Hacking healthcare: A call for infosec researchers to probe biomedical devices
It is a brave new connected world out there and there is no shortage of cybersecurity risks associated with everything we do. We can’t even be sure that the technologies that keep as alive and healthy will work as intended if malicious actors set their sights on them.
The security challenges associated with healthcare
Flaws in medical data management systems and electronic health records can be exploited to steal or modify patient information, vulnerabilities in medical devices and equipment bugs could lead to substandard care and misdiagnoses.
Just recently, a group of researchers has demonstrated that it’s possible to create malware that would add fake tumours to medical scan images or remove real ones. An attack is possible because the files containing the images and scans are not digitally signed or encrypted.
“An attacker may perform this act in order to stop a political candidate, sabotage research, commit insurance fraud, perform an act of terrorism, or even commit murder,” the researchers noted.
Luckily for all of us, there are information security researchers that probe the security of biomedical devices and healthcare equipment, but there are still not enough of them in the medical industry, says Nina Alli, an infosec researcher herself and the Project Manager of the DEF CON BioHacking Village.
What are biomedical devices?
“There are numerous types of devices that can be categorized as biomedical devices: Electronic Medical Records (EMRs), radiology machines (MRI, CT, XR), heart monitors, pacemakers, fetal monitors, Patient Controlled Analgesic (PCA), Apple Watch and other heart monitoring wearables, ingestible sensors, insulin monitors, DaVinci Surgical Robot, etc. And new types of biomedical devices are constantly emerging,” Alli told Help Net Security.
“Numerous universities are working on Translational Medicine programs, which drive students to learn more about patient needs and encourages them to develop new biomedical devices that will help speed up prevention, diagnosis and therapy.”
Manufacturers must adhere to regulations and processes set out by the US Food and Drug Administration (FDA) in order for these devices to be approved for use in the US.
According to FDA’s numbers, the agency regulates more than 190,000 different devices manufactured by more than 18,000 firms in more than 21,000 medical device facilities worldwide.
The current situation
With degrees in biomedical informatics and translational medicine and many years of experience in the healthcare field, Alli is dedicated to helping the ecosystem understand the security challenges associated with healthcare and collaborating to devise methods to solve those problems at mass.
Currently, the things she worries most about are biomedical device makers that still use hardcoded or default device passwords and don’t set devices’ Wi-Fi and Bluetooth to “off” by default.
Every device should automatically change its password once it’s activated and engaged, she maintains, and Wi-Fi and Bluetooth communication functions should only be activated as necessary by the therapist or physician.
On the other hand, she noticed positives changes. For example, medical device manufacturers have recently begun building security into their devices from the start, rather than bolting it on post build.
They are also more willing to talk openly about security challenges and address them, and understand that having true security researchers helping them develop and check their code can only benefit their product and data security.
Another good news is that the FDA has made great strides when it comes to improving the cybersecurity of medical devices and has defined plans to keep at it, especially when it comes to continuous security updating and patching, vulnerability disclosure and response mechanisms.
Also, earlier this year, the FDA and the DEF CON Biohacking Village have launched the #wehearthackers initiative.
“The goal of this initiative is to encourage healthcare ecosystem stakeholders to work collaboratively with security researchers to ensure their devices are secure. On the day the initiative launched, five major device manufacturers pledged to work with us: BD, Medtronic, Philips Health, Abbott, and Thermo Fisher,” Alli shared.
What to expect from the DEF CON Biohacking Village?
The DEF CON Biohacking Village is a multi-day biotechnology conference focused on breakthrough DIY, grinder, transhumanist, medical technology, and information security along with its related communities in medical/healthcare ecosystem.
The organizers celebrate the biohacker movement with a compendium of talks, demonstrations, and a medical device Capture the Flag contest, which challenges hackers to defend a hospital under siege.
The Biohacking Village, in collaboration with I Am The Cavalry, also runs a Medical Device Lab where security researchers can learn and build their skills alongside patients, medical device makers, hospitals, the FDA, and others. Medical device manufacturers, academic institutions, healthcare delivery organizations, and individual security researchers are invited to put medical devices in the hands of security researchers for security testing.
“Every year we look at the medical ecosystem and think about ways to make our village more encompassing to show the attendees new technology and methodologies,” Alli explained.
As far as the latest trends in the healthcare/biotechnology space, she says she has noticed that there has been quite a bit more DIYBio/Citizen Science emerging.
“People are looking to make their own devices to solve health challenges or tinkering with brand name devices to ensure their security. Patients are asking for more control of their data and devices,” she noted.
“In recent years, patient healthcare technology literacy has increased, and they are now able to ask great questions about the handling, care, and underlying technology of their medical devices.”