News Feature | October 14, 2014

How Cybercrime Can Impact Medical Devices

By Chuck Seegert, Ph.D.

cybercrime

Concerns have been raised by European law enforcement about the hijacking of digital information, which could include computer-driven medical devices. The FDA also recently instituted cybersecurity guidelines in response to what is perceived as a growing threat.

Cybersecurity for medical devices is a major focus for regulatory bodies that govern patient safety. The FDA recently released cybersecurity guidance for medical devices, a segment of the healthcare sphere that many consider to be the weak link in the information technology backbone of hospitals and other institutions.

In a move that adds urgency to the growing concerns, Europol, the European police office, issued its 2014 Internet Organized Crime Threat Assessment (iOCTA), according to a press release. The report, developed by Europol’s European Cybercrime Centre (EC3) describes a “Crime-as-a-Service” environment that has been developing and becoming more sophisticated in a far-reaching, virtual underworld.

"The inherently transnational nature of cybercrime, with its growing commercialization and sophistication of attack capabilities, is the main trend identified in the iOCTA,” said Rob Wainwright, Director of Europol, in the press release.

The more than 300-page report describes numerous scenarios involving organized schemes to defraud and efforts by criminal organizations to essentially outsource hacking services online. As applied to medical devices, equipment that can be used to maintain a patient’s life, the implications become unsettling. Hacking a system and changing the performance of a device could literally become a scenario where a patient’s life is held hostage.

Another, concern involves extortion where a hacker could gain control of data, and then demand money in exchange for its return. In addition to financial pressures, sensitive medical documents and records could also become the focus of espionage. Depending on who the patient is, the data could be valuable to cybercriminals with political motivations, or even a foreign state.

In addition to issuing cybersecurity guidelines, the FDA is developing a laboratory specifically for testing medical device cybersecurity. The capabilities of the lab will be centered around a test method called “fuzzing,” which is a technique designed to discover unknown vulnerabilities of a device’s software system.

“Fuzz testing, or fuzzing, is the process of sending intentionally malformed inputs to software for the purpose of locating vulnerabilities. When failures are found, they can be fixed which makes the software more robust and more secure,” the FDA stated in its announcement.

Image Credit: “Credit Card Theft,” Don Hankins, 2007, CC BY 2.0: https://creativecommons.org/licenses/by/2.0/