The Difficulty of Gauging Health Care Cybersecurity Risk
In 2016, the cybersecurity division of the U.S. Department of Homeland Security released a warning that a class of medical devices had a whopping 1,418 vulnerabilities. Admittedly, the devices in question were end-of-life versions of BD Pyxis SupplyStation health care inventory management system. But this extreme example points to the type of collision course that can occur when complex software and connectivity drive core medical device functionality. DHS reasoned that an adversary of low skill could successfully attack the aging Pyxis devices. And over the past decade, security researchers have proven dozens of medical devices, from pacemakers to infusion pumps, are at risk of a cyberattack. Austrian cybersecurity researcher Tobias Zillner, for instance, revealed that a St. Jude Medical pacemaker model produced until 2017 could be hacked using a 2000-era cell phone and the device could be incapacitated within three hours by draining the battery via a cyberattack. A firmware update was later made available to harden that device…