A report by the Royal Academy of Engineers has found that the vulnerabilities of medical devices to cyber-attacks could have ‘severe consequences’ for patient safety.
The ‘Cyber safety and resilience: strengthening the digital systems that support the modern economy’ report listed devices such as pacemakers, heart pumps and MRI scanners as at risk.
Vice provost at Imperial College London and lead author of the research Professor Nick Jennings said: “Improving cyber safety and resilience requires all stakeholders to act together at scale and in a coordinated way, including government, the engineering profession, system operators and industry leaders. This report will help each of these groups to better understand the new systems that are being created, the emerging vulnerabilities and how to address them.”
Commenting on the report, Amir Abramovitch, security researcher at Cy-OT, said: “We know that a lot of Internet of Things (IoT) devices are insecure, and healthcare devices are no exception. In the last couple of years we have seen multiple vulnerabilities published for a variety of medical IoT devices. The main problem is that the worst-case scenario here is not data theft or malware infection, but death, and the scariest part is that some of these attacks can even happen remotely, where the attacker does not need to gain physical access to the device.
He added: “The vulnerabilities span from simple vulnerabilities such as insecure storage of the Wi-Fi password and hard-coded secret credentials for remote maintenance, to more severe vulnerabilities such as communication interception, for example changing the dosage of a drug, and full-on denial-of-service such as making the device stop functioning at all.
“This poses a threat not only to corporate businesses but to human life. The good news is that there are possible mitigations for these attacks, and they are quite easy to implement. The problem is that the companies making these devices do not understand the security implications of their poor design, and I hope they will learn it before it is too late.”
The report adds to an increasing amount of research suggesting that the safety of medical technology needs to be improved. Researchers from the Ben-Gurion University of the Negev, Israel, released a paper proving the relative ease of exploiting medical technology which uses out-of-date security software. In addition, the American College of Cardiology’s Electrophysiology Council also confirmed that individual patients’ medical devices could be at risk of hacking.