White-hat hackers joined the white coats in a simulation of a hacked medical device during this year’s RSA Conference in an effort to demonstrate the very real cyber risk faced by healthcare organizations in securing medical devices.
“Our dependence on connected technology is growing much faster than our ability to secure it,” said Josh Corman, chief security officer and founder of cybersecurity firm PTC.
“Nothing’s going to change until someone dies, so we’re going to do what any good, self-respecting hackers would do and we killed people,” said Corman.
“We have to do better to try to make sure these devices are trustworthy,” said Corman. Healthcare organizations are already fighting an uphill battle against cyber risk, he explained, sharing the results of a survey PTC conducted in collaboration with the US Food and Drug Administration.
The study showed that 85 percent of hospitals don’t employ even one cybersecurity professional, a sign of a severe talent shortage. In addition, the systems hospitals are defending frequently run on Windows XP or older.
Additionally, a push by the federal government to shift to electronic medical records “has forced medical systems that were never meant to connect to anything to connect to everything.”
“The blast radius is typically the entire healthcare organization,” Corman said. With 1,000 or more vulnerabilities discovered in the typical medical device, he added, the threat is not just loss of records or a HIPAA violation, but the disruption of critical medical care.