How Secure Are Medical Devices From Hacking
Are Wireless Medical Devices Safe?
Although it is difficult to exploit hardware, there is a lot of interest in device hacking as it gives so much more control over devices. As the security of software becomes more robust, attackers are looking in other areas to control systems. Very commonly we heard of USB hacking, Bluetooth hacking, WiFi hacking, etc but one extremely worrying area is medical device hacking, where hackers target medical devices like heart implants, insulin pumps, and pacemakers. In hospitals, medical devices are vulnerable to cyber attacks as they are often connected wirelessly to hospital networks.
No doubt about the fact that the advancement in the field of medical science has given life to many people by curing and preventing them from dreadful diseases. There is an increase in the reduction of infectious diseases, the development of new vaccines and antibiotics, proper treatment of cardiovascular diseases has reduced the mortality rate caused due to it, etc. We have seen substantial progress in many fields—biomedicine, biotechnology, engineering, nanotechnology, digital technology, robotics, artificial intelligence (AI)—all with the potential for improving health
Medical science has undergone dramatic and incredible changes over the past few years. Let’s have a look on to that:
- Devices used to be connected physically to the patients i.e. by the use of physical products but now a day’s these kinds of devices are connected wirelessly to the patients and the devices include software, in fact, health databases are available.
- Data obtained from the devices are written in the paper but nowadays the data are automatically saved and stored on the computer.
- Care is hand administered at a health care location but now a day’s care is available to patients in the palm of their hands through certain apps.
- In the earlier days, physical access is needed to view health data but now a day’s health data can be accessed anywhere on the earth.
Medical devices are now a day’s an easy target for attackers to enter into the network. These medical devices which are connected by the network have the ability to disrupt its normal functioning once they are infected by malware. And this, in turn, leads to the concern of patient’s safety.
Medical devices operate in different modes; some are having receive-only mode, some are meant exclusively for sending the information rather than receiving it and some are having both send and receive mode, in fact, they are the ones that are highly vulnerable to hacking. In short, it can be said that any device that is connected to the internet is at the highest risk. The risk of malicious cyberattacks increases exponentially as more hospitals connect medical imaging equipment to the internet. Thus many new technologies and scientific advances raise national security concerns.
Once a device is hacked it leads to various potential problems:
- Patients are the ones who are actually harmed and sometimes it may lead to the death of the person.
- There are chances of losing protected health data which ultimately leads to losing the trust from the devices.
Right from pacemakers to infusion pumps to ventilators, all these medically connected devices not only appeal to clinical users but cybercriminals as well. The devices which are at the highest risk include Infusion pumps, Imaging devices, Bedside monitoring consoles, Medication cabinets, Surgical/Anesthesia Devices, Heart telemetry devices, Ventilators, Neurostimulators, Interconnected Capital Equipments, etc.
Than wired medical devices, usually, the wireless medical devices are more prone to cyber-attacks. Tampering implanted devices may cause the death of the patient and ruin the manufacturer’s reputation. In fact, wireless devices can be hacked from a distance of 300 feet. As implanted devices are not self-powered, they cannot be made to run security measures continuously. Moreover, access to invivo devices cannot be password protected and authorizations to access medical devices cannot be set at present. Medical devices are increasingly getting connected to the internet, smartphones, networks, and apps making them susceptible to cyber-attacks.
Medical devices can be hacked by known vulnerabilities, unknown bugs, and social engineering. There has been:
- Dozens of cases of viruses infecting computers that control laboratory equipment and X-ray machines.
- A massive overdose of radiation was developed to several patients, killing at least 5 because of a bug in the software of a radiotherapy machine.
- Between 1999 and 2005, in America, one in 3 of all software-based devices sold were recalled for software failures.
Future vulnerabilities in a few of the most used medical devices:
Pacemaker: Now, security vulnerabilities of remote attacks on the body are possible due to the convenience of wireless transmitters. Using a company computer that may briefly interact with an implant or through a Malware installed on a hospital computer or laptops hacking of the devices can easily be done. Through hacking, the device can be made to reprogram or command, infect or even perform a more lethal function.
Insulin Pumps: A deadly dose of the hormone could be made to deliver through the wireless transmitters and cause serious problems. For insulin pumps that can hook up to WiFi and be controlled via a web browser, now there are patents. Since exploits to compromise web interfaces are developed daily, there is huge potential for exploits.
A proposed solution for this could be:
- Tightening the processes to detect and troubleshooting known and unknown bugs.
- Through sandboxing restricting the data access even if attacked.
- Enhanced detection and preventive measures can be taken.
- Incorporating the use of antivirus solutions.
Millions of people are put at risk if nothing is done about it. However, patients can carry on through everyday life normally as medical professionals will still be able to change the settings without the use of medical procedures.
STEPS TO BE TAKEN WHILE BUILDING CONNECTED DEVICES:
- Always prevent unauthorized users from getting access.
- Keep a watch on health devices and provide patches when vulnerabilities are identified.
- Whenever going to use the device for the first time always set new credentials.
- Always feed the data less that is needed to operate.
- Center for Medicare and Medicaid Services(CMS)
- Food and Drug Administration(FDA)
- Department of Health and Human Services(HHS)
- Department of Defense(DOD)
- Department of Veteran Affairs(VA)
- Department of Homeland Security(DHS)
It is inevitable from anyone’s part to build a 100% secure device — moreover, hackers are well trained, skilled and highly motivated. As sophisticated technologies are continuously emerging — greater the consequences of a malicious medical device to be hacked. All stakeholders, including healthcare organizations, care providers, patients, and device manufacturers must be responsible for cybersecurity. To ensure that the use of these devices does not pose an unacceptable level of security risk, the cybersecurity experts and the FDA should also do their part.
The future of medical device security will be largely defined by the steps we take today. So take it properly.
- Identify. Identify processes and assets needing protection;
- Protect. Define available safeguards;
- Detect. Devise incident detection techniques;
- Respond. Formulate a response plan; and
- Recover. Formalize a recovery plan
In the next decade, transformative changes will take place in health and medicine resulting from rapid advances in science and technology in the Fourth Industrial Revolution. Medical and technological breakthroughs will provide new tools and approaches that will transform health and health care, rendering them more connected, precise, democratized, and people-centered with better outcomes and improved population health. Because of the advancement in technology and medical devices, a number of wireless, implantable and biomedical devices will be exploited that will control the health, life, death of patients.
However, emerging technologies inevitably have risks. It will be more challenging as well. The extent to which the benefits are maximized and the risks mitigated depends on the quality of governance—the policies, norms, standards, and incentives that shape the development and deployment of these emerging technologies. We must proactively assess technologies on the horizon and their societal implications and take intentional measures to mitigate their risks. There is a need for a coordinated proactive approach that includes standard cybersecurity control and assessment, together with specific medical device data and workflow considerations, to ensure the future protection of medical devices in a networked world.
Patient’s safety will always come before cybersecurity requirements in the health care setting. While being responsive to the evolving cybersecurity threat environment, minimizing compromise by closing the gap between the two objectives and ensuring patient safety is the challenge. The security of medical devices must be an integral component of cybersecurity protection as these devices are now an integral component of medical networks. Inputs from cybersecurity experts might be needed, along with increased collaboration between network vendors and medical device manufacturers, between IT professionals and medical physicists.
Let’s not forget to be safe & smart with these smart devices.
Author: Divya S
Editor’s Note: How Secure Are Medical Devices From Hacking, Are Wireless Medical Devices Safe? How Secure Are Medical Devices From Hacking, Are Wireless Medical Devices Safe? How Secure Are Medical Devices From Hacking, Are Wireless Medical Devices Safe? How Secure Are Medical Devices From Hacking, Are Wireless Medical Devices Safe?