Cybersecurity expert and medical device hacker Florian Grunow has faced more hurdles than help in trying to get medical device companies interested in putting security measures into their network-connected devices, he told an audience at last year’s European DeepSec conference.
Vendors aren’t thinking about security and they’re not interested in discussing it with the hackers who uncover problems, Grunow said in a talk where he demonstrated a live hack on an EEG system from an unnamed vendor.
In a 15-minute demonstration at the end of his talk, Grunow was able to access the device, take it off its network, and substitute fake readings that would appear at a nurse's station and on the device's own monitor, concealing the actual readings.
"Vendors have little interest to cooperate," according to Grunow, a security analyst for German IT security company ERNW. "What is interesting is that vendors that do had an issue [sic], like a patient has been harmed by an exploding patient monitor, something like that, then they are interested."
The roadblocks to investigating device security are reminiscent of those in other industries that gained network connectivity before medical devices did, Grunow said. Those industries, from email to keyless vehicle entry, were similarly ambivalent about security until something happened that forced them to make digital defense a major part of their development model.
"The vendors have to go through the pain of losing something, or breaking something, to make them see that they have to invest in security," Grunow said, warning that the ramifications of medical device digital vulnerabilities are different from security holes in cars or banks. "We are not talking about critical infrastructure that could cost a lot; we are talking about critical infrastructure that could cost lives."
At least a few companies have openly expressed their interest in keeping their devices secure, among them medtech titan Medtronic (NYSE:MDT). CEO Omar Ishrak told MassDevice.com last year that medtech cybersecurity is a "high priority" for the company. The company later reiterated its commitment in a manifesto on cybersecurity, promising to keep a close eye on its devices and take action on any new vulnerabilities it discovers.
"Medtronic is actively engaged with security research firms and regularly conducts and uses independent assessments to improve the security of our systems," the company said at the time. "We continuously monitor the security of our devices and if new vulnerabilities are revealed, Medtronic will assess whether additional security measures can be implemented without compromising the therapy that the device is designed to deliver to patients."
The company has in the past made public statements about its cybersecurity focus, but the proclamation appeared to come without provocation. The medical device cybersecurity front had been relatively quiet since last summer’s hacking conferences and the sudden death of high-profile researcher Barnaby Jack.
The manifesto coincided with the airing of an in-depth 60 Minutes interview in which former vice president Dick Cheney revealed that his doctors had switched off the wireless communication capabilities in his implanted defibrillator out of fear that Cheney's high-profile persona might draw the attention of malicious hackers. Medtronic's statement didn't directly reference the interview, and neither Cheney nor his doctors revealed the manufacturer of the former VP's implant.
Researchers have shown in lab experiments that implanted, active cardiac devices are vulnerable to cyber-attack, as are other wireless-enabled medical devices such as insulin pumps and hospital management systems. A Medtronic implantable defibrillator was the subject of the first published medical device hack (conducted in 2008), and researcher Jay Radcliffe made headlines when he hacked his own insulin pump live on stage at a conference in 2011.
Although the FDA has taken a greater interest in medtech cybersecurity, going so far as to release new guidelines and build a "cybersecurity laboratory," no real-world instances of malicious medical device hacking have yet been reported. Security researchers have warned, however, that the absence of reports is likely due to a lack of proper monitoring and reporting mechanisms rather than a lack of incidents.