I read two articles recently that gave me pause. First, the Washington Post summarized a recently released Verizon report detailing the increase in breaches, and the poor prognosis for following years. The only silver lining in the article was the admonition that data sharing and monitoring are keys to recognizing breaches early…nice to know MiddleGate is on the right track according to others as well.
Then Business Insider published an article explaining the results of a medical equipment security audit done at a Midwest hospital system. This article described in detail the types of hacks possible on implantable, or networked medical equipment. One paragraph in particular caught my eye:
“Though targeted attacks would be difficult to pull off in most cases they examined, since hackers would need to have additional knowledge about the systems and the patients hooked up to them, Erven says random attacks causing collateral damage would be fairly easy to pull off.”
Unfortunately, I disagree with this statement as targeted attacks are possible if you have specific information on your target (i.e. a stolen medical record). Pretend for a moment that you are a member of your family receives the following email:
“Hello. You don’t know me, but I feel as if I know everything about you. I have a copy of your medical records here, and it has been an interesting read. I especially liked the part about you having gotten a “SuperTech Pacemaker IV” last Fall…great choice considering that near-death scare you had with an AV heart block. Of course, I also think it was a great choice because it so happens that I can hack your pacemaker from all the way over here in Europe…small world huh?! Now, don’t panic…I don’t want to hack your pacemaker…that would ruin your day. However, I do want you to wire $5,000 to the account below to keep me from being tempted (sometimes I have a bad day and lash out.
Is it really that unlikely that people who have stolen your medical records won’t be tempted to at least blackmail you, even if they don’t have the capacity to hack your implanted medical devices? Is it really that unlikely that a few pacemakers won’t be hacked and shut off to kill a person and make this type of blackmail more credible?