There’s a rule about software that many security engineers will tell you is unassailable – if you leave vulnerabilities in your software, someone will exploit them.
Machinery gets hacked all the time, including everything from government databases to video game systems, but when vulnerabilities exist in devices that provide life-saving or -sustaining medical technology, the stakes reach much higher.
"The scenarios that may derive from this may very well look like crime movies," chief security researcher for anti-virus and internet security provider Bitdefender, Alexandru Balan, said in a company blog. "Hackers can perform attempts at patients’ lives, steal information about high profile or public figures, and use them as a beachhead for other social-engineered targeted attacks."
There are as yet no reports of malicious hacks on personal medical devices, such as pacemakers or insulin pumps, but many security experts will tell you it's just a matter of time, and viruses and malware have already caused trouble in hospital-based machines.
At Boston’s Beth Israel Deaconess Medical Center, 1 or 2 devices are taken down each week for software security "cleaning," chief information security officer Mark Olson earlier this month told attendees of the National Institute of Standards & Technology Information Security & Privacy Advisory Board meeting.
"An unspoken law of IT security is that any vulnerability will eventually be exploited," Balan added in the same blog post. "Patients risk losing their personal data, and systems within the hospitals may slow down and even become unresponsive if infected."
Other security experts have voiced similar concerns. Computer science professor Kevin Fu, who was part of the first research team to demonstrate that implantable defibrillators are vulnerable to software hacking, makes the rounds at health and security conferences, talking about the importance of developing strategies to protect medical devices.
"I equate it to automobile security," the pacemaker hack study’s lead researcher, Kevin Fu, told MassDevice when we initially spoke with him earlier this year. "We are essentially driving around in cars where nobody’s locked the doors. Now is the time to figure out security before the risk becomes a threat."
Earlier this month Microsoft’s U.K. office offered some tips on good cybersecurity "hygiene" to better protect medical devices from malware, viruses and other threats, including realigning priorities to bump cybersecurity in the top tier and shelling out for updated software when possible.
It was fitting that the software giant would address the growing concern, given that many hospital devices run on older versions of Windows operating systems.
Bitdefender this week offered some tips of its own, including getting protection for the "common flaws in Windows."
Bitdefender advised healthcare providers to:
- Tighten security measures by keeping their operating systems and their anti-virus software updated.
- Monitor their bring-your-own-device (BYOD) policies in hospitals and dispatch centers to prevent data breaches.
- Use strong encryption for all communication through VPN services, as basic virtual private networks can be hacked for a few dollars.
- Protect against the common flaws in Windows, the operating system used by most medical devices, since the devices can be hacked through those flaws.
- Keep any and all WiFi networks outside of the main network, as WiFi hacking is common knowledge for anyone with a tool just downloaded from the Internet.
- Place intrusion detection systems absolutely everywhere and get warnings whenever attempts are made to access the network or a medical device.