Can somebody really hack into your Fitbit, pacemaker or infusion pump? Yes, that's possible. And hackers may even hold health data for ransom.
A new report by Forrester Research predicts that ransomware - a type of malware that restricts access to your systems until you pay up - will target medical devices and wearables next year.
"Medical device security is sadly lagging, offering hackers an easy entry point to steal massive numbers of records from healthcare provider's data systems."
Unfortunately, medical device security is sadly lagging, offering hackers an easy entry point to steal massive numbers of records from healthcare provider's data systems - or, if Forrester is right - an easy way to put your life in jeopardy.
There are have been reported incidents that give credibility to the Forrester prediction. For instance, in September, independent researchers studying medical device security reported that honeypots pretending to be medical devices attracted more than 50,000 successful logins and nearly 300 malware payloads. According to The Register, the two researchers also found that a "very large" U.S. healthcare organization had more than 68,000 medical devices exposed online. Online in this case means Shodan, dubbed "the world's first search engine for Internet-connected devices."
Protecting the Virtually Unprotectable
So, what can healthcare organizations do to protect their patients and systems from the weakest of links in their security chain? Kevin Fu, associate professor of electrical engineering and computer science at University of Michigan, said at a recent Healthcare Information and Management Systems Society privacy and security forum in Boston suggests that they first need recognize the real threat.
"I'm not saying [outside hackers] don't exist, but it often overshadows the really basic hygiene stuff: The guy you just let in the door because you have a contract with him, and he's spreading software throughout the hospital by accident," Fu says.
The Federal Trade Commission and Food and Drug Administration both give "basic hygiene" tips for healthcare organizations, including:
- Train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization.
- Retain service providers that are able to maintain reasonable security and provide reasonable oversight for these service providers.
- Implement a defense-in-depth approach to mitigate significant risks in their systems. This approach should consider implementing security measures at several levels.
- Consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer's device, data, or even the consumer's network.
- Continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.
- Make certain appropriate antivirus software and firewalls are up-to-date.
- Monitor network activity for unauthorized use.
- Contact the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and Department of Homeland Security Industrial Control Systems - Cyber Emergency Response Team may be able to assist in vulnerability reporting and resolution.
- Develop and evaluate strategies to maintain critical functionality during adverse conditions.
In addition, we recommend that healthcare providers improve their own risk profiles by:
- Choosing devices with the best security features available;
- Pressing manufacturers to adopt security standards and come up with solutions for prompt security fixes and software patches;
- Segmenting networks to isolate devices from sensitive data sets;
- Training patients and staff to use devices in the most secure way possible.
The increase in cyberattacks over the last few years has shown us that data breaches are inevitable. It's also critical that healthcare providers track new threats as they happen, so that attacks can be identified and isolated quickly.
Device attack scenarios also need to be figured into risk management plans. For instance, what if a threat actor did attack individuals through devices? How quickly could such an attack be stopped without further endangering the people dependent on those devices? How quickly can they be notified and told how to protect themselves?