News Feature | November 20, 2015

Next Big Cybersecurity Threat To Medical Devices: Ransomware


By Jof Enriquez,


A cybersecurity report from research and advisory firm Forrester Research warns of ransomware attacks perpetrated against users of wearables and medical devices in the not-so-distant future. The report’s dire prediction is that, in 2016, more people could be targeted by hackers who disable devices’ functionality using malware and other nefarious means — until the user pays a ransom to re-enable the device.

“That’s a bold specific prediction,” Joshua Corman, founder of I Am the Cavalry, a cybersecurity non-profit organization, told Motherboard, speaking of the report. “I hope it doesn’t happen as they say it will, because that would shatter our confidence in these lifesaving medical devices.”

Ransomware is a type of malware that generally infects Windows machines run by businesses. A file-encrypting ransomware program called CryptoWall last year infected over 600,000 computers and held 5 billion files hostage, earning its operators more than $1 million, according to PC World. Now, medical devices and equipment could be the next easy targets for hackers, who typically demand a bitcoin ransom worth thousands of dollars from users, according to a report from the International Business Times. Hackers threaten users with having their data deleted or, worse, a device malfunction triggered, unless they pay.

Unlike the business and financial sectors, the healthcare industry is perceived as relatively lacking in safeguards against cyberattacks. While steps have been taken to bolster cybersecurity in the medical field, these have been slow in coming. Unfortunately, hackers are beginning to exploit inherent vulnerabilities in health IT systems and medical devices, many of which run outdated and vulnerable software.

“It’s definitely feasible from a technical standpoint,” medical device security researcher Billy Rios told Motherboard. “Given the urgency associated with these devices, I could see it as something that could happen next year. All that would be required from an attacker standpoint is small modifications to the malware to make it work.”

While the U.S. Food and Drug Administration (FDA) has yet to confirm a case where hacking harmed a patient directly, the agency did issue in August its first cybersecurity-related alert for a specific device—an infusion pump system that could be hacked to under- or over-dose patients remotely. In its final cybersecurity guidance issued last year, FDA states, “Manufacturers should address cybersecurity during the design and development of the medical device, as this can result in more robust and efficient mitigation of patient risks. Manufacturers should establish design inputs for their device related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis.”

The Federal Trade Commission (FTC) also has released similar recommendations for companies making medical devices and Internet of Things (IoT) devices on how to mitigate hacking attempts. Also, the Department of Homeland Security last year investigated a number of cybersecurity cases related to medical devices.

Industry stakeholders acknowledge that integrating cybersecurity into the medical device development process is critical. However, traditional developers may not necessarily possess the required security training and expertise to implement cybersecurity measures, and may need help from IT experts.

“While we’ve been doing this for 15-25 years in cyber, this is year zero or one for them [the healthcare industry],” Corman told Motherboard. “We can’t give them 15-25 years to catch up, although it’s not reasonable to get there overnight…. We’re trying to approach this with teamwork and ambassador skill, not a pointing finger, but a helping hand.”