Medical Devices and Security Issues
When cyber attacks are discussed and evaluated, a common underlying assumption is that the fallout of such an attack will be limited to the digital space. With recent attacks against government actors, this assumption has become somewhat shaky. However, a separate field of technology exemplifies the real-world risks of cyber attacks even more strongly: life-critical medical devices.
Insulin pump maker Animas Corporation - a Johnson & Johnson company - released a rare warning to its customers today informing them of a vulnerability discovered in one of its automated insulin pumps by security research company Rapid7. The vulnerability would allow an attacker in the vicinity of a victim to repeatedly have the pump inject insulin into the victim’s bloodstream - something that is potentially lethal.
Reflare’s analysis of the information released by Rapid7 assesses that an attack on the pumps would be trivial for an attacker with a basic understanding of radio transmission and adequate equipment.
This by itself is not surprising. Severe flaws have been discovered in medical devices many times before. The technological know-how required to build hardware in the health sector and the know-how required for securing complex systems have very little overlap. What is new is the immediate acknowledgement and investigation announced by the device’s manufacturer.
Part of this is due to a changing mindset. The public has a better understanding of information security than ever before. This in turn gives vendors less and less leeway in the public eye to deal with security issues. While a death caused by an insecure insulin pump would have been blamed solely on the hacker just a few years ago, in today’s climate the device vendor would likely be the target of a large chunk of the fallout.
Conversely, vendors have also gained a better understanding of security. With public pressure intensifying and more information available to the average executive, the idea that insecure devices have to be fixed and that the cost of such fixes is part of the cost of doing business has gained traction. At the same time, the channels through which researchers can responsibly disclose vulnerability information to vendors have increased in number and reliability.
In the long run, this is good news. The openness of vendors such as Animas to acknowledge and address security issues in medical devices will improve the overall security of said devices and deserves to be commended. In the short run, the greater amount of information available to less-skilled attackers may lead to a number of high-profile cases of fatal cyber attacks with an unknown political outcome.