I've been writing about various security risks in the health sector for many years now. Usually my articles cover patient privacy, data protection and health provider network insecurity issues. Occasionally, they spill over into darker territory where the cyber risk morphs into a very real one as far as the health of the patient is concerned.
Take my story at SC Magazine a couple of years ago which reported how researchers at Rapid7 had uncovered vulnerabilities in an insulin pump that had the potential to change the dosage supplied. Sure, the actual risk of exploit was low given that an attacker would have to have close proximity to the pump, and be armed with the hardware and knowledge to make the changes. Yet the fact that the pump was vulnerable to hacking is enough, in my never humble opinion, to demonstrate the dangers that life-saving technology can pose if security isn't built in from the ground up. That it wasn't can be evidenced by the fact that the same Rapid7 researcher had uncovered vulnerabilities in another brand of insulin pump some five years earlier. But what about now, has the security of healthcare devices improved?
The scary answer is not so much. As well as drug pumps, another medical device that has hit the insecurity headlines in the distant past has been the pacemaker. Ten years ago, in March 2008, The Register reported how some 'implantable cardiac defibrillators' which included pacemaker functionality, were vulnerable to an attack methodology that could turn the device off or deliver electric shocks to the patient. Fast forward to now, and those two risks are still with us and impacting another pacemaker manufacturer according to an article in Wired.
Security researchers Billy Rios from Whitescope and Jonathan Butts from QED Secure Solutions have revealed that malware can apparently be installed directly upon implanted pacemakers from Medtronic. Billy Rios is something of an expert when it comes to revealing vulnerabilities in medical devices, having installed a Donkey Kong game on a radiation delivery device a few years back. He also once stated that he had never left an investigation of a medical device without finding at least one serious security issue. Now he's been instrumental (every pun intended) in finding problems with Medtronic devices. Specifically these revolve around vulnerabilities in the Medtronic software delivery network that, courtesy of it being lacking in digital code signing, enable the installation of maliciously altered updates to give the attacker control of pacemaker programmers and ultimately the implanted pacemakers themselves.
While Medtronic has said, in a statement to Wired reporters, that all such devices "carry some associated risk" and that it strives "to balance the risks against benefits our devices provide" it hasn't fixed the problem of code signing. Which, Rios points out' is somewhat frustrating when you consider that a competitor in the same market that has a pacemaker programmer using the same OS (erm, yep, it's Windows XP) has implemented code signing to mitigate the risk.