Protecting Medical Devices from Cyberharm | Stephanie Domas | TEDxColumbus
Summary
TLDR: In this talk, ethical hacker Stephanie discusses the increasing connectivity of medical devices and the associated cybersecurity risks. She clarifies that while hacking medical devices isn't a common threat to the average person, the real danger lies in data breaches and accidental cyber harm. Stephanie emphasizes the importance of designing cybersecurity into medical devices from the ground up and shares how ethical hacking can help ensure the safety and reliability of these life-critical technologies.
Takeaways
- 🔗 Medical devices are becoming increasingly connected, including to hospital networks, smartphones, and the internet.
- ⚠️ One in four medical devices is now connected, and patients may encounter up to 10 connected devices during a hospital visit.
- 🛡️ While the idea of hackers harming people through devices like pacemakers is scary, such attacks are generally not remote or scalable, meaning they're not common or easy to perform.
- 💳 Hackers are targeting medical devices not to harm patients but to access valuable personal data, such as electronic health records, which are more valuable than credit card information on the black market.
- 🏥 67% of data breaches in the U.S. last year were in healthcare, with medical records being used for identity theft, fraud, or illicit drug procurement.
- 💻 Cyber harm is not always intentional; accidents can happen. For example, antivirus software interrupted a heart procedure by making a medical device unresponsive.
- 📱 Simple actions, like a nurse charging her phone through a USB port on an anesthesia machine, can cause devices to malfunction unexpectedly, highlighting the importance of robust design.
- 🤖 Ethical hackers help test and improve the security of medical devices by attempting to hack them in a controlled environment, ensuring they're safe from real-world attacks.
- 🔒 Designing security features into medical devices from the start, such as rejecting unnecessary Bluetooth connections, can make them more resilient to current and future threats.
- 🌍 Despite the risks, connected medical devices provide significant benefits, including remote patient monitoring, better care coordination, and the ability for patients to lead more independent lives.
Q & A
Why are medical devices becoming more vulnerable to cyberattacks?
- Medical devices are becoming more vulnerable because they are increasingly connected to other devices, hospital networks, smartphones, and the internet. This connectivity opens new opportunities for cyberattacks.
What type of cyberattacks do hackers prefer when targeting medical devices?
- Hackers prefer remote and scalable attacks. Remote attacks allow them to operate from a distance, and scalable attacks enable them to target multiple devices or people simultaneously, making them more efficient.
Why aren't hackers primarily interested in harming people directly through their medical devices?
- While it’s possible to harm someone via a medical device, such attacks are not common because they are not easily remote or scalable. It typically requires close physical proximity and specialized equipment, which makes other methods of attack more attractive to hackers.
Why are electronic health records more valuable than credit card information on the black market?
- Electronic health records are more valuable because they contain much more sensitive information than credit cards, including social security numbers, addresses, and insurance details. This data can be used for identity theft, taking out loans, or obtaining medical drugs, making it difficult for victims to fully protect themselves.
What is an example of accidental cyber harm in medical devices?
- An example of accidental cyber harm occurred when an antivirus program on a medical device started running during a heart procedure, causing the device to become unresponsive. The software locked up data that the device needed to function, illustrating how unintended consequences can cause harm.
How do ethical hackers help improve the security of medical devices?
- Ethical hackers test medical devices by attempting to hack into them in approved circumstances. They find vulnerabilities, suggest improvements, and ensure the devices are robust against potential attacks. This testing happens in controlled environments to avoid harm.
What steps can be taken during the design phase of medical devices to improve security?
- During the design phase, developers can make conscious decisions that minimize risks. For example, in one case, designers chose not to allow incoming data over Bluetooth to prevent potential attacks. Designing security features from the start makes systems more resilient to both known and future threats.
What are the risks of connecting smartphones or other personal devices to medical equipment?
- Connecting personal devices to medical equipment can disrupt its function. In one case, a nurse plugged her phone into a USB port on an anesthesia machine, causing the machine to shut down. Even though the shutdown was unintentional, it highlights how unexpected interactions can lead to dangerous situations.
Why did former Vice President Dick Cheney have the wireless feature of his pacemaker disabled?
- Dick Cheney had the wireless connectivity of his pacemaker disabled because, for someone in his position, it was considered a realistic security threat. Although such attacks are unlikely for the average person, high-profile individuals may be at higher risk.
What benefits do connected medical devices offer despite the security risks?
- Connected medical devices provide numerous benefits, such as enabling remote surgeries, offering real-time patient monitoring, and improving the quality of care. For instance, devices like pacemakers or insulin pumps allow patients to live more independently while ensuring their caregivers can monitor and respond to health issues promptly.
Outlines
🔗 The Connectivity of Medical Devices
The paragraph discusses the increasing connectivity of medical devices, which are now more frequently linked to each other, hospital networks, patient smartphones, and the internet. It highlights that one in four medical devices is estimated to be connected, and during a hospital visit, a patient might encounter up to 10 such devices. This connectivity makes them a target for hackers, although the speaker clarifies that while hacking medical devices is a concern, it's not the most common way hackers might harm individuals. Instead, they often target medical devices for the valuable personal information they contain, which can be used for identity theft and fraud. The speaker also introduces the concept of 'accidental cyber harm,' where software or systems unintentionally cause harm, such as an antivirus causing a medical device to malfunction during a procedure.
🛠️ Ethical Hacking for Medical Device Security
In this paragraph, the speaker introduces herself as an ethical hacker working to enhance the security of medical devices. She explains that ethical hackers are individuals who study and practice hacking to test and improve system defenses, but only in authorized situations. The speaker's role is to collaborate with medical device manufacturers to ensure that devices are designed with security in mind from the outset. She gives an example of a Bluetooth-enabled inhaler system that was designed to resist attacks by not accepting incoming data over Bluetooth. The speaker also discusses the importance of testing existing devices through ethical hacking to identify vulnerabilities and improve security. She emphasizes that while connected medical devices carry risks, they also offer significant benefits, such as improved patient care and real-time monitoring, and that ethical hackers are dedicated to ensuring these devices are trustworthy.
👏 Conclusion and Acknowledgment
This is a concluding part of the script where the speaker receives applause from the audience. It signifies the end of her presentation on the importance of cybersecurity in medical devices and the role of ethical hackers in ensuring their safety and reliability.
Keywords
💡Connected Medical Devices
💡Hackers
💡Cyber Security Breach
💡Electronic Health Record (EHR)
💡Remote and Scalable Attacks
💡Ethical Hacker
💡Cyber Harm
💡Robust System
💡Bluetooth Connection
💡Cyber Security Testing
💡Benefit vs Risks
Highlights
Medical devices are increasingly connected to hospital networks, smartphones, and the internet.
It is estimated that one in four medical devices is now connected, with the average hospital visit involving 10 connected devices.
Hackers are beginning to target medical devices due to their connectivity, although direct physical attacks are not common.
Remote and scalable attacks are more appealing to hackers than targeting individual devices like pacemakers.
Former Vice President Dick Cheney had the wireless connectivity of his pacemaker disabled due to concerns over remote hacking.
Healthcare data is a prime target for hackers because electronic health records are significantly more valuable on the black market than credit card information.
67% of identity records breached in the United States last year were from healthcare, highlighting the vulnerability of medical data.
Cybersecurity breaches in healthcare can lead to identity theft, bank loans taken out in someone’s name, or fraudulent use of medical insurance.
Accidental cyber harm can occur, as demonstrated by an antivirus program causing a medical device to become unresponsive during a heart procedure.
Medical devices can malfunction due to unexpected actions, such as when a nurse plugged her phone into an anesthesia machine's USB port, causing the machine to shut down.
Ethical hackers, like the speaker, work to test the security of medical devices to identify and fix vulnerabilities before they can be exploited.
Cybersecurity should be built into medical devices from the design stage, making systems resilient to unknown and unexpected threats.
An inhaler system’s Bluetooth connectivity was limited to sending data out, not receiving it, to mitigate potential cyber threats.
Medical devices that already exist can be tested by ethical hackers to discover vulnerabilities and suggest improvements.
Connected medical devices offer significant benefits, such as enabling specialists to assist remotely in surgeries and monitoring patients in real time during recovery.
A connected pacemaker or insulin pump can provide critical independence for patients by monitoring health and allowing remote intervention.
Despite the risks, the speaker believes the benefits of connected medical devices far outweigh the potential threats.
Transcripts
[Music]
hi medical devices are becoming more and
more
connected they're more connected to each
other they're more connected to the
hospital's networks they're more
connected to patients smartphones and
they're more connected to the internet
it's it's estimated that one out of
every four medical devices is now
connected if you were to go to the
hospital today it's estimated that you
would encounter 10 medical devices
during your
visit it's because of this increased
connectedness of medical devices that
hackers are starting to target medical
devices now when I say hackers are
targeting medical devices everyone
always immediately jumps to the
assumption that hackers are trying to
hurt you through your medical
devices so while I won't say it's not
possible it actually is what I will say
is in general there are easier ways to
hurt people than through their medical
device so take for example a pacemaker
this is something that people often
think of when they're thinking of a
medical device harming
someone if I wanted to change the
configuration or the codes on your
pacemaker I would have to stand right
next to you I would have to hold
specialized electronic equipment up to
your chest for several minutes
that's really not the type of thing you
can do to someone without them noticing
and it's it's not what we call a a
remote or scalable attack so it's not
remote in the sense that an attacker
can't do it from the comfort of their
couch and it's not scalable because they
can't use it to simultaneously hurt
numerous people so attackers generally
want remote and scalable attacks so for
your average person this isn't a threat
you need to worry about but that being
said former Vice President Dick Cheney
did have the wireless connectivity to
his pacemaker disabled because for him
it was potentially a realistic
threat so if attackers aren't trying to
hurt you through your medical device why
are they attacking medical
devices well it seems like every week we
hear about some new cyber security
breach that affects individuals we all
heard about Target the DMV and I'm sure
there's a number of you in this room
that those
affected but what you may not know is
that last year 67% of the identity
records breached in the United States
happened in
healthcare today on the black market
your credit card number is worth only
about
$2 where your electronic health record
is worth anywhere from 10 to 20 so why
the big difference well if you were to
notice a fraudulent charge on your
credit card today you could have the
charge reversed the card closed and a
new card in your hand in a matter of
days it's really not that big of an
inconvenience
but your electronic health record that
has not only your credit card number but
your address your social security number
your employer and your insurance
information so with that kind of
information I could use the credit card
number but I could also open new credit
cards in your name I could potentially
take out a bank loan I could get
high-price narcotics on your medical
insurance so how do you protect against
that how do you change your name your
address your
employer well you can't and that's what
makes that information so much more
valuable so we've talked about hackers
going after medical devices but there's
actually another category of cyber harm
that we see more commonly and it's
accidental cyber harm a lot of cyber
security is just making a system robust
to the unknown or the unexpected malice
is not always a prerequisite for harm so
take for example something that happened
earlier this year there was a medical
device that's used in a heart procedure
that became unresponsive and unusable
mid heart
procedure now later after investigation
it was found that what happened was the
antivirus software running on this
system started to run mid heart
procedure and in doing so it locked up
access to data that the medical device
needed in order to operate so the device
became
unresponsive but think about that
antivirus software's sole purpose for
existence is to stop malicious things
from happening on a system so while that
that antivirus was trying to stop
something malicious from happening it
accidentally did something malicious no
malice intended now in this particular
case the doctors were able to get the
device back up and running while the
patient was still sedated and finish the
surgery but it's so easy to imagine how
this could have gone so much
worse or another example that happened
last year a nurse plugged her cell phone
into one of the USB ports on the front
of an anesthesia machine trying to
charge her phone when she did that the
anesthesia machine shut
down now I know you're thinking why
would you plug your cell phone into an
anesthesia machine we probably shouldn't
do that and while I agree with you we've
all been in those situations where our
cell phone is about to die we either
need to make a call or we're expecting
one and you're looking around
desperately trying to find somewhere to
plug into
charge now that that nurse there was
there was no malice there she was simply
looking for somewhere to plug in her
phone and in that case the anesthesia
machine was not in use so nobody was
harmed but again malice is not a
prerequisite for harm that system was
not robust to the unknown or the
unexpected so who am I and why am I here
talking to you about this well my name's
Stephanie I'm an ethical hacker and I'm
here to help so what is an ethical
hacker well ethical hackers are people
who study hacking we practice hacking
and then yes we hack stuff um but only
to test the defenses of that system and
only in approved
circumstances but what am I specifically
doing well my job is to work with
medical product manufacturers to help
them design medical devices worthy of
our trust the best way to make a system
secure is to design it in from the
beginning
cyber security is not simply a feature
we can add to a system It's actually an
emergent property of a well-designed
system a lot of cyber security recall is
making things robust to the unknown or
the
unexpected so take for example an
inhaler system I've been working on this
inhaler system has a Bluetooth
connection to the patient's smartphone
so the patient can monitor how many
doses they have remaining in their
inhaler now that Bluetooth connection is
a threat to that device an attacker
could try to manipulate or steal
information from you through that
Bluetooth
connection so at design time we said
well we do have a need to send data out
over Bluetooth but we don't really have
a need to take any data back so we made
the conscious decision at design time to
simply not accept any incoming data over
Bluetooth by doing that we made
ourselves resilient to any known
Bluetooth attacks and any future ones
robust to the unknown or the
unexpected but what if you're past design
time so you have a physical device it's
either prototype device or a medical
device that's already out in the field
well then that's when we try to hack it
we're going to try to hack into it see
how can we get into it once we're into
it what can we change what can I access
what can I manipulate having an ethical
hacker attack your device is a great way
to test its defenses they're going to
tell you what type of attacks they tried
what worked they'll offer you advice on
how to make it better and they'll do it
all under safe circumstances when it's
not hooked up to a patient and it's not
hooked up to the hospital network so
take take for example that anesthesia
machine I talked about earlier that
couldn't handle a cell phone connection
that's the type of thing that could have
come up in cyber security testing and
then we would have made conscious
decisions of what to do so maybe we
would have decided there's really no
need for us to accept cell phone
connections and if we saw one we'd
simply reject the connection or maybe we
would have decided to gracefully handle
it but we would have handled it in a
manner that was
safe now I don't want to leave you with
the impression that connected medical
devices are all doom and gloom the truth
is connected medical devices allow us to
provide a better quality of patient care
if I were to suddenly have a need for
unique surgery a surgical specialist
halfway across the world could either
assist in the procedure or perform it
when I'm in the hospital recovering the
connected medical devices that are
monitoring me are able to allow my
caregivers to see a real-time picture of
how I'm doing so if something starts to
go wrong in my recovery they know right
away when I'm out of the hospital my
electronic health record can help look
for potential drug interactions for
prescriptions I may fill at different
pharmacies connected medical devices
like pacemakers allow someone who may
have lived a very dependent life to now
live an independent one that connected
pacemaker can now potentially call for
help if that patient becomes
unresponsive think of a diabetic child
who's able to go to her very first
sleepover because she now has a
connected insulin pump that allows her
parents to remotely monitor her glucose
levels and deliver insulin if she needs
it I feel confident in saying that the
benefit of connected medical devices
outweighs the risks and myself and other
ethical hackers are working really hard
to make sure that the connected medical
devices out there are worthy of our
trust thank you
[Applause]