Hackers can make your pacemaker or your insulin pump kill you
The recent WannaCry attack has proved that cyber-security is not just about keeping data safe. It is about keeping patients safe. The WannaCry virus led to one of the most devastating cyber attacks on the UK National Health Service to date.
This is often missing from discussions about cyber-security. The investigation by the National Audit Office revealed that the NHS was much harder hit than at first thought, with more than one in three NHS trusts affected, 19,000 appointments cancelled and almost 600 GP practices disrupted.
It was not the first time the NHS has succumbed to an attack – and it will not be the last. Hundreds of operations and outpatient appointments were cancelled across Lincolnshire in 2016 after the local NHS trust fell victim to a virus.
Freedom of Information requests to NHS trusts in 2015-16 revealed that as many as half were hit by ransomware in the preceding year. And this week hackers targeted the London Bridge Plastic Surgery clinic and its celebrity client list and threatened to release photos of the procedures undertaken.
Healthcare is one of the most targeted sectors globally by cyber-criminals for two simple reasons: it is a rich source of data and a soft target. Medical records are worth more than credit card details on the dark web because they contain personal identifying details that can be used to open bank accounts, obtain loans or acquire a passport. A credit card can be replaced but a birth date cannot be reset. In 2015, criminals stole 80m records from Anthem, a US health insurance company, with a market value estimated at $1 billion.
So far, attacks on healthcare have been principally for financial gain. But we have to face the prospect that they could, intentionally or otherwise, cause direct, physical harm – say by altering blood groups or test results.
One well-known US hacker called Barnaby Jack has demonstrated how an insulin pump could be hacked remotely to deliver a lethal dose of the hormone. As wireless and implantable devices become more widespread – from Fitbits to deep brain stimulators – the risk is bound to grow.