These are some of the worrying stats gathered by Ponemon Institute in a report entitled Medical Device Security: An Industry Under Attack and Unprepared to Defend.
According to the report, sponsored by Synopsys, 31% of device makers are aware that patients have been affected by an insecure medical device and, of those respondents, 39% confirm these attacks were to take control of medical devices. Only a third of device makers say their organisations encrypt traffic among IoT devices and, of these respondents, only 39% use key management systems on encrypted traffic.
The report says manufacturers and users agree that medical devices contain vulnerable code due to lack of quality assurance and testing procedures, as well as time to market pressures on the product development team. Only 9% of manufacturers say they test medical devices at least annually. Instead, 36% of manufacturers do not test or 7% are unsure if testing takes place.
It is because of this attitude that, in July 2016, the European Commission classified the health sector as ‘a critical infrastructure requiring particular security measures against increasing cyber-attacks’.
Customers are left with medical devices vulnerable to attack, either to collect sensitive information on the patient or, even more dangerously, to modify the level of support the device provides.
At the recent Infosecurity event in London, Synopsys illustrated the problem with the example of a pacemaker: a hacker, it claimed, could tamper with the information flow, to change the rate of heartbeat for example.
Batteryless pacemakers are now under development and it may be possible to block the flow of power from an external battery, as well as the data being sent.
“We’ve talked about automotive fleet hacks, but what about medical device fleet hacks?” Adam Brown, manager of security solutions, wondered.
Someone who wishes to resolve the issue of baby boomers’ pensions perhaps? There are a couple of people in the New Electronics office hoping they don’t need a pacemaker anytime soon…
Luckily, there are companies out there on the case, with Infineon, Fritz Stephan and Wibu-Systems co-releasing a mobile respirator with heightened security technology they developed, tested, and produced themselves.
At last, the respirator shows how medical devices can be secured and retrofitted with hardware-based security to secure personal data and medical records – hopefully other designers will follow their lead!