MassDevice

The Medical Device Business Journal — Medical Device News & Articles | MassDevice

Home » FBI: Medical devices unprepared for new era of cyber attacks

FBI: Medical devices unprepared for new era of cyber attacks

By

Medical devices are unprepared for increasing cyber-attacks, FBI says

Medical devices and other hospital and healthcare systems need some serious security upgrades to weather the coming onslaught of malicious hacking, according to the FBI’s Cyber Division.

With an impending deadline to shift to electronic medical records, which fetch a high price on the black market, healthcare systems are an increasingly alluring target for cyber-criminals.

"The deadline to transition to EHR is January 2015, which will create an influx of new EHR coupled with more medical devices being connected to the internet, generating a rich new environment for cyber criminals to exploit," according to an unclassified FBI report. "The health care industry is not technically prepared to combat against cyber criminals’ basic cyber intrusion tactics, techniques and procedures, much less against more advanced persistent threats."

No targeted medical device hacks have been reported outside of research settings, but security analysts have found that many U.S. hospitals and their medical devices have been infiltrated by malware. Many systems remain infected as hacks go undetected, according to a report released earlier this year by Norse.

Medical devices such as radiology imaging software and X-ray machines are vulnerable to attack even if they don’t contain sensitive patient information. The vast majority of networked medical devices in hospitals today have minimal security protections, and "once medical devices are compromised, malicious traffic is transmitted through VPNs and firewalls" to other systems, the FBI said.

Perhaps the biggest vulnerability is healthcare IT officials’ belief that their systems are secure enough already.

"The health care industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely," according to the federal memo.

Healthcare industry security reports released over the last year put the black market value of a partial electronic health record at $50 apiece, compared with $1 for a stolen credit card or social security number. Criminals can use EHR data to file fake insurance claims, get prescription drugs and "advance identity theft," and EHR fraud takes nearly twice as long to detect than normal identity theft.

Financial gains aren’t the only reasons that attackers may target healthcare systems. The infamous and inscrutable hacker group Anonymous made recent threats against Boston Children’s Hospital, calling on internet activists to bombard the hospital’s website with a flood of traffic to disrupt its online services. The group is demanding that BCH fire one of its doctors over the controversial detainment of a pediatric patient made ward of the state.

Cyber-attacks that attempt to overload servers with a flood of requests, sometimes called "denial of service" or DoS attacks, aim to disrupt an organization’s workflow by wiping out access to cloud-based tools and resources. Programmers can insulate their systems from such attacks by ensuring that servers and devices aren’t permanently knocked out after being bombarded, but recent testing has shown that many medical devices lack such protections.

Researchers at SecureState reported last year that their penetration testing found that devices such as IV pumps and X-ray machines are vulnerable to the fairly rudimentary form of attack. Earlier last year a pair of security researchers used a DoS hack to demonstrate that a Philips (NYSE:PHG) Xper hospital management system could be infiltrated and "owned" fairly easily.

Researcher and expert medical device hacker Florian Grunow told an audience at the European DeepSec conference last year that medtech vendors simply aren’t interested in security until they’ve been hacked or experienced some other digital dilemma that forces their hands.

Not many device makers have spoken openly about their interest (or lack thereof) in digital defenses, but industry titan Medtronic (NYSE:MDT) has said on more than one occasion that  medtech cybersecurity is a "high priority" for the company. Medtronic later reiterated its commitment in a manifesto on cybersecurity, promising to keep a close eye on its devices and take action on any new vulnerabilities it discovers.

In case you missed it

RSS From Medical Design & Outsourcing

  • How Boston Scientific is managing labor shortages with cobots and Spanish
    Boston Scientific (NYSE: BSX) executives said two labor-shortage strategies are paying off in a big way for the medical device maker, which has around 41,000 employees across the globe. Collaborative robotics and Spanish-speaking shifts are helping Boston Scientific deal with a global labor shortage that’s been especially acute in the U.S. That’s according to Global… […]
  • 6 power management considerations for developing and scaling smaller, smarter micromedical devices
    Supercharge every phase of micromedical device product development with these questions. Mitch Johnson, Intricon Some of the biggest considerations for designing, manufacturing and scaling today’s smaller, smarter medical innovations center on providing power to microelectronic systems. From mechanical functionality to data operations and wireless communications, effective power management drives continued device innovation. Addressing five fundamental… […]
  • Evonik, Coopmed agree on wound dressing distro deal
    Evonik announced today that it signed an agreement for medical technology company Coopmed to distribute the epicite wound dressing. Jena, Germany-based Evonik said Coopmed will distribute the epicite dressing made from biosynthetic cellulose exclusively to the German market for chronic wound care. Epicite represents part of the portfolio from JeNaCell, which Evonik acquired in 2021.… […]
  • Spartech hires Bosch VP Dan Gallo as chief operating officer
    Spartech today said it hired Dan Gallo as chief operating officer of the engineered thermoplastics and custom packaging manufacturer. Gallo started this month, according to his LinkedIn page. His career leading operations, supply chain and logistics functions spans more than three decades. He was most recently an operations VP at Robert Bosch. Before his time… […]
  • 3M launches Verify platform to spot counterfeit products
    3M (NYSE:MMM) announced today that it established a new 3M Verify platform to report potential counterfeit 3M products. The effort builds upon its anti-counterfeit efforts during the height of the COVID-19 pandemic. At the time, a number of sellers claimed to offer 3M respirators. Instead, many offered fake, defective and damaged N95 masks at inflated… […]
  • FDA will review fewer COVID-19 test EUA submissions
    The FDA is pushing COVID-19 test developers away from emergency use authorization (EUA) submissions in favor of more traditional pathways, the agency said today. The FDA said it intends to review “only a small subset” of new EUA submissions, encouraging test makers to seek regulatory approval through de novo classification or 510(k) clearance pre-market review… […]
  • Integra plans to shrink the C-suite after executive’s exit
    Integra Lifesciences (Nasdaq: IART) will eliminate the position of chief operating officer next week — though the office is already empty. Former COO Glenn Coleman’s last day at Integra was Friday, according to a separation agreement filed with the Securities and Exchange Commission that same day. Coleman was scheduled to start as the new EVP and… […]
  • Steris plans to build a new medical device testing facility
    Steris (NYSE: STE) plans to build a new packaging and microbiological testing facility for medical devices in Leipzig, Germany. The facility will offer packaging testing services such as accelerated and real-time aging, transportation and integrity testing. The new location will also offer microbiological testing in collaboration with the medical device manufacturer and sterilizer’s laboratory in… […]
  • 10 medical device startups you need to know
    Some of the most interesting medical device startups of 2022 are advancing a wide range of innovative medtech: robotics, catheter-delivered brain-computer interfaces and more. The editors here at Medical Design & Outsourcing and MassDevice are writing about medical device startups all the time. But there are some device companies starting out that have technologies that… […]
  • Steris stock downgraded as analysts expect lawyers to seek more ethylene oxide lawsuits
    Steris (NYSE: STE) stock was downgraded today by Needham from buy to hold following the $363 million jury verdict against its primary competitor, Sterigenics, over ethylene oxide (EtO) emissions. Needham analysts said they expect attorneys to target communities near EtO facilities with ads to find people willing to file more lawsuits against sterilization plant operators… […]
  • Researchers develop at-home device to track Parkinson’s progression
    Researchers at MIT and the University of Rochester Medical Center have developed a device to monitor a Parkinson’s patient at home. Collecting data at home could help provide a less subjective measurement than evaluations at the doctor’s office, which can be affected by outside factors. The technology could also help pharmaceutical and biotech companies developing… […]

Leave a Reply