What if a pacemaker or insulin pump is hacked?
Medical devices are designed to diagnose, prevent, and treat medical conditions, but a malfunction can disrupt the quality of care.
As part of this Internet of Medical Things (IoMT) security playbook, we have already discussed why medical devices are vulnerable to cyberattacks. Now, we look at the history of medical device hacking to explain how these security incidents can impact patient safety.
Gartner predicts that cyberattacks will have weaponized operational technology (OT) by 2025 to harm or kill humans. OT is part of the hospital device ecosystem, too. Think of elevators, ventilation systems, and automatic doors.
But IoMT devices bring risks on their own. In fact, the FBI has recently released a warning about the increasing number of vulnerabilities posed by unpatched and outdated medical assets. There’s a significant amount of legacy technology in hospitals given that medical equipment often has an extended lifecycle and, for this reason, may no longer receive support for patches and updates.
No wonder hospitals are one of the top cyberattack targets. In 2021, the healthcare industry suffered an average of 830 attacks per organization every week, a 71% surge in comparison to 2020, according to Check Point Research.
Here are some of the most notorious cases of medical device vulnerabilities:
The pacemaker market is expanding, with a compound annual growth rate (CAGR) of 3.4% from 2022 to 2030, according to Grand View Research. In 2021, implantable pacemakers, which are placed inside the patient's body, accounted for more than 60% of this market.
Thanks to remote monitoring, cardiologists can track how well these devices are functioning. However, the same wireless capability raises the concern that an attacker could send commands to the device and induce a cardiac arrest. In a 2012 episode of the TV show Homeland, the U.S. vice-president is assassinated after terrorists gain remote access to his pacemaker.
This is not only a matter of fiction, though. In an interview with 60 Minutes, former U.S. vice-president Dick Cheney said he had the wireless feature of his implanted defibrillator disabled to rule out hacking attempts. In 2017, the U.S. Food and Drug Administration (FDA), which regulates medical devices, issued a recall covering 465,000 implantable pacemakers from Abbott, one of the leading healthcare device manufacturers: an unauthorized user could access the device and modify its programming commands, causing, for example, rapid battery depletion. The remedy was a firmware update that had to be installed during a visit to a healthcare facility, which illustrates how different patching an implant is from patching a server.
Infusion pumps are among the most common medical devices: they deliver fluids such as nutrients, insulin, hormones, antibiotics, chemotherapy drugs and pain relievers. An attacker who gains unauthorized access to a pump can tamper with its operation, for example by administering an overdose.
Infusion pump hacking gained significant media attention in 2011 after a security researcher, himself diabetic, demonstrated at the Black Hat conference that he could wirelessly disable his own insulin pump.
Since then, notorious cases of vulnerabilities in infusion pumps and other hospital systems include:
In 2019, the FDA recalled certain Medtronic MiniMed insulin pumps because someone other than the patient or care team could connect wirelessly to a nearby pump and change its settings. An attacker could thereby overdeliver insulin, causing low blood sugar (hypoglycemia), or stop insulin delivery, causing high blood sugar (hyperglycemia).
In 2021, Armis identified nine critical vulnerabilities in a pneumatic tube system (PTS) solution used in over 3,000 hospitals worldwide, including over 80% of hospitals in North America. The vulnerabilities, dubbed PwnedPiper, could allow attackers to take over Swisslog Healthcare's Translogic PTS stations and launch a ransomware attack.
When a vulnerability is discovered, the FDA may issue a "safety communication" describing the risk and recommending actions for patients, hospitals and manufacturers. Even though the FDA has published guidance for medical device cybersecurity, that guidance is non-binding.
Under the proposed legislation known as the PATCH Act of 2022, manufacturers would be required by law to take a series of measures to improve device security.
Want to learn more about the latest medical device security requirements? Watch our webinar:
Navigating the Changing Medical Device Threat Landscape
Vulnerability management across the healthcare device ecosystem is critical to preventing medical device hacking. Because many of these devices cannot run a security agent, hospitals need an agentless security solution that tracks not only medical devices but also the OT, Internet of Things (IoT) and IT assets that are part of the patient experience and care delivery.
A comprehensive asset inventory and real-time passive monitoring enable better patch management, risk prioritization, threat detection and automated remediation.
Organizations report discovering 50% to 60% more assets after deploying Armis. Here is a snippet of what Armis has found in hospitals:
These examples show the importance of a platform that offers holistic asset visibility. Armis provides comprehensive assessment including:
With Armis, you can see devices in use that have outstanding FDA recalls and whether each is a Class 1 or Class 2 recall. These insights are critical to prioritizing the cybersecurity measures with the highest impact on patient safety.
Get started with a vulnerability management program to minimize the risks of medical device hacking. Book a demo with Armis now.
Many medical devices cannot have security agents installed, either because their FDA-cleared configuration must not be modified or because of the fear of destabilizing them. This leaves them easy prey for cyberattackers. By hacking medical devices, criminals can:
– Target individuals (for example, by tampering with their implantable medical devices or health records).
– Disrupt healthcare operations or steal patient data, often as part of a lucrative ransomware campaign.
– Use the device as a foothold into the hospital network, moving laterally to reach sensitive health information and privileged data.
The U.S. Food and Drug Administration (FDA) classifies recalls of violative products by degree of risk:
Class 1 recall: reasonable probability that use of the product will cause serious adverse health consequences or death.
Class 2 recall: may cause temporary or medically reversible adverse health consequences, or the probability of serious adverse health consequences is remote.
Class 3 recall: not likely to cause adverse health consequences.
The PATCH Act of 2022 is the Protecting and Transforming Cyber Health Care Act, a bill that would impose a series of cybersecurity requirements on manufacturers applying for premarket approval of their devices. Among them: keep devices patched throughout their lifecycle and ship a software bill of materials (SBOM) with new devices. An SBOM lists the software components inside a device, which makes it easier to monitor those components for vulnerabilities and to manage risk and compliance.
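As an added example (not code from the original page or from Armis), the following Python script shows why an SBOM turns vulnerability monitoring into a mechanical check: it parses a constructed CycloneDX 1.4 SBOM for a hypothetical pump firmware and matches each component against a constructed table of affected version ranges. Every component name, version and advisory label is a hypothetical placeholder, not a real advisory, and matching on component name alone is an assumption made for brevity.

```python
"""Match the components in a CycloneDX SBOM against affected-version ranges.

Added example, not taken from the original page or from Armis. The SBOM
and the advisory table below are constructed for illustration; every
component name, version and advisory label is a hypothetical placeholder.
"""
import json

# Constructed CycloneDX 1.4 SBOM for a hypothetical infusion-pump firmware.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "firmware", "name": "pump-fw", "version": "4.2.1"}},
  "components": [
    {"type": "library", "name": "tls-lib-example", "version": "1.0.7"},
    {"type": "library", "name": "http-parser-example", "version": "2.9.4"},
    {"type": "operating-system", "name": "rtos-example", "version": "3.1.0"},
    {"type": "library", "name": "vendor-blob-example"}
  ]
}"""

# Constructed advisory table: component, first affected version, first fixed
# version, hypothetical label. Ranges are half-open: first_affected <= v < first_fixed.
ADVISORIES = [
    ("tls-lib-example", "1.0.0", "1.0.9", "HYPOTHETICAL-ADV-1"),
    ("http-parser-example", "2.9.0", "2.9.4", "HYPOTHETICAL-ADV-2"),
    ("rtos-example", "3.0.0", "3.2.0", "HYPOTHETICAL-ADV-3"),
]


def parse_version(text):
    """Turn '1.0.10' into (1, 0, 10) so that comparison is numeric.

    Plain string comparison ranks '1.0.10' below '1.0.9', which is exactly
    the mistake that makes a naive matcher miss or over-report affected builds.
    Non-numeric suffixes (e.g. '4-rc1') are dropped from that segment.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed (numeric compare)."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


def match_sbom(sbom_json, advisories):
    """Return affected components and components that cannot be assessed."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    affected, unversioned = [], []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not version:
            # An entry without a version cannot be matched; surface it
            # rather than silently treating the component as clean.
            unversioned.append(name)
            continue
        for adv_name, first_affected, first_fixed, label in advisories:
            if adv_name == name and is_affected(version, first_affected, first_fixed):
                affected.append({"name": name, "version": version,
                                 "label": label, "fixed_in": first_fixed})
    return {"affected": affected, "unversioned": unversioned}


if __name__ == "__main__":
    report = match_sbom(SBOM_JSON, ADVISORIES)
    for hit in report["affected"]:
        print(f"{hit['name']} {hit['version']}: {hit['label']} (fixed in {hit['fixed_in']})")
    for name in report["unversioned"]:
        print(f"{name}: no version in SBOM, review manually")
```

Two design points matter in practice. First, the component without a version is reported separately instead of being ignored, because an SBOM that omits versions gives no assurance at all. Second, real matching should key on the SBOM's package URL (purl) or CPE fields and a vulnerability feed rather than on bare names, which collide across vendors; the name-only join here is a simplification.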