Hacking of medical devices rising as next threat


Medical devices, including those that are implanted within patients, are increasingly likely to be targeted by hackers and could pose a nightmare scenario if providers don’t take steps to improve their defenses.

“The problem with security is that hackers always follow the path of least resistance,” says Sam Rehman, the chief technology officer at security vendor Arxan, which serves multiple industries and has a large footprint in healthcare.

As many other security vendors do, Rehman says providers need to conduct a comprehensive risk assessment and fix vulnerabilities. In healthcare, medical device security is a hot topic, and for good reason: providers often have hundreds if not thousands of devices in their facilities.

But providers also need to increase security levels for devices that are implanted in patients, because many of those devices have wireless capabilities that enable hackers to interfere with them, Rehman says.

For example, physicians can use a hand-held medical device to wirelessly collect data and even update an implant, such as changing device settings on insulin pumps, pacemakers and other devices. However, a hacker in a hospital can do the same thing, which represents a potential risk to patient safety, Rehman warns.


Many hackers may not want to intentionally cause harm, but others will do what someone pays them to do, which could include causing injury to patients. Rehman says monetary motivation, particularly through blackmail, could rise as a potential risk.

Such hacking could include efforts to affect the share price of a device manufacturer. Rehman says stock price manipulation could provide another financial motive for hacking. For example, if one person can make money by paying another person to cause harm, the instigator can make money when a company’s stock price falls.

A scenario similar to this has already occurred. Earlier this year, the Food and Drug Administration confirmed cybersecurity vulnerabilities in St. Jude Medical’s implantable cardiac devices and its Merlin@home transmitter. The vulnerabilities were originally announced by an investment group that threatened to make money by selling its stock short.

St. Jude Medical devices, the FDA said, could be hacked by outsiders, leading to injury or death, and St. Jude’s share price quickly dropped by 10 percent as the company scrambled to make fixes. “If someone can make money, this absolutely will happen,” Rehman predicts.
