“How can I trust my heart when it’s running on proprietary code?”
With this unsettling question, cybersecurity researcher Marie Moe – who successfully hacked her own pacemaker – crystallizes the vulnerability of life-saving medical devices running on software code and connected to the Internet.
Without effective cybersecurity protection, any connected medical device – including infusion pumps, pacemakers, smart pens, vital signs monitors, and more – is at risk of attack, whether it is connected to a hospital network or is one of the millions of distributed devices not connected to any network. This jeopardizes the lives of the millions of patients who depend on them.
With multiple IoT devices connected to the hospital’s network containing no security, they are bound to serve as the gateway of choice for hackers seeking the easiest way in. Entire hospital networks could then be infected with crippling ransomware. In a joint cybersecurity advisory issued in October, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation, and the Department of Health and Human Services warned of “an increased and imminent cybercrime threat” to hospitals and healthcare providers amid the COVID-19 pandemic, signaling that hackers are seeking to exploit the crisis.
Among the latest victims of this upsurge in criminal activity is the University of Vermont Health Network, which had to delay chemotherapy treatments, biopsies, and mammogram appointments as it grappled with the fallout of an attack that began the week of October 25th. Leaving Internet of Medical Things (IoMT) devices unprotected risks more such episodes, with disruptions in treatment, exposure of confidential patient data, and significant financial losses. Indeed, 82 percent of healthcare organizations had already been targeted by IoT device attacks in 2019, before the COVID-era spike in cybercrime and the ensuing escalating threats to IoMT devices.
Given the diverse range of threats – from potentially catastrophic infiltrations of entire healthcare networks to possibly lethal hacks of individual distributed devices – improving cybersecurity protection for connected medical devices is imperative.
Device manufacturers must assume the burden of responsibility for ensuring that their devices are equipped with uncompromising cybersecurity protection. The stakes – the lives of millions of patients who depend on IoMT devices – could not be higher.
The Threat to Patients
Take the estimated 1.25 million permanent pacemakers implanted across the globe every year. A cybercriminal who hacks one of them could reduce the pacemaker’s battery longevity or increase the device’s activity, destabilizing the user’s heart functions. Because of these very risks, in 2017 the Food and Drug Administration recalled 465,000 pacemakers manufactured by Abbott’s.
Meanwhile, the insulin pumps relied upon by patients with chronic conditions like diabetes are also vulnerable to cyberattacks. For instance, CISA recently issued an advisory regarding a vulnerability discovered in Becton Dickenson’s Alaris 8015 PC Unit and Systems Manager. This vulnerability could potentially serve as a gateway for a denial of service (DoS) attack.
DoS attacks could be devastating in any circumstance, but the threat is particularly severe at a time when hospital manpower and resources are being taxed to the limit.
While the potential for fatalities is reason enough to take IoMT cybersecurity seriously, the risk also extends to patient privacy. Case in point: The “smart pens” that medical professionals utilize to quickly access patient records. The Mozilla Foundation has classified these devices as “privacy not included” due to backdoor vulnerabilities that could lead to the leak of patient information. Similarly, vital sign monitors generally come with poor encryption protocols for Bluetooth connectivity, raising the prospect that hackers could use these devices as entry points into health systems’ networks, where they could steal patient data for financial gain.
The Gateway Threat
Therein lies a critical point about IoMT cybersecurity: protecting individual devices is critical to also protecting entire health networks. Hospitals and healthcare systems are particularly attractive targets for malicious cyber actors given that they store vast amounts of sensitive, sellable data that could be held at ransom.
These risks do not exist at the merely hypothetical level. Indeed, it is possible that the dramatic spike in cyber-attacks targeting healthcare facilities amid COVID-19 can be attributed at least in part to hospitals’ increased reliance on IoT telemedicine devices to provide patient care.
The simple truth is that these networks are only as secure as their weakest link – and with an estimated 161 million IoMT devices on the market, the sheer scale of vulnerability is difficult to quantify.
Many of those devices are distributed and not connected to hospital networks, but as Moe’s hack of her own pacemaker attests, even those devices are vulnerable to attack. With more patients receiving at-home, virtual care during the COVID-19 pandemic and using connected devices to manage their care, the ability to protect these mission-critical devices in the most sophisticated way possible is crucial.
Without on-device cybersecurity protection, IoMT devices are ticking time bombs. But because network-level threats are the most potentially damaging, the emphasis has traditionally been on providing cybersecurity protection to the healthcare network itself.
Yet it should be abundantly clear by now that this approach is insufficient. In fact, it is akin to locking your front door, only to leave all the house’s windows open. By the time an intruder enters, it is already too late.
Scalability is critical to IoMT cybersecurity, as there is no single magic-bullet solution that will address all vulnerabilities on all devices across all systems. But when IoMT devices are secured from within, devices and networks will be better fortified against cybercriminals.
Innovation in medical technology has given rise to a veritable plethora of devices that are saving the lives and improving the quality of life for millions of patients around the world. The IoMT industry’s transformative impact is difficult to overstate – and in the years to come, millions more are slated to benefit from its groundbreaking solutions. To continue protecting patients, the industry must commit to protecting the devices they rely upon.