Core medical equipment including CT and MRI machines remain vulnerable to cyberattacks, researchers have warned.
It was first back in 2012 when a security researcher highlighted the importance of securing not only our PCs but also our connected medical devices after it was found that bugs in transmitters could be exploited to deliver lethal shocks to pacemakers.
In the following years, thousands of medical devices have been found to be open to exploit online, and it was only last year that the US Food and Drug Administration (FDA) issued a "voluntary recall" for Abbott pacemakers, formerly of St. Jude, to update firmware against attacks which could drain battery life, allow changes in programmed settings, or even change the beats and rhythm of the device.
Now, researchers from Ben-Gurion University in Beersheba, Israel, have issued a new report warning medical professionals that this issue is not being taken as seriously as it should -- especially as vulnerable devices can place patient health, and potentially lives at risk.
The report (.PDF), published earlier this month, explores how Medical Imaging Devices (MIDs), such as Magnetic Resonance Imaging (MRI) or Computed Tomography (CT) systems are becoming increasingly vulnerable to cyberattacks.
These devices are commonly connected to hospital networks, and with this connectivity, an avenue is carved for cyberattackers to exploit vulnerabilities in outdated firmware.
Vulnerable MIDs may result in attacks which "target the devices' infrastructure and components, which can disrupt digital patient records, and potentially jeopardize patients' health," according to the researchers.
The team believes that attacks on MIDs are going to increase as vulnerabilities are uncovered in more and more medical devices, and as we've already seen, attackers have no qualms when it comes to targeting hospitals.
The paper includes a survey of organizations in the healthcare industry and their risk of compromise due to cyberattacks. The researchers concluded that MID machines "face the greatest risk" due to their "pivotal role in acute care imaging."
Ransomware remains a key issue, according to the paper. Hospitals in the UK and US have already fallen prey to this malware and in many cases, will pay the blackmail demand rather than disrupt services further.
Ransomware attacks have proven to be successful against hospitals, and it may be that in the future, MIDs will become blocked or disabled as part of ransomware campaigns.
Ransomware is not the only issue at hand, however, as the team believes there are more attack vectors which could pose a serious risk to patient health.
These include tampering with parameter values to alter radiation levels, changing the pitch of machines to disrupt MID mechanics, disrupting scan signals to manipulate scans, and denial-of-service (DoS) attacks that can prevent machines being used at all.
"In cases where even a small delay can be fatal, or where a dangerous tumor is removed or erroneously added to an image, a cyberattack can be fatal," says Tom Mahler, one of the authors of the paper. "However, strict regulations make it difficult to conduct basic updates on medical PCs, and merely installing antivirus protection is insufficient for preventing cyberattacks."
"The MID development process, from concept to market, takes three to seven years. Cyber threats can change significantly over that period, which leaves medical imaging devices highly vulnerable," Mahler added.
Hospitals and regulators must come together to prevent what may be fatalities in the healthcare sector one day, should attacks continue.
According to Nader Henein, regional director of advanced security assurance advisory at BlackBerry, the FDA has done "moderately well" in providing cybersecurity guidance to hospitals, but "the onus is also on product manufacturers, and software providers, to ensure that their offerings are up to scratch, and resilient to all forms of cyber-attacks."
Previous and related coverage
Heart patients will have to visit their doctors to have their pacemakers patched for the "voluntary" recall -- but there are risks.
Updated: Opinion: A security expert says the dragons need to start breathing fire to keep patients safe from medical device security flaws.
Can "digital birth certificates" defend medical devices against cyberattacks?