Medical Device Cybersecurity: The Risks to PatientsEthical Hacker Stephanie Domas Discusses Real-World Threats
Although cyberattacks on medical devices that could potentially harm patients so far have only been demonstrated in lab settings, there have been actual cases involving the hacking of devices to gain access to patient data, says security engineer and ethical hacker Stephanie Domas.
"There have been verified attacks in the wild of attackers attempting to steal patient data through medical devices," Domas says. While potential medical device attacks specifically targeting the safety of particular patients "may have a monetizable avenue to it, what you traditionally see is attackers looking to profit, and right now that's through [breaching] patient data."
In an interview with Information Security Media Group, Domas notes, however, that the breach of patient data or disruptions of hospital information systems can also potentially lead to harm. For instance, in one real-world incident, a cardiac catheterization unit shut down in the midst of a procedure because the system's anti-malware software started to run, she says.
"While that was not a cybersecurity attack by traditional [definition], it was a cybersecurity issue on the system that caused it to lock up mid-heart procedure because the virus scan was not supposed to run while the device was in use."
Fortunately, in that case, doctors were able to get the medical equipment back up and running and finish the procedure, she says. But the incident highlights what can happen if systems have inadequate security configurations.
In the interview (see audio link below photo), Domas also discusses:
- How healthcare organizations and medical device makers can better address cybersecurity risks;
- Why cyber threats to medical devices will continue to grow;
- Her participation in an upcoming medical device cybersecurity workshop at the University of Michigan Archimedes Research Center for Medical Device Security that will, among other topics, examine the motivation and approach of hackers targeting these products.
Domas is lead security engineer for research and development firm Battelle's DeviceSecure Services unit. In this role, she works with medical manufacturers on design, architecture, verification, testing and execution of security best practices in the development of new medical devices, as well as penetration testing and cybersecurity risk mitigation of legacy systems. She also a certified ethical hacker and serves as an adjunct faculty member at the Ohio State University College of Computer Engineering.