Cyberattacks on life-saving medical devices such as heart pacemakers present a very real threat and could come from terrorist groups or even nation states, according to a new World Economic Forum report on cyber risk.

Medjacking – the practice of hacking a medical device with the intent to harm or threaten a patient – has been called a “ticking time bomb” and the threat is considered so real that in 2015, the FBI felt compelled to issue a security alert warning.

The Achilles heel

In 2015, researchers discovered safety flaws in a brand of infusion pump which was used to inject medications directly into the bloodstream of patients.

Deadly vulnerabilities were then found in dozens of devices, including X-ray systems, CT scanners, medical refrigerators and implantable defibrillators.

After the researchers’ discovery, the US Department of Homeland Security and Federal Drug Administration began warning customers not to use the devices due to the vulnerability. The announcement was the first time the government advised healthcare providers to discontinue the use of a medical device.

And authorities have been aware of the problem for much longer, as evidenced by the revelation by former US vice president Dick Cheney that in 2007 he had the wireless function of his heart defibrillator disconnected to protect him from the risk of cyberattack.

A wider issue

The World Economic Forum’s whitepaper on Risk and Resilience: Understanding Systemic Cyber Risk highlights the fact that information is the lifeblood of healthcare.

The healthcare sector acquires, stores and processes a vast amount of critical and sensitive information, such as bank account information, credit card data, social security numbers and health information, such as medical diagnoses, insurance claims and treatments.

Yet the healthcare sector has invested comparatively little in cybersecurity, which has resulted in a lack of best practices to ensure the confidentiality, integrity and availability of critical and sensitive personal and health-related information.

This has applied to medical devices too. Until recently, security was not considered a high priority.

The source of the threat

Attacks on healthcare systems can emanate from anywhere in the world, according to the report. They could come from cybercriminals trying to extort money, or from terrorist groups or even nation states trying to put lives in danger.

The report concludes that while such attacks have not yet publicly materialized, the danger is very real and could include the widespread disruption of network-enabled medical devices like pacemakers or medicine delivery systems such as the pumps used in hospitals around the world.