The heat is on medical device vendors, healthcare providers, and security firms to tackle the emerging problem of cyberattacks focused on the Internet of Medical Things (IoMT).
Hardly a week goes by when we don’t hear of the latest company to fall victim to hackers, but the ability to compromise medical devices may go far beyond the consequences of standard malware infections and the theft of personally identifiable information (PII).
Attacks against medical devices can occur due to social engineering and network infiltration, as well as vulnerabilities in hardware and software. The most common threats today include ransomware, man-in-the-middle (MiTM) attacks, phishing and, on occasion, physically compromising devices.
Strong networks can create a barrier between attackers and healthcare systems, but medical devices can suffer from the same vulnerabilities, exploits, outdated firmware and security flaws that plague traditional computer systems.
Medical device security hit the spotlight in 2012 when IOActive security researcher Barnaby Jack discovered transmitter security flaws which could be used to deliver lethal shocks to pacemakers. Recently, medical equipment maker St. Jude Medical was forced to patch security holes in the firm’s cardiac devices.
While medical devices may be targeted for the purposes of causing harm to individual patients or blackmail, one of the main reasons appears to be for financial gain.
In March 2016, US hospital chain MedStar’s IT infrastructure was crippled after a successful malware attack, and California’s Hollywood Presbyterian Medical Center paid attackers thousands of dollars after ransomware disrupted critical services in the same year.
Speaking to ZDNet, Jason Allaway, vice president of RES UK & Ireland, said the main threat to hospitals is ransomware due to the “devastating effectiveness” of attacks — and “because the consequence of losing data goes far beyond a financial cost.”
“Unlike data held by other organizations, such as those operating in finance, medical data holds a life or death value,” Allaway says. “Medical organizations can’t even give out the most basic of painkillers if their data is not fully available. […] Unless hospitals have a stringent backup policy, there is little option other than paying a ransom so that staff can continue to provide critical medical care.”
However, Allaway says there is also movement in the rise of doxware. In contrast to ransomware which locks down data, doxware threatens to release it into the wild which can be devastating for hospitals.
The executive believes that one of the main reasons attacks against healthcare providers are successful is a lack of education, with many hospitals simply assuming their staff can recognize a phishing email or malicious link.
A lack of education and vigilance against cyberattacks is an issue, but it is not the only problem.
“There’s also an assumption they won’t be attacked so they bypass proven technology approaches — such as whitelisting, permission-based access, read-only blanketing and revocation of access,” Allaway says.
The question remains: why would cyberattackers want to attack medical targets? You may think that such core and critical services would be immune to these threats, but morals aside — as medical data and PII are so valuable — business is booming.
It may not be worth it for attackers to tinker with individual devices such as pacemakers or insulin pumps, but as Rick Valencia, President of Qualcomm Life, told us, “The same criminal intention vectors apply in IoMT, only with higher stakes.”
“Generally, hacking is done for money, disruption, or to plant seeds (bots) to enable attacks,” Valencia says. “In healthcare, stealing data or controlling medical devices could have even more nefarious intentions.”
“Serious injury, deaths or even at the extreme, assassinations could be carried out if proper security and privacy protections are not in place for life dependent medical devices,” the executive added.
The Internet of Things (IoT), which encompasses devices ranging from your smartphone to smart lighting and modems, first revealed to us what can happen when devices with poor security are suddenly hooked up to the Internet en masse.
These devices, if enslaved, can be a devastating bot tool – such as in the case of the Mirai botnet – and the situation may be made worse with the introduction of connected medical devices.
However, Mike Pittenger, vice president of security strategy at Black Duck Software, believes that the use of medical devices as botnets is not as much of a concern as IoT due simply to scalability.
“Accessing and compromising medical devices is likely to be more difficult and doesn’t provide the sheer number of devices required for an effective DDoS attack,” the executive commented.
While botnet creation may be of little interest to a hacker targeting medical devices, a successful attack can still place patient safety at risk. Careers and reputations may be damaged, and healthcare providers’ brands can also be tarnished.
In addition, vendors and healthcare services hold the risk of liability when PII is compromised by their networks or the devices they connect to patients.
With such an array of potential threats to deal with, healthcare providers and medical device makers have a challenge on their hands. Valencia says that medical-grade solutions and the Internet of Medical Things (IoMT) may require a higher bar of security, but this does not mean that security solutions are flawless.
Qualcomm, for example, views IoMT as similar to the Internet of Things (IoT), with the inclusion of several “key requirements,” according to the executive.
These include protected health information (PHI) and HIPAA regulatory compliance and standards required by the US Food and Drug Administration (FDA) device class ladder.
“In regulated use cases it is not unusual for connected solutions to employ data encryption while that data is handled at rest and in transit — which is not often the case in consumer IoT devices,” Valencia said.
“Data encryption partially addresses privacy concerns — where HIPAA and PHI regulations must be carefully verified — but there remain opportunities for attacks,” the executive noted.
Valencia calls encryption the “the foundation of a robust security program,” and an “absolute necessity” for PHI and medical information. As medical applications and systems become more complex and data is collected, stored, and transmitted from IoMT devices, encryption is an important facet of protecting patient data.
Another topic of discussion is the use of open-source systems and components in medical devices and their systems.
Open-source software is, by definition, released as open and copyright-free code. Many of today’s devices, apps, and popular software packages have at least some elements — whether they be scripts or protocols — which are open-source, which often has the advantage that many developers work on these projects.
The more eyeballs, the better — but without a central authority over open-source components, is this also a risk to medical device security?
One concern, for example, is that the openness of the code could allow threat actors to insert backdoors and malicious processes into such software, or they could exploit weaknesses which remain unaddressed in open-source systems.
However, the security experts speaking to ZDNet on the topic believe that the advantages outweigh the risks.
Qualcomm Life’s executive says that open-source protocols allow public vetting of code, which can help make sure components such as encryption algorithms are up to scratch in protecting patient data.
“Closed-source software is more likely to have weaknesses and vulnerabilities that go unchecked leading to a greater likelihood of exploitation,” Valencia says. “With proper oversight and procedures, open-source can be a valuable tool in healthcare solutions.”
Aaron Higbee, co-founder & CTO at PhishMe, agrees, and also noted that, with the speed at which today’s vendors are bringing new medical devices to market, open-source tools and libraries are key to keeping up the pace.
As many vendors do not have their own in-house security teams able to reverse engineer products and ferret out every vulnerability, Higbee believes “the more sets of eyes you can get on software or a piece of hardware, the more secure it’ll be.”
“The use of open source is not the issue,” Black Duck Software’s Mike Pittenger added. “The issue is ensuring that a medical device manufacturer’s development team is securing and managing the open source they’re using.”
“But if you aren’t aware of what open source components you’re using, or where they are in your application code base, you’re not going to be able to secure those components when vulnerabilities are disclosed,” Pittenger continued.
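As an added illustration of Pittenger’s point (this is not code from the article, from Black Duck, or from any device vendor): a minimal inventory of open-source components, each with its location in the code base, joined against a constructed advisory feed so that a newly disclosed issue can be traced to the affected build. Component names, versions and advisory ids are placeholders.

```python
# Added example: open-source component inventory checked against disclosed
# advisories. All names, versions and advisory ids are constructed placeholders.
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    location: str  # where the component lives in the device code base


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # placeholder id, not a real CVE
    component: str
    fixed_in: str     # first version that is no longer affected


# Constructed inventory for a hypothetical device firmware build.
INVENTORY = [
    Component("tls-lib", "1.0.2", "firmware/net/tls"),
    Component("json-parser", "2.4.0", "firmware/api/json"),
    Component("rtos-kernel", "5.1.7", "firmware/kernel"),
]

# Constructed advisory feed; any version older than fixed_in is affected.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "tls-lib", "1.0.3"),
    Advisory("ADV-PLACEHOLDER-2", "json-parser", "2.3.9"),
    Advisory("ADV-PLACEHOLDER-3", "unused-lib", "0.9.0"),
]


def affected_components(inventory, advisories):
    """Return (component, advisory) pairs where the shipped version predates the fix.
    Without the inventory there is nothing to join the advisory feed against."""
    by_name = {}
    for comp in inventory:
        by_name.setdefault(comp.name, []).append(comp)
    hits = []
    for adv in advisories:
        for comp in by_name.get(adv.component, []):
            if parse_version(comp.version) < parse_version(adv.fixed_in):
                hits.append((comp, adv))
    return hits


if __name__ == "__main__":
    for comp, adv in affected_components(INVENTORY, ADVISORIES):
        print(f"{adv.advisory_id}: {comp.name} {comp.version} at {comp.location}, fixed in {adv.fixed_in}")
```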
When it comes to management and budgets, are hospitals and healthcare vendors investing enough of their time and money? According to Higbee, in the near-20 years he has been working in IT, he has often found that the medical community “spend the least” on such concerns.
The executive says that it may be due to the purchase of equipment and diagnostics which are lumped into an IT spend, and then a portion of that is carved out for security – if anything is left at all.
However, another barrier to strong security is that when this equipment is purchased, support and maintenance contracts become part of the package – and should the devices be tampered with outside of the contract, the warranty becomes null and void.
“So if you’re thinking about a very expensive piece of equipment that operates on an out-of-date version of Windows XP, the hospital does know there’s a problem there but there’s little they can do because they don’t want to void their contract,” Higbee added.
The IoMT industry is still in its infancy, but thankfully, so are threats against these devices. However, if vendors and healthcare providers are going to stay on top of security problems and maintain as much control over patient data as possible, then additional investment, training, and care are not the only things required.
We have learned a lot from the IoT market and smart devices. We should also consider applying the lessons learned from this industry to IoMT, not only to improve medical device security but to keep ourselves as safe as possible in our daily lives.