Medical devices at risk: 5 capabilities that invite danger
Medical device cybersecurity is lousy — beyond lousy.
Indeed, the word from security experts for most of the past decade (and certainly since those devices have increasingly become connected to the internet) has been this: the physical security of most is superb and the devices function flawlessly, possibly for years at a time, but when it comes to security from malicious online attacks, they are frighteningly insecure.
The web is practically littered with recent reports confirming this:
- A study by WhiteScope IO released in May reported more than 8,000 vulnerabilities in the code that runs in seven pacemakers from four manufacturers.
- A report released in December 2016 on an investigation into new implantable cardiac defibrillators (ICDs) found security flaws in the proprietary communication protocols of 10 of them.
- Trend Micro reported in May that more than 36,000 healthcare-related devices in the U.S. alone are discoverable on Shodan, the search engine for connected devices.
- Ponemon, in a survey sponsored by Synopsys, reported in May that “roughly one third of device makers and HDOs (health delivery organizations) are aware of potential adverse effects to patients due to an insecure medical device, but despite the risk only 17 percent of device makers and 15 percent of HDOs are taking significant steps to prevent such attacks.”
The problem, which has existed since HDOs began connecting these devices to the internet, is that the majority are being trusted to do what they weren’t designed to do: protect patient information, and the patients themselves, from cyber attacks.