Can a hacker break your heart? Apparently, the answer to that question is “YES” and on more than one level.

Recently, researchers at the University of Birmingham in the UK and at the University of Leuven in Belgium uncovered vulnerabilities in the software that communicates with implanted medical devices, such as implantable cardioverter defibrillators. The software is used to update the devices or collect data readings on patients.

By exploiting these medical device security vulnerabilities, the researchers found they had the ability to alter device settings, shut devices down entirely or even deliver an unnecessary shock to a patient, which could be lethal. In addition, the researchers discovered the devices could also be hijacked to steal sensitive patient medical data.

To top it all off, the researchers announced that this reverse engineering was carried out using “inexpensive Commercial Off-The-Shelf (COTS) equipment”. “We demonstrate that reverse-engineering is feasible by a weak adversary who has limited resources and capabilities without physical access to the devices,” they reported.

While news of this dangerous medical device security vulnerability is sobering, it isn’t the first time that technology has been turned against the very people it was designed to help.


Government weighs in on shambolic state of IoT security – medical device security a top concern.

Recently, prominent cybersecurity experts addressed Congress to explain that the growing number of poorly secured devices connected to the Internet of Things (IoT) poses a serious threat to both life and property.

At a hearing held in November by the House Energy and Commerce Committee, Bruce Schneier, a noted security scholar and lecturer on public policy at Harvard, explained how the massive DDoS attack against Dyn, which shut down much of the web for the East Coast, highlighted the “catastrophic risks” that could result from the mass proliferation of insecure IoT devices.

While no fatalities resulted from the attack on Dyn, Schneier explained that the same inadequate security found in the devices used to carry out this DDoS attack, such as security cameras, could also be found within the technology making its way into hospitals.

According to Kevin Fu, a University of Michigan professor of computer science and engineering specializing in cybersecurity, insecure IoT devices in “sensitive places that have high consequence, like hospitals,” are easy to hack and recruit into massive armies of zombie computers that can then be used to attack organizations. Fu added his concern that without a “significant change in cyber hygiene” the Internet can’t be relied on to support critical systems.

The Obama Administration has taken these warnings seriously and on December 2nd, the White House’s Commission on Enhancing National Cybersecurity released the results of a nine-month study focused on America’s growing cybersecurity issue. Among many recommendations, the report proposes addressing the complete lack of security for IoT connected devices such as routers and webcams and re-organizing responsibility for the cybersecurity of federal agencies.

In follow up, President Obama acknowledged that pushing these recommendations through is, for the most part, out of his control. “As the Commission’s report counsels, we have the opportunity to change the balance further in our favor in cyberspace—but only if we take additional bold action to do so,” Obama wrote in a statement. “Now it is time for the next Administration to take up this charge and ensure that cyberspace can continue to be the driver for prosperity, innovation, and change—both in the United States and around the world.”

It remains unclear whether the incoming Administration will follow through with the commission’s advice, as Trump’s cybersecurity policy remains largely unknown. During the campaign, Trump’s approach to cybersecurity consisted of his remark in one debate that the “security aspect of cyber is very, very tough.” More recently, in a YouTube video concerning his plans for his first 100 days in office, he broached the issue of cybersecurity, stating that he would ask the Department of Defense to “develop a comprehensive plan to protect America’s vital infrastructure from cyberattacks, and all other form of attacks.”


NIST urges manufacturers to build security directly into all IoT connected devices.

Separately, the National Institute of Standards and Technology (NIST) has taken its own steps to address the disturbing state of IoT security. It recently released voluntary guidelines for engineering more secure connected systems and strongly recommended that security be built directly into IoT connected devices.

Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems highlights why the need for secure systems has become even more critical as cybersecurity threats continue to evolve. The guidelines provide the basic foundation for a disciplined approach to engineering secure systems.

In particular, the healthcare industry could benefit by building security directly into medical devices from the get-go, rather than adding it on later as an afterthought. In an October interview with HealthITSecurity.com, ICIT Co-founder and Senior Fellow James Scott stated that healthcare organizations cannot continue to rely on “Frankensteined” medical devices.

If you are concerned about medical device security and protecting your organization’s IoT connected devices, contact us today.