The Israeli national media is reporting on research from Ben-Gurion University showing that “unpatched” medical devices, whose owners and operators don’t download ongoing security updates, may be vulnerable to attacks. In their paper “Know Your Enemy: Characteristics of Cyber-Attacks on Medical Imaging Devices,” the researchers show the relative ease of exploiting these “unpatched” medical devices. The devices include computed tomography (CT) and magnetic resonance imaging (MRI) machines. Hackers can also block access to medical imaging devices or disable them altogether as part of “ransom attacks.” Adam Brown, Manager – Security Solutions at Synopsys, comments below.
Adam Brown, Manager – Security Solutions at Synopsys:
“Medical devices are not only open to cyber-attacks. In a survey Synopsys ran with Ponemon last year, it was found that in 38% of cases where a medical device has been breached, inappropriate health care had been delivered to the patient – and that could be lethal.
Medical device vendors really must start to address security in their code. A recent Building Security in Maturity Model (BSIMM) report shows that it is still evident that healthcare falls behind other industries when it comes to software security practices.
Speaking to buyers of this equipment, I have found that they are frustrated; in similarity to speaking to large software vendors, the response they get is woefully similar – a reluctance to change or justification that other large organisations don’t ask for security.
I would urge medical device manufacturers to take a long hard look at their software security practices and maturity, as there is a lot of work to do.”