The FDA is concerned about medical device vulnerability, as per this article. Ilia Kolochenko, CEO of a web security company, commented below on security and healthcare.
Ilia Kolochenko, CEO & Founder, ImmuniWeb Chief Architect at High-Tech Bridge:
“I think we should distinguish three different hacking activities. The first problem is ransomware, which usually does not target hospitals or insurance firms in particular; however, targeted attacks against healthcare institutions may increase in the near future as the victims usually have no other choice but to pay without delay.
The second problem is theft of personal medical records (both PHI and PII) for resale on the Dark Web – this is a skyrocketing activity, but all other industries are prone to it – from SME e-commerce to the financial sector. Just keep in mind that hackers are just the executors – they hack and steal because [unethical] businesses are ready to pay for stolen data, and actually are paying for it. Demand creates supply.
The third risk is hacking of connected medical devices (i.e. IoT), which are usually manufactured and built without any precaution in terms of information security. It’s not true that any medical device can be easily hacked, as many of the attacks require the attacker to be near the device or at least inside of the hospital wireless network. However, potential hacks are foreseeable and expectable.
The problem is aggravated by the very low level of cybersecurity at hospitals in general – lack of segregation and access rights, missing security patches and updates, missing or weak encryption, insecure authentication, default or weak passwords – are just a few examples. Connected medical devices should be strictly and severely regulated by governments, and their manufacturers should bear the liability for any negligence or carelessness during the manufacturing process – otherwise medicine will become an extremely dangerous activity within the next decade.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.