This conversation happened in San Francisco during RSA Conference 2018, and to be more specific it was recorded in the SandBoxes. If you hear some background noise, it is because people got really, really excited there!
Have you heard about BEHAVIORAL E-MANIPULATION yet?
Well, you are about to learn about it.
Ted Harrington, Executive Partner at Independent Security Evaluators (ISE), and Dr. Kostas Triantafillou, who is an Orthopedic Traumatology Surgeon, found the time to sit down with us and discuss their RSA talk: BEHAVIORAL E-MANIPULATION: ATTACKING VIA CARE DELIVERY WORKFLOWS
Or in other words:
What can happen when you pair technical exploits and social engineering.
How exploits on medical devices can manipulate physicians’ behavior.
How attackers can leverage care workflows to deliver payload.
Phrase it as you like, but the result doesn’t change, and it’s not pretty.
So, let’s say you hack a defibrillator that when it’s used, it delivers a very high voltage shock and kills someone. That is a straightforward attack. Now let’s say that instead, you manipulate data of a passive device, which is what health professionals like Dr Kostas interacts with hundreds of time a day, as do nurses and other care providers.
A passive device is one that is not directly administering a treatment, but instead is used to interpret a patient’s current state.
Imaging Tools - Patient Monitors - Medication Monitors Communication - EMR and so on.
So when you pair technical exploits and social engineering, you manipulate the data and you manipulate the physician’s behavior.
The result is a formula that can trigger a decision that is harmful for the patient. So you see, this is not just attacking people or products, but attacking and manipulating a process. Of course this can be applied to the Aeronautic industry as well as many other industries and scenarios. It is a potentially deadly kind of attack which could be defined as MACHINE-driven SOCIAL engineering and these techniques are extremely dangerous as they can go undetected until the worst happens.
The medical profession is a tough one: years and years of hard studying and training which focuses on recognizing patterns and make split-second, life-or-death decisions. There is no time to question that information and it would be negligent not to act on that information, whether they think it’s true or false. Cybersecurity is not their job.
Do you want to hear this conversation?