Healthcare – Breaching a medical training mannequin raises new cyber security concerns

Cyber attacks against healthcare systems are likely to increase and students investigated the feasibility of breaching a medical training mannequin.

Let me start with the scene from a popular TV series titled Homeland, it is a pacemaker hack.

Security experts are warning the medical industry about the hacking of any medical equipment implanted in the human body such as pacemaker and insulin pump.

Do you believe that this his a work for skilled hackers? It could be if the device is properly designed, anyway a group of students at the University of South Alabama demonstrated the contrary by hacking iStan, one of the most sophisticated wireless patient simulator on the market.

The group of undergraduate students at the university recently spent a few hours in the attempt to hack iStan, and they succeeded. Be aware, the students are not skilled hackers and had been taking a cybersecurity class for a semester.

This research conducted by the group examined the feasibility of breaching a production-deployed medical training mannequin, the findings demonstrate that it is possible to breach a medical training mannequin in a live environment.

The group of students published a detailed paper with the intent to inform medical industry on possible consequences of such kind of cyber attacks.

iStan has an internal robotics that mimics human cardiovascular, respiratory, and neurological systems, it costs about $100,000.

“The simulator had a pacemaker so we could speed the heart rate up, we could slow it down. If it had a defibrillator, which most do, we could have shocked it repeatedly. If it was the intent, we could definitely cause harm to the patient,” Mike Jacobs, director of the simulations program at University of South Alabama, told to Motherboard. “It’s not just a pacemaker, we could do it with an insulin pump, a number of things that would cause life-threatening injuries or death.”

The group was able to gain access to various systems in iStan which resulted vulnerable to various attacks, including denial of service attacks and brute force attacks.

“We did this because we were wanting to beef up security on our end and put some safeguards in place. It may not be totally possible to prevent hackers, but, knowing these can easily be hacked increases your awareness of vulnerabilities,” he said. “It’s definitely concerning—if there’s a high profile individual with a medical issue, it certainly makes them vulnerable.”

Another element of concerns for medical equipment is represented by the data traffic, the group of students is now investigating it is possible to tamper it in a way to create serious problems to the medical devices.

Modern medicine heavy depends on the technology, this means that medical staff must be prepared to deal with cyber attacks and hackers.

“The increasingly aggressive pervasive integration of technology into medical arenas creates new frontiers for malicious attacks with potentially serious, long-run cyber physical consequences. A recent Federal Bureau of Investigation (FBI) Cyber Division public notification states that “the health care industry is not technically prepared to combat against cyber criminals’ basic cyber intrusion tactics” (Federal Bureau of Investigation 2014). ” states the paper.

Last yeast the FBI observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII).

“These actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data,” stated the FBI in a document obtained by Reuters agency.

Intrusions and data breach are likely to increase against healthcare systems but unfortunately the majority of medical devices still lack of security by design and medical staff is not trained to detect and respond to cyber attacks.

According to the U.S. Food and Drug Administration (FDA), there are currently no specific patient injuries or deaths associated with cyber attacks on medical equipment, but let me add that it could be question of time.

Pierluigi Paganini

(Security Affairs – iStan, healthcare)