Hacking

Next cyberattack target? Medical devices

Posted by

0


Enemies of the United States who seek to take down the country in a cyberattack could soon target the health care industry.

New reports warn that, following a spate of localized cyberattacks against health care facilities, federal officials and health systems are concerned that the next cyberattack target will be medical devices, including those in hospital rooms, at imaging centers and even inside patients’ homes.

“Hackers have especially targeted health systems for their valuable troves of patient data and in some cases have temporarily knocked systems offline, disrupting patient care,” Axios reported about the matter.

“But there are also a range of medical devices – such as MRIs, ventilators and pacemakers – that are potential targets, particularly when it comes to aging devices with outdated software.”

Though the cyberattack threat to medical devices is still largely theoretical, experts like Toby Gouker, an executive at privacy and security firm First Health Advisory, believe that it is only a matter of time before hackers figure out a way to break them virtually.

“It’s a real Achilles’ heel and a blind spot for health systems,” Gouker is quoted as saying. “What makes more money in a hospital than anything else? If you bring an MRI down, you can take a lot of health systems to their knees.”

(Related: Some people believe that communist China is planning a cyberattack to take down America.)

Government watchdog calls on FDA to expand cybersecurity of medical devices

The U.S. Government Accountability Office (GAO) is calling on the U.S. Food and Drug Administration (FDA), which oversees medical devices, to work more closely with the Cybersecurity and Infrastructure Security Agency to coordinate cybersecurity and medical devices in advance of a potential attack.

Both agencies have responded to the GAO’s call positively, stating that they, too, believe more needs to be done to protect medical devices from hacking attempts.

The GAO produced a report that says the vulnerabilities inherent to medical devices “still pose risks to hospital networks – and patients.”

As of last March, a new law requires all medical device manufacturers to submit plans for how to address any cybersecurity vulnerabilities inherent to their products. That law does not, it is important to note, affect any connected devices that are already on the market.

“Everything from your hospital bed to your infusion pump next to the bed, to the monitor next to the bed that’s measuring, monitoring your vitals, they’re all connected,” said Chelsea Arnone, director of federal affairs for the College of Healthcare Information Management Executives.

“Everything is online … so they’re all ostensibly hackable.”

Because many medical devices incorporate off-the-shelf software that, like all other software, is vulnerable to threats like viruses and “worms,” it is important that medical device manufacturers pay mind to this threat early on to avoid potential hacking problems later on down the road.

Up until the new law took shape and was signed into law, most medical device manufacturers offered little to no support in providing patches or other cybersecurity solutions to their customers, especially for older medical devices that no longer hold “blockbuster” status.

The name of the game for the medical device industry, just like with the pharmaceutical industry, is profits. And providing constant software support for older products means fewer profits, hence the need for legislation to force these companies to do the right thing.

One recent incident that illustrates the problem occurred in Russia after a hacker found a backdoor into a hospital’s medical device. The hospital was unable to take the product offline in order to isolate the problem, and when its employees contacted the company for assistance, they were told there is no fix.

“It’s just old school,” Arnone said about the incident. “You’re calling someone on the phone and waiting and trying to get the right person who can help you. It’s like the worst kind of customer support.”

Disturbing New WikiLeaks Dump Shows Just How Vulnerable We Are to Hacking

Posted by

0


Article Image

Okay, so maybe Big Brother is watching you.

It turns out that even apps like WhatsApp, Signal, Confide, and Telegram, which are all seen as strong for privacy and encryption, are vulnerable to hacking. In a disturbing new revelation, we are learning that hackers may have the capability of capturing audio and messaging date before the encryption takes place.

Can you hear me now? (Yes.)

WikiLeaks logo (Fair Use)

In what may become the largest release of top-secret CIA information, WikiLeaks just released 8,761 documents and files that detail the agency’s extensive hacking tools. This initial data dump, referred to as Year Zero, is the first installment in what is being nicknamed Vault 7. If WikiLeaks’ assertions are Vault 7 are correct, the release would be a greater amount of information than gleaned from Edward Snowden.

Credit: Getty Images

While the CIA has not confirmed Vault 7’s authenticity, it has not currently issued a denial of its veracity. We also do not know if the stockpile derived from a former CIA employee or contractor, it whether Vault 7 itself derives from hacking by a foreign government.

Vault 7 is showing us just how vulnerable we are to hacking.

The long-term ramification from this latest WikiLeaks revelation could be an erosion of faith that our popular tech tools are secure. Whether it be using an iPhone or watching a show on a smart tv, we may become more skeptical that our tools are not being used against us.

Credit: Getty Images

There has been a low-running tension between consumers, the government, and the tech industry. Each group has their own interests, and they are often at odds.

The general public has a desire not to be hacked, and the government has a desire for hackable tech. The tech industry has a desire to make money, which typically involves ensuring consumers that their products will not be hacked.

This initial release by WikiLeaks showcases the tremendous amount of resources that the CIA has put into ensuring that our popular devices, whether they be Android or Apple, have certain back-door vulnerabilities. While it is generally understood that the government works with major tech companies to notify the company when a vulnerability has been found, this data dump by WikiLeaks implies that the CIA is not only not telling companies about vulnerabilities, but has also been actively pursuing to find and purchase additional flaws.

“Governments should be safeguarding the digital privacy and security of their citizens, but these alleged actions by the CIA do just the opposite. Weaponising everyday products such as TVs and smartphones – and failing to disclose vulnerabilities to manufacturers – is dangerous and short-sighted.” -Craig Fagan, policy director for the World Wide Web Foundation (speaking to the BBC)

Credit: Getty Images

The problem, of course, is what happens when bad actors exploit vulnerability flaws? The initial release of Vault 7 (Year One) seems to represent a playbook of sorts. That playbook is now out of the proverbial locker room.

“Those vulnerabilities will be exploited not just by our security agencies, but by hackers and governments around the world. Patching security holes immediately, not stockpiling them, is the best way to make everyone’s digital life safer.”-Ben Wizner, director of the American Civil Liberties Union’s Speech, Privacy, and Technology Project, speaking to The New York Times

While companies like Apple are already asserted that they have patched the problems listed in WikiLeaks, it is our faith that our products are secure that may be more difficult to fix.

Yes, You Can Hack a Pacemaker (and Other Medical Devices Too).

Posted by

0


On Sunday’s episode of the Emmy award-winning show Homeland, the Vice President of the United States is assassinated by a group of terrorists that have hacked into the pacemaker controlling his heart. In an elaborate plot, they obtain the device’s unique identification number. They then are able to remotely take control and administer large electrical shocks, bringing on a fatal heart attack.

Viewers were shocked — many questioned if something like this was possible in real life. In short: Yes (except, the part about the attacker being halfway across the world is questionable). For years, researchers have been exposing enormous vulnerabilities in Internet-connected implanted medical devices.

There are millions of people who rely on these brilliant technologies to stay alive. But as we put more electronic devices into our bodies, there are serious security challenges that must be addressed. We are familiar with the threat that cyber-crime poses to the computers around us — however, we have not yet prepared for the threat it may pose to the computers inside of us.

Implanted devices have been around for decades, but only in the last decade have these devices become virtually accessible. While they allow for doctors to collect valuable data, many of these devices were distributed without any type of encryption or defensive mechanisms in place. Unlike a regular electronic device that can be loaded with new firmware, medical devices are embedded inside the body and require surgery for “full” updates. One of the greatest constraints to adding additional security features is the very limited amount of battery power available.

Thankfully, there have been no recorded cases of a death or injury resulting from a cyber attack on the body. All demonstrations so far have been conducted for research purposes only. But if somebody decides to use these methods for nefarious purposes, it may go undetected.

Marc Goodman, a global security expert and the track chair for Policy, Law and Ethics at Singularity University, explains just how difficult it is to detect these types of attacks. “Even if a case were to go to the coroner’s office for review,” he asks, “how many public medical examiners would be capable of conducting a complex computer forensics investigation?” Even more troubling was, “The evidence of medical device tampering might not even be located on the body, where the coroner is accustomed to finding it, but rather might be thousands of kilometers away, across an ocean on a foreign computer server.”

Since knowledge of these vulnerabilities became public in 2008, there have been rapid advancements in the types of hacking successfully attempted.

The equipment needed to hack a transmitter used to cost tens of thousands of dollars; last year a researcher hacked his insulin pump using an Arduino module that cost less than $20. Barnaby Jack, a security researcher at McAfee, in April demonstrated a system that could scan for and compromise insulin pumps that communicate wirelessly. With a push of a button on his laptop, he could have any pump within 300 feet dump its entire contents, without even needing to know the devices’ identification numbers. At a different conference, Jack showed how he reverse engineered a pacemaker and could deliver an 830-volt shock to a person’s device from 50 feet away — which he likened to an “anonymous assassination.”

There have also been some fascinating advancements in the emerging field of security for medical devices. Researchers have created a “noise” shield that can block out certain attacks — but have strangely run into problems with telecommunication companies looking to protect their frequencies. There have been the discussions of using ultrasound waves to determine the distance between a transmitted and medical device to prevent far-away attacks. Another team has developed biometric heartbeat sensors to allow devices within a body to communicate with each other, keeping out intruding devices and signals.

But these developments pale in comparison to the enormous difficulty of protecting against “medical cybercrime,” and the rest of the industry is falling badly behind.

In hospitals around the country there has been a dangerous rise of malware infections in computerized equipment. Many of these systems are running very old versions of Windows that are susceptible to viruses from years ago, and some manufacturers will not allow their equipment to be modified, even with security updates, partially due to regulatory restrictions. A solution to this problem requires a rethinking of the legal protections, the loosening of equipment guidelines, as well as increased disclosure to patients.

Government regulators have studied this issue and recommended that the FDA take these concerns into account when approving devices. This may be a helpful first step, but the government will not be able to keep up with the fast developments of cyber-crime. As the digital and physical world continue to come together, we are going to need an aggressive system of testing and updating these systems. The devices of yesterday were not created to protect against the threats of tomorrow.

Source:Forbes