Hackers Can Attack Medical Devices, Feds Warn
If a device has an operating system, it can be hacked.
This includes lifesaving medical devices, according to two recent advisories from the Department of Homeland Security and the Food and Drug Administration.
Billy Rios and Terry McCorkle of Cylance, an Irvine, Calif.-based security firm, discovered a vulnerability that affects 300 medical devices available from 40 different manufacturers. Although there is no evidence that these devices have ever been hacked in real-life situations, a flaw in the devices' password systems could allow a potential malefactor to tamper with a device's firmware and then program unwanted routines.
Among the devices affected are surgical implements, ventilators, drug infusion pumps, external defibrillators, patient monitors and lab analysis equipment. It doesn't take an especially imaginative mind to think of a few creative ways to ruin someone's day by hacking these devices: Improper drug dosages or faulty test results could kill a patient.
This is not the first time that researchers have noticed vulnerabilities in medical devices. Hackers have previously determined ways to tamper with the software in wireless insulin pumps and pacemakers, even discovering ways to make pacemakers zap their users.
Wireless medical devices offer plentiful advantages for both patients and caregivers. Setting up a drug dosage remotely or allowing computers to run rote lab tests frees up technicians for more complex work. It also allows them to spend more time with patients who really need the attention and less with those who prefer solitude.
Because most of the equipment is hospital-specific, an attacker would have to be physically in range of a hospital's Wi-Fi in order to cause havoc. This means that while medical vendors must take responsibility for their own devices, medical facilities can make it nearly impossible for an unauthorized user to access patients' devices.
According to the FDA's alert, the organization "typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity." Instead, it makes a number of recommendations for hospitals: restrict Wi-Fi access to authorized personnel, make sure that antivirus and firewall software stay up to date, and monitor network usage.
The FDA and Department of Homeland Security have also made themselves available should a hospital administrator believe that his or her facility has come under some form of cyberattack. Discerning between a routine equipment malfunction and a directed firmware attack could prove difficult, though.
If you are a patient who is reliant on these devices, your options are limited. If you notice that your hospital has only unsecured Wi-Fi networks, consider staying at a different facility next time. Although Cylance did not reveal exactly how the password hack works, an enterprising hacker may figure it out sooner or later.