
Dmitry Raidman

Medical Devices on the IoT Put Lives at Risk

Device security must become as important a product design feature as safety and efficacy.

Digital transformation in the healthcare industry is driven by a number of factors, including the need to scale medical services for a growing population; to serve patients in rural and remote areas lacking available doctors; and to try to reduce or contain the rapidly rising costs of healthcare. The ultimate goal is to improve patient outcomes by delivering high-quality healthcare services in a more efficient and effective manner.

Remote patient monitoring (RPM) technology is a favored tool for transforming healthcare delivery. RPM uses technology to monitor patient health outside of a traditional clinical setting and to transmit real-time data to a doctor or clinic for analysis.

For example, a person might have an implanted heart device such as a pacemaker or a defibrillator. This device, which is permanently embedded within the patient's body, communicates with an external monitor in the person's home that relays data to the doctor or clinic.

The data can be transmitted at regular intervals or when the device detects specific conditions that warrant immediate communication with the doctor, such as a change in heart rhythm. This reduces routine doctor office visits unless an urgent situation arises.

Heart monitors are just one common example of medical use of RPM technologies. Others include digital blood pressure cuffs, glucose meters for diabetics, and surveillance monitors for patients with dementia, among others.

These devices connect to the Internet to transmit data to the clinics, making them part of the Internet of Medical Things (IoMT). The global market for such devices is growing at a compound annual growth rate of 30%.

The IoMT Is Susceptible to Cyber Threats
Regulation concerning the development of medical devices has focused on their efficacy and safety — that is, how well they do their job without causing harm to the patient. To date, little has been done to direct the security of these devices and their holistic environment — i.e., the full life cycle of ensuring the devices are initially free of vulnerabilities and continue to be so, that they have inherent defenses against threats, and that they can be securely updated as needed.

Cybersecurity is a concern for devices now located in the home — well outside the secured perimeters of the hospital and clinic networks. Consider that average homeowners understand very little about how to fully secure their home-based Wi-Fi network. Insecure passwords, default IP addresses, and lack of software updates make home routers notoriously insecure and easy to hack, which puts all devices on that network at risk, including home-based medical devices.

It's scary when a home baby monitor is hacked, but it could be a matter of life and death if a medical monitoring device were to be compromised. Imagine if a man-in-the-middle attack allows a bad actor to change or delete the data that is being transmitted from home to clinic. The doctor might not know that the patient is experiencing a medical emergency until it's too late.

The devices themselves are at risk from malicious inbound commands. Medical devices run on software and firmware that occasionally need an update from the manufacturer. A communication channel inbound to the devices enables updates. An insecure channel — such as an unprotected home Wi-Fi network — could be exploited to deliver malware or malicious commands to the devices.

A Unisys Security Index survey shows most American consumers support the use of medical devices to immediately transmit significant changes in health to a doctor. However, 78% are concerned about the security of medical devices.

Their concern is warranted, considering that device vulnerabilities are pervasive. A study by Palo Alto Networks reveals that over 80% of medical imaging devices run on outdated operating systems. Fifty-six percent of imaging devices run on Windows 7, which gets limited support and patching from Microsoft, and another 27% of devices run on the long-dead Windows XP or old and decommissioned versions of Linux, Unix, Windows, and other embedded software.

Adding Life-Cycle Security to Medical Devices
Medical device manufacturers have a moral obligation and a business imperative to ensure that their products are free from vulnerabilities, continuously protected from cyber threats, and safe and effective for use throughout the product life cycle. Device security must become as important a product design feature as safety and efficacy.

Traditional cyber defenses won't work for IoMT devices. There is no antivirus software to check for intrusions, and a user can’t directly interact with devices to monitor for problems. Thus, it's up to manufacturers to build security into the life cycle of their devices.

Manufacturers must take steps to protect their devices, including:

  • Product developers must incorporate a security mindset into the DevOps process, continuously identifying, correcting, and validating fixes for security issues before the software is finalized. Building security into this continuous integration pipeline is a software industry best practice known as DevSecOps.

  • New medical devices must be thoroughly screened to ensure they are without vulnerabilities before being deployed in the field.

  • Every device must have the inherent means to understand and protect its own state of health. It should know what a clean security posture looks like, be able to detect a disruption to that clean posture, and have the ability to fend off malicious activity to keep the device secure.

  • For firmware updates, there should be an orchestrated process that ensures only authorized administrators can make changes to the device, and that the update is applied properly. An update failure should trigger an alert so the device can be otherwise secured or replaced by another device.

  • Patients must receive clear instructions on how to install and configure the device as well as the home network to ensure proper operation and a secure connection to transmit encrypted data to the doctor.
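As an added illustration of the third and fourth points above (not code from the article or from Cybeats), the following Python sketch shows a device that records its clean posture as a firmware digest, checks for drift, and accepts an update only when the manifest is authorized, newer than the running version, and the delivered image matches it; any failure raises an alert instead of silently continuing. The HMAC verification key, manifest format, and version numbers are constructed assumptions; a real device would verify the manufacturer's asymmetric signature.

```python
import hashlib
import hmac
import json

# Constructed stand-in: a key held by the device to verify update manifests.
# A real device would hold the manufacturer's public key and check an
# asymmetric signature; an HMAC keeps this example dependency-free.
VERIFY_KEY = b"constructed-demo-key"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_manifest(version: int, image: bytes) -> dict:
    """Manufacturer side: describe an image by version and digest."""
    return {"version": version, "sha256": sha256_hex(image)}

def sign_manifest(key: bytes, manifest: dict) -> str:
    """Manufacturer side: MAC over the canonical manifest (signature stand-in)."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

class Device:
    def __init__(self, image: bytes, version: int):
        self.image, self.version = image, version
        self.clean_posture = sha256_hex(image)  # known-good firmware state
        self.alerts = []

    def check_posture(self) -> bool:
        """Detect drift from the recorded clean posture."""
        ok = sha256_hex(self.image) == self.clean_posture
        if not ok:
            self._alert("posture-drift")
        return ok

    def apply_update(self, manifest: dict, mac: str, image: bytes) -> bool:
        """Accept an update only if authorized, newer, and applied correctly."""
        if not hmac.compare_digest(sign_manifest(VERIFY_KEY, manifest), mac):
            return self._alert("unauthorized-update")
        if manifest["version"] <= self.version:
            return self._alert("rollback-attempt")  # refuse downgrade to older code
        if sha256_hex(image) != manifest["sha256"]:
            return self._alert("image-mismatch")  # image is not the authorized one
        self.image, self.version = image, manifest["version"]
        self.clean_posture = manifest["sha256"]
        return self.check_posture()  # confirm the update really took

    def _alert(self, reason: str) -> bool:
        self.alerts.append(reason)  # so the device can be secured or replaced
        return False
```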

This critical life-cycle protection allows healthcare providers and their patients to benefit from the value of connected medical devices and equipment without incurring life-threatening risks from a cyberattack.


Dmitry Raidman is a Co-Founder and CEO of Cybeats, a deep-tech Internet of Things defense cybersecurity company. Cybeats solves a critical security gap for companies that manufacture, integrate, or deploy IoT devices. Until now, IoT devices have been vulnerable to ...
