical community are decrying connected medical devices and the inherent danger from hackers.

But is there any truth to the concern? Should we be worried about people hacking into our pacemakers and insulin pumps?

Today we’ll take a look at what kind of medical device is hackable, how it’s done, and whether or not the threat is real and can be mitigated.

How are Medical Devices Hacked?

Sadly, anything connected to a larger network can be hacked or subverted by malicious code. This applies to admin PCs as much as it does to implanted defibrillators and heart monitors.

Unfortunately, the properties that make devices so vulnerable are the properties necessary to protect patients. These devices benefit greatly by being monitor-able and programmable from afar by healthcare professionals.

And if a beneficial party can access it, a hacker can too.

Most devices can be hacked the same way as a computer: the hacker obtains login credentials to the connected network portal through brute-force hacking, phishing, or social engineering, at which point they have the same access as the physician or patient. In the case of a pacemaker, they can administer or withhold the necessary shocks. With something like an insulin pump, the blood sugar of the patient could be harmfully altered.

The idea of such attacks is undeniably scary. But how often have they really happened?

How Much Damage Has Been Done?

Despite concerns, there haven’t been any reported instances of medical devices being hacked and harming anyone.

That doesn’t mean there’s no chance of it happening, simply that either devices are too difficult to hack or hackers realize they have nothing to gain by doing so.

Most hacking is done for financial gain. And hacking an insulin pump doesn’t exactly lead to a huge cash windfall. However, there is always a small but dangerous group of hackers who do things just to cause damage for entertainment.

What this really means is that while it’s great that no one has been hurt at the time of this writing, it’s still not a risk to be taken lightly. Fortunately, there are ways to reduce the chance of these cyberattacks in the future.

Managing the Threat

A common way to deal with vulnerabilities is for manufacturers to release software or firmware patch that plug the holes. Unfortunately, software patches can often create new flaws while plugging old ones, which can lead to unpredictable malfunctions.

With a laptop or phone, a little unpredictability after a patch is irritating. Unpredictable behavior from a pacemaker, however, is slightly more unpleasant, which is why quick patches aren’t a viable form of cybersecurity.

Instead, it’s up to the hospital IT department to ensure it’s using the most secure methods for all network activity and to eliminate the use of legacy hardware and software in the system.

Securing the Network

If the device is difficult to secure, then the responsibility of security moves onto the network these devices connect to.

The first step is to make sure that all of these devices aren’t on the same level of the network. Computers being used for everyday purposes should not be on the same network as a medical device. They should have their own separate network or at the very least a sealed-off version of the network through segmentation.

An NBAD system can also be deployed. A “network behavior anomaly detection” system works by having a control sample of how a device normally functions and detecting any deviations from that preprogrammed “normal” behavior.

So, if a hacker gets control of an insulin pump and tries to dump all of the insulin into a patient, the NBAD program detects this as abnormal usage and shuts the command down. It would also alert HIT and the relevant physician to the abnormal behavior and potential hacking.

First Do No Harm

It’s the job of everyone in the medical industry to protect vulnerable patients, from doctors and nurses to HIT and medical device manufacturers. Connected medical devices have saved countless lives.There’s no need to throw the baby out with the bathwater because of a few hypothetical bad actors.

To learn more about top-of-the-line medical devices, medical computers, and how to best implement current network security practices, contact the experts at Cybernet today.