Medical devices such as pacemakers, infusion pumps, and other monitoring systems are commonly used in hospitals and at home to help keep patients healthy. These devices are capable of transmitting real-time data to the hospital staff who monitor their patients' health.
However, the hacking of medical devices is becoming a legitimate concern nowadays. In recent years, various security vulnerabilities linked to medical devices have been exposed by cybercriminals, such as syringe pumps allowing remote access without any authentication.
If you want to learn more about Internet of Medical Things (IoMT) hacking, continue reading, as this article covers most of it.
What are the risks?
In 2016, Hollywood Presbyterian Medical Center suffered a ransomware attack that left its computers offline for at least a week. In the same year, another hospital was attacked, which disabled its email systems and pushed its employees to use paper and fax machines.
These attacks are efficient and effective: hospital records and systems must be urgently restored for hospitals to operate normally, because an outage can cause not just financial loss but also the impairment of critical assets used to keep patients alive.
How does it happen?
Connected wearable medical devices and home health monitoring equipment, such as wirelessly connected blood pressure and heart rate monitors, glucometers, and scales, are now commonly used in both hospital and home healthcare. Unfortunately, a wide variety of these devices are vulnerable to attacks. For example, a new generation of implantable cardiac defibrillators was found to have a security flaw in its proprietary communication protocols. Cybercriminals then exploit these vulnerabilities for their own benefit, such as holding vital hospital data for ransom.
Medical equipment with features such as near-field communication technology and remote monitoring allows health professionals to fine-tune or adjust these devices without the need for invasive procedures. While those conveniences are a good thing, they also create potential exposure points for hackers to use. And for everyone except the manufacturer, assessing the security of these devices and discovering their flaws can take a lot of painstaking reverse-engineering because of their proprietary code.
Given the popularity of connected medical equipment nowadays, there are plenty of targets for hackers to expose. While the most attention goes to implanted devices, the long list of medical care equipment creates potential danger and extensive exposure in the healthcare industry, as hospitals in the US currently have an average of 10 connected pieces of medical equipment per bed.
For the past few years, the healthcare industry has suffered more cyber attacks than the financial sector, and the number of attacks targeting medical equipment is increasing daily. That is partly because of the increasing number of easy targets, as a significant amount of healthcare-related equipment is discoverable on the internet by using Shodan, a search engine for connected medical devices.
Unlike computers that run anti-virus software and security checks, medical equipment comes in many varieties and usually lacks network security, making it easy to compromise. MedJack, one of the latest exploits hackers use to inject malware into medical equipment, can quickly spread across networks. The valuable medical data exposed in these attacks can be used by hackers for identity theft or tax fraud, and can also be used to obtain active drug prescriptions, allowing them to order prescription drugs online to sell on the dark web.
And these attacks are also continuously evolving. MedJack, for example, has become more sophisticated nowadays. MedJack attackers are intentionally utilizing old malware to target various types of medical equipment running on operating systems such as Windows Server 2003 and Windows XP.
By attacking these outdated systems, cybercriminals can easily avoid detection, since the newer operating systems in a hospital's main network won't flag these malicious activities. Because patches against this older malware were released long ago, more modern operating systems classify it only as a minor threat.
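A defender can narrow this gap by treating a "minor" old-malware alert as significant whenever its source is a medical device on a legacy operating system. The Python code below is an added example, not part of the original article; the alert format, asset inventory, addresses and signature names are all constructed for illustration.

```python
# The two legacy operating systems the article names.
LEGACY_OS = {"Windows XP", "Windows Server 2003"}

# Constructed asset inventory: IP -> (device role, operating system).
INVENTORY = {
    "10.20.0.11": ("infusion pump gateway", "Windows XP"),
    "10.20.0.12": ("imaging workstation", "Windows Server 2003"),
    "10.20.0.50": ("nurse station PC", "Windows 10"),
}

# Constructed endpoint alerts in a hypothetical pipe-separated format:
# time|reporting sensor|severity|source IP|destination IP|signature
ALERTS = """\
2024-01-05T02:14:07|ws-0231|low|10.20.0.11|10.20.0.50|legacy-worm-A
2024-01-05T02:14:09|ws-0231|low|10.20.0.11|10.20.0.50|legacy-worm-A
2024-01-05T03:40:00|ws-0107|low|10.20.0.50|10.20.0.77|adware-B
2024-01-05T04:02:31|ws-0412|low|10.20.0.12|10.20.0.50|legacy-worm-A
"""

FIELDS = ("ts", "sensor", "severity", "src", "dst", "signature")


def parse_alert(line):
    """Return the alert as a dict, or None if the line is malformed."""
    parts = line.strip().split("|")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def triage(alert_text, inventory=INVENTORY):
    """Escalate alerts whose source is a legacy-OS device in the inventory.

    A modern host that blocks old malware rates it 'low', but the block
    is still evidence that the sending device is infected.
    """
    escalated = {}
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        role, os_name = inventory.get(alert["src"], ("unknown", "unknown"))
        if os_name not in LEGACY_OS:
            continue
        entry = escalated.setdefault(
            (alert["src"], alert["signature"]),
            {"role": role, "os": os_name, "count": 0,
             "first_seen": alert["ts"], "severity": "high"},
        )
        entry["count"] += 1
    return escalated


if __name__ == "__main__":
    for (src, sig), info in triage(ALERTS).items():
        print(src, sig, info)
```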
Once a hacker gets a foothold in your system, they can then expose it to various types of network assaults. A popular way for hackers to do this is to set up ransomware attacks against large hospitals, which allows them to collect a considerably large payout in one attack.
Fortunately for us, the Food and Drug Administration, the federal agency responsible for the control and supervision of medical devices, has been seriously considering including product approval criteria for evaluating medical device cybersecurity. Although it's not enforceable, it's still a good start in developing a more secure and more trustworthy digital healthcare system. However, even with added security measures in place, the healthcare industry and its patients are still highly exposed to these attacks.