The medical field has changed for the better, with technology allowing people to live longer and lead healthier lives with fewer health complications. Unfortunately, as medical devices become more advanced with the Internet of Things (IoT) introduced into the picture, security concerns arise. It wasn’t just the recent WannaCry ransomware attack that demonstrated the vulnerability of medical systems. When UK hospitals were hit with WannaCry, it showed just how vulnerable hospitals are worldwide if they rely on IoT without considering the security implications. So in this blog post, we’ve complied five medical devices that are known to have security flaws.
The security research firm WhiteScole conducted a security assessment on cardiac devices and home monitoring devices from four major manufacturers in the healthcare sector. Within peacemakers devices alone, they discovered 8,000 vulnerabilities. A major reason why pacemakers and similar devices contain so many vulnerabilities is mainly due to the fact that many vendors purchase third-party components for their software or hardware. More often than not, these components have vulnerabilities that go undetected and unpatched.
2. Magnetic Resonance Imaging (MRI) machines
In a separate medical analysis by two security researchers, the verdict was the same: thousands of medical devices, from imaging machines to nuclear medicine devices, were found to be extremely vulnerable. Within an undisclosed healthcare organization in the US, the team found security flaws in 68,000 of their medical systems, which affected 97 MRI scanners. These security holes would potentially allow hackers remote administrative access to the devices. These devices were relatively easy to breach since many systems had maintained their default passwords or had no passwords set up at all. In fact, tens of thousands of login attempts were found to be made aimed at unauthorized access of the MRI machines.
3. Implanted defibrillators
In addition to pacemakers, implanted defibrillators have also been known to have security vulnerabilities. Used to monitor a heart’s electrical activity, they are important for sensing dangerous rhythms and delivering shocks. They can be monitored via radio transmitters. If a hacker is able to hack into the radio transmissions through the communication protocol for example, it’s just a matter of time before they gain complete control over the device, where it can even be reprogrammed. This can be disastrous if a hacker is successful in resetting the defibrillator clock and preventing the device from responding to cardiac/arrhythmic actions.
4. Insulin pumps
Pacemakers and defibrillators aren’t the only medical devices of hot debate; insulin pumps have also been found to be vulnerable to hacking due to major security bugs. As a medical device that’s commonly attached to patients’ bodies, these pumps inject insulin into the bloodstream through catheters. In fact, Johnson & Johnson was one of the first manufacturers to issue a security warning to its patients about the potential security vulnerabilities with its insulin pumps. Consequences can be unimaginable should a hacker gain access to these pumps such as overdosing a patient with insulin. The company, however, maintains its claims that the risk is extremely low.
5. Mammography equipment
Two security researchers discovered password vulnerabilities in medical devices like mammography equipment. These medical devices are managed by computers through a firmware, and only technicians who have access to the management can make adjustments including changing passwords. As such, all a hacker needs to do is gain access to the password and reprogram the device to provide inaccurate readings. In total, the researchers found 300 backdoor passwords for the medical devices they studied.
One of the major problems with medical systems is that many of the medical devices relying and operating on computers are likely running on Windows XP or some older operating system where security bug patches and vulnerabilities are not updated as frequently as we might expect. Furthermore, there may be a lack of IT security teams or administrators to implement basic security practices like installing basic antivirus solutions, thus allowing unauthorized access to the system. Because patients rely on these devices for their health, it’s important for healthcare organizations to practice the best security practices.