Medical devices, including those that are implanted within patients, are increasingly likely to be targeted by hackers and could pose a nightmare scenario if providers do not take measures to improve their defenses.
“The issue with security is that hackers always follow the path of least resistance,” claims Sam Rehman, the chief technology officer at security vendor Arxan, which serves multiple industries and has a large footprint in healthcare.
Like several other security vendors, Rehman says providers need to conduct a comprehensive risk assessment and fix vulnerabilities. In healthcare, medical device security is a hot topic, and for good reason: providers typically have hundreds if not thousands of devices in their facilities.
But providers also need to increase security levels for devices that are implanted in patients, because several of those devices have wireless capabilities that enable hackers to interfere with them, Rehman says.
For instance, physicians can use hand-held medical devices to wirelessly collect data and even update an implant, such as changing device settings on insulin pumps, pacemakers and other devices. However, a hacker in a hospital can do the same thing, which represents a potential risk to patient safety, Rehman cautions.
Many hackers might not intend to cause harm, but others will do what someone pays them to do, which could include causing injury to patients. Rehman says monetary motivation, particularly through blackmail, could emerge as a potential risk.
Such hacking could involve efforts to affect the share price of a device manufacturer. Rehman says stock price manipulation could provide another financial motive for hacking. For instance, if one person pays another to cause harm, the instigator can make money when a company’s stock price falls.
A scenario similar to this has already occurred. Earlier this year, the Food and Drug Administration confirmed cybersecurity vulnerabilities in St. Jude Medical’s implantable cardiac devices and its Merlin@home transmitter. The vulnerabilities were originally disclosed by an investment group that aimed to make money by selling the company’s stock short.
St. Jude Medical devices, the FDA stated, could be hacked by outsiders, leading to injury or death, and St. Jude’s share price quickly dropped by 10% as the company scrambled to make fixes. “If someone can make money, this absolutely will happen,” Rehman says.