A dangerous new reality – medical device hacking
The medical industry has always been a rich target for cyber-criminals and hackers. Information contained in your medical records is significantly more valuable than typical demographic data like your date of birth or your credit card number.
But as the Internet of Things (IoT) matures and continues to connect more and more everyday objects to cyberspace, a new industry has emerged that promises to both improve healthcare for millions of patients but also introduce new security risks: connected medical devices.
Known as the Internet of Medical Things (IoMT), this fledgling industry raises the stakes for both hackers and patients. After all, anything connected to the internet is a potential target for criminals looking for new industries to exploit. What’s more, security in this young industry seems to be an afterthought as numerous manufacturers race to produce the latest cutting-edge hardware.
The current state of the industry
First, some good news: neither government officials nor security researchers have identified any incidents in which a hacker has hurt a patient through a medical device.
But that doesn’t mean it can’t be done. On August 2nd, 2019 the Veterans Affairs Office of Inspector General found numerous medical device deficiencies at the Tibor Rubin VA Medical Center in Long Beach, California that could have allowed access by hackers.
In addition, the medical device manufacturer Medtronic made news in March of 2019 when it disclosed a security flaw in many of its implantable defibrillators. The flaw could have allowed a hacker to change the settings of a defibrillator, with potentially deadly consequences.
Back in 2017, the U.S. Food and Drug Administration (FDA) recalled hundreds of thousands of pacemakers made by St. Jude because of the severe hacking potential. For instance, someone could remotely drain the batteries or change a patient’s heartbeat, both of which could result in the patient’s death.
In another instance, security researchers found that they could send a wireless signal to nearby patients with insulin pumps and reprogram the pump to deliver the wrong amount of insulin.
Deadly vulnerabilities like these sound like they are straight out of a spy movie. But these issues are very much a firm reality and need to be dealt with sooner rather than later. So, is it all doom and gloom?
The path forward
Healthcare providers often point to device manufacturers as responsible for device-related security. However, a recent survey by the College of Healthcare Information Management Executives (CHIME) showed that 76 percent of providers reported that their resources were “insufficient and too strained to adequately secure medical devices.”
It is clear that the onus to protect patients rests with both medical device manufacturers and healthcare providers.
The government has a role to play as well. The FDA recently announced a memorandum of agreement with the U.S. Department of Homeland Security (DHS) to increase coordination and information sharing about medical device vulnerabilities and threats.
According to the FDA, all medical devices carry a certain amount of benefit and risk. As the U.S. regulatory agency that approves or rejects medical devices from going to market, the FDA only approves devices “when there is a reasonable assurance that the benefits to patients outweigh the risks.”
Because many device security vulnerabilities are discovered after FDA approval, the FDA’s mandatory reporting requirements are essential. Healthcare providers and device manufacturers need to report vulnerabilities in a timely manner.
Perhaps the biggest sea change is an increase in awareness. At this year’s DefCon hacking conference in Las Vegas, healthcare security researchers are setting up a fake hospital filled with hackable medical devices. Called the BioHacking Village, space is a 2,600-square-foot “clinic” complete with hospital rooms and dozens of medical gadgets.
Alarmingly, until very recently it was illegal for security researchers to hack into medical devices to test for vulnerabilities. Medical devices secured a Digital Millennium Copyright Act (DMCA) exemption in 2016, allowing researchers to hack the devices as long as they were not connected to a patient at the time of testing.
Without this exemption, Biohacking Village couldn’t exist.
Furthermore, there is no single industry standard for the security of medical devices, or their parent industry, the Internet of Things. However, basic industry standards for the secure development of software has been around for decades. Because of this, it shouldn’t be a heavy lift to develop common practices that medical device manufacturers must adhere to, especially if patient safety is at risk.
Nonprofit organizations are working the issue as well. The Cavalry is a grassroots organization that is focused on industries where computer security intersects public safety and human life. In the interest of medical device safety, they have developed a Hippocratic Oath for Connected Medical Devices.
Part of this oath includes cyber-safety by design, third-party collaboration and resilience, and containment as principles of good medical device security.
Medical device security is everyone’s responsibility
Ultimately, the goal is improved patient outcomes. And connected medical devices provide an incredible opportunity for not only remote patient monitoring, but remote treatment as well. The capability to treat patients remotely by qualified caregivers is a huge advance in medical technology that shouldn’t be underestimated.
But with every cutting-edge technology advancement, there are risks and challenges that must be overcome. Increased public awareness, device design with security in mind, a single industry standard, government oversight, and knowledgeable healthcare providers are all essential to protect patients in our increasingly connected world.
