Cybercrime is damn scary – but if you thought you had heard the worst of it, what with people spying on you through your computer’s camera or your family finding out you are having an affair via a mass data leak, you have no idea.

Thanks to the Internet of things, medical devices are at just as much risk of infiltration as, say, your mobile device.

Just picture these scenarios, courtesy of Wired:

Dick Cheney ordered changes to his pacemaker to better protect it from hackers. Johnson & Johnson warned customers about a security bug in one of its insulin pumps last fall. And St. Jude has spent months dealing with the fallout of vulnerabilities in some of the company’s defibrillators, pacemakers, and other medical electronics.

Talk about shivers up the spine.

You see, although all the warnings have been there for an age and a half, medical device companies have yet to make a change and, due to this, will probably learn the hard way – because hackers are increasingly taking advantage of the historically lax security on embedded devices.

Because of this lack of action, defending medical instruments has taken on new urgency on two fronts:

There’s a need to protect patients, so that attackers can’t hack an insulin pump to administer a fatal dose. And vulnerable medical devices also connect to a huge array of sensors and monitors, making them potential entry points to larger hospital networks. That in turn could mean the theft of sensitive medical records, or a devastating ransomware attack that holds vital systems hostage until administrators pay up.

Of course, what makes the hacking of medical devices all the more kak, is that it’s ultra personal – check these stats:

US hospitals currently average 10 to 15 connected devices per bed, according to recent research from IoT security firm Zingbox. A large hospital system, like Jackson Memorial in Miami, can have more than 5 000 beds.

“We tend to think healthcare is very conservative, healthcare is very slow because of regulations and liabilities, but because of the huge benefits they’re seeing by using IoT devices hospitals are deploying more and more of them,” says May Wang, chief technology officer at Zingbox.

“For the past three years the healthcare sector has been hacked even more than the financial sector. And more and more hacking incidents are targeting medical devices.”

That’s partly because there are so many easy targets. More than 36 000 healthcare-related devices in the US alone are easily discoverable on Shodan, a sort of search engine for connected devices, according to a recent Trend Micro survey.

More than 3 percent of exposed devices still used Windows XP, the retired Microsoft operating system that no longer receives security updates.

So, what can you do? Well, nothing really.

Although countless security researchers have recommended change comes quickly, Pwnie Express, a Boston-based cybersecurity company whose technology is used by local experts, NEWORDER, note that recommendations are not regulations.

They also have their own ideas of what the medical device industry needs now:

More aggressive action by government agencies would be welcomed, but security researchers wonder whether disparate government institutions can take comprehensive action to regulate an industry. Dan Kaminsky has gone as far as to suggest that, as far as networked devices are concerned, a dedicated organization with far-reaching powers akin to the National Institutes of Health might be the best solution.

Definitely some “Black Mirror” shit.

In the meantime, it should be high priority for you to sort out whatever cybersecurity you can. Start by talking to NEWORDER, who take hacking and industrial espionage checks to another level.

[source:wired]