Heart Hacking

When I read this story at the Trib:

The Homeland Security Department warned Tuesday about an unusual cybersecurity flaw for one manufacturer’s implantable heart devices that it said could allow hackers to remotely take control of a person’s defibrillator or pacemaker.

Information on the security flaw, identified by researchers at MedSec Holdings in reports months ago, was only formally made public after the manufacturer, St. Jude Medical, made a software repair available Monday. MedSec is a cybersecurity research company that focuses on the health-care industry.

it reinforced my belief that cyber-attacks should be taken much more seriously than they are and that equipment vendors should have strict liability.

Imagine this scenario. You’re sitting at your desk or at home, minding your own business, and you get a phone call. “Give us $10,000 or we’ll give you a fatal heart attack” (or $100,000 or whatever). In this scenario the equipment manufacturer’s security flaw made the exploit possible but you probably can’t show malicious intent or negligence. And they’ve probably got a disclaimer in their warranty.

Businesses just don’t have enough incentives to ensure that their products are secure. That’s not limited to medical equipment manufacturers. It’s true of all equipment manufacturers (which is why I distrust the Internet of Things), banks, even the federal government.

4 comments
  • michael reynolds

    I suspect this is not the hacking on people’s minds today.

  • Gray Shambler

    Just help raise the price of pacemakers through the roof.

  • Andy

    So it’s a “heart a-hack?”

    Sorry, couldn’t resist. I do share your skepticism of the “internet of things.” Security is abysmal and a lot of these devices aren’t designed to be patchable.

  • Or brick if there’s a hiccup.
