The risk of attacks on medical devices such as defibrillators, pacemakers, insulin pumps, and other software-controlled medical equipment is rising as cyber-criminals improve hacking techniques, according to Bitdefender, provider of antivirus solutions.
Following a previous investigation into NHS IT cyber-security vulnerabilities, the US Government Accountability Office has also warned about vulnerabilities in computerised medical devices because of outdated software and firmware. Bitdefender believes targeted attacks on medical equipment and hospitals pose an even greater degree of risk because there is never enough security in place when it comes to this type of attack. Some of the most common types of medical cyber-attacks include Wi-Fi hijacking, spyware installed through network plugs in hospitals, and malware that can overwrite or damage data.
"An unspoken law of IT security is that any vulnerability will eventually be exploited. NHS patients risk losing their personal data, and systems within the hospitals may slow down and even become unresponsive if infected," said Alexandru Bălan, Chief Security Researcher at Bitdefender. "The results can be devastating, resembling events previously only found in movie scenes. Hackers can perform attempts at patients' lives, steal information about high profile or public figures, and use them as a platform for other social-engineered targeted attacks. Another likely money-making scenario is to simply harvest the hospital's database and use it to spam the patients with drugs and fake cures."
Software-controlled dispatch centres are prone to hacking and spying through their Command and Control Centre, which contains video and audio information, and also hazard, and Automatic Resource Locations maps. Bitdefender advises hospitals and medical centres to:
- Tighten security measures, by keeping their operating system, and their security software, updated.
- Monitor their bring-your-own-device (BYOD) policies in hospitals and dispatch centres to prevent data breaches.
- All communication through VPN services should have strong encryption, as basic virtual private networks can be hacked for a few pounds.
- Medical devices can also be hacked through common flaws in Windows, the operating system used by most of them.
- Keep any and all Wi-Fi networks outside of the main network, as Wi-Fi hacking is common knowledge for anyone with a tool just downloaded from the internet.
- Place Intrusion Detection Systems absolutely everywhere and get warnings whenever attempts are made to access the network or a medical device.