For medical devices, protecting against hacking software could save lives

LAS VEGAS, Nv. — Medical devices like pacemakers and insulin pumps keep people alive, so they must be secure.

That’s why security researchers at the hacker conference DEF CON in Las Vegas told Channel 2 understanding how they work and what potential flaw exist is key.

Ted Harrington is an executive partner with Independent Security Evaluators in Baltimore.  He helped organize IOT Hacking Village—an area of DEF CON set up for researchers to dig into connected devices of all kinds.

“If an attacker was to compromise a connected medical device that is doing something to a patient, such as administering a drug or manipulating your heartbeat, that could have a really serious outcome for patient,” Harrington explained. “[It could] harm or potentially in extreme cases cause fatality to that patient.”

Ken Munro and his team from Pen Test Partners in Bletchley, England said the best place to start looking at any connected device isn’t always the Wi-Fi or Bluetooth.

"The most interesting place is starting with a screwdriver," Munro said. "Take it apart, see how it works, see how the chips operate and see if you can grab the firmware from it. Now that's the software that runs on the chips and once you've got that, you know everything."

If vulnerabilities are found, researchers present the findings to the companies that make the device, which allows them to apply a fix. Munro said collaboration at events like DEF CON is invaluable.

"Getting together and sharing information is just the best, no one can know everything," said Munro said "We're very happy to share with people."

While events like the medical ransomware attack earlier this year are scary, Harrington believes good can come from them.

"The aftermath that follows something like that and is currently happening in health care right now is a good thing where organizations now have some talking points for the security lead," Harrington said.