Life-saving medical devices could be held hostage by ‘ransomware’ as early as next year, according to a report from Forrester Research, Inc.
Ransomware is effectively digital extortion – malicious programs that control user devices and files until the user ponies up, usually in the digital currency Bitcoin.
This year has seen significant growth in ransomware cases, and the malicious programs are expected to expand into other fields as more and more devices pick up connectivity to enable an ‘Internet of Things.’
“Ransomware grew rapidly in 2015 thanks to the popularity of ransomware families like CTB-Locker, Teslacrypt, and CryptoWall. Motivated by the rise of virtual currencies and the number of victims who have demonstrated a willingness to pay to regain access to their data, cybercriminals are embracing cyber extortion,” Forrester Research, Inc wrote in its report.
Unlike ransomware cases involving files and devices held hostage, holding medical devices, such as connected pacemakers or drug infusion pumps, could create a much more serious issue with a risk of serious injury or death.
“That’s a bold specific prediction. I hope it doesn’t happen as they say it will, because that would shatter our confidence in these life-saving devices,” grassroots cybersecurity and public safety group I Am The Cavalry founder Joshua Corman told Vice’s Motherboard in an interview.
“People who say ‘oh but no one would ever do that’ fail to understand that on the internet, every sociopath is your next door neighbor,” Corman told Motherboard. “Assuming that no one would do this is naive, and assuming that organizations are capable of stopping it is unmerited trust.”
An increase in connected devices, data-driven patient analytics and a move to electronic health records are making medical devices, and electronic health records themselves, more attractive targets for such activity.
Stolen health credentials can sell for $10 each, roughly 10 to 20 times what stolen credit card numbers go for, but that’s not much compared to the value of a full EHR on the black market.
Full electronic health records are the Cadillac of stolen data, fetching upwards of $300 for a complete file, according to the Infosec Institute. That’s more than any other piece of data from any other industry, making it a highly valuable target.
The FDA has been vigilant in warning the medical device industry about issues associated with hacked devices and hospital cybersecurity. In August, the federal watchdog warned about a flaw in Hospira’s (NYSE:HSP) Symbiq drug infusion pump that hackers could exploit to take over the device.
The Agency said the Symbiq pump can potentially be accessed remotely through a hospital’s network, potentially opening the door to unauthorized changes to the dosage delivered by the pump. The flaw was confirmed by Hospira and an independent researcher. Although no adverse events or unauthorized access in a healthcare setting have been reported, according to the FDA and Hospira, the agency encouraged hospitals and facilities to disconnect all Symbiq devices from their networks. Hospira began phasing Symbiq out in May after the FDA warned of cybersecurity vulnerability issues with its remotely programmed LifeCare PCA3 and PCA5 devices.
Malicious hackers have already used unprotected medical devices to break into hospital IT systems in at least 3 instances discovered by a cybersecurity firm in July, as medical data becomes a holy grail for organized crime in so-called “medjacks.”
In October 2014, the FDA issued pre-market submission guidance advising companies to pay closer attention to cybersecurity issues during the development and design phases of their products. Areas of concern included malware, password protection, the timely issuance of software patches and updates, and potential security flaws in off-the-shelf software. The Agency also asked companies to submit a cybersecurity risk assessment for their products as part of their premarket application process. Companies should also detail how they plan to provide validated software updates during the lifecycle of the product.
The industry has been gallant in responding to the threat. Last month at a seminar held by the Mass. Medical Device Industry Council (MassMEDIC), medical device executives, regulators and security experts discussed which systems and devices were most vulnerable to malicious hacking and what could be done to stop it.
MassMEDIC President Thomas Sommer said his group decided to hold the seminar in response to reports that hacking is on the rise, particularly the theft of patient data.
“It’s something that small and mid-sized companies are now focusing on. The larger companies have had robust plans in place for some time,” Sommer told MassDevice.com. “The medical device industry is now joining other tech-based industries in developing security plans for their devices.”