Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

10:00 AM
Dmitry Raidman
Dmitry Raidman
Connect Directly
E-Mail vvv

Medical Devices on the IoT Put Lives at Risk

Device security must become as important a product design feature as safety and efficacy.

Digital transformation in the healthcare industry is driven by a number of factors, including the need to scale medical services for a growing population; to serve patients in rural and remote areas lacking available doctors; and to try to reduce or contain the rapidly rising costs of healthcare. The ultimate goal is to improve patient outcomes by delivering high-quality healthcare services in a more efficient and effective manner.

Remote patient monitoring (RPM) technology is a favored tool for transforming healthcare delivery. RPM uses technology to monitor patient health outside of a traditional clinical setting and to transmit real-time data to a doctor or clinic for analysis.

For example, a person might have an implanted heart device such as a pacemaker or a defibrillator. This device, which is permanently embedded within the patient's body, communicates with an external monitor in the person's home that relays data to the doctor or clinic.

The data can be transmitted at regular intervals or when the device detects specific conditions that warrant immediate communication with the doctor, such as a change in heart rhythm. This reduces routine doctor office visits unless an urgent situation arises.

Heart monitors are just one common example of medical use of RPM technologies. Others include digital blood pressure cuffs, glucose meters for diabetics, and surveillance monitors for patients with dementia, among others.

These devices connect to the Internet to transmit data to the clinics, making them part of the Internet of Medical Things (IoMT). The global market for such devices is growing at a compound annual growth rate of 30%.

The IoMT Is Susceptible to Cyber Threats
Regulation concerning the development of medical devices has focused on their efficacy and safety — that is, how well they do their job without causing harm to the patient. To date, little has been done to direct the security of these devices and their holistic environment — i.e., the full life cycle of ensuring the devices are initially free of vulnerabilities and continue to be so, that they have inherent defenses against threats, and that they can be securely updated as needed.

Cybersecurity is a concern for devices now located in the home — well outside the secured perimeters of the hospital and clinic networks. Consider that average homeowners understand very little about how to fully secure their home-based Wi-Fi network. Insecure passwords, default IP addresses, and lack of software updates make home routers notoriously insecure and easy to hack, which puts all devices on that network at risk, including home-based medical devices.

It's scary when a home baby monitor is hacked, but it could be a matter of life and death if a medical monitoring device were to be compromised. Imagine if a man-in-the-middle attack allows a bad actor to change or delete the data that is being transmitted from home to clinic. The doctor might not know that the patient is experiencing a medical emergency until it's too late.

The devices themselves are at risk from malicious inbound commands. Medical devices run on software and firmware that occasionally need an update from the manufacturer. A communication channel inbound to the devices enables updates. An insecure channel — such as an unprotected home Wi-Fi network — could be exploited to deliver malware or malicious commands to the devices.

A Unisys Security Index survey shows most American consumers support the use of medical devices to immediately transmit significant changes in health to a doctor. However, 78% are concerned about the security of medical devices.

Their concern is warranted, considering that device vulnerabilities are pervasive. A study by Palo Alto Networks reveals that over 80% of medical imaging devices run on outdated operating systems. Fifty-six percent of imaging devices run on Windows 7, which gets limited support and patching from Microsoft, and another 27% of devices run on the long-dead Windows XP or old and decommissioned versions of Linux, Unix, Windows, and other embedded software.

Adding Life-Cycle Security to Medical Devices
Medical device manufacturers have a moral obligation and a business imperative to ensure that their products are free from vulnerabilities, continuously protected from cyber threats, and safe and effective for use throughout the product life cycle. Device security must become as important a product design feature as safety and efficacy.

Traditional cyber defenses won't work for IoMT devices. There is no antivirus software to check for intrusions, and a user can’t directly interact with devices to monitor for problems. Thus, it's up to manufacturers to build security into the life cycle of their devices.

Manufacturers must take steps to protect their devices, including:

  • Product developers must incorporate a security mindset into the DevOps process, continuously identifying, correcting and validating the fixes for security issues before the software is finalized. This continuous integration process is a software industry best practice known as DevSecOps.

  • New medical devices must be thoroughly screened to ensure they are without vulnerabilities before being deployed in the field.

  • Every device must have the inherent means to understand and protect its own state of health. It should know what a clean security posture looks like, be able to detect a disruption to that clean posture, and have the ability to fend off malicious activity to keep the device secure.

  • For firmware updates, there should be an orchestrated process that ensures only authorized administrators can make changes to the device, and that the update is applied properly. An update failure should trigger an alert so the device can be otherwise secured or replaced by another device.

  • Patients must receive clear instructions on how to install and configure the device as well as the home network to ensure proper operation and a secure connection to transmit encrypted data to the doctor.

This critical life-cycle protection allows healthcare providers and their patients to benefit from the value of connected medical devices and equipment without incurring life-threatening risks from a cyberattack.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Untangling Third-Party Risk (and Fourth, and Fifth...)."

Dmitry Raidman is a Co-Founder and CEO of Cybeats, a deep-tech Internet of Things defense cybersecurity company. Cybeats solves a critical security gap for companies that manufacture, integrate, or deploy IoT devices. Until now, IoT devices have been vulnerable to ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-14
A buffer overflow vulnerability in SonicOS allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted request. This vulnerability affects SonicOS Gen5, Gen6, Gen7 platforms, and SonicOSv virtual firewalls.
PUBLISHED: 2021-06-14
magento-scripts contains scripts and configuration used by Create Magento App, a zero-configuration tool-chain which allows one to deploy Magento 2. In versions 1.5.1 and 1.5.2, after changing the function from synchronous to asynchronous there wasn't implemented handler in the start, stop, exec, an...
PUBLISHED: 2021-06-14
net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
PUBLISHED: 2021-06-14
Cross-site Scripting (XSS) vulnerability in the main dashboard of Ellipse APM versions allows an authenticated user or integrated application to inject malicious data into the application that can then be executed in a victim’s browser. This issue affects: Hitachi ABB Power Grids ...
PUBLISHED: 2021-06-14
Improper Input Validation vulnerability in Hitachi ABB Power Grids Relion 670 Series, Relion 670/650 Series, Relion 670/650/SAM600-IO, Relion 650, REB500, RTU500 Series, FOX615 (TEGO1), MSM, GMS600, PWC600 allows an attacker with access to the IEC 61850 network with knowledge of how to reproduce the...