Hacking medical devices: Managing and bolstering MedTech cybersecurity defenses
What if a cyber criminal could hack into your pacemaker and stop your heartbeat?
Cybersecurity risks associated with connected medical devices have attracted some attention over the past decade. For example, the Food and Drug Administration (FDA) issued an alert in 2017 announcing security flaws in more than 465,000 connected pacemakers. While there were no reports of hackers harming patients, the pacemakers contained cybersecurity vulnerabilities that could allow bad actors to gain access and change settings, potentially posing a threat to the patient’s health.
Implantable cardiac devices such as pacemakers rank among the most hackable medical devices, along with smart pens, drug infusion and insulin pumps, and wearable vital sign monitors. To date, there’s no evidence of a hacker harming a patient through a connected medical device, but vulnerabilities in this category of healthcare IoT devices should be taken seriously.
Should I be worried about medical device hacking?
IoT security vulnerabilities are always a matter of concern and worth guarding against. Even though there hasn’t been a direct documented attack on patients with wearable or implanted medical devices, hackers have caused harm to hospital systems — and indirectly to patients. In 2017, “WannaCry” ransomware hit more than 200,000 computers, including 48 U.K. hospitals, where medical devices within their networks were affected. Specifically, several hospitals said their radiology equipment was shut down by the ransomware attack.
A 2015 report showed that hackers are using medical devices as back doors to break into healthcare networks and steal medical data. Experimental hacker Jay Radcliffe demonstrated how simple it is to take control of a connected insulin pump and trigger a lethal dose to the patient. Certainly, these examples demonstrate why medical device designers must safeguard their products against would-be hackers.
Why hack medical devices?
What motivation would an individual hacker, organization, or government entity have to carry out attacks on medical devices? Let’s look at a few possible reasons.
On an individual level, breaking into an implanted medical device would give the hacker the ability to kill their target remotely (by stopping their heart, administering a deadly dose of medication, or other method depending on the device). Currently, ransomware has the ability to steal or erase data from a network — but if it could kill someone, higher ransoms might be demanded. To deter possible attackers, former U.S. Vice President Dick Cheney opted to disable the wireless feature on his implanted cardiac device back in 2007.
Many computer viruses and malware make no distinction between business computers, home PCs, and medical devices. On their quest for data, they corrupt any system they have access to — and with medical devices, the consequences of data corruption are more immediately damaging.
Stealing personal or medical data
In many cases, hackers are after personal medical data that is sensitive — detailed information about a person’s health status that could be very powerful in the wrong hands.
Finding back doors into larger networks
Often, public Wi-Fi networks — and some home Wi-Fi networks — are not adequately encrypted and secured. When they’re not, hackers can easily use IoT devices on the network to break through to the larger network. Some hackers may target medical devices as back doors to break into wider hospital networks.
6 Medical devices hackers might target
Now let’s take a closer look at the medical devices most vulnerable to medical hacks:
1. Pacemakers and heart rate monitors
Pacemakers and other cardiac devices have the capability to disrupt a patient’s heart rate, making them dangerous tools in the hands of bad actors. In 2018, two security researchers uncovered vulnerabilities in devices made by Medtronic which could be exploited to control the devices remotely. Even if a device is secured from remote control, another area of concern is data collection. A 2021 statement from the DHS warns, “An attacker with adjacent short-range access to an affected product, in situations where the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication.”
In many cases, the security vulnerability isn’t in the implanted device itself, but the external devices that interface with it. If someone is able to interact with your pacemaker using a device other than the one you have, then that person can potentially cause damage.
The level of risk in this product category is somewhat high because many medical companies have not taken hacking into account in their designs. For example, Medtronic uses the proprietary Conexus telemetry system, deemed by the DHS National Cybersecurity and Communications Integration Center to be vulnerable to “low skill level” hackers. An April 2021 medical advisory from the U.S.’s Cybersecurity & Infrastructure Security Agency (CISA) warns that Medtronic continues to use Conexus. A report on Healthline also includes a comprehensive list of other pacemakers susceptible to hacking.
2. MRI devices
MRI devices are at high risk of cyberattack, particularly because they are deeply interwoven with hospital networks, constantly exchanging images and other data. Ransomware attackers could use MRI devices to enter a wider hospital system and shut it down until a ransom is paid. Phishing is another risk with these devices, as a 2015 experiment by security researchers demonstrates. The researchers created software that posed as MRI and defibrillator machines. The fake machines drew thousands of attempts to log in and 299 attempts to download malware, showing that many healthcare workers thought they were real systems — and entered their authentic, sensitive login information.
In another experiment, security researchers used the search engine Shodan, which finds IoT devices, to search for medical devices. It yielded many hits for radiology equipment and found that many of the devices were still set up with the manufacturer’s default password — a clear security risk.
In 2018, a group called “Orangeworm” hacked into x-ray and MRI machines in North America, Europe, and Asia. The hackers appeared primarily interested in learning how the machines work, but gained the ability to sabotage the devices.
3. Hospital networks
While not devices themselves, hospital networks are often the primary target of cyberattacks — even those that use medical devices to enter the network. Attackers might use ransomware to extort money from the healthcare system, harvest patient data and sell it on the black market, or blackmail individuals about their health information. Hospital networks tend to be easy targets because they often lack robust security compared with other sectors such as banking, defense, or corporate entities.
The American Hospital Association reports that ransomware threats to hospitals have changed in recent years, with cyber criminals becoming more organized and sophisticated in their approach. Ransomware shutdowns of hospital networks can indirectly result in patient deaths due to delays and machine malfunctions. In 2020, a ransomware attack on Universal Health Services, a major U.S. hospital chain, resulted in the complete shutdown of its computer networks. The chain’s 400 healthcare facilities had to revert to pen and paper for record keeping — including medication dosing, treatment plans, and other essential paperwork — until the system could be recovered. In 2021, a group of cybercriminals based in eastern Europe targeted multiple hospital networks in the U.S. with another ransomware attack, suspending surgeries and delaying care for patients in New York, New Jersey, and Oregon, among others.
4. Wearable health devices
A medical device category that’s continuing to see rapid growth and development, wearable health devices are also vulnerable to cyberattacks. Hackers typically have similar tactics and goals when going after these devices — ransomware, information harvesting, and blackmail among them. Hackers may target an individual device or use it as a back door to enter the wider system and affect other devices connected to the network. Still, in wearable devices such as heart monitors or fall detectors, there’s a lower risk of direct danger because the device cannot physically harm the patient — unlike implanted devices such as the pacemaker.
5. Insulin pumps
Hackers are most likely to gain access to an insulin pump through a mobile app that connects the device to a wider network. The app allows the patient to track blood glucose levels and shares that data with healthcare providers. The blood glucose sensor itself works on a network, connecting meter, sensor, pump, and mobile app. Any of these links could be a weak point, offering a backdoor for hackers to enter the system. Security researchers Billy Rios and Jonathan Butts discovered that radio communications from a popular brand of insulin pump were not encrypted, so they demonstrated how an open-source software app could easily intercept data and send commands to the pump.
6. Cochlear implants and hearing aids
Other devices with potential vulnerabilities are hearing-related devices like connected hearing aids and cochlear implants. While no cyberattacks targeting these devices have been documented to date, the potential for vulnerability exists because they’re connected wirelessly to an external device. Cochlear implants that connect via standard Wi-Fi or Bluetooth can be especially easy to hack.
Best practices for preventing medical device hacking and bolstering cybersecurity effectiveness
Medical device designers and healthcare leaders can minimize cybersecurity risks by following best practices for IoT security. In this section, we’ll look at several of those areas.
Upgrade operating systems, implement patches, and ensure network visibility
Whether at the device or network levels, keeping software up to date is an essential component of maintaining cybersecurity. The threat landscape changes very quickly and systems must keep ahead of hackers to remain protected against the latest malware and other threats. Make sure your software allows you to see every device on the network and monitor traffic to look for anomalies. Just having a newer system in place will reduce your risk profile, as hackers will perceive you as a more difficult target. Most of the time, hacking is not a personal attack on a person or company, but follows the path of least resistance. Simply not being on that path goes a long way toward protecting your devices and network.
Educate and spread awareness to healthcare providers
Because nurses, doctors, and other healthcare workers are the ones interacting with devices and systems on a daily basis, they must be trained in cybersecurity best practices. Hospitals and other healthcare organizations should hold regular training sessions on how breaches commonly occur — phishing schemes, sharing data over unsecured networks, and failure to change default passwords, for example. Conduct a periodic risk assessment to gauge how well your organization is doing.
While it can involve a cost investment and slow down connection speeds a little, encryption should be built into all communications to and from devices — making hacking a much more difficult feat. Encryption programs create a cipher that scrambles the data, ensuring it can only be decoded by the intended receiver. It’s still possible for hackers to intercept and decode encrypted data, but it makes their task much more complicated and time-consuming.
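The DHS statement quoted in the pacemaker section lists injection, replay, and modification of telemetry alongside interception, and protecting against those takes message authentication and a freshness check in addition to scrambling the data. The Python below is an added example, not code from Hologram or any device vendor: a receiver that verifies an HMAC-SHA256 tag on every frame and rejects counters it has already seen. The frame layout, device ID, key, and payloads are constructed for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                   # HMAC-SHA256 output size in bytes
HEADER = struct.Struct(">IQ")  # assumed layout: device id (uint32), counter (uint64)


def seal(key, device_id, counter, payload):
    """Build a frame: header || payload || HMAC-SHA256(key, header || payload)."""
    body = HEADER.pack(device_id, counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Accepts a frame only if its tag verifies and its counter is fresh."""

    def __init__(self, keys):
        self.keys = keys      # device id -> shared key (constructed for the demo)
        self.last_seen = {}   # device id -> highest counter accepted so far

    def open(self, frame):
        if len(frame) < HEADER.size + TAG_LEN:
            raise ValueError("truncated frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        device_id, counter = HEADER.unpack_from(body)
        key = self.keys.get(device_id)
        if key is None:
            raise ValueError("unknown device")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # Constant-time comparison; reject before updating any state.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag")
        if counter <= self.last_seen.get(device_id, -1):
            raise ValueError("replayed or stale counter")
        self.last_seen[device_id] = counter
        return body[HEADER.size:]


def demo():
    key = bytes(range(32))  # constructed demo key, never a real secret
    rx = Receiver({7: key})
    good = seal(key, 7, 1, b"rate=60")
    tampered = good[:HEADER.size] + b"rate=00" + good[-TAG_LEN:]  # payload changed
    forged = seal(b"\x00" * 32, 7, 2, b"rate=60")                 # wrong key
    results = []
    for frame in (good, good, tampered, forged):
        try:
            results.append("accepted " + rx.open(frame).decode())
        except ValueError as err:
            results.append("rejected: " + str(err))
    return results
```

The second copy of the valid frame is rejected as a replay even though its tag is correct, which is the case that encrypting the payload alone would not catch.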
Adopt multi-layered authentication
Patients and healthcare workers may balk at having to type in passwords over and over, but implementing a robust user authentication system goes a long way toward protecting devices and networks. And as technology advances, more authentication can be automated while maintaining the same levels of protection — for example, biometrics (fingerprints or retinal scans) can make this protection more functional. Making a patient and their doctor the only people who can adjust a medical device — as verified by biometrics — might be the ultimate medical device security feature.
How Hologram addresses security threats to connected devices
At Hologram, we take a multi-layered approach to IoT security, and we have a deep understanding of why it’s important. In the case of medical devices, security breaches can lead to compromised privacy and even physical injury. The most effective approach to IoT security starts with taking a close look at the history of cyberattacks and security vulnerabilities, identifying recurring themes, and creating a built-in IoT security plan for your device that addresses each common area of vulnerability. For more guidance, including a checklist for assessing your current IoT security protocol, check out our Ultimate Guide to IoT Security.