The Internet of Things (IoT) grants a fantastic array of conveniences. It allows you to preheat your oven, set your burglar alarm, or watch a live stream of your pup at doggie day care, all from a remote location.
The Internet of Medical Things (IoMT) is revolutionizing the healthcare industry in a similar way. IoMT allows patients and doctors to treat medical conditions without the inconvenience of an office visit.
Unfortunately, IoT and IoMT are also similar in another way: they are both terribly insecure.
What makes IoMT so scary is that its vulnerabilities offer hackers potential ways to cause harm or even death. IoMT has an impact on human lives, and presents cyber-challenges to the healthcare industry.
Healthcare is predicted to be the most targeted industry for cyberattacks in 2017. It’s a rich source of personal information that can be easily monetized. The rapid growth of IoMT creates a dangerous new vulnerability for patients who use this technology.
The Internet of Medical Things
Hospitals use dozens of machines and devices that are connected to the internet. They include but aren’t limited to:
- Heart monitors
- Blood gas analyzers
- X-Ray machines
- MRI machines
- Infusion pumps
- Dialysis machines
- Radiology information systems
Connecting medical devices to the internet lets vendors service equipment remotely. It allows doctors to analyze patient information from afar. It makes it easy for patients to administer their own medication.
All this is wonderful, except for a big problem: there are almost no security protections on many IoMT devices.
Exacerbating the problem is the ability of many IoMT devices to connect to one other in a myriad of ways. They are connected through hospital networks. They are connected to other medical machines. They are accessed through smartphones and personal computers.
IoMT Threats: ‘An Open Door’
“Medical devices have become an open door to the healthcare environment by virtue of the relatively lax security posture,” said Brian Selfridge, a partner at Meditology Services, at a Health Care Compliance Association Webinar.
Even basic security measures, such as anti-virus software or up-to-date operating systems, are often lacking. This opens the door to a number of potential threats.
Hacked to death
The most alarming type of potential attack is the manipulation of a medical device that could cause illness or death.
While improbable, it is possible to remotely hack a pacemaker to deliver a deadly jolt. It’s also possible to hack a device that administers medication to deliver a lethal dose.
A more likely threat is the ease with which IoMT devices can be infected with malware and added to a hacker’s botnet. The devices can then be used to flood targets with waves of traffic in a DDoS attack.
Another likely threat is the use of IoMT devices as an entry point for larger attacks. By hacking medical devices, an attacker may find an ‘open door’ to a hospital’s network, using it as an entry point to mount a larger attack against patient data, monitoring systems, or other devices.
Medical devices ransomed
The number of ransomware attacks on IoMT devices is rising, and experts suggest the trend will continue for two to four years.
“Unethical attackers will see these medical devices as the next step in their journey beyond hospital ransomware attacks,” according Intel Security’s recent McAfee Labs 2017 Threats Predictions Report.
Spying and privacy
Another concern is the invasion of privacy. Selfridge performed an act of “ethical hacking” to prove his point. He accessed a sleep center through a medical device vendor. He was able to watch patients in real time, while they were hooked up to sleep monitoring devices.
A warning about a hard-coded password vulnerability affecting 300 medical devices covered by 40 or so vendors was discovered by Cylance researchers and announced in a 2013 ICS-CERT alert. The vulnerability could allow a hacker to change critical settings, or modify device firmware.
Affected devices could include:
- Surgical and anesthesia devices
- Drug infusion pumps
- External defibrillators
- Patient monitors
- Laboratory equipment
In 2015, the FDA advised hospitals to stop using medical device company Hospira’s Symbiq infusion system. The system, which delivers medications directly into patient’s bloodstream, was vulnerable to penetration from an unauthorized user, who could then manipulate the dosage. It was the first FDA warning of its kind.
Since then, security researcher Billy Rios has identified five different Hospira pumps with vulnerabilities.
Johnson & Johnson sent a warning letter in 2016 to doctors and about 114,000 patients, alerting them to a cyber security bug in one of its J&J Animas OneTouch Ping insulin pumps that could let a hacker influence dosage levels.
In January 2017, St. Jude Medical issued a patch for its Merlin@home Transmitter, a “smart” monitoring system of implantable defibrillators and pacemakers. The vulnerability could have allowed an unauthorized user remotely modify programming through the patient’s transmitter.
Governmental Oversight of IoMT Issues
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is part of the National Cybersecurity and Integration Center, a Division of the Department of Homeland Security’s Office of Cybersecurity and Communications.
ICS-CERT assists the vendors of control systems with the following:
- Identification of security risks
- Analysis and response to control system incidents
- Digital media, vulnerability and malware analysis
- Threat analysis sharing through product information and alerts
- Information sharing with Federal, state and local agencies
Because the potential vulnerabilities of medical devices are so unique, ICS-CERT is working closely with the Food and Drug Administration (FDA) to address these issues.
Who Should Take Precautions:
An FDA Safety Communication regarding remote controlled medical devices was issued in 2013. The target audience included:
- Medical device manufacturers
- Medical device user facilities
- Healthcare IT and procurement staff
- Biomedical Engineers
FDA Best Practices and Recommendations
The absence of simple best practices to separate business and personal information on shared laptops, mobile devices and PCs is the greatest hole in critical technology solutions, according to a 2016 Govtech report.
Healthcare IT staff and medical device makers can take simple precautions to protect themselves and their patients.
- Limit unauthorized access to devices
- Stop the uncontrolled distribution of passwords
- Identify the presence of malware, particularly on mobile devices that use wireless technology to access implanted patient devices and monitoring data systems
- Avoid hard-coded passwords
- Deploy validated security patches in a timely manner
- Design “fail-safe modes,” to ensure the critical functionality of a device even when the security has been compromised
- Create response plans for restoration and recovery of compromised devices
- Disable unnecessary ports and services
The IoMT offers a lot of great products, but faces an uphill security battle as it strives to meet the demands of consumers, and avoid the long arm of cybercrime.