Though quick to capitalize on connected health devices and the coming Internet of Medical Things, hardware manufacturers may be moving too slowly when it comes to building the necessary protections into the back end.
The National Security Agency last month told participants in a defense technology summit in Washington that it was looking into hacking connected medical devices.
The agency’s interest is confined to researching the possibility of hacking IoMT devices, for now, and the fruit of its labor may be just another “tool in the toolbox,” according to NSA Deputy Director Richard Ledgett.
However, if the NSA is looking into hacking such devices, consumers can be sure that the black hats are on it too.
Where There’s a Web, There’s a Way
The cost of connected health programs will challenge the cultivation of the IoMT, as will the user experience and user interfaces, observed Scott Sellers, CEO of Azul Systems. Underneath it all lies a threat to the security of consumers’ most intimate data.
IoMT challenges “include slow or uneven regulatory responses to changes in approach, mostly focusing around data security and, in some markets, reliability of communications,” Sellers told TechNewsWorld, “especially when traveling, or if patients are in rural areas with less robust network infrastructures.”
In theory, any Internet-connected device can be hacked, said Brian Wassom, leader of Honigman’s social, mobile and emerging media industry group.
Cybersecurity attacks thus far have focused on large networks — systems that have plenty of access points, are rich with high-value data, and are built on computer languages common enough to invite exploitation, he pointed out.
“None of these conditions were met when connected medical devices were in the experimental stage,” Wassom told TechNewsWorld.
Carriage and Horse
The Federal Trade Commission last year kicked off the conversation about getting out in front of the security and privacy issues that are sure to proliferate as the number of IoT and connected medical devices piles up in coming years.
The Food and Drug Association for the past three years has been issuing guidance on improving the safety and security standards of connected medical devices, noted Stu Bradley, vice president of cybersecurity at SAS.
“The proliferation of IoMT technology, and the healthcare industry’s enthusiasm to adopt it, has put the veritable cart before the horse in terms of security,” he told TechNewsWorld.
Manufacturers will need to embed more robust security solutions into IoMT devices, meaning they must proactively address security concerns instead of retroactively responding, Bradley said.
“This poses a real challenge for manufacturers whose core competency has historically been device, not software, development,” he added.
Manufacturers of connected devices generally have focused on building systems to deliver “the needed functionality of a device as cheaply and precisely as possible,” noted Matt Gross, director of the SAS health care and life sciences global practice.
“Manufacturers, in turn, use the cheapest underlying platforms — usually open source — to keep costs down and accelerate time to market,” he told TechNewsWorld. “That leaves these devices quite vulnerable to compromise.”
Roughly 70 percent of IoT devices were vulnerable to cyberattacks as of two years ago, Honigman’s Wassom noted, citing an HP study.
Weaknesses in admin tools, paltry means for updating firmware, and a lack of transport encryption were among the 250 vulnerabilities researchers found.
Bad habits die hard — and the practice of using basic passcodes carried over to IoT devices, the study revealed. About 80 percent of passwords securing IoT devices were “1234” and the like.
“Medical devices are not immune to this minimalistic approach to data security,” Wassom said.
Two researchers detailed how they remotely accessed a hospital’s neonatal monitors in a presentation Wassom attended at last year’s DEFCON.
“In many cases, hospital employees may not even realize that certain devices even have Internet connectivity, much less how to secure them,” he said.
Another hacker found an easy way to take charge of an infusion pump, a device that delivers fluids to patients and is common in hospital rooms.
“In theory, he could have emptied an entire vial of medication into a patient,” said Wassom, “and a hospital staff person monitoring the device from a central location would never have known.”
While hackers could leverage exploits to modify systems and cause physical harm to other humans, it’s more likely they’ll be motivated to use stolen data for financial gain, said SAS’ Gross.
They likely will use ill-gotten information to gain access to other systems, or encrypt it for use in ransomware attacks, he suggested. “Until the first major breach occurs, however, focus will stay on more immediate threats.”