5 tips to thwart medical device attacks

Medical devices can be an easy gateway for hackers to steal valuable information. This advice will lower the risk of that happening.

Become An Insider

Sign up now and get FREE access to hundreds of Insider articles, guides, reviews, interviews, blogs, and other premium content. Learn more.

From Trojan.Kwampirs to KRACK, the last year has seen no shortage of reminders that medical devices are subject to attack. On April 23, software provider Symantec reported that it had analyzed Kwampirs backdoor hacks from cybercriminal group Orangeworm: 39 percent were on healthcare equipment like x-ray machines, MRIs, and systems used to complete patient consent forms. KRACK, on the other hand, didn’t attack devices. Rather, it compromised Wi-Fi Protected Access II (WPA2) — the connection between devices.

“Prior to network connectivity, these devices were protected by physical security. Only authorized medical personnel were allowed in the room with the patient. If changes to the infusion pump operations were made, they were made by pressing buttons on the device,” says Michael Nowatkowski, information security professor at the Augusta University Cyber Institute. Now everything’s connected, leaving hospitals and healthcare systems scrambling. Research provider KPMG says 41 percent are turning to improved governance and policies while 33 percent outsource device security to third parties.

For those who do manage medical device security internally, experts offer this advice:

1. Get better at protecting everything

If you believe what you see on television, the goal of a medical device attack is to hurt the patient. Both “Sherlock” and “Homeland,” for example, show people being murdered by their pacemakers. KPMG cyber practice partner Michael Ebert says that’s not how these attacks work in real life: “Cyberattacks today have the potential to harm patients, but most of the attacks against medical device makers are aimed at stealing their technology so devices can be copied or product development dead ends can be avoided.”

In other words, device hackers want the same thing most hackers want: information. According to Nowatkowski, hackers may not even realize they’re in a device when they try to get it: “Many of these systems run operating systems similar to a normal computer, so the attacker may think they are just exploring a computer rather than a medical device.”

To continue reading this article register now

SUBSCRIBE! Get the best of CSO delivered to your email inbox.