Medical Devices Remain Vulnerable to Cyber Attacks
August 2, 2016
When we talk about vulnerability, usually computing devices come to mind. Now, the scenario of threat is changing. Even the medical industry can be a new target of attackers. Wide use of medical instruments which are directly connected to the internet can work as a free path for attackers. These kind of attempts can cause serious damage to patient treatment and to security of healthcare instrument.The research work performed by Scott Erven and Mark Collao reflects that healthcare industries are not so much focused on instrument security as a first priority. I think there's not much awareness about online security of medical instruments. We see that all hospitals have MRI scan machines, X-ray machines, drug infusion pumps etc. connected to the internet for various kinds of operations. Additionally, they usually collect the patient’s current medical record and history and store it for future use. These records can be accessed by various doctors or technicians in hospital or any other location. I think the availability of these records is not specific to hospital location only. Easier availability raises question on confidentiality and integrity.If an attacker is successful in making a security breach to these online records, he can take control of these records and devices, too. The possibility of altering original records and a patient’s treatment plan can make this situation worse from the patient’s health treatment point of view. The attacker can take control of a device's working module and can change its working methodology completely or to some extent. This automatically puts patients in serious danger. The assigned physicians cannot directly recognize that the machine has been changed with different instructions without proper testing. They can use equipment with altered mechanisms continuously until someone tests it.In another case, if a patient himself is smart enough to attack equipment, he can make changes and alter his treatment or doses too. Drug infusion pumps are a perfect example for this kind of attack. Patients can trick the equipment with their own instructions. This can result in danger to that patient. If a patient himself is a focused attacker, you can imagine what he can do with equipment if it has really a very low security protection. Many times equipment comes with default logins and passwords. The default credentials are actually only for first time use of equipment, but in many cases, physicians never change the defaults. This can be lead to an easy attempt of attacking healthcare devices. Plus, if a manufacturer suggests never changing your default credentials in order to get continuous system support from them, it's likely the logins will remain. This is a serious flaw in equipment system security. If an attacker knows the default credentials, he can easily take control of these devices with little effort. It's also been observed that many different healthcare devices are using the same login and passwords from the the same manufacturer or different ones. This can be very harmful if attackers attack these devices under a systematic group attack. This puts the security of these all devices in jeopardy, which automatically affects patients and the whole healthcare system to a great extent.Stealing of confidential and personal medical records is another side effect of these hacking attempts. If any equipment system gets hacked, the attacker can obtain information about its host name, description of what the equipment does, exact physical location of the equipment, details of the physicians assigned to that equipment etc. This all is a very crucial information and hacker can plant phishing attacks with all this information in hand. Hackers can sell this information to any rival equipment manufacturing company. They can also decode the confidential instrument software or design, which is a violation of intellectual property and trade secret.Currently, there are no such cases where any attacks performed against healthcare devices resulted in severe loss. But, these vulnerabilities remain an alarming call for the healthcare industry to think about the security of their devices connected to a network. Manufactures should redesign their policies about the use of default credentials on their equipment. With the evolution of technology in healthcare, security must be an important priority. Attackers will continue their work and try every possible move to breach security. But, we have to see these acts as opportunities to improve current and future devices in healthcare industry - both technically and legally.