Well if that isn’t depressing ….
Experts warn that medical-device security is a chronic problem, now exacerbated by COVID-era healthcare challenges. Hospitals have been forced to prioritize budgets and staffing to focus on lifesaving care – meaning that IT security often takes a back seat. Adding insult to injury, hackers are aware of this, and are also now capitalizing on these healthcare strains with a barrage of ransomware and phishing attacks and more.
Many hospitals and healthcare services were hit by ransomware in 2020. Universal Health Services was one of the larger ones with an attack paralyzing 400 facilities.
Right now, attacks on medical devices are rare, but think about it this way. If a hacker sends you an email that says “I have hacked your pacemaker (or insulin pump or whatever device) and if you don’t pay me x Bitcoin, I will turn it on/off/change the settings. Would you pay the ransom?
One of the challenges is the medical device regulator itself. The FDA, like most government agencies, make snails look agile. That might have been acceptable in 1848 when the FDA was founded, but not in 2021. Hackers don’t move at FDA speed. Hospitals and medical device makers are not even allowed to install patches to known, actively exploited bugs, in many cases, without FDA permission.
There are a number steps that folks can take like inventorying all of their medical devices and trying to get vendors to tell them what ingredients are in their devices.
An example of one IoT (called IoMT for Internet of Medical Things) defect is a bug called Ripple20. It is *thought* that Ripple20, a bug in the device’s Internet communications software, affects around 53,000 medical device models.
A study of 5 million Internet of medical things that lasted for a year found that 86 percent of healthcare deployments had more than 10 FDA recalls inside their network. Recalled IoMT devices can be considered either defective or posing a health risk, or both. Credit: Threatpost