Shortly after IoT became a mainstream topic, the idea of device access-control falling into the wrong hands also grabbed headlines. Was it possible? What would happen? These are particularly concerning questions for healthcare organizations who deal in life-saving devices. But the notion of hacked medical devices such as defibrillators, pacemakers and insulin machines seemed more science fiction than real risk – a few years ago. Today, we know hacked medical devices are reality.
Last week, Abbott Laboratories mailed notices to 456,000 people in the US urging them to update the firmware that runs their pacemakers. Without it, pacemaker recipients could fall victim to a potentially fatal attack whereby the malicious attacker could alter device settings or otherwise impact functionality. You can read the full FDA cybersecurity notice here but the short of it is this is some pretty serious stuff.
The thought of a cybercriminal being able to exert some measure of control over a patient’s most critical medical devices is unsettling at best, but surprisingly enough, that shouldn’t be our only concern. Hacking medical IoT devices to physically harm someone may still feel far-fetched but not because it isn’t possible, rather it isn’t in line with the majority of money-seeking hackers out there. Much more likely is the threat of harming people to get a ransom paid. We still have to remind ourselves that most cybercriminals are plying their wares to enrich themselves. Sure, there are still a small number of hackers out there “doing it for the lulz”, but it’s hard to picture a mischievous hacker like that intentionally causing physical harm to people.
Ransomware has already hit the healthcare industry hard - the 2017 Verizon Data Breach Incident Report (DBIR) ranks ransomware as the fifth most common attack type in healthcare and 72% of all healthcare malware attacks last year were ransomware. There is little reason to believe ransomware attacks will slow, only evolve, which is what we are seeing now.
Ransomware is most commonly spread through email and malicious advertising. “Ransomware 2.0” is the evolution of that malware to also include network and server-side vulnerabilities and self-replication. While ransomware ups its technical game, the criminals behind it are also constantly evolving. For maximum monetization, they often use the ‘spray and pray’ method when looking for new, easy targets. Given better malware and the lack of sufficient protections that we know are common in medical IoT, this is one area they are sure to continue to use.
As of right now, the many players involved in healthcare aren’t making this process any easier. Medical device manufacturers make the device, medical teams implant them and patients rely on them. Only the device manufacturer really understands the device firmware so it’s up to them to maintain those devices and patch any vulnerabilities. But as WannaCry and other attacks recently called out, those updates don’t always get made at the manufacturing layer, let alone get passed along to healthcare providers or patients who rely on those devices. But the hopeful silver lining is that it appears a lot of device manufacturers are now acutely aware of cybersecurity issues and are taking the much needed engineering and development steps to provide quick responses to found issues… and delivering future products that are easier to fix when the need arises.
What can be done until then? Obviously the critical step for those on the front lines is to deploy any available security updates as quickly as possible. If you are a medical device manufacturer or other healthcare organization, maintaining a strong security posture across your network and all of your endpoints could save you a lot of money in ransom. For your company, it could save you millions in regulatory and legal penalties. For your patient, as scary as it may sound… it could mean the difference between life and death.