FBI Warns on Medical Device Hacking Risk

Posted in Medical Software by Stephen Levy on April 30, 2014

Earlier this year, Business Week ran a story headlined “Medical Hacking Poses a Terrifying Threat, in Theory,” which observed that lethal hacking of medical devices is a real possibility, albeit still an abstract threat at this point.

According to a recent Reuters article, the FBI agrees that hacking of medical devices and hospital equipment is a very real risk. The article cites a private notice from the agency that states that “[th]e healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”

Reuters also reports that the FBI has warned healthcare providers about the problem, and adds that health data “is far more valuable to hackers on the black market than credit card numbers because it tends to contain details that can be used to access bank accounts or obtain prescriptions for controlled substances.”

Cybersecurity firm Dell SecureWorks told Reuters reporter Jim Finkle that cyber criminals were paying $20 for health insurance credentials on some underground markets, compared with $1 to $2 for US credit card numbers prior to the Target breach.

Wired's Kim Zetter, in an article headlined “It’s Insanely Easy to Hack Hospital Equipment,” conducted an in-depth interview with an information security expert who reached that conclusion after a two-year study at a large Midwest healthcare network. Zetter spoke with Scott Erven, head of information security for Essentia Health, which operates about 100 facilities.

“We tested every single device in our environment ... We tested all of our lab systems, surgery robots, fetal monitoring, ventilators, anesthesia,” Erven told Zetter.

One of the main problems they found involves the embedded web services that let devices communicate with one another and feed data directly into patients' Electronic Medical Records.

Erven says that vendors must do more to improve the security of medical devices, with encryption and authentication, before they sell them to customers, and should fix the devices that are already in the field. He told Zetter that FDA guidelines for medical devices now place the onus on vendors to ensure that their systems are secure and patched.

Zetter reports, “(A)lthough vendors often tell customers they can’t remove hard coded passwords from their devices or take other steps to secure their systems because it would require them to take the systems back to the FDA for approval afterward, Erven points out that the FDA guidelines for medical equipment include a cybersecurity clause that allows a post-market device to be patched without requiring recertification by the FDA.”

Stephen Levy is a contributor to Qmed and MPMN.