Hacking of “vulnerable” wearables and health devices could be fatal, warns report

Health technology such as pacemakers and wearable health monitors linked to the internet could be vulnerable to cyber attacks, which could have “severe consequences” for patient safety, according to the Royal Academy of Engineering.

A report titled Cyber safety and resilience: strengthening the digital systems that support the modern economy found that wearable devices, which are often provided as a health benefit to employees, could pose a risk to the health of their users if targeted by hackers.

They could also provide a gateway for hackers to introduce ransomware into computer networks used by healthcare professionals, it said.

Devices such as pacemakers and artificial hearts that have cybernetic elements could even be lethal to users if hacked, warned Evgeny Chereshnev, CEO at wearable tech security firm Biolink.Tech.

Chereshnev said: “The same goes for wireless insulin pumps that automatically inject insulin into people’s bodies. A hacker can break into these pumps and give a lethal dose of insulin, thus killing that person yet avoiding punishment as there is currently no such law as ‘kill via internet’.

“Any bionic implant, under-skin sensor or automated robot is a potential death trap when hacked. Cyber security is not something that is treated as a ‘by design’ obligation, but it must be.”

Dan Lyons, principal consultant at software firm Synopsis, said manufacturers of health devices were often slow to react to new cyber security threats because of long product development cycles. “The healthcare industry has to solve this problem at the system-of-systems level, as well as for individual products like MRI machines and patient monitors.”

Amir Abramovitch, security researcher at cyber security firm Cy-OT, noted that the technology is open to security threats from simple issues such as poor security of Wi-Fi passwords, to more serious problems including a hacker changing the dosage of a drug or making the device stop functioning altogether.

He said: “This poses a threat, not only to corporate businesses, but to human life.

“The good news is that there are possible mitigations for these attacks, and they are quite easy to implement. The problem is that the companies making these devices do not understand the security implications of their poor design.”