Following the news that pharmaceutical firm Johnson & Johnson has warned that one of its insulin pumps for diabetics is at risk of being hacked, causing an overdose, IT security experts from ESET, NSFOCUS, Tripwire and prpl Foundation discuss how medical suppliers can better secure their products.
Mark James, Security Specialist at ESET:
“Quite often the problem with security in the medical or health industry is financially driven; cost is a major factor both in running and supplying the equipment used. In these instances the biggest factor is often making the equipment attainable for the masses who need it. The security of these products has to be factored into the cost and may even in some cases not be a factor at all. As we work towards an IoT environment where everything has to be connected, securing those devices in some cases is a secondary concern.
When older equipment was originally designed, the idea of “hacking” those devices was probably not even a factor. As connected devices develop it’s much harder to introduce techniques to make them secure and usually requires a redesign which again has a serious cost impact.
Quite often securing the information passed between devices may be as simple as using industry standard encryption. If the data is compromised it’s near useless to the average opportunistic hacker and at least shows a basic level of client protection.
Medical suppliers of equipment should understand the potential risks of being compromised; if successful the results could potentially be catastrophic. If the wrong measurement of a given drug is dispensed or the patient decides to not use their equipment because of concerns regarding its security it could be life threatening.
Cost will always be a factor but nowadays security is just as important; the public need to feel safe using quite often the very things that keep them alive.”
Richard Meeus, CP of Technology, EMEA at NSFOCUS IB:
“Ever since the TV series “Homeland” depicted terrorists hacking into the Vice-President’s pacemaker, bringing the security of medical devices to the public’s attention, there has been a fear of actually how easy the manipulation is and how it can be possible with instruments that control whether we live or die. As has been shown in the research, the communication between the pump and the remote, whilst not over the internet and therefore not in the same vein as recent IoT hacks, was still unencrypted and this would allow hackers within the vicinity of the user to manipulate the dosage. Encrypting the communication between medical sensors and tools should be a first step in any new product.”
Art Swift, President of the prpl Foundation:
“Healthcare is an industry that is coming to rely on connected devices and smart sensors to help medical professionals provide more effective patient care. However, this latest case is yet another example of how the Internet of Things, praised for convenience and connectivity, is also vulnerable to cyber attack; and therefore presents a tangible risk to human lives. With the healthcare IoT market set to be worth $117bn by 2020, according to MarketResearch.com, there’s an increasing need for manufacturers to reengineer vital systems to ensure they can’t be misused to overdose patients with potentially devastating effect. This means making sure security is baked in at the most basic level, the hardware.”
Tim Erlin, Senior Director of IT Security and Risk Strategy at Tripwire:
“Devices that support commonly available technologies like Wi-Fi and Bluetooth will be attacked, period. When it comes to connected devices that directly affect a human being, the threshold for risk has to be lower than it would be for a laptop or smartphone. It appears that there are some mitigating actions that users can take to limit the risk, but these actions don’t directly address the vulnerability itself.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.