Manufacturers that are building greater accessibility and interconnectedness into their devices are playing with fire when it comes to cyber-security, security experts told MassDevice.com last weekend at the Def Con hackers’ conference in Las Vegas.
The intersection between cyberspace and the physical world – the so-called “Internet of things” – presents a host of dangers as well as opportunities.
Cyber-criminals with the skills and motivation can steal private health information and alter the treatment programming of life-saving devices, possibly harming or even killing someone from a distance.
Connected devices transmit data to digital health records, mobile apps and physicians who can better monitor the data and cut down on office visits. But those conveniences come with risks, especially for an industry that’s fairly new to interconnectivity. Medical device companies have only just begun to build wireless access into their devices and aren’t addressing the risks posed by malicious hackers, the experts told us.
"They’re not employing enough experts to do the security testing before these things are put on the market," Juniper Networks chief security architect Chris Hoff told MassDevice.com in an exclusive interview during the 4-day Def Con hacker conference in Sin City last weekend. "It’s important to talk about devices that produce that information; it’s equally important to protect the databases that house them."
Juniper Networks is a network infrastructure services provider that also offers firewalls and intrusion detection systems. Hoff said his interest in consumer devices stems partly from the wealth of health-related, wireless-capable products in his home, including a wireless scale, digital nutrition tracker and mobile blood-testing and health monitoring applications.
Hoff spent much of his time at the conference at Def Con Kids, where children as young as 6 learned about Internet security, online privacy and how to find weak points in digital systems. Along with a healthy dose of ethics, the kids learned to break into commonly used security protocols provided by Def Con Kids. But if a 6-year-old kid can hack into something with relative ease, maybe it’s the hacked rather than the hacker who’s to blame, Hoff argued.
Although devices such as pacemakers and insulin pumps have been hacked by researchers in clinical or research settings, there have been no reported cases in which a consumer-facing medical device was hacked with nefarious intent. But many here said they worry that it’s just a matter of time. The data contained within such medical devices isn’t as obviously alluring as credit card or Social Security numbers, but the day when that data is worth cash is fast approaching, they warned.
"Today healthcare information is interesting but harder for a criminal to monetize. I mean, what would you do if you had my blood results?" Hoff explained. "When the monetization becomes interesting and important, [criminals] will shift their focus."
Most of the hacker community, especially the flavor that attends the annual Def Con conference, is benignly, albeit keenly, interested in exploring security vulnerabilities and finding ways to patch them. That may involve something as simple as creating parameters for account passwords to make them harder to break.
That’s why medical device companies should stay ahead of the digital black market and start building security into device transmissions now, Hoff said. And there’s a wealth of expertise and resources available to any industry looking to bulk up its defenses around sensitive information or technology, he added.
"You’re talking about devices that put people’s lives at risk," Hoff said. "There’s enough expertise and availability, whether at a conference like this or from professional firms, that there’s really no excuse for designing crappy and insecure systems."