Did you know? It is established that 1 out of every 4 medical devices is now connected. If we are to go to the hospital today, you would encounter at least 10 medical devices during your visit. Because of this increased connectedness of medical devices, hackers are starting to target medical devices and could Protected Health information (PHI) or even worse, hurt a patient by disabling or corrupting the functioning of these devices.
Some vulnerable medical devices
- Magnetic Resonance Imaging (MRI)
- Picture Archiving and Communication System (PACS)
- Implantable Cardioverter-Defibrillator (ICD)
- Drug Infusion Pumps
- Identification and Antibiotic Susceptibility Testing devices
As the medical device industry is transforming, implantable devices are often dependent on software to save countless lives. But how secure are they? As the examples below show, security researchers have been uncovering security flaws in medical devices for quite a few years now.
- Medical device hacks– The average hospital room can contain as many as 15-20 connected medical devices on average
- Ransomware– One-quarter of SamSam ransomware attacks targeted healthcare organizations in 2018
Hacked medical devices could wreak havoc on health systems
As this 2018 article states, “Take for example a pacemaker. When doctors replaced then-vice president Dick Cheney’s pacemaker in 2007, they asked the manufacturer to disable the device’s wi-fi hoping to keep would-be hackers out. Though it appears that no one has hacked into a pacemaker in order to hurt the person in which it resides, it’s not out of the realm of possibility, and it’s something healthcare digital security executives are working to prevent.”
In general, there are easier ways to hurt people than through the medical device. If the attackers aren’t trying to hurt you through your medical device, why are they attacking medical devices? What seems like every week we hear about some new cybersecurity breach that affects individuals and targets those affected?
Today, on the black market your credit card number is worth only about 2$ whereas your electronic health record is worth anywhere from 10-20$. Why the big difference?
If you were to notice a fraud in your credit card today, you could have the card closed and have a new card in hand in a matter of days. It’s really not that bigger inconvenience. But your electronic health record not only has your credit card number, it includes your address, your employer and insurance information. So, with that kind of information the hacker could not just use the credit card number but also open new credit cards in your name, could potentially take a bank loan or get high price narcotics from your medical insurance. How do you protect against that? How do you change your name, address or your employer? Well, you can’t and that’s what makes that information so much more valuable.
Naturally, when the application is released, hackers will bash away at it with every possible corrupted form of the protocol to create an error in the application. By pushing at the entry points of the application or by fuzzing the communication protocols, they may find a way to trip up the application and create a buffer overflow, the most frequently leveraged design error.
As this article informs us, Barnaby Jack, the director of Embedded Device Security for computer security at IOActive, developed software that allowed him to remotely send an electric shock to anyone wearing a pacemaker within a 50-foot radius. He also came up with a system that scans for any insulin pumps that connect wirelessly within 300 feet, allows you to hack into them without needing to know the identification numbers and then sets them to dish out more or less insulin than necessary, sending patients into hypoglycemic shock or ketoacidosis.
What needs to be done?
The health care industry has lagged behind other industries in protecting its main stakeholder (i.e. patients), and now hospitals must invest considerable capital and effort in protecting their systems. This is easier said than done because hospitals are extraordinarily technology-saturated, complex organizations with high-end point complexity, internal politics, and regulatory pressures.
Though security and safety issues in the medical domain take many different forms there are some recommended security standards to address the risks in networked devices:
- Medical device manufacturers must emphasise on device security at the initial stage, then as an afterthought to avoid unnecessary costs and last-minute shortcuts that developers take to push in some form of the security factor.
- Use strong passwords to protect all external connection points.
- Develop on-time patch management, update IT security policies and vulnerability assessments.
- Increase awareness among all stakeholders including physicians, CMIOs (Chief Medical Information Officers) and clinical engineering teams about current and potential medical device vulnerabilities.
- Protect infrastructure from threats like malware and hacking attacks with a reliable security solution.
- Take a backup of critical information at regular intervals and keep a copy of it offline.
IT, risk and compliance staff in hospitals and clinics should anticipate future medical device security risks and address them along with the existing risks to provide patient safety and protected health information.
Secure Design and Usability
Cybersecurity is not simply a feature we can add to the system, its actually an emergent property of a well-designed system. Moreover, it is extremely important that manufacturers and companies dealing with medical devices begin to implement security strategies right from the inception of a device up to its commercialisation. Building cybersecurity into devices from the start helps reduce risks and the cost of security compliance.
What if you have passed design time so that you have a physical device, be there a prototype device or medical device already out in the field?
To do this there are Ethical Hackers who study hacking, practice hacking and hack stuff. Their job is to test the defences, tell the medical product manufacturers what type of attacks they tried and what worked. They offer advice on how to make it better and will do it all in safe circumstances. Having an ethical hacker attack a device is a great way to help design medical devices worthy of our trust.
Consider an example of an inhaler system. This inhaler system has a Bluetooth connection to the patient’s smart phone. The patient can monitor how many doses they have remaining in their inhaler and that Bluetooth connection is a threat to the device. An attacker could try to manipulate or steel information from you through that Bluetooth connection.Now though we do have a need to send data out over Bluetooth, we don’t really have a need to take any data back. Here the ethical hackers make a conscious decision at design time to simply not accept any incoming data over Bluetooth and made ourselves resilient to any known Bluetooth attacks and any future ones robust to the known or unexpected.
New paradigms are evolving cybersecurity regulations
There is no doubt that health care will increasingly be digitized in the future. The risk of computer viruses in hospitals and clinics is one side effect of this trend. Without suitable countermeasures, more data breaches and even malicious attacks threatening the lives of patients may result.
FDA (Food and Drug Administration), the main regulatory body in the US responsible for the healthcare industry began evaluating medical device connectivity issues and ultimately established cybersecurity as a requirement for product approval, offering industry little more than a “tap on the shoulder” reminder.
In October 2014, the FDA released industry guidance: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, followed in January 2016 by Postmarket. The FDA’s premarket guidance identifies issues manufacturers should consider in the design and development of their medical device to address cybersecurity vulnerabilities. Its post-market guidance outlines a risk-based framework that manufacturers should use to ensure they respond to new cybersecurity threats once a device is in use. Most security experts agree that the new guidance is indeed a step in the right direction to boost cybersecurity in medical devices.
In May 2017, the FDA hosted a workshop to examine opportunities to “do something,” with the goal of engaging with new and ongoing research, catalysing collaboration among stakeholders, and identifying challenges to strengthening medical device cybersecurity. Those in attendance—including federal agencies, academia, medical device manufacturers, and other organizations—agreed that a thorough cybersecurity management policy is critical for healthcare organizations and medical device manufacturers.
To sum up, there is a significant opportunity for the medical device industry to come together and lead to the standards necessary to strengthen device security.
- Healthcare data has become a choice target for criminals and breaches are on the rise
- Cyber threats to data are coming from a variety of sources
- PHI (Protected Health Information) has increased in value on the black market
Now let’s not have an impression that connected medical devices are all ‘Doom and gloom’. The truth is connected medical devices allow us to provide a better quality of patient care.
For example, think of a diabetic child who is able to go to her very first sleep-over because she now has a connected insulin pump that allows her parents to remotely monitor her glucose levels and deliver insulin if she needs it. Connected medical devices like pacemakers can allow someone who may have lived a very dependent life to now leads an independent one. This connected pacemaker can now potentially call for help if that patient becomes unresponsive.
The benefit of connected medical devices are always from the risks and the ethical hackers are working really hard to make sure that the connected medical devices out there are worthy of our trust. No one product can claim to be hack-proof, but successful and responsible companies assess, mitigate, and constantly monitor the ever-present threats to critical assets.
For further reading
- Top 6 hackable medical devices https://ci.security/news/article/top-6-hackable-medical-iot-devices
- General reading on Healthcare Cybersecurity https://healthitsecurity.com/topic/healthcare-cyber-security
- FDAs cybersecurity site https://www.fda.gov/medical-devices/digital-health/cybersecurity
For more blogs click here