McAfee Warns Of Cybersecurity Weaknesses In Medical Devices

As part of a new laboratory demonstrating potential cybersecurity weaknesses in medical devices, McAfee researchers recently hacked into a central patient monitoring station. 

The demonstration occurred last month at Defcon, a large annual hacker convention in Las Vegas, Nevada. Researchers showed they could alter patient vital signs, simulating a patient whose heartbeat had flatlined.

The demo was not done remotely, however, the researchers warned that it could be done from a great distance away if the hospital’s system was connected to the internet.

The security weakness was highlighted ahead of the opening of a new McAfee laboratory in Oregon, the McAfee Advanced Threat Research Lab, which will also be used to demonstrate potential cybersecurity threats to all types of new technology.

Two years ago, a number of U.S. hospitals were hacked, at which time the systems were infected with malware that stopped staff from being able to communicate with their computers. The hospitals had to pay ransom to regain control through bitcoin.

In at least one case where a hospital refused to pay, part of the facility had to be shut down until control could be regained. As a result of the cybersecurity problems, some hospitalized patients had to be moved, which may have impacted care.

The United States isn’t the only country facing medical device cybersecurity risks. Health trusts have been hacked in the U.K. and Germany as well, and in most cases, the hospitals have to pay ransom through bitcoin, which few understand. Some have even hired law firms to buy bitcoin in case they are hit by the malicious software, which is becoming known as ransomware.

That same year, the FDA issued new guidance on medical device cybersecurity. The guidance indicated that manufacturers should monitor and detect potential cyber security vulnerabilities in their devices, research to understand and assess the level of risk and vulnerabilities to patients, and establish a process of cyber security information sharing among manufacturers to prevent hacking risks.

The agency called for manufacturers to design medical device software with the capability of being upgraded, so that it can combat newly found vulnerabilities for the duration of the device’s life span. A product that cannot be upgraded could put patients at risk and become obsolete quickly. This approach allows manufacturers to ensure the safety and effectiveness of the medical devices at all stages and encourages continuous quality improvement, the FDA indicates.

Medical Device Cybersecurity Concerns

Cybersecurity threats in the medical field have been a growing concern over the last few years, as vulnerabilities to healthcare organizations’ record systems and medical devices have surfaced.

Since 2014, the U.S. Department of Homeland Security (DHS) has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. According to DHS, if preventative actions to strengthen the medical field’s cybersecurity issues are not taken, hackers could exploit these vulnerabilities and put patients in serious risk.

The Department of Health and Human Services (DHHS) manager, Jason Lay, has called the exposed vulnerabilities in the medical field a danger. Lay claimed the possibility of hacks to medical devices are a very real possibility, stating hackers could potentially tamper with medical devices and use them to gain access to healthcare organizations health record systems.

Additionally, in a demonstration at the RSA security conference in San Francisco in 2012, researchers were able to hack medical devices such as insulin pumps from up to 300 feet away. The demonstration further showed how hackers could remotely take control of the insulin devices, allowing them to deliver lethal doses of insulin to patients without any notification.

The FDA has been actively working on improving cybersecurity in the medical field since 2013, when the White House issued Executive Order 13636, which called on the public and private sectors to collectively strengthen the gap in cybersecurity infrastructure. Since the order, the FDA issued its first guidance in October 2014, recommending medical device manufactures to incorporate strong anti-hack programs during the design stages of device development.