Medical Devices on the IoT Put Lives at Risk

Digital transformation in the healthcare industry is fully underway. It’s being driven by a number of factors, including the need to scale medical services for a growing population; to serve rural and remote patients in areas lacking available doctors; and to try to reduce (or at least contain) the rapidly rising costs of healthcare. Of course, the ultimate goal is to improve patient outcomes by delivering high quality healthcare services in a more efficient and effective manner.

Remote patient monitoring (RPM) technology is a favored tool for transforming healthcare delivery. RPM uses technology to monitor patient health outside of a traditional clinical setting and to transmit real-time data to a doctor or clinic for analysis.

For example, a person might have an implanted heart device such as a pacemaker or a defibrillator (known as an implantable cardioverter defibrillator, or ICD). This device, which is permanently embedded within the patient’s body, communicates with an external monitor in the person’s home that in turn relays data to the doctor or clinic. 

The data can be transmitted at regular intervals – sort of like a routine check-up – or when the device detects specific conditions that warrant immediate communication with the doctor, such as a change in heart rhythm or oxygen levels in the blood. The idea is to reduce routine office visits to see a doctor unless an urgent situation arises.

Heart monitors are just one common example of medical use of RPM technologies. Others include digital blood pressure cuffs, glucose meters for diabetics, surveillance monitors for patients with dementia, at-home tests for patients with substance abuse issues, and many more. 

Given that such devices connect to the Internet to transmit data to the clinics, they are part of a growing cadre of healthcare devices that make up the burgeoning Internet of Medical Things (IoMT). The global market for these devices is growing at a compound annual growth rate of 30%.  

The IoMT is susceptible to cyber threats

Regulation concerning the development of medical devices has primarily focused on their efficacy and safety; i.e., how well they do their intended job without causing harm to the patient. To date, little has been done to direct the security of these devices and their holistic environment; i.e., the full lifecycle of ensuring the devices are initially and continue to remain free of vulnerabilities, that they have inherent defenses against threats, and that they can be securely updated as needed. 

Cybersecurity is a real concern for the many devices now located in the home—well outside the secured perimeters of the hospital and clinic networks. Consider that the average homeowner understands very little about how to fully secure their home-based WiFi network. With insecure passwords, default IP addresses, and lack of software updates, home routers are notoriously insecure and easy to hack, and that puts all devices on that network at risk, including the home-based medical devices.

It’s scary when a home baby monitor is hacked, but it could be a true matter of life and death if a medical monitoring device were to be compromised by an attacker. Imagine if a Man-in-the-Middle attack allows a bad actor to change or delete the data that is being transmitted from home to clinic. The doctor might not know that the patient is experiencing a medical emergency until it’s too late to help.

Not only is outbound data at risk, but the devices themselves are at risk from malicious inbound commands. Medical devices, whether embedded or external, run on software and firmware that occasionally need an update from the manufacturer. There must be a communication channel inbound to the devices to allow for these updates. An insecure channel – such as an unprotected home WiFi network – could be exploited to deliver malware or malicious commands to the devices. 

A Unisys Security Index survey shows that the majority of American consumers support the use of medical devices, such as pacemakers or blood sugar sensors, being able to immediately transmit any significant changes in health to a doctor. However, 78% are concerned about the security of medical devices. 

Their concern is well warranted, considering that device vulnerabilities are real and pervasive. A new study by Palo Alto Networks reveals that over 80% of medical imaging devices run on outdated operating systems. Fifty-six percent of the imaging devices run on Win 7, which gets limited support and patching from Microsoft now, and another 27% of these devices run on the long-dead Windows XP, as well as old and decommissioned versions of Linux, Unix, Windows, and other embedded software.

Adding lifecycle security into medical devices

Medical device manufacturers have a moral obligation as well as a business responsibility to ensure that their products are free from vulnerabilities, continuously protected from malware and other threats, and safe and effective for use by medical providers and patients throughout the product lifecycle. This means that device security has to become as important a product design feature as safety and efficacy.

Traditional defenses against cyber threats won’t work for IoMT devices. There is no anti-virus software to check for intrusions, and there’s no way for a user to directly interact with the devices to monitor for problems. Thus, it’s up to device manufacturers to build security into the lifecycle of the devices. 

There are numerous steps that device manufacturers must take to protect their devices:

• Product developers must incorporate a security mindset into the DevOps process. As security issues are found during the software development process, the information is fed back into the DevOps workflow so they can be corrected and security validation can be done before the software is finalized. This continuous integration process is known as DevSecOps and is becoming a software industry best practice.
• New medical devices must be thoroughly screened to ensure they are without vulnerabilities before being deployed in the field.
• Every device must have the inherent means to understand and protect its own state of health. That means it should know what a clean security posture should look like, be able to detect if something is trying to disrupt that clean posture, and have the ability to fend off that malicious activity to keep the device secure. 
• When firmware needs to be updated, there should be an orchestrated process to ensure that only authorized administrators can make changes to the device, and that the update is indeed applied properly. If the update fails to take hold, there must be a process to alert on the failure so the device can be otherwise secured or replaced by another device.
• The medical device provider must give patients clear instructions on how to install and configure the device as well as the home network to ensure proper operation and a secure connection to transmit encrypted data to the doctor or clinic.

This critical lifecycle protection allows healthcare providers and their patients to benefit from the value of connected medical devices and equipment without incurring life-threatening risks from a cyber-attack.