According to the 2015 SANS Institute Healthcare Cyberthreat Report, a whopping 94 percent of healthcare organizations have been victims of cyberattacks. But surprisingly, only 38 percent of patients said they would “…be wary of using a hospital associated with a hacked device.”
Perhaps if the other 62 percent of patients understood the potential of such attacks, they might change their tune. To this point, security researcher Jerome Radcliffe hacked his own insulin pump and discovered he could maliciously interfere with the device to administer a lethal dose from up to 200 feet away.
To be sure, this type of attack belongs more in the pages of a spy thriller than in the list of things hospital patients should be worried about. After all, surgical complications and infections are far more common problems than medical device hacking.
That said, with the growing digitization of healthcare technology and record-keeping, anyone who ignores the cyberthreat landscape in the healthcare sphere does so at their own risk. For example, leaked data from activity trackers (Fitbit, etc.) might be particularly appealing to unscrupulous insurers who could then selectively raise premiums on less-active individuals in an attempt to force them out of their insured pool.
Since black hats and white hats alike often pursue areas of untapped potential, it’s worth noting that according to PricewaterhouseCoopers, the economic value of Internet-connected healthcare devices is expected to be close to $285 billion by the year 2020.
As such, it would behoove security researchers, device manufacturers, cyberthreat experts, and healthcare consumers at large to all be aware of this market segment. To this end, the banking industry may offer a model from which important practices can be adopted, such as securing data protocols, designing security into each product (rather than adding it on afterwards), and limiting connectivity options for devices.
The impacts of these actions may mean a change in business strategy for healthcare vendors, a change in behavior for healthcare consumers and changes in functionality to devices. However, all of these will be necessary to safeguard data.
For more information on medical device attacks, please see the infographic below based on this resource for protecting healthcare IoT.