Cybersecurity Threats: Hackers Target Medical Devices Like Pacemakers

Cybersecurity vulnerabilities in medical technology pose significant risks, as demonstrated by a Swiss hospital’s assessment revealing easy breaches in infusion pumps. These flaws can lead to life-threatening scenarios, yet manufacturers often downplay the seriousness. The healthcare sector’s lack of cybersecurity awareness, regulatory hurdles, and the growing threat of ransomware highlight the urgent need for action. Experts stress the importance of educating patients and raising awareness to address the potential dangers associated with connected medical devices.

Cybersecurity Risks in Medical Technology

What initially appeared to be a standard assignment for the Zurich-based cybersecurity firm Scip turned into a significant revelation. Tasked by a Swiss hospital, the company was to evaluate the security of twenty medical devices against potential digital intrusions. However, Marc Ruef, the head of research at Scip, soon realized that this would lead to three years of relentless efforts and legal discussions to address a critical security vulnerability.

The findings from their assessments were deeply concerning: Scip’s team discovered they could easily breach the programming codes of infusion pumps that dispense pain medication to patients. Ruef warned, “An attacker could administer a fatal overdose to bedridden patients within moments. Additionally, we could manipulate monitoring systems to display misleading vital signs, effectively concealing any foul play.”

Awareness and Accountability in Healthcare

Hospitals typically rely on hundreds of infusion pumps and monitoring devices, which are considered standard medical tools. After identifying the security flaws, Scip promptly notified the manufacturer to rectify the vulnerabilities. Unfortunately, the German company responded defensively, threatening legal action against Scip if they pursued the issue further. Ruef noted, “It’s disheartening to see companies downplay the severity of security risks.”

According to Ruef, the medical technology sector suffers from a lack of cybersecurity awareness. “Often, engineers—rather than computer scientists—develop these devices, and they usually lack the expertise to comprehend hacker threats,” he explained. Furthermore, regulatory hurdles complicate matters: once a medical product is approved, it cannot be modified. Unlike consumer electronics, which receive frequent updates, any change to a medical device requires a new approval process.

This oversight leaves pacemakers, infusion pumps, and wearable devices open to cyberattacks, Ruef asserts. Unlike traditional surgical implants like artificial hips, these devices are connected to networks. If a pacemaker is compromised, it could be rendered inoperative, potentially leading to fatal consequences. As more implants and prosthetics become smarter and capable of transmitting body data, the risks grow.

Despite these warnings, the industry reaction has been underwhelming. Medtronic, a leading manufacturer, declined an interview but assured in writing that they are committed to safeguarding their medical devices against external threats. “Patient safety is our priority, and we design our products to withstand cybersecurity challenges throughout their lifecycle,” they stated. Yet, many professionals in the medical field, including cardiologist David Duncker, remain skeptical about the actual risks, with Duncker dismissing the threat of cyberattacks as virtually nonexistent.

Ruef frequently encounters the misconception that no one would target medical devices. He believes this perception is misguided. Digital expert Johannes Rundfeldt, representing the independent expert group AG Kritis, identifies potential motives for attacks on medical devices, including targeted strikes against prominent individuals. He cautions, “It’s unwise to claim that hacker attacks on medical technology don’t happen. The evidence is often obscured, especially if a patient with a pacemaker dies from a cardiac incident.”

Extortion and data theft are also significant threats. A 2023 study by the European Cyber Agency Enisa highlighted that the healthcare sector has become a prime target for cybercriminals. Hospitals and health organizations frequently face ransomware attacks, where hackers encrypt sensitive data and demand hefty ransoms for its release. Often, victims remain silent to mitigate damage to their reputations, particularly if their defenses were inadequate. Surveys indicate that nine out of ten organizations opt to pay the ransom to restore operations.

The attack on the Evangelical Johannesstift clinics in Berlin in October 2024 serves as a stark reminder of these vulnerabilities. Staff reported a regression to outdated processes, resorting to paper documentation as electronic health records became inaccessible. Even patients’ electronic health cards were temporarily unreadable. Rundfeldt notes that until recently, cybercriminals avoided the healthcare sector due to moral taboos, but that has since changed.

Devices like insulin pumps and pacemakers pose significant risks as cybercriminals see opportunities for exploitation. These mass-produced devices can endanger lives if disabled and could lead to extortion attempts against manufacturers. In the United States, there is heightened awareness of these risks, particularly after IT specialists demonstrated the ability to hack into Abbott Laboratories’ pacemakers, originally developed by St. Jude Medical. The FDA swiftly intervened, offering security updates to hundreds of thousands of patients to prevent potential exploitation.

Research conducted by the German Federal Office for Information Security revealed numerous vulnerabilities across various medical devices, including easily cracked access codes on insulin pumps, which could allow an attacker to administer dangerous doses. Despite these alarming findings, awareness of digital vulnerabilities remains low. Rundfeldt recounted an experience during his hospital stay where he was able to manipulate a pain pump’s settings using its factory code, demonstrating the ease with which security can be compromised.

Stefan Schulz from the University of Trier emphasizes that, despite knowing about these digital vulnerabilities for years, insufficient action has been taken. He calls for heightened awareness and targeted education for patients in 2024, underlining the need for individuals to understand that their lives and well-being are at risk due to these vulnerabilities.
