Neurostimulators have cybersecurity vulnerabilities that hackers could exploit to gain access to the devices, manipulate them, and steal the data they transmit.
This was the conclusion of a report prepared by security firm Kaspersky Lab and the University of Oxford and released this week. The researchers even go so far as to warn that hackers might be able to steal memories from those devices in the not too distant future.
The cybersecurity vulnerabilities reside in the devices themselves as well as the associated software. The devices send electrical impulses through implanted electrodes to specific parts of the brain to treat movement and neuropsychiatric disorders.
In a blog post, the Kaspersky researchers said they uncovered existing and potential risk scenarios, each of which could be exploited by attackers. These include:
- Exposed connected infrastructure: Researchers found one serious vulnerability and several misconfigurations in an online management platform popular with surgical teams.
- Insecure or unencrypted data transfer between the implant, the programming software, and any associated networks: This could enable malicious tampering with a patient’s implant, or even with groups of implants connected to the same infrastructure. Manipulation could change settings in ways that cause pain or paralysis, or enable the theft of private and confidential data.
- Design constraints: Patient safety takes precedence over security. For example, a medical implant needs to be controllable by physicians in emergency situations, including when a patient is rushed to a hospital far from their home. This precludes the use of any password that isn’t widely known among clinicians. It also means that, by default, such implants need to be fitted with what amounts to a software backdoor.
- Poor security practices by medical staff: Clinician programmers (the devices used to adjust implant settings) running patient-critical software are accessed with default passwords, used to browse the internet, or have additional apps installed on them.
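To make the second scenario concrete, here is an added illustration; it is not code from the Kaspersky/Oxford report and does not model any real device's protocol. It uses a constructed, hypothetical settings-command format in which an on-path attacker rewrites the stimulation amplitude in a cleartext message and the implant accepts it, beside a receiver that authenticates each command with an HMAC under a shared key and rejects tampered, replayed, and out-of-range commands. The wire format, field names, key, and the 10.00 mA safety limit are all assumptions made up for the example. The example stays within Python's standard library, so it only shows integrity and replay protection; a real design would also encrypt the command (an AEAD cipher) and, per the third scenario, needs a key-distribution scheme that still permits emergency clinician access.

```python
import hashlib
import hmac
import struct

# Constructed, hypothetical wire format for a settings command (assumption,
# not any vendor's protocol): big-endian counter (u32), amplitude in 0.01 mA
# units (u16), frequency in Hz (u16), pulse width in microseconds (u16).
FMT = ">IHHH"
BODY_LEN = struct.calcsize(FMT)
TAG_LEN = 32                       # HMAC-SHA256 tag
MAX_AMPLITUDE = 1000               # hypothetical safety ceiling: 10.00 mA


def encode_plain(counter, amplitude, freq, width):
    """Cleartext, unauthenticated command as an insecure link would carry it."""
    return struct.pack(FMT, counter, amplitude, freq, width)


def implant_apply_plain(msg):
    """Naive receiver: applies whatever settings arrive, no integrity check."""
    _counter, amplitude, freq, width = struct.unpack(FMT, msg[:BODY_LEN])
    return {"amplitude": amplitude, "freq": freq, "width": width}


def tamper(msg, new_amplitude):
    """On-path attacker rewrites the amplitude field and leaves any trailing
    bytes (such as an authentication tag) untouched."""
    counter, _old, freq, width = struct.unpack(FMT, msg[:BODY_LEN])
    return struct.pack(FMT, counter, new_amplitude, freq, width) + msg[BODY_LEN:]


def encode_authenticated(key, counter, amplitude, freq, width):
    """Programmer side: body followed by HMAC-SHA256 over the body."""
    body = struct.pack(FMT, counter, amplitude, freq, width)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AuthenticatedImplant:
    """Hardened receiver: verifies the tag, enforces a strictly increasing
    counter (replay protection) and a hard amplitude ceiling (safety)."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0
        self.settings = None

    def apply(self, msg):
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        counter, amplitude, freq, width = struct.unpack(FMT, body)
        if counter <= self.last_counter:
            raise ValueError("replayed or stale command")
        if amplitude > MAX_AMPLITUDE:
            raise ValueError("amplitude outside safe range")
        self.last_counter = counter
        self.settings = {"amplitude": amplitude, "freq": freq, "width": width}
        return self.settings


def _outcome(implant, msg):
    try:
        implant.apply(msg)
        return "accepted"
    except ValueError as err:
        return str(err)


def demo():
    """Runs the constructed scenarios and returns what each receiver did."""
    key = b"constructed-demo-key-not-a-real-secret"   # assumption for the demo

    # 1. Cleartext link: attacker raises 2.50 mA to 9.00 mA, implant accepts it.
    plain = encode_plain(1, 250, 130, 60)
    plain_tampered = implant_apply_plain(tamper(plain, 900))

    implant = AuthenticatedImplant(key)
    # 2. Genuine authenticated command is applied.
    genuine = implant.apply(encode_authenticated(key, 1, 250, 130, 60))
    # 3. Same rewrite against an authenticated command fails the tag check.
    tampered = _outcome(implant, tamper(encode_authenticated(key, 2, 250, 130, 60), 900))
    # 4. Replaying the earlier genuine command (counter 1) is rejected.
    replayed = _outcome(implant, encode_authenticated(key, 1, 250, 130, 60))
    # 5. A correctly signed but unsafe amplitude (15.00 mA) is still refused.
    unsafe = _outcome(implant, encode_authenticated(key, 3, 1500, 130, 60))

    return {
        "plain_tampered_amplitude": plain_tampered["amplitude"],
        "genuine": genuine,
        "tampered": tampered,
        "replayed": replayed,
        "unsafe": unsafe,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The safety ceiling is enforced after authentication on purpose: a compromised or mishandled programmer (the fourth scenario) holds a valid key, so the implant should refuse dangerous settings even from an authenticated source.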
The researchers explained that within five years, some scientists expect to be able to record brain signals and enhance or rewrite them before putting them back into the brain. In ten years, memory-boosting brain implants could be available commercially. In 20 years, the technology might enable control over memories.
While this could provide healthcare benefits, it could also open patients to attackers intent on exploiting vulnerabilities that inevitably appear in new technology.
“New threats resulting from this could include the mass manipulation of groups through implanted or erased memories of political events or conflicts; while ‘repurposed’ cyberthreats could target new opportunities for cyber-espionage or the theft, deletion of or ‘locking’ of memories (for example, in return for a ransom),” the blog post stated.
To forestall this dystopian future, the researchers recommend that healthcare and IT security collaborate to address current risks and build security into technology as it develops. Also, users of this technology need to be educated about the risks.
“Healthcare professionals, the security industry, the developers and manufacturers of devices and associated professional bodies all have a role to play in ensuring emerging devices are secure,” the researchers wrote.
“We believe that collaborating to understand and address emerging risks and vulnerabilities, and doing so now while this technology is still relatively new, will pay off in the future,” they concluded.
Certainly, medical device security is top of mind among regulators. For example, HHS this week opened its Health Sector Cybersecurity Coordination Center, which will serve as a healthcare cybersecurity threat analysis and incident response partner to the private sector. One area of focus for the center will be improving medical device security.
In addition, the FDA has recently unveiled a number of initiatives to improve medical device security. First, it signed an agreement with the Department of Homeland Security to implement a new framework for increased coordination and cooperation between the two agencies on medical device security. The agreement is meant to encourage greater coordination and information sharing about potential or confirmed medical device security vulnerabilities and threats.
Second, the FDA has issued a draft update to its premarket guidance on medical device security for manufacturers. The guidance includes recommendations on how manufacturers can protect against significant risks, such as ransomware campaigns that disrupt clinical operations and exploits involving a remote, multi-patient attack.
This spring, the FDA laid out a comprehensive medical device safety action plan to improve medical device safety and reduce vulnerabilities in those devices.
“Medical device safety is a key priority for the FDA. We’re committed to protecting American patients by minimizing avoidable risks and advancing device technologies that are delivering growing benefits,” FDA Commissioner Scott Gottlieb said in releasing the action plan.