On 12 May 2017, the National Health Service (NHS) of the United Kingdom suffered one of the greatest cyber-attacks in its history. WannaCry affected up to 70,000 devices, including MRI scanners and other medical equipment. Because these systems were inoperable, the NHS had to turn away non-critical emergencies.
This attack was an inflection point: it showed how vulnerable, and how critical, medical equipment is.
But WannaCry has not been the only incident related to the cybersecurity of medical devices and facilities. Back in 2011, Barnaby Jack demonstrated the first real attack on insulin pumps, https://www.cso.com.au/article/404909/lethal_medical_device_hack_taken_next_level/. He could control the device and the doses it administered.
Now, in 2019, a new vulnerability has been disclosed affecting implantable cardiac defibrillators, https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01. The vulnerability had already been discovered in 2016 by KU Leuven, the University of Birmingham and University Hospital Gasthuisberg, https://dl.acm.org/citation.cfm?id=2991094, but, following responsible disclosure, the full information was only made public in 2019.
As with the insulin pumps in 2011, these medical devices use proprietary wireless protocols with no authentication. Even though the protocol is proprietary, an attacker can reverse-engineer it and attack the device: security by obscurity does not provide security.
One might think the solution is to disable all wireless communication in some medical devices, as Dick Cheney, former Vice-President of the United States, did in 2013, https://edition.cnn.com/2013/10/20/us/dick-cheney-gupta-interview/index.html
But wireless protocols are necessary for these devices: they let doctors adjust treatments and collect telemetry data without performing surgery.
This shows that cybersecurity has a critical role in the production of medical devices. One solution presented by the discoverers of the vulnerability is a key agreement protocol in place of the insecure proprietary communication protocol. Secure wireless communication is possible, but it has to be built into the design and manufacture of medical devices.
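To make the difference between an obscure protocol and an authenticated one concrete, here is an added illustration (not code from the ProTego project or from the cited paper): the programmer and the implant agree on a session key with ephemeral Diffie-Hellman and then authenticate every command with an HMAC and a counter, so a party that knows the message format but not the key cannot inject or replay commands. The group constant is assumed to be the RFC 3526 group 14 prime (verify against the RFC), and the pairing step that binds the public values to the real programmer, which plain DH does not provide, is out of scope here.

```python
import hashlib, hmac, secrets

# Diffie-Hellman group: 2048-bit MODP prime from RFC 3526 (group 14), generator 2.
# Assumption: the constant below is transcribed from the RFC; check it before any real use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def hkdf_sha256(secret: bytes, info: bytes) -> bytes:
    """Minimal HKDF (RFC 5869) extract-then-expand; one block yields a 32-byte key."""
    prk = hmac.new(b"\x00" * 32, secret, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

class Party:
    """One endpoint of the session: the clinician's programmer or the implant."""
    def __init__(self):
        self.priv = secrets.randbelow(P - 3) + 2      # ephemeral DH secret, never sent
        self.pub = pow(G, self.priv, P)               # the only value sent over the air
        self.key = None
        self.last_counter = 0                         # replay window (implant side)

    def derive_key(self, peer_pub: int) -> None:
        if not 2 <= peer_pub <= P - 2:                # reject degenerate public values
            raise ValueError("bad public value")
        shared = pow(peer_pub, self.priv, P).to_bytes(256, "big")
        self.key = hkdf_sha256(shared, b"implant-session-v1")

    def send(self, counter: int, command: bytes) -> bytes:
        """Programmer side: frame = counter(4) || command || HMAC-SHA256 tag(32)."""
        body = counter.to_bytes(4, "big") + command
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

    def receive(self, frame: bytes):
        """Implant side: accept only frames with a valid tag and a fresh counter."""
        body, tag = frame[:-32], frame[-32:]
        if not hmac.compare_digest(hmac.new(self.key, body, hashlib.sha256).digest(), tag):
            return None                               # forged or tampered: drop it
        counter = int.from_bytes(body[:4], "big")
        if counter <= self.last_counter:
            return None                               # replayed: drop it
        self.last_counter = counter
        return body[4:]                               # authenticated command
```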
All these issues and incidents prove that cybersecurity is needed. To support this, the ProTego project is working on a toolkit for healthcare organizations to better assess and reduce cybersecurity risks.
This blog post was written for the ProTego project by Carlos Cilleruelo Rodríguez.