US Govt. probes medical devices for cyber flaws

Reuters reported today that the US Department of Homeland Security has launched an investigation into possible cybersecurity flaws in medical devices and equipment. Officials fear that some medical technology could be exploited by hackers, a senior official at the agency told Reuters.

Devices at risk of cyber attack

The products under review by the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, would appear to include an infusion pump from Hospira Inc, and implantable heart devices from Medtronic Inc and St Jude Medical Inc, “according to other people familiar with the cases, who asked not to be identified because the probes are confidential” [Source: U.S. government probes medical devices for possible cyber flaws, Reuters, Reporting by Jim Finkle; Editing by Tiffany Wu].

Although there are believed to be no instances of hackers attacking patients through these devices, the potential cyber threat is being taken seriously. The concern is that malicious actors could gain control of a device remotely and misuse it, for example by instructing an infusion pump to overdose a patient with drugs, or by forcing a heart implant to deliver a deadly jolt of electricity, Reuters sources have said.

Heart implants can be subject to malicious cyber attack

Pacemakers with a wireless home monitoring system can transmit critical information to your doctor via the Internet.

For patients who suffer from severe heart conditions, these devices give confidence and a new lease of life. With a conventional pacemaker that has no network connection, a malfunction or failure would only be caught at a scheduled check-up or once symptoms appeared, and only immediate action by trained medics would then save the patient's life; 24/7 heart monitoring via the Internet can therefore be, quite literally, a matter of life or death. That same connectivity, however, is what exposes the device to remote attack.

Read about the introduction of Wi-Fi-connected pacemakers at: First Wi-Fi pacemaker in U.S. gives patient freedom [Reuters].

The senior DHS official said that the agency is working with manufacturers to identify and fix software coding bugs and other vulnerabilities that hackers could potentially use to expose confidential data or attack hospital equipment. He declined to name the companies.

Homeland-style cyber attack on the Vice President is “possible”

“These are the things that shows like ‘Homeland’ are built from,” said the official, referring to the US television spy drama in which the fictional vice president of the United States is killed by a cyber attack on his pacemaker.

“It isn’t out of the realm of the possible to cause severe injury or death,” said the official, who did not want to be identified due to the sensitive nature of his work.

According to Reuters, Hospira, Medtronic, and St Jude Medical declined to comment on the DHS investigations. All three companies have said that they take cybersecurity seriously and have made changes to improve product safety, but have declined to give details.

Barnaby Jack’s death and the Black Hat heart implant demonstration

Elite hacker Barnaby Jack died in July 2013, shortly before he was due to demonstrate how heart implants could be hacked at the Black Hat security conference in Las Vegas. Now in its 17th year, Black Hat USA is a key event for information security professionals. To quote the organizer’s blurb, Black Hat “sets the benchmark for all other security conferences”.

Jack rose to fame as a hacker after a 2010 demonstration in which he hacked a cash machine, making it dispense money on command.

According to reports, he had said that one technique could kill a man from 30 feet away. He also told the BBC how he had discovered flaws in widely-used insulin pumps that allowed him to compromise the devices. The hack, Mr. Jack claimed, made it possible to take control of them [presumably over their wireless interface] and administer a fatal dose of insulin.

“My purpose was not to allow anyone to be harmed by this because it is not easy to reproduce,” he told the BBC during an interview in April 2012. [Source: Elite Hacker Barnaby Jack ‘overdosed on drugs’, BBC News, 3 January 2014.]

Securing the ‘Internet of Things’

It is now more important than ever for organizations to take steps to secure their products against hackers. Just this week we reported potential flaws in Spanish utility meters that criminals could use to cut their energy bills, or to mount an attack on critical national infrastructure.

The ‘Internet of Things’ – that is, the growing population of everyday devices connected to the Internet – will enable a fast-paced, interconnected modern world, but it brings potentially huge cybersecurity issues with it, because every connected device is also a reachable attack surface.

At the moment, it seems that products and services are being developed so quickly that security is treated as an afterthought, secondary to getting the product to market. Cybersecurity is an issue that transcends individuals, however, affecting large organizations and states alike.

Adopting the international information security standard ISO27001 can help enterprises protect the confidentiality, integrity, and availability of their assets. Not only does it show your patients, customers, clients, and other stakeholders that you take cybersecurity seriously, it also provides a management framework to support your compliance with many US regulatory requirements, including FISMA, HIPAA, and Sarbanes-Oxley.

For further information on ISO27001 and how it can help you comply with cybersecurity legislation in the US, download our free guide.

How ISO27001 can help you comply with cyber security legislation in the United States