"When you hear hoof beats in the hallway, think of horses, not zebras.”
A popular medical proverb. (Zebra is medical slang for a surprising diagnosis.)
A diabetic on an insulin pump suddenly gets hypoglycemic. A cardiac patient with an internal defibrillator abruptly descends into uncontrolled ventricular fibrillation. Will your employees consider a hacked device on the list of possible causes?
How many hackable medical devices are in your hospital? Log on to www.shodan.io, the search engine for finding Internet-connected devices. The site collects information on about 500 million connected devices and services each month.
Cyber researchers on Shodan found a variety of unsecured connected medical devices, including insulin pumps, narcotic pumps and other drug infusion pumps, and even MRIs. These hackable devices and tests can be often sensed and accessed remotely through existing hospital computer system mainframes.
Making it worse, hacked medical devices that cause patient harm are tough to detect. Even a coroner might not find any evidence of a hacked medical device because the proof could be thousands of miles away on a foreign computer server.
The Internet of Things
The “Internet of Things” (IoT) is the network of physical objects or “things” embedded with electronics, software, and sensors enabling these objects to collect and exchange data. IoT allows objects to be sensed and controlled remotely across existing network infrastructure like home automation systems for remote security or temperature adjustments. Many of these IoT devices in medicine lack encryption or defensive mechanisms.
The American global computer security software company McAfee, Inc., recently showed a security conference how to reverse-engineer a pacemaker transmitter using a laptop located 50 feet away from the victim. In one scenario, the laptop remotely hacked a pacemaker and delivered a 830-volt shock. In another, the hackers depleted the battery and rendered a wireless device inoperative.
Look for the Zebra
Cyber hacking has become a fact of life in the IoT as hospitals increasingly connect medical devices to the Internet. Often, medical equipment use the default logins and passwords that the manufacturers provided. Hackers can then easily access, intercept and alter wireless signals to a medical device.
Altering the device setting is not all the damage they can do. Hackers may be after bigger game. Unsecured medical devices can be used as back door access to the wider hospital network. From there, the hackers could steal large blocks of financial or identity information that they can sell on the black market.
No one has yet developed a foolproof defense against hacking medical devices, or a method for detecting those hacks. The risk cannot be eliminated, but it can be managed.
A new LAMMICO White Paper by a U.S. Defense Department cybersecurity expert suggests methods for better hospital data protection. To download this exclusive White Paper visit www.lammico.com/DODwhitepaper.