Jalal Bouhdada, Founder and Principal ICS Security Consultant for Applied Risk
It is perhaps no surprise that a new attack group, dubbed Orangeworm, has been discovered targeting the healthcare industry. There have been repeated warnings that healthcare systems are easy pickings for cybercriminals, and although there has been an understandable desire within the industry to press ahead and unlock the benefits of IoT technology, a lack of consideration regarding the security ramifications of this has begun to concern many.
While innovation in the healthcare industry is having a great impact on the quality of life for many people, what if the opposite is also true? While in the case of Orangeworm it seems the attackers were only looking to learn about the inner workings of a system, could this often life-saving medical equipment be turned against us?
There has been much speculation over potential scenarios in which devices such as insulin pumps are hijacked and held to ransom; or terrorists attack connected pacemakers en masse. Sadly, this is no longer the stuff of fiction, as made clear by the FDA’s recent warnings regarding exploitable flaws in connected cardiac pacemakers. Medical device manufacturers must come to terms with the idea that the security of the healthcare equipment itself is also a life and death issue.
Medical device manufacturers must now begin adhering to best practice security advice. New data privacy laws and strict FDA requirements mean the responsibility is now with the developers to ensure the protection of networks and systems, or they will face the consequences. To help meet these obligations, the security industry and medical device manufacturers must develop a closer relationship, ensuring that new devices are developed with security defences baked in. The ethos of “secure by design” must become entrenched within all product developers.