Healthcare information security

The Most Vulnerable and Hackable Medical Devices

Beth Osborne
August 29, 2018 by
Beth Osborne

 

The Internet of Things (IoT) adds convenience and capabilities in both personal and professional applications. Smart device usage in the medical field is growing by leaps and bounds: in fact, over 161 million smart devices will be installed by 2020. The demand for these IoT devices is obvious. But what about security concerns?

Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

While these tools can improve patient care, it's imperative to understand any security concerns as well as the benefits.

Standalone Equipment Becomes Part of the Network

Most pieces of equipment that are now smart were once standalone and independent. Now they are part of the network. The IV dispensing medicine and the sensors monitoring vital signs are no longer segregated; they communicate with other devices to exchange data and automate actions.

An integrated network has many benefits for healthcare. It helps care be more responsive, with automated features performing special tasks like adjusting the flow of medication from the IV. It is clearly improving care, but without proper security, the risks can outweigh the rewards.

Medical Device IoT Threats

Without proper security, smart medical devices are easily breachable. To a hacker, they only need one weak device to penetrate a network. The threat is real: McAfee Labs' Threat Report reveals a 210 percent increase in disclosed security incidents related to healthcare.

This surge means that hackers are finding programs on the network that are vulnerable. In fact, there are some specific areas identified by many in the community to be the most vulnerable, including those running Windows as well as cloud-connected and Bluetooth-enabled devices.

The Most Vulnerable Medical Smart Devices

While there are inherent risks with any device on a network, some smart devices are even more vulnerable. Let's look at some of those that would be a prime target for cyber criminals.

Applications Running Windows

Windows, as an operating system, doesn't have many fans among experts. One of the biggest issues is the "blue screen" that Windows can default to during issues. However, Windows is pervasive and can be found running a variety of equipment from CT scanners to infusion pumps.

An example of the Windows weakness was the WannaCry ransomware attack. This attack paralyzed many hospitals, including the UK's NHS hospital system. What was the culprit? The incident was linked to a Windows vulnerability. If a medical device is Windows-powered, more vigorous strategies need to be in place, including applying security patches as soon as they are released.

Cloud-Connected Devices

The capabilities that cloud-connected device provide have enabled better communication for medical teams. That's because these devices can actively send data to the cloud, which pushes notifications to clinicians. These "phone home" data sends are integral to better patient care but expand the risk. Any single device creates new targets for malicious hackers.

Included in this category are implantable devices, such as pacemakers and ICDs. This adds yet another layer or concern. These implanted devices send valuable information to the cloud. But as shown by the vulnerabilities reported for the St. Jude Merlin at-home devices, just about anything with a connection is hackable.

Another example is infusion pumps which deliver different IV medicines or nutrients to patients. These have Ethernet ports to monitor and administer the dosage. Research also revealed that these devices were vulnerable. If hacked, it would be possible to deliver a fatal dose of a drug to a patient.

Obviously, the medical community shouldn't just shut down smart device usage. It's a big part of the future of healthcare. This pressure is back on the device manufacturers to create secure by design products. This will increase costs and time to market, but it's not really not a negotiable subject. Healthcare organizations aren't going to purchase equipment they think is not secure.

Bluetooth Devices

When medical devices communicate with other devices, it's often Bluetooth Low Energy (BLE) that enables it. BLE is a wireless communication protocol which allows this interaction to happen between equipment within a few feet from one another.

In addition to these devices, most smartphones are Bluetooth-enabled. Many healthcare organizations have BYOD (Bring Your Own Device) policies so that medical workers can communicate (however, it's not secure or compliant without using a secure app!).

An example of a Bluetooth device is a vital sign monitor, which could help clinicians better understand meaningful changes both while in the hospital and after discharge at home. The BLE version 4.0 even has specific fields for this type of device.

Blood glucose management for those with diabetes is another use case. Patients could easily monitor their levels via smartphone. Most of these monitors do have smartphone apps, allowing for data logging and alerts.

The important thing for security is that BLE is configurable for encryption so as to deter any hacking activity. A hacking attempt would, however, require that the person was near the device. It doesn't mean it can't happen though and software and hardware players in this space need to address existing vulnerabilities.

Steps to Better Smart Device Security

For healthcare to leverage the advantages of smart devices, security concerns must be addressed. If breaches occur because of a network that wasn't robust, it's going to be viewed as an avoidable incident. To thwart any type of breach and hack, be proactive with these best practices.

  1. Seek devices that are secure by design, meaning the development life cycle is secure and reverse-engineering protection has been tested.
  2. Establish if devices are tamper-proof. Often smart medical devices are not configured properly. Some have unencrypted code, which is a target hackers are seeking. Without both encryption and authentication to these devices, risk remains
  3. Concentrate on encryption of all sensitive data, especially personal health information (PHI). With PHI, you must be vigilant in efforts to keep it safe as well as in compliance with HIPAA. While this seems to be a no-brainer, the level of incidents because of this continue to occur
  4. Institute more security measures after initial configuration by the manufacturer. You should be able to update and adjust security settings throughout the life of the product.

Conclusion

Smart medical devices are revolutionizing patient care and filling important needs. They also have the opportunity to reduce direct costs of treatment. The data these machines collect can also be used to study certain diseases or situations, further improving care.

With so much opportunity for good, security protocols shouldn't be ignored. They should be top-of-mind for any healthcare organization using these devices. This means your IT staff needs to have the proper training and skill sets to handle these new entrants into the network.

Sources

Estimated healthcare IoT device installations worldwide from 2015 to 2020, Statista

Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

McAfee Researchers Find Poor Security Exposes Medical Data to Cybercriminals, McAfee Labs

Beth Osborne
Beth Osborne