Next wave of cyberattacks could target health devices

Connected medical devices are potentially vulnerable to cyberattacks, and former federal officials say the financial sector could provide a security model.

Shutterstock image (by fotogestoeber): virus infection spreading out in a network.

There are few high-tech scenarios more nightmarish than attacks on connected medical devices. Imagine a pacemaker held for ransom by a foreign hacker or a medical center spoofed into giving patients toxic doses of drugs.

But the proliferation of connected devices and the easy availability of spy-grade hacking tools is potentially a recipe for disaster. A group of former officials from the Department of Homeland Security and the intelligence community suggests the U.S. financial services sector might make a good model for health care vendors and institutions looking to protect themselves.

Connected medical devices implanted in patients offer a huge upside in cost reduction and patient benefits and will become a key to health care in the coming years, said Leslie Saxon, chief, division of cardiovascular medicine and professor of medicine at the University of Southern California's Keck School of Medicine.

Saxon and representatives of medical device manufacturers said the threat of a hacking attack on the 15 million devices in the U.S. that would kill the wearer were "highly unlikely" at present. But hacks could be used to gain access to health care networks and a trove of increasingly valuable data, Saxon said at a June 28 event hosted by the Bipartisan Policy Center.

However, such devices will present a big target for ransomware and data exfiltration and potentially lead to physical dangers to patients, former CIA Deputy Director Michael Morell said.

"If I was still in the CIA, and I learned an ISIS leader had an internet-connected pacemaker, I'd ask my guys how we could use that to get him," said Morell, now a senior counselor at Beacon Global Strategies.

That possibility, said Michael Chertoff, former DHS secretary and founder of the Chertoff Group consultancy, means device makers have to take a page from the financial services sector and collectively address security concerns sooner rather than later.

Chertoff released a white paper on June 28 urging the group to share, collaborate and use the guidance offered in May by the Food and Drug Administration on internet-connected medical devices.

That agency recommended information-sharing forums that manufacturers could join to share details about security risks and responses as they occur, much like the Information Sharing and Analysis Centers sponsored by DHS.

The study said the National Health ISAC lays the foundation for the type of trusted community the FDA recommended. It offers device manufacturers a forum for sharing cyber and physical security threat indicators, but it warned that the health forum is less mature than other ISACs because of the relatively fresh threat to the health care industry.

Morell said the industry has to become more proactive with its cybersecurity efforts and actively seek help from federal cybersecurity experts.

The financial services sector, he said, has been particularly bold in that area. He said that sector was concerned about reports of the cyberattack that took out the Ukranian power grid in 2015.

That sector, he said, reached out to DHS and asked, "What can you tell us?" DHS told the sector it could participate in a daily unclassified conference call it convened with various security agencies to discuss developments, according to Morell.   

"No one had ever done that before," he said.

NEXT STORY: Writing the Rules of Cyberwar