Synopsys Questions Cyber Safety Of Medical Devices

The safety of equipment used by the medical profession has been called into question, after a fresh study revealed some alarming developments.

The ‘Medical Device Security: An Industry Under Attack and Unprepared to Defend’ research from Synopsys found that while most medical device manufacturers and healthcare delivery organisations (HDOs) expect an attack on medical devices in the next 12 months, they are doing little to prevent it.

The Synopsys report mirrors a warning from 2015 by two white hat researchers, who said that commonly used medical equipment was vulnerable to online hackers. Those researchers found that devices such as MRI machines, infusion systems, and pacemakers were vulnerable to attack.

Medical Risks

The Synopsys study, however, was conducted by the Ponemon Institute, and it reveals a worrying degree of complacency within the medical community.

Its research found that 67 percent of medical device manufacturers and 56 percent of HDOs believe an attack on a medical device built or in use by their organisation is likely to occur over the next 12 months.

To make matters worse, only nine percent of manufacturers and five percent of HDOs say they test medical devices at least once a year. And unbelievably, 53 percent of HDOs and 43 percent of manufacturers do not test devices at all.

It seems that only 51 percent of device makers and 44 percent of HDOs follow current FDA guidance to mitigate or reduce inherent security risks in medical devices.

The study surveyed approximately 550 individuals from manufacturers and HDOs, whose roles involve the security of medical devices, including implantable devices, radiation equipment, diagnostic and monitoring equipment, robots, as well as networking equipment designed specifically for medical devices and mobile medical apps.

“The security of medical devices is truly a life or death issue for both device manufacturers and healthcare delivery organisations,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

“According to the findings of the research, attacks on devices are likely and can put patients at risk,” he said. “Consequently, it is urgent that the medical device industry makes the security of its devices a high priority.”

Vulnerability Reasons

For its part, the medical community (80 percent) believes that it is very difficult to secure medical equipment.

And it seems that the reasons why medical devices remain vulnerable include accidental coding errors, lack of knowledge/training on secure coding practices, and pressure on development teams to meet product deadlines.

“These findings underscore the cybersecurity gaps that the healthcare industry desperately needs to address to safeguard the well-being of patients in an increasingly connected and software-driven world,” said Mike Ahmadi, global director of critical systems security for Synopsys’ Software Integrity Group.

“As we saw with the past two studies on the Building Security in Maturity Model (BSIMM), the healthcare industry continues to struggle when it comes to software security,” said Ahmadi. “The industry needs to undergo a fundamental shift, building security into the software development lifecycle and across the software supply chain to ensure medical devices are not only safe, but also secure.”

This is not the first time that there have been warnings about the threat to medical equipment from hackers.

In 2012, researchers from McAfee showed that they could take control of insulin pumps implanted inside diabetes patients.

Scientists at the University of Massachusetts also showed that they could use radio attacks to turn off defibrillators inside heart patients.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
