Can You Trust Your Medical Devices?

What would happen if you went to the doctor and they suggested you get a CT scan for that cough you haven’t been able to get rid of for months?

What if the scan came back showing cancerous nodules?

What if you were then told by the hospital three weeks later they found malware on the CT device which had placed the faked cancerous nodules there?

Seems like science fiction or a Tin Foil Hat conspiracy?

Think again.

Researchers in Israel say they have developed this malware to draw attention to serious security weaknesses in critical medical imaging equipment used for diagnosing conditions. While the threats are nothing new, and hospitals, rehab centers, nursing homes and other medical facilities have been seeing press about their potential, these researchers tried to bring the theory into a real-life scenario.

Yisroel Mirsky, Yuval Elovici and two others at the Ben-Gurion University Cyber Security Research Center in Israel created the malware as a POC (Proof of Concept) to show just how possible this is. While the example above may cause unneeded and dangerous treatment, think about other devices, such as an implanted defibrillator, which could be hacked and possibly be used to kill someone without approaching them.

Just as we can attack machines thousands of miles away, through the use of the WiFi network, hackers may have the ability to one day launch an “attack” on someone and cause harm, including death.

If I were inclined to seek revenge on a nursing facility which I thought didn’t take care of my relative the way I thought they should have, there may be a way to get revenge from the privacy of my own home. Now, this is not to say that it will be simple for me to do so, but if we take a page out of the playbook from Denial of Service attacks, we can see that this method can be employed.

So what can organizations that use medical technology do? Here are just a few common sense tips that should start you off. Remember that obtaining a full cyber security audit, which includes HIPAA and NIST Cyber Security Framework (which the FDA’s policy leverages) reviews, will probably be needed sooner or later, sooner being the opportune way to go.

  • Make sure the medical devices you are buying were designed with cyber security in mind.
  • Make sure you assess the risk of those devices to you and your patients. If there needs to be a backup plan due to a failure or a “hack” of the device, know how you are going to handle it prior to the event.
  • If your device has default IDs and passwords, make sure those are changed to strong, complex passwords before you introduce the device onto the network.
  • Make sure you know where to look for security patches for your devices. It is a good idea to test the patches before placing them on your devices, and this should be a mandatory step where the device is used to support life.
  • Network with your peers to see if they use your products and have seen any issues previously. There are sharing organizations which you can join that may discuss cyber security and new findings which will assist you in patching your devices.

Unfortunately, there are unscrupulous people who would hold your organization hostage if you don’t pay them a ransom. Imagine what would happen if a hacker were to send you an email that he was going to inject malware into a specific device you use. How would you handle the situation?

It’s time to start thinking about these scenarios since, if history is any indicator, we will be seeing cyber security incidents on devices taking center stage in the very near future.

Mitch Zahler is currently Chief Information Security Officer at Proactive Cyber Security, a security & risk firm which focuses on SMBs. If you have any questions on this or any other cyber security issue, you can email Mitch at mzahler@procybersecure.com