Money or Your Life: Report Predicts Ransomware Affecting Medical Devices in Near Future

Posted 09 October 2014 | By Alexander Gaffney, RAC

European law enforcement authorities are predicting a dark, nefarious future for the cybersecurity of products, including medical devices, which could eventually lead to patients being held hostage from afar.

The prediction, made in Europol's 2014 Internet Organized Crime Threat Assessment (iOCTA), comes amid growing concern about the cybersecurity of devices. In the US, in particular, regulators and researchers have sounded the alarm over the lack of inherent security protections in many devices, saying it's surprisingly easy to hack into life-supporting devices like pacemakers.

The concerns have been enough to lead the US Food and Drug Administration (FDA) to issue recommendations that all Internet-connected devices should undergo threat and vulnerability testing prior to approval or clearance. Those recommendations were finalized in October 2014. The agency has also announced that it will conduct its own threat assessment testing through the use of a new "fuzzing" lab, which will barrage devices with assorted inputs in an attempt to find defects.

Ransomware a Major Threat

But according to Europol, the EU's law enforcement agency, defensive measures will only serve to mitigate—not eliminate—risk.

While the report focuses mostly on traditional cybersecurity threats, one of the more interesting possibilities it raises is a new form of ransomware affecting medical devices. Ransomware has been around for several years (hackers generally commandeer a system, and often encrypt files until the user pays a ransom for the encryption key), but Europol said it envisions a day when "novel variants" of ransomware might also affect medical devices.

Given the potential for device malfunctions to kill patients, this might very well be the digital equivalent of a hostage situation. And since many devices are implanted into a patient, simply swapping out an infected device for a new one isn't quite so easy.

Alternatively, hackers might also seek out medical information from patients and providers, which is often contained in medical devices and medical information systems, the report notes.

"Although the motivation for most data thefts is largely financial gain, the proportion of attacks for the purpose of espionage is steadily increasing," the report observes.

And in an era of increasing connectivity, patients may soon find themselves unwittingly in the firing line of both hackers looking to exploit them for money and those who would do them harm to make a statement.


Europol Report
