Medical Device Hacks: When Cyber Risk Becomes Deadly

Posted by Mark Greisiger

A Q&A with Benjamin Caudill of Rhino Security Labs
With every advance in the Internet of Things comes more risks, and nowhere is this more true than in the field of medical devices, which, if seized by the wrong hands, have the potential to do bodily harm. I spoke with Benjamin Caudill, founder and CEO of Rhino Security Labs, about the exposures created by embedded systems in medical devices and what risk managers, corporate leaders and the general public might need to know.

Why is there concern now about devices with embedded systems?
Every day new products are coming out onto the market but unlike, say, a new version of Windows, these products haven’t been subjected to any formal security testing. In fact, IT security is often the last box to check. Security should be integrated from the very beginning of the life cycle of product development, but many of these companies don’t have the incentive to do things correctly the first time.

What makes these devices vulnerable?
There are a number of factors, but wireless devices as a whole tend to be higher impact. They are easy to exploit because there are more attack vectors. There’s not one technology across the board that is more susceptible, but the smaller, cheaper wireless devices in general are going to be much easier for hackers.

What are the biggest risks out there?
We saw Jerome Radcliffe give a presentation on hacking insulin pumps—he basically hacked into his own pump and demonstrated how with a few simple components you could prompt the pump to arbitrarily reject or restrict insulin production. So this is of real concern because situations like this directly affect human welfare and health. You can imagine that if someone wanted to perform an assassination this would be the way to do it in the future—interrupting the signal and sending the wrong communication to the heart center or the brain. It would certainly be hard to prove if something like that happened. Without a logging system in place—and many of these devices don’t have them—we don’t have the technology to determine the cause; heart attacks or strokes look very similar, whether from high blood pressure or a buggy medical device.

Have there been any known cases of harmful attacks on medical devices?
None that I know of, but that doesn’t mean much either. An attack on the human SCADA would cause panic and it’s likely the general public would not hear about it.

What can be done to mitigate the risk?
By far the most important thing is to establish a secure development life cycle (SDLC) with all code and high-level designs thoroughly vetted with penetration testing. Security is a process, not an objective. Many people start out with an app or device that’s secure but forget to prioritize security as each new version is released.

There is no magic bullet but as with all cyber security issues, it’s about a layered defense strategy. You can’t predict attacks and methodologies so you have to go about it from every angle. We have worked with hospitals, medical organizations and manufacturers to perform penetration testing on medical devices. Right now there is no gold standard for medical device security, but over time we expect to see this become a more prominent subject with baselines and standards for manufacturers to follow.

In Summary…
We want to thank Rhino Security Labs and Mr. Caudill for his insights into this emerging topic of cyber risk that is catching the attention of both corporate risk managers and the cyber liability insurance carriers. It seems with so many personal, household, and work devices now connected to the internet it’s only a matter of time before significant—and possibly systemic—risk bubbles to the surface.

—###—

NetDiligence® is a cyber risk assessment and data breach services company. Since 2001, NetDiligence has conducted thousands of enterprise-level cyber risk assessments for organizations. NetDiligence services are used by leading cyber liability insurers in the U.S. and U.K. to support loss-control and education objectives. NetDiligence hosts a semiannual Cyber Liability Conference attended by risk managers, privacy attorneys and cyber liability insurance leaders from around the world. NetDiligence is also an acknowledged leader in data and privacy breach prevention and recovery. Its eRiskHub® portal (www.eriskhub.com) is licensed by cyber liability insurers to provide education and breach recovery services to their policyholders.