Weaponizing Medical Devices
We live in a connected world. Even medical devices are connected to one another over a network, making security more important than ever.
But nobody’s died yet...
So often, we hear, “What’s the panic about securing connected medical devices? Nobody’s died yet and nobody can prove that insecure connected medical devices were vectors in an attacker’s botnet yet.”
The operative word is “yet,” as hackers are scheming to weaponize connected medical devices. You might have read how life-saving connected insulin pumps can be turned into lethal devices. We’ve read about devices like benign ultrasound machines that could be conscripted into a hacker’s army for botnet attacks.
As with many things, it’s not the objects themselves that pose risks; it’s how they’ll be used. And it's only a matter of time before these devices are leveraged in a range of attacks.
The firmware running on millions of connected medical devices is completely insecure. Most older and many newer connected medical devices were never built with security in mind. These devices are being used around the clock by the healthcare industry and individuals who rely on them for support, but they're also riddled with vulnerabilities that hackers are looking to exploit. When they find one viable security hole, they could launch a direct attack on an individual through a single device or exploit a group of devices as vectors in a coordinated attack.
It’s time for medical manufacturers and others to take action:
- Build secure firmware on connected devices using secure coding practices.
- Reverse engineer compiled firmware images to check for security holes. It’s time manufacturers started thinking like the bad guys in order to stay ahead of them.
- Lock down or patch the code on connected medical devices before and after production.
- Rinse and repeat.
Insecure connected medical devices will continue to entice hackers who forge harmful and lethal schemes, day in and day out. Attackers don’t rest, so medical device manufacturers cannot be complacent when building (or patching) devices. They must take concrete and responsible steps to find and fix the holes on insecure connected medical devices - before it’s too late.
Published at DZone with permission of Gina Palladino, DZone MVB.