Just this last week yet another alarming story was released regarding the continuing problem of medical devices with inadequate security. If you did not see it, the article discussed how Barnaby Jack -- the same security analyst/ethical hacker who last year demonstrated how you could exploit the transmissions of a Medtronic insulin pump, take control of it and administer a lethal dose of insulin to the unsuspecting victim -- demonstrated a new hack involving heart pacemakers.
Jack again demonstrated how several pacemaker models that rely on wireless transmissions to send and receive information and commands can be commandeered and directed to deliver an 830-volt shock to the patient, again a potentially lethal event.
Both of these attacks were directly harmful to patients and raise safety alarms.
Earlier this year an attack of a different variety, but one that also took advantage of poor security practices, happened in Illinois to a five-physician practice that had their network hacked and their patient data encrypted and then ransomed by the hackers. The danger here of course is the total loss of the patient's medical records and history. The physicians refused to give in to the extortion attempt and contacted the authorities, which was the right thing to do, but the data was gone and they had to explain this to all of their patients.
The point here is that data security is not just about privacy or confidentiality; it is about protecting the business, limiting liability and ensuring patient safety.
The threat is prevalent and the risk is real, and there are several things we should be doing to limit our exposure and to protect the ones we care for.
- Conduct a risk analysis and periodic vulnerability testing to ensure vigilance in identifying and addressing weaknesses in the technical environment.
- Ensure systems are hardened and patched regularly.
- Make sure that antivirus protection is deployed on all devices and at the perimeter, with its signatures kept up to date.
- Employ solid perimeter security with a Unified Threat Management appliance.
- Back up and encrypt patient information.
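The last item is the one that would have saved the Illinois practice: an encrypted backup that is checked for integrity and actually restored. The script below is an added example, not part of the original post; it assumes OpenSSL is installed, uses AES-256-CBC with a PBKDF2-derived key (one reasonable choice, not the only one), and builds a constructed one-row records file in a temporary directory as placeholder data.

```shell
#!/bin/sh
# Added example (not from the original post): encrypted, integrity-checked
# backup of a patient-records directory, plus a verified restore.
# Assumes OpenSSL is installed. Directory names and the sample row are constructed.
set -eu

# backup_records SRC_DIR OUT_FILE PASSFILE
# Archives SRC_DIR, encrypts it with AES-256-CBC using a PBKDF2-derived key,
# and stores a SHA-256 of the ciphertext beside it so tampering is detectable.
backup_records() {
  src="$1"; out="$2"; passfile="$3"
  tar -C "$src" -cf - . | openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
      -pass "file:$passfile" -out "$out"
  openssl dgst -sha256 "$out" | awk '{print $NF}' > "$out.sha256"
  chmod 600 "$out" "$out.sha256"
}

# verify_backup OUT_FILE  -> returns 0 only if the stored digest matches the file
verify_backup() {
  out="$1"
  expected=$(cat "$out.sha256")
  actual=$(openssl dgst -sha256 "$out" | awk '{print $NF}')
  [ "$expected" = "$actual" ]
}

# restore_records OUT_FILE PASSFILE DEST_DIR -> verify, then decrypt and unpack
restore_records() {
  out="$1"; passfile="$2"; dest="$3"
  verify_backup "$out" || { echo "backup digest mismatch, refusing to restore" >&2; return 1; }
  mkdir -p "$dest"
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass "file:$passfile" -in "$out" \
      | tar -C "$dest" -xf -
}

# Constructed demo data in a temporary directory (left in place for inspection).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/records"
printf 'patient_id,visit_date,note\n1001,2012-10-01,constructed sample row\n' \
    > "$demo_dir/records/visits.csv"
# Passphrase file: random, readable only by the owner. In practice keep it off the
# backed-up host so a ransomware operator cannot take the key along with the data.
head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$demo_dir/backup.pass"
chmod 600 "$demo_dir/backup.pass"

backup_records "$demo_dir/records" "$demo_dir/records.tar.enc" "$demo_dir/backup.pass"
restore_records "$demo_dir/records.tar.enc" "$demo_dir/backup.pass" "$demo_dir/restored"
cmp "$demo_dir/records/visits.csv" "$demo_dir/restored/visits.csv" && echo "restore verified"
```

The restore step is not optional: a backup that has never been restored is an assumption, not a control. Keeping the passphrase file and a copy of the encrypted archive off the clinic network is what keeps the backup useful after the kind of network compromise described above.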
Last, but not least, educate users and patients about the risks associated with mobile devices. The slightest malfunction or unexplained change in performance should be reported immediately. These subtle but sometimes noticeable changes could signal that a device has been compromised. Discipline, maintaining awareness and recognizing anomalies in your network or with systems could help avoid an incident or save a life.