Thus far, we've focused on manufacturing and retail, but another huge area for IoT attacks is the health care vertical. In the same way that operations and facility departments are not in the habit of having light bulbs and door locks approved by IT, their hospital counterparts are not used to getting standard medical systems, such as X-ray and ultrasound machines, approved by IT, either.
"Those are under the control of the clinicians, not IT," says Tomás Byrnes, CEO at ThreatSTOP, referring to medical clients including a a hospital that was found to have their MRI and CT scanning machines sending images to China and a whitehat who spends much of his time hacking into heart pumps and pacemakers.
For example, an ultrasound machine will email the generated image to the doctor who authorized the test. "These devices are connected to your network and usually they can't be patched," Byrnes says.
Complicating things further in the health care area is that the U.S. Food and Drug Administration (FDA) has to approve specific configurations of these medical devices. In short, they can't easily be tweaked, even for security, without government approval on the off chance that a security change might have an adverse impact on its diagnostic capabilities or might risk more harm to patients. "The FDA approves a particular configuration," Byrnes says.
But not only big, networked devices are at risk in the medical field. In 2013, former Vice President Dick Cheney told CBS's 60 Minutes that he was aware of the danger of his pacemaker being hacked. Cheney says he was concerned about an assassination attempt via his pacemaker, so in 2007 he had his doctors disable the wireless connection to the device. Years later, the TV show Homeland used a hacked pacemaker as a plot device for an episode on terrorism.
