Patient death from hacked medical devices plausible, says top Kaspersky security researcher

29 March 2018

A leading cyber security analyst at Kaspersky Lab has warned there is a viable danger of hacked medical devices resulting in patient deaths.

David Emm told Digital Health News that, if left vulnerable to cyber attack, invasive devices such as pacemakers and insulin pumps could have deadly consequences for those who use them. Emm is one of the internet security firm’s principal researchers.

A recent report from the Royal Academy of Engineering urged medical device manufacturers and those who use them to make cyber security a thoroughly considered part of the design process.

It warned that – unless designers of digitally-connected medical systems enforced more rigorous risk management procedures – health devices could have “severe consequences” for patient safety, including physical harm to patients themselves.

While there have as yet been no instances of death as a result of medical equipment being hacked, it is a threat that is increasingly being considered in healthcare IT circles.

When asked about the likelihood of such an incident actually occurring, Emm said: “While such headlines are alarming, such a scenario is possible if a device is insecure. There have already been cases of manufacturers alerting people to vulnerabilities. Clearly, it would need to be worth someone’s while to do this.”

But hacking for financial purposes remains a far more plausible motive in Emm’s eyes.

“I think the theft of data sent or received by medical devices, or the threat of interfering with such a device as part of a ransomware attack, are probably more likely – since they are an easier way to monetise an attack of this kind,” he said.

Speaking to Digital Health News in December, Rusty Carter, vice president of product management at Arxan Technologies, warned that the medical community was particularly vulnerable to cyber attacks due to the wide range of largely unprotected entry points it presented to hackers.

However, Dan Lyon, a principal consultant at Synopsys, downplayed the notion of Homeland-style assassination attempts. “Patients should keep in mind that the real risk to them through a hacked pacemaker is low,” he told Digital Health News.

“Pacemaker systems do not rely on the same technologies that we hear about in the news every day, and as a result are not susceptible to attacks like SQL injection.

“To put it in perspective, the risks of things like getting in a car crash are something people accept every day and are much, much more likely. The risks of driving or riding in a car are accepted because of the benefits that using a car provides.”
