BreachExchange mailing list archives

Hacking Health Care: When Cybersecurity Can Mean Life or Death


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 27 Nov 2015 13:29:45 -0700

http://www.natlawreview.com/article/hacking-health-care-when-cybersecurity-can-mean-life-or-death

Millions of Americans rely on implantable medical devices to stay alive.
These battery-operated devices communicate through wireless transmissions —
and can be hacked like any other wireless device. For example, a wireless
pacemaker regulates a person’s heartbeat and records the heart’s activity,
and then transmits this information to doctors who can reprogram the
pacemaker. The interconnectivity between medical devices and clinical
systems leaves wireless medical devices vulnerable to security breaches.

Cybersecurity no longer just applies to computer networks and financial
data; modern implantable medical devices have the same vulnerability and
also require cybersecurity. In fact, in a span of six months, hackers
attempted to log into MRI and defibrillator machines over ten thousand
times and attempted to download malware approximately 300 times. Had these
hackers been successful, they could have accessed patients’ personal
information or reprogrammed the defibrillators to deliver deadly jolts of
electricity to patients’ hearts.

The government is already taking action. In 2014, the U.S. Food and Drug
Administration (FDA) responded to these threats with guidance on how
medical device manufacturers could improve the safety of implantable
medical devices. The FDA advised manufacturers that their failure to
develop cybersecurity controls could lead to repercussions including
“compromised device functionality, loss of data (medical or personal)
availability or integrity, or exposure of other connected devices or
networks to security threats. This in turn may have the potential to result
in patient illness, injury, or death.”

Further, as manufacturers well know, when a device malfunctions and causes
bodily injury, consumers typically allege product liability claims.
Patients whose devices are hacked could raise claims for design defects and
failure to warn of the risk of cyber-vulnerabilities. These potential
victims likely never considered their life-saving medical devices could be
used as a weapon. For most people, the idea that someone would attack a
medical device seems unfathomable.

So, what motivates attacks on implanted medical devices? According to Dr.
William Maisel, “[m]otivation for such actions might include the
acquisition of private information for financial gain or competitive
advantage; damage to a device manufacturer’s reputation; sabotage by a
disgruntled employee, dissatisfied customer or terrorist to inflict
financial or personal injury; or simply the satisfaction of the attacker’s
ego.” Medical data can be worth ten times as much as a credit card number.
Added to that, the medical device market was a $25.2 billion industry in
2012 and is expected to be a $33.6 billion industry by 2018. That’s a vast
market of potential victims.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/