Despite the increasing use of Internet-connected medical devices, professionals from both sides of the equation -- medicine and technology -- are still in the process of fully understanding the strong overlap between the two industries. Current views in both fields still largely hold medical device manufacturers responsible for secure programming, while the responsibility of securing the clinic or hospital network and protecting health information on systems belongs to healthcare administration.
In particular, the increasing number of endocrine medical devices entering the Internet of Things (IoT) arena that are controlled by mobile phones means product manufacturers as well as healthcare IT staff and management will need to better collaborate to secure this technology against network attacks. Specifically, the mobile nature of devices for the management of type 1 diabetes leaves them vulnerable to various wireless threats via Bluetooth and serial port.
Devices at risk for wireless network and mobile attacks typically fall victim via sniffing. That is, a threat actor gains access to the network on which the IoT device operates and can immediately view critical asset information about the device.
The privacy implications are significant for patient health information stored on these products. Moreover, if an attacker obtains sufficient control to actually alter the amount of insulin the device provides a patient or a pump's ability to notify a patient of hypoglycemia or hyperglycemia, the consequences could be deadly.
Given the rise in cyberattacks targeting the medical industry during the pandemic, I consulted with University of California San Francisco endocrinologist Dr. David Klonoff regarding the latest developments in cybersecurity risks surrounding endocrine medical devices, as well as the state of policy regulating the use of this technology. Dr. Klonoff, a clinical professor in endocrinology and metabolism at the UCSF School of Medicine, also founded the Diabetes Technology Society to formally regulate the secure use of endocrine medical technology at the federal level.
During our conversation, he told me he views patient access to these devices while maintaining wireless security as a critical challenge for IoT devices used for diabetes management.
Although no hacks of diabetes devices have been reported, Dr. Klonoff is concerned about the ability and risk of attackers uncovering SSID and similar asset information about such devices based on available data from older product versions. According to vulnerability testing already conducted by the Diabetes Technology Society for endocrine medical devices, possible primary penetration vectors include RFID detection and interception via attacker sniffing.
Regarding patient concern over diabetes device security and usage, many users have shown trepidation over potential lockout from their devices when a suspected intrusion is detected by either the device itself or the IoT network on which the device operates, Dr. Klonoff says. To better streamline procedures surrounding endocrine device security management, Dr. Klonoff has collaborated with organizations such as the US Food and Drug Administration, the IEEE, and the US Department of Homeland Security to devise regulations detailing the cybersecurity risks associated with diabetes-related medical technology.
But still, many experts on both the medical and technology sides have hesitated to acknowledge the overlap between these industries. In healthcare, many professionals are still learning to migrate data systems to the cloud, largely depending on the clinic or hospital IT staff to manage all technology-related issues.
On the other hand, although the healthcare industry is the target for the greatest number of cyberattacks, cybersecurity and other engineering-oriented organizations such as the IEEE have been slow to develop policy geared toward medical technology.
Whether mitigating risks to medical devices within a hospital wireless network or a patient's home network, it's essential to be transparent regarding the threats posed to these patients and hospital systems. Patients have a right to maintain their health-information privacy and should be able to depend on the availability of their medical device. Patients should get solid training on how to use their devices, and there should be full-scale information sharing (that is, between patients and their healthcare providers) regarding the wireless networks on which their device functions.
An attacker using a wireless access tool such as Kismet to sniff and compromise an insulin pump or heart monitor could prove deadly. Therefore, engineers and manufacturers must collaborate to implement these devices with individualized intrusion-detection systems.
On a realistic level, for a modestly sized medical device, such as a continuous glucose monitor for diabetes, intrusion prevention could begin with a simple alert mechanism to notify the patient of any external signals attempting to penetrate an RFID blocker. Once informed, the patient may choose whether to contact the manufacturer's security team for further recommendation.