Headlines all around the medical community are decrying connected medical devices and the inherent danger from hackers. 

But is there any truth to the concern? Should we be worried that nefarious keyboard cowboys are going to hack into our pacemakers and medical tablets and insulin pumps and cause us serious harm? Are connected medical devices more trouble than they’re worth?

Today we’ll take a look at what kind of medical device is hackable, how it’s done, and whether or not the threat is real and can be mitigated or eliminated completely. 

How Can You Hack a Medical Device?

Sadly, anything connected to a larger network is capable of being hacked or subverted by malicious code, to some extent. This applies to admin PCs and computers on wheels as much as it does to implanted defibrillators and heart monitors.

Infusion pumps, connected implants (pacemakers and brain implants), monitors, and robotic surgery suites are some of the devices most at risk of malicious interference. And, of course, the very properties that make them so vulnerable are the properties necessary to protect patients. These devices benefit greatly not only from being monitorable from a distance by doctors, nurses, and patients, but also from being programmed and adjusted from afar.

And obviously, if a beneficial party can access it, it won’t be long before a hacker can, too. 

Most devices can be hacked the same way as a computer: the hacker obtains the login or password to the connected network portal through brute-force hacking, phishing, or social engineering, at which point they have the same access as the physician or patient. In the case of a pacemaker, they can administer or withhold the necessary shocks, or alter the frequency in a harmful way. With something like an insulin pump, the blood sugar of the patient could be drastically altered, leading to injury, coma, or even death.

A pair of cybersecurity pros from Whitescope and QED Secure Solutions actually demonstrated in a live session the weaknesses in a certain brand of pacemaker, hacking through a doctor’s system until they could access and even reprogram the device. 

It’s no surprise this topic gets so much media attention: it’s undeniably scary. But how often have these kinds of attacks happened, and who has been hurt by them? 

How Much Damage Has Been Done?

Despite all of the (completely valid) concerns, there actually haven’t been any reported instances of medical devices being hacked and harming anyone. 

Of course, that doesn’t mean there is no chance of it happening, simply that hacking these devices has been too difficult or required too much effort, that the vulnerabilities haven’t been discovered yet, or that there is nothing to gain by doing so. The FDA has released warnings to that effect, not only outlining the potential risks but actively pointing out vulnerabilities in popular medical devices.

Most hacking is done for financial gain: think about the recent spate of widespread and well-reported identity fraud leaks. And hacking an insulin pump doesn’t exactly lead to a huge cash windfall. However, there’s no denying that while the majority of hacks are done in self-interest, there is always a small but dangerous group of hackers who do things just to cause damage and chaos for entertainment.

What this really means is that while it’s great that no one has been hurt at the time of this writing, it’s still not a risk to be taken lightly. And there are ways to reduce the chance of these kinds of cyberattacks in the future. 

Managing the Threat

One of the most common ways to deal with vulnerabilities is for the manufacturer to release a software or firmware patch that plugs the hole. Unfortunately, software patches come with their own issues: they can often create new flaws while plugging old ones, which can lead to unpredictable behavior or a shutdown.

With a laptop or a phone, a little unpredictability after a patch is irritating but workable. Unpredictable behavior from a pacemaker or a robotically-controlled scalpel is slightly more unpleasant, which is why a quick patch for a new vulnerability isn’t a viable avenue of manufacturer-based cybersecurity. 

Instead, it’s up to the hospital IT department to ensure it’s using the most secure methods for all network activity and to eliminate the use of legacy devices and legacy software in the system. 

Securing the Network

If the device is difficult to secure, then the responsibility of security moves onto the network these devices connect to. 

The first step is to make sure that these medical devices aren’t on the same network, or at least not on the same level of the network, as everything else. There’s no reason for the computers being used for everyday internet purposes to be on the same network as a medical device. The devices should either have their own separate network or at the very least a sealed-off version of the network through segmentation. Plus, network segmentation tends to boost performance in the subnetworks anyway, so there’s really no downside beyond the initial time cost to set it up.
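As an illustration added here (not from the original article), segmentation can be checked against observed traffic by flagging any flow that crosses the medical-device segment boundary without an explicit allow-list entry. The subnets, ports, and sample flows below are constructed assumptions.

```python
import ipaddress

# Assumed segment layout, constructed for this example.
SEGMENTS = {
    "medical":  ipaddress.ip_network("10.20.0.0/24"),  # pumps, monitors, gateways
    "clinical": ipaddress.ip_network("10.30.0.0/24"),  # programming consoles
    "general":  ipaddress.ip_network("10.40.0.0/16"),  # everyday internet PCs
}

# Only these (source segment, destination segment, destination port) tuples
# may cross the medical segment boundary. Assumed policy, not a standard.
ALLOWED_CROSSINGS = {
    ("clinical", "medical", 443),   # console -> device gateway over TLS
    ("medical", "clinical", 6514),  # device syslog over TLS -> collector
}

def segment_of(ip):
    """Map an IP address to its segment name, or 'external' if none match."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def audit_flows(flows):
    """Return flows touching the medical segment that the policy does not allow."""
    violations = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if "medical" not in (s, d) or s == d:
            continue  # unrelated to the medical segment, or stays inside it
        if (s, d, port) not in ALLOWED_CROSSINGS:
            violations.append((src, dst, port, f"{s}->{d}"))
    return violations

# Constructed sample flow records: (source IP, destination IP, destination port)
FLOWS = [
    ("10.30.0.15", "10.20.0.8", 443),    # permitted console session
    ("10.40.3.77", "10.20.0.8", 443),    # office PC reaching a device gateway
    ("10.20.0.8", "10.30.0.5", 6514),    # permitted log export
    ("10.20.0.9", "203.0.113.10", 80),   # device talking to the internet
    ("10.40.3.77", "10.40.1.1", 53),     # ordinary office traffic
]

if __name__ == "__main__":
    for v in audit_flows(FLOWS):
        print("segmentation violation:", v)
```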

Another way to secure medical devices over the network is by deploying an NBAD system. NBAD stands for “network behavior anomaly detection,” and it’s an extremely important part of network cybersecurity. NBAD works by having a control sample of how a device (in this case a connected medical device) normally behaves and functions. Something like a pacemaker or an insulin pump has a pretty normal set of usage parameters that don’t change very much from day to day. An NBAD system monitors all of the medical devices connected to their subnetworks and will detect any deviations from that preprogrammed “normal” behavior. 

So, if a hacker gets control of an insulin pump and tries to dump all of the insulin into a patient — which is likely to kill them — the NBAD program detects this as abnormal usage and shuts the command down. It would also notify the relevant HIT staff and possibly even the relevant physician of the abnormal behavior, alerting them to potential hacking.
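The baseline-and-deviation logic described above, sketched as an added example (not code from the original article or from any NBAD product). The event format, device name, addresses, dose values, and the threshold of four standard deviations are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def learn_baseline(events):
    """Build the per-device 'normal' profile from a trusted observation window."""
    peers, samples = defaultdict(set), defaultdict(list)
    for device, peer, command, value in events:
        peers[device].add(peer)
        samples[(device, command)].append(value)
    ranges = {key: (mean(vals), pstdev(vals)) for key, vals in samples.items()}
    return dict(peers), ranges

def deviations(event, baseline, k=4.0, min_sigma=0.1):
    """Return the list of ways an event departs from the learned baseline."""
    peers, ranges = baseline
    device, peer, command, value = event
    found = []
    if peer not in peers.get(device, set()):
        found.append("unknown_peer")
    if (device, command) not in ranges:
        found.append("unknown_command")
    else:
        mu, sigma = ranges[(device, command)]
        # min_sigma keeps a perfectly constant baseline from flagging tiny jitter
        if abs(value - mu) > k * max(sigma, min_sigma):
            found.append("value_out_of_range")
    return found

def decide(event, baseline):
    """Block and alert on any deviation; otherwise let the command through."""
    found = deviations(event, baseline)
    return ("block_and_alert", found) if found else ("allow", [])

# Constructed training window: (device, peer IP, command, value in insulin units)
TRAINING = [("pump-01", "10.30.0.15", "bolus", u)
            for u in (4.0, 5.5, 3.0, 6.0, 4.5, 5.0)]
TRAINING += [("pump-01", "10.30.0.15", "status", 0.0)] * 20
BASELINE = learn_baseline(TRAINING)

if __name__ == "__main__":
    # Constructed test events: a normal dose, an oversized dose from an
    # unfamiliar address, and a command the device has never received before.
    for ev in [("pump-01", "10.30.0.15", "bolus", 5.0),
               ("pump-01", "10.40.3.77", "bolus", 300.0),
               ("pump-01", "10.30.0.15", "firmware_update", 0.0)]:
        print(ev, "->", decide(ev, BASELINE))
```

A baseline learned from too short or too quiet a window will flag legitimate but rare clinical actions, so the training period and the threshold `k` need tuning per device type.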

A well-calibrated NBAD is just as important these days as a solid firewall, and absolutely cannot be neglected in the world of healthcare IT and connected medical devices. 

First Do No Harm

It’s the job of everyone in the medical industry to protect vulnerable patients, from doctors and nurses to HIT and medical device manufacturers. Connected medical devices have saved countless lives and improved the lives of countless more, so there’s no need to throw the baby out with the bathwater because of a few hypothetical bad actors. 

To learn more about top-of-the-line medical devices, medical computers, and how to best implement current network security practices, contact the experts at Cybernet today.