Hackers Have No Heart: Your New Pacemaker Could Be a Ticking Time Bomb
Shocking as it may sound, attacks on health devices do occur, and they could threaten your personal security. In recent years, hospitals have become one of cybercriminals' biggest targets: statistics revealed that such institutions experienced 88 percent of all ransomware attacks in 2016. Hospitals are more vulnerable than other institutions because an attack may not only tarnish the organization's reputation or cause financial losses but also put its patients' lives at risk. A ransomware application can encrypt various data found on affected systems, and if the target is a hospital, it could lose access to all patient records and other vital information. Recently, however, cybersecurity specialists have become more concerned about hackers being able to attack health devices like pacemakers or insulin pumps, as such incidents could threaten the personal security of a patient. As hackers discover methods to hack such devices, anyone with malicious intentions could take over control of them.
What makes it possible for hackers to hack health devices
Let us start with how cybercriminals can learn about the equipment they could hack. According to Trend Micro researchers, the Internet of Things, or IoT for short (a network that allows connectivity between various devices), might be to blame. While it provides wireless connectivity and remote monitoring that can help adjust and tune implanted health devices without invasive procedures, it also makes it possible to detect such devices. The search engine Shodan can locate internet-connected devices and can even show which operating system is being used, IP addresses, hostnames, and so on. As the researchers' paper states, this does not mean that all discovered devices can be hacked, because the targeted machine would have to have an exploitable vulnerability, but the search engine could make it easier to detect such equipment. Some devices are still vulnerable to Heartbleed. The vulnerability, discovered in 2014, was the cause of many data breaches, including the attack on Community Health Systems hospital, from which hackers managed to steal approximately 4.5 million patients' records.
Another problem mentioned in the research is that some hospitals still use one of the top exposed operating systems, such as Windows XP, which is no longer supported. Old operating systems have known vulnerabilities that could be used to hack into computers and possibly devices connected to them. Moreover, a lot of medical devices use default login credentials issued by the manufacturers, which also makes it easier to hack them. Apparently, by using sites like Datarecovery.com or Defaultpasswords.com, cybercriminals could learn whether the targeted device's login credentials are default or were changed.
Why pacemakers might be the next target
A pacemaker is a medical device that creates electrical impulses to regulate the electrical conduction system of the heart. As you can imagine, stopping the machine or changing how it works could threaten a patient's personal security. We think it is necessary that such devices be secured, and so do cybersecurity specialists Billy Rios (Whitescope) and Jonathan Butts (QED Secure Solutions), who have researched pacemakers and other relevant devices created by Medtronic. They concluded that some of the equipment might have potentially life-threatening weaknesses. The problem is that there seem to be specific bugs in Medtronic's software delivery network. It does not communicate with pacemakers directly, but it is used for bringing updates to the programmers of such equipment and could be exploited to hack the devices in question. The software does not have digital code signing, which would prevent attackers from installing malicious updates on it and then spreading them onto implanted pacemakers. There was also a cloud vulnerability that could have allowed cybercriminals to attack pacemakers remotely, but it looks like Medtronic managed to remove it. However, the specialists are disappointed that the company took so long to fix the issue and did not make an effort to remove all of the vulnerabilities they identified.
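The missing control named above, digital code signing of updates, shown as an added example (not Medtronic's code and not part of the original article): a shell gate that installs an update only when its detached signature verifies against the vendor's public key. The function names, file names, and throwaway key pair are constructed for illustration.

```shell
#!/bin/sh
# Added example: install an update only if its detached signature verifies.
# Keys, file names and package contents below are constructed for the demo.

# verify_update PUBKEY PACKAGE SIGNATURE -> exit 0 only if the signature is valid
verify_update() {
    pub=$1; pkg=$2; sig=$3
    # A missing or empty signature is a failure, never "unsigned but acceptable".
    [ -s "$pub" ] && [ -s "$pkg" ] && [ -s "$sig" ] || return 1
    openssl dgst -sha256 -verify "$pub" -signature "$sig" "$pkg" >/dev/null 2>&1
}

# install_update PUBKEY PACKAGE SIGNATURE DEST (hypothetical installer gate)
install_update() {
    if verify_update "$1" "$2" "$3"; then
        cp "$2" "$4" && echo "installed: $2"
    else
        echo "rejected: $2 (signature check failed)" >&2
        return 1
    fi
}

# --- Constructed demo: throwaway vendor key pair and sample update package ---
demo=$(mktemp -d)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo/vendor.key" 2>/dev/null
openssl pkey -in "$demo/vendor.key" -pubout -out "$demo/vendor.pub"
printf 'programmer-update v1 (constructed sample)\n' > "$demo/update.bin"
openssl dgst -sha256 -sign "$demo/vendor.key" \
    -out "$demo/update.sig" "$demo/update.bin"

# Genuine package with its matching signature: accepted and copied.
install_update "$demo/vendor.pub" "$demo/update.bin" \
    "$demo/update.sig" "$demo/installed.bin"

# Same signature over a modified payload: the gate must reject it.
cp "$demo/update.bin" "$demo/tampered.bin"
printf 'extra bytes\n' >> "$demo/tampered.bin"
install_update "$demo/vendor.pub" "$demo/tampered.bin" \
    "$demo/update.sig" "$demo/bad.bin" || true
```

In a real deployment the private key never sits beside the packages; only the public key ships with the device that performs the check.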
What could happen if someone hacked your pacemaker
Billy Rios and Jonathan Butts not only believe that hackers could take over control of medical devices like pacemakers or insulin pumps, but also demonstrated such attacks at the Black Hat conference. Apparently, the specialists warned anyone in the audience who had an insulin pump to leave the room. Afterward, they hacked the test device and disabled the command that delivers the needed dose of insulin to the patient. Next, they hacked into the system that doctors use to program a pacemaker. They did not make the device stop sending the needed shock or issue an additional electrical impulse, but rewriting the machine's system and replacing its background picture was enough to prove that hacking pacemakers is possible and that their weaknesses could be a threat to the patient's personal security.
What could be other consequences of hackers hacking health devices
Taking control of health devices may prevent an attacked hospital's staff from using various equipment and, as a consequence, put patients' lives at risk. Besides endangering the patient's personal security, cybercriminals could invade the patient's privacy, steal their identity, commit tax fraud, obtain drugs prescribed for the patient, and so on. Healthcare institutions keep not only medical records but also various other sensitive information about their patients that could fall into hackers' hands during a data breach. Thus, unsecured equipment used at hospitals could lead to a lot of sensitive information being compromised.
To conclude, for a long time cybercriminals concentrated on computers, mobile phones, and similar devices, but nowadays they target almost anything that can be hacked, for example, smart TVs. Sadly, since many health devices are unsecured and can provide access to lots of valuable information, they are now targeted as well. The only hope is that medical equipment manufacturers acknowledge the problem and take serious action to ensure the security of the health devices they create. Of course, a lot depends on the efforts of hospitals themselves, as they have to learn how to prevent cybercriminals from taking control of their systems and equipment.