With each passing week, as new cyber-attacks and hacks occur, it’s becoming more apparent that Internet-connected medical devices, a.k.a. IoMT (Internet of Medical Things), need first-rate vulnerability management.
Stats show that the healthcare industry has endured the most cyber-attacks in the past few years. The reason is simple: healthcare institutions and their IoMTs are rich in data that cybercriminals can easily monetize on the Dark Web, and IoMTs are, generally, very poorly protected.
Attacks on IoMTs may not be carried out only by those seeking financial gain. Hackers of medical devices can also do significant physical and psychological harm to the patients attached to them. Below are examples of the kinds of cyber-attacks on healthcare facilities and medical devices that could happen or have actually occurred:
In a recent Government Tech blog, it was pointed out that a “connected cardiac medical device – a ‘smart’ pacemaker and monitor combination” could be hacked and patient lives could be at risk. The blog writer also claimed to have hacked a morphine infusion pump that “could remotely overdose and potentially kill the patient.”
While we’re on the subject of medical pumps, Johnson & Johnson recently informed diabetics using its insulin pumps that there’s a remote possibility that their connected device could be hacked, leading to an overdose of insulin.
Patients Hacking Their own IV Pumps
Patients could severely hurt themselves by hacking their own IV pumps. Recently at an Austrian hospital, there were two incidents where patients hooked up to an infusion pump felt their pain management wasn’t enough. So they went online, found service documentation, got the hard-coded service credentials to their infusion pumps, logged in, and increased their dosages, which led to respiratory problems for both. If patients can do this for themselves, there’s little to prevent a third party from using the same methods to hack someone else’s IV pump and, perhaps, cause an overdose.
As Medical Device Connectivity Accelerates, so does the Potential for Cyber-attacks
IoMTs are becoming an integral part of healthcare for medical staff and patients. “Ultrasounds, thermometers, glucose monitors, electrocardiograms, and more are all starting to become connected and letting patients track their health.” While more IoT devices mean more accessible data for physicians and better healthcare for patients, they also mean more soft targets for cybercriminals.
Many hospitals have experienced data breaches and the after-breach autopsies reveal that “their medical devices had been infected with malware that can move laterally within” the hospitals’ networks. Examples of other medical devices documented as having been hacked include:
- Blood gas analyzers
- PACSs (picture archiving and communication systems)
- X-ray machines
Here is a list of IoMTs that are not yet known to have been hacked, but if they were, it could lead to the death of a patient:
- Implantable cardioverter defibrillators
- Blood refrigeration units
- CT scanners
Medical Devices Running Windows XP are Easy Targets
Security researchers found that thousands of “critical medical systems” are vulnerable and exposed online. One example was a US healthcare organization that had more than 68,000 exposed medical systems. Most medical devices are running Windows XP or XP service pack two and generally don’t have antivirus, making them easy targets. “Not only could your data get stolen but there are profound impacts to patient privacy.”
FDA Calls for Medical Device Manufacturers to Consider the Vulnerabilities
As early as 2013, the U.S. Government was advising manufacturers of medical devices to consider defensive measures for cyber-attacks on their connected products. “We are aware of hundreds of devices involving dozens of manufacturers that have been affected by cyber security vulnerabilities or incidents,” said an official of FDA’s Center for Devices and Radiological Health.
Lack of Security Tools for IoMT
Traditional IT security tools lack the context of connected medical devices. To them, every IoMT is simply an IP address on the network. Without knowing whether the device behind an IP address is really an IV pump, a blood gas analyzer, or an MRI machine, it is impossible for these solutions to effectively secure them.
The IT Security departments at healthcare institutions often lack dedicated tools to secure their IoMT networks. Consequently, traditional IT security solutions are repurposed and used in this environment, an approach that is woefully inadequate for safeguarding IoMTs. Traditional solutions aren’t designed to protect medical devices that are diverse and have a wide variety of hardware, operating systems, and software applications.
Are the Internet of Medical Things devices in your healthcare network adequately protected against cyber-attack? Not very confident? ZingBox can help. Check out ZingBox IoT Guardian for IoMT security now.