Could Cybercriminals Target Medical Devices Next?

Next year hackers may begin extorting victims in an entirely new, and potentially dangerous, way.

According to a new report from Forrester Research, the health care industry’s ongoing struggle with protecting sensitive data may open the door to even more cybercriminals taking advantage of the vulnerability.

“When it comes to preparedness, they’re woefully behind, and that, to me, is the most concerning thing,” Forrester analyst Stephanie Balaouras told NBC News.

“They’ve done it begrudgingly, and they’ve done it as something that they need to comply with at the lowest possible cost, as opposed to something they really embrace,” she said.

In its “Predictions 2016: Cybersecurity Swings To Prevention” report, Forrester said that in the coming year hackers will shift to releasing ransomware for a medical device or wearable as a new way to get ahold of valuable medical data.

According to the report, medical-related information tends to sell for higher prices on the black market compared to payment data or identity information, making it highly sought after by cybercriminals.

“When you think of a medical record, it encompasses a lot of the same personally identifiable information that a cybercriminal might gain from breaching a retailer,” Balaouras explained. “But now, they also have more extensive medical information about you.”

Typically, ransomware is deployed onto devices like phones or computers to essentially hold the device hostage until a victim pays up. Recently, bitcoin has taken on a new role as the currency of the modern-day criminal heist, in which attackers demand a ransom from vulnerable consumers.

The idea that these same extortion tactics could be used on medical devices is not only concerning but also potentially life-threatening.

“It’s definitely feasible from a technical standpoint,” medical device security researcher Billy Rios told Vice’s Motherboard late last week. “Given the urgency associated with these devices, I could see it as something that could happen next year. All that would be required from an attacker standpoint is small modifications to the malware to make it work.”