This month’s cybersecurity for health IT round-up covers the security risk of “brainjacking” ie brain implant hacking, the need for firmware updates after the Food and Drug Administration found potential cybersecurity vulnerabilities associated with St. Jude Medical’s cardiac pacemakers and the reveal of SC Magazine’s 20 Women of Influence in cybersecurity in the UK.

Brainjacking, does it exist?

The security of implanted medical devices is paramount to patient care.

According to a group of researchers, neurosurgeons, and doctors of philosophy from Oxford Functional Neurosurgery, implants have the potential of being switched off or made to function in undesired ways by hackers, leading to tissue damage, increased pain, altered impulse control, unwanted mental conditioning.

“The current risk of brainjacking (brain implant hacking) is low,” the group has noted, but “it is better to consider this issue seriously now, rather than in a several years’ time when the sophistication of these implants is far greater, as would be the harm that an attacker may cause by subverting them.”

The issue of brain implant hacking is explored in the group’s recently published paper. According to the website helpnetsecurity.com, they address a number of attack scenarios that might be pulled off even now, but added that there is no evidence that any of them has ever been attempted.

“Wireless exploitation of implants is also likely to be subtle – device failures are a somewhat common eventuality and post-failure device diagnostics are rarely performed. Even if an attack were detected, tracking down the attacker would be a highly challenging task,” they noted.

Firmware update to address cybersecurity vulnerabilities in implantable cardiac pacemakers

The Food and Drug Administration (FDA) has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s radio frequency enabled implantable cardiac pacemakers. It has confirmed that these vulnerabilities, if exploited, could allow an unauthorised user (someone other than the patient’s physician) to access a patient’s device using commercially available equipment.

“This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing”, the FDA stated.

The devices identified by the FDA are: Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure.

The FDA confirmed this communication does not apply to any implantable cardiac defibrillators (ICDs) or to cardiac resynchronization ICDs (CRT-Ds).

Patients using one of these several types of implantable radio frequency-enabled pacemakers have been advised to visit their healthcare provider to receive a firmware update that fixes several cybersecurity issues.

“Firmware” is a specific type of software embedded in the hardware of a medical device (e.g. a component in the pacemaker).

“To address these cybersecurity vulnerabilities and improve patient safety, St. Jude Medical has developed and validated this firmware update as a corrective action (recall) for all of their RF-enabled pacemaker devices, including cardiac resynchronization pacemakers”, the DFA stated.

“The FDA has approved St. Jude Medical’s firmware update to ensure that it addresses these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm.”

Latest on “accidental hero” of the Wannacry attack

Marcus Hutchins, or as he refers to himself as, the “accidental hero” of the global Wannacry attack seems to be making the most of his “stay” in the US.

The 23-year-old recently pleaded not guilty to creating and selling Kronos malware designed to steal people’s online banking details. It was in relation to the WannaCry ransomware attack that crippled the NHS and many other companies around the world.

He was released on bail, facing six counts of hacking-related charges dating to 2014 and 2015 – charges that could result in a 40-year prison sentence.

According to his twitter, “Malwaretech”, Hutchins seems to be enjoying the sunshine and time with friends.

According to The Guardian, since his arrest, members of the cybersecurity community have rallied behind him. He is a popular member of the community known as a skilled and curious researcher who spent his teenage years writing software as a hobby and running a tech blog.

His current employer, the Los Angeles-based Kryptos Logic, hired him a year ago after being impressed by his approach to finding, reverse-engineering and analysing malicious software.

The Guardian reported that when he was given a $10,000 reward by HackerOne for his role in stopping WannaCry, he donated it to charity. Friends have set up a crowdfunding campaign to raise money for legal fees.

UK’s 20 Women of Influence in cyber-security revealed

SC Magazine UK together with cybersecurity writer Kate O Flaherty, have come up with a list of 20 women of influence in cybersecurity in the UK, as part of their efforts to promote female cybersecurity role models. They stated having found an abundance of talent to choose from.  

“There are indeed many old friends of SC among the selection and others we would like to have included, but each of those included in our final shortlist deserves their place to be honoured for their achievements.   This isn’t an award, there is no prize, just – we hope – a bit of kudus for having their success recognised and applauded by the industry.” – as stated on the magazine’s website.

SC Women of Influence in UK Cybersecurity 2017 include; Caroline Rivett – KPMG global cybersecurity lead for life sciences, Jane Frankland – CISO advisor, speaker, author, Nicola Whiting – chief operating officer at Titania, Angela Sasse – head of information security research at University College London (UCL) and director of the GCHQ/EPSRC-funded national research institute for the Science of Cyber Security, Elizabeth Denham – UK information commissioner, Carmina Lees – vice president, security, UK and Ireland at IBM and Ruth Davis- head of cybersecurity strategy, BT Security.

Click here for the full list.

Government should foot the ransom bill in cyberattacks, report reveals

Top10VPN.com reveals statistics that nearly half of the UK population believe the government should pay the ransom if the NHS is hacked.

Computer Business Research (CBR) reported that those under the age of 25 were most in favour of the government taking financial responsibility in the event of the NHS being locked down by ransomware, with 75% answering in agreement – while 33% of over 55 year olds agreed that the government should foot the bill.

Overall, 48% of the entire UK population are in favour of the government being responsible in this scenario.

Simon Migliano, head of research at Top10VPN.com told CBR that: “Brits are clearly concerned that the NHS remains in the crosshairs of cyber-criminals… These fears will likely be compounded by the fact that this vital public service was reeling from severe underfunding even before WannaCry struck to demonstrate the need for major investment in cybersecurity measures.”

“With the necessary funds unlikely to be made available in the near future, it’s little wonder so many people expect the Government to pay a ransom, given how many of us rely on the NHS in our daily lives.”