It sounds like something out of a thriller: a hacker sneaks into the hospital room of a high-profile target and installs a device on their medical equipment. With it, the attacker is able to send fake vital signs to the monitoring systems used by the patient’s doctors, convincing them that the target is experiencing a severe medical incident.
The doctors rush in and deliver a treatment that the patient would need if they really were having the incident the monitors believe they are. But the patient is, in reality, stable, and the treatment instead proves deadly.
Last weekend, the vulnerability that makes this scenario genuinely possible was detailed onstage at security conference Def Con 26 by Douglas McKee, a security researcher for McAfee.
It is a concerning scenario, adding to the growing pile of worries surrounding medical device security. But it shouldn’t make anyone who wouldn’t otherwise be a possible assassination target worried.
The fake vital signs attack shouldn’t be cause for concern
The notion of someone turning medical equipment against their user is undoubtedly shocking – and probably will show up on a TV show sooner or later – but this fake vital signs vulnerability is not going to see the average citizen inadvertently killed by medical professionals.
“This attack requires physical access to the patient and the installation of an additional device for this attack to be successful. So, from a broad risk perspective, there isn’t necessarily a large impact as it’s not an attack that can be conducted remotely,” said Javvad Malik, security advocate at AlienVault.
“Attacks against medical devices that require direct access to the patient or, at an absolute minimum, physical access to a network are highly unlikely due to their complexity and the extremely high risk of being caught executing them,” agreed Lee Munson, security researcher at Comparitech.com.
In theory a very powerful or wealthy individual could be the target of this type of attack – if someone were trying to kill them anyway. However, these types of individuals typically employ impressive security, significantly lowering the chances of a fake vital signs attack being effective.
“The average citizen should have no concerns whatsoever, while high profile individuals, wary of a theoretical attack that is likely to offer no more than a degree of inconvenience, should be aware of medical establishments with a lack of physical security, something that is unlikely to be an issue considering their status,” added Munson.
But we should be paying close attention to the security of medical devices
While this fake vital signs attack is far more likely to emerge on our favourite procedural crime drama than in our lives, it does draw attention to the importance of medical device security – and the fact that there is far more to do in this area.
“This is another example of recognising the importance of security as it plays a role in maintaining the safety and effectiveness of medical devices,” said Garrett Sipple, managing consultant at Synopsys.
“Medical devices often move through long product development cycles that can make them slow to react to new cybersecurity threats, especially if cybersecurity wasn’t even a key consideration in the development process.”
In particular, there has been an attitude that cybersecurity can conflict with the primary goal of saving lives.
“With medical devices in particular, security is often viewed as high friction,” added Malik.
“The argument being that in life-or-death scenarios, medical staff shouldn’t be slowed down by excessive security controls. Which, on their part is correct – however, it only means that security controls need to be viewed differently, and implemented in a way that ensures security without interfering with processes.”
For the healthcare industry, it is important to take greater charge of the issue.
“There is an element of shared responsibility that healthcare organisations need to accept with regard to connected devices,” said Malik.
“Even if a manufacturer implements adequate security controls, the healthcare organisation will likely still need to ensure it remains secure in their environment.
“Additionally, healthcare organisations should ask the question of manufacturers around security, requiring them to provide evidence of secure manufacturing processes and independent 3rd party testing of security. Along with these steps, it is vital that healthcare organisation have adequate monitoring controls in place to detect when a device is inappropriately accessed.”