Report warns of cyberattacks against medical devices to extort money

Medical device cybersecurity concerns were aroused when a baddie in the show Homeland hacked into the vice president's pacemaker and initiated a fatal heart attack. Now, a report by Europol's European Cybercrime Centre warns of the real rise of similar "ransomware" attacks, although financial gain, not murder, would be the goal.

Ransomware involves disabling an electronic device until a fee or other reward is paid to enable it once again. The ransomware program CryptoWall has infected more than 600,000 computers this year and enriched its creators to the tune of $3 million, PC World reported in August.

The report warns of a "rise in the number of people and organizations hit by this type of attack but also novel variants emerging such as ransomware-affected intelligent devices such as found in transport or even medical devices."

No wonder GE Healthcare ($GE) has started engineering against the "malicious use" of its devices, in addition to privacy and patient safety concerns, according to Steve Abrahamson, the director of product security engineering and privacy at GE Healthcare, who spoke about medical device cybersecurity at the annual AdvaMed conference.

And the FDA said last year it is developing a cybersecurity laboratory to test devices' safety against hackers. The laboratory will deploy so-called fuzz testing to probe devices for software bugs and vulnerability to cyberattacks. Other FDA regulatory actions taken include partnerships with other agencies and non-governmental organizations and the recent finalization of a draft guidance on cybersecurity; there is also an FDA meeting on cybersecurity scheduled for Oct. 21.

The cybersecurity panelists at the AdvaMed conference stressed the unique challenges posed by medical devices when it comes to cyber security. The stakes are high. After all, a ransomware attack on a device could prove fatal if the reward is not paid out. At the same time, a patient on the operating room table cannot afford to wait 5 minutes while a doctor struggles to remember a password.

In other words, physician and patient usability is key when it comes to medical device cybersecurity. The panelists predicted differentiation between traditional cybersecurity specialists in IT and those with knowledge of healthcare and medical devices.
