Dark Reading is part of the Informa Tech Division of Informa PLC

IoT
4/9/2020
10:00 AM
Dmitry Raidman
Commentary

Medical Devices on the IoT Put Lives at Risk

Device security must become as important a product design feature as safety and efficacy.

Digital transformation in the healthcare industry is driven by a number of factors, including the need to scale medical services for a growing population; to serve patients in rural and remote areas lacking available doctors; and to try to reduce or contain the rapidly rising costs of healthcare. The ultimate goal is to improve patient outcomes by delivering high-quality healthcare services in a more efficient and effective manner.

Remote patient monitoring (RPM) technology is a favored tool for transforming healthcare delivery. RPM uses technology to monitor patient health outside of a traditional clinical setting and to transmit real-time data to a doctor or clinic for analysis.

For example, a person might have an implanted heart device such as a pacemaker or a defibrillator. This device, which is permanently embedded within the patient's body, communicates with an external monitor in the person's home that relays data to the doctor or clinic.

The data can be transmitted at regular intervals or when the device detects specific conditions that warrant immediate communication with the doctor, such as a change in heart rhythm. This reduces routine doctor office visits unless an urgent situation arises.

Heart monitors are just one common example of medical use of RPM technologies. Others include digital blood pressure cuffs, glucose meters for diabetics, and surveillance monitors for patients with dementia.

These devices connect to the Internet to transmit data to the clinics, making them part of the Internet of Medical Things (IoMT). The global market for such devices is growing at a compound annual growth rate of 30%.

The IoMT Is Susceptible to Cyber Threats

Regulation concerning the development of medical devices has focused on their efficacy and safety — that is, how well they do their job without causing harm to the patient. To date, little has been done to direct the security of these devices and their holistic environment — i.e., the full life cycle of ensuring the devices are initially free of vulnerabilities and continue to be so, that they have inherent defenses against threats, and that they can be securely updated as needed.

Cybersecurity is a concern for devices now located in the home — well outside the secured perimeters of the hospital and clinic networks. Consider that average homeowners understand very little about how to fully secure their home-based Wi-Fi network. Insecure passwords, default IP addresses, and lack of software updates make home routers notoriously insecure and easy to hack, which puts all devices on that network at risk, including home-based medical devices.

It's scary when a home baby monitor is hacked, but it could be a matter of life and death if a medical monitoring device were to be compromised. Imagine if a man-in-the-middle attack allows a bad actor to change or delete the data that is being transmitted from home to clinic. The doctor might not know that the patient is experiencing a medical emergency until it's too late.
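One way a clinic-side receiver can notice readings that were changed or dropped on the path, shown as an added example that is not from the article or any vendor's product. The key, the message layout and the names `seal` and `ClinicReceiver` are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real device would hold a per-device key in protected storage.
DEVICE_KEY = b"constructed-demo-key-not-for-production"


def seal(seq, reading, key=DEVICE_KEY):
    """Device side: bind a sequence number and the reading under one HMAC tag."""
    body = json.dumps({"seq": seq, "reading": reading}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


class ClinicReceiver:
    """Clinic side: accept only authentic, in-order messages and report gaps."""

    def __init__(self, key=DEVICE_KEY):
        self.key = key
        self.next_seq = 0
        self.alerts = []

    def receive(self, msg):
        expected = hmac.new(self.key, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            self.alerts.append("tampered message rejected")
            return None
        data = json.loads(msg["body"])
        if data["seq"] < self.next_seq:
            self.alerts.append(f"replayed seq {data['seq']} rejected")
            return None
        if data["seq"] > self.next_seq:
            missing = list(range(self.next_seq, data["seq"]))
            self.alerts.append(f"missing seq {missing}: readings lost or deleted in transit")
        self.next_seq = data["seq"] + 1
        return data["reading"]


def demo():
    rx = ClinicReceiver()
    m0, m1, m2 = (seal(i, {"bpm": bpm}) for i, bpm in enumerate([72, 180, 75]))
    accepted = [rx.receive(m0)]
    forged = dict(m1, body=m1["body"].replace("180", "70"))  # altered on the path
    accepted.append(rx.receive(forged))
    accepted.append(rx.receive(m2))  # seq 1 never arrived intact, so a gap is reported
    return accepted, rx.alerts
```

A gap only becomes visible when a later message arrives, so a receiver also needs a timeout on the expected reporting interval to catch a stream that is silenced entirely.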

The devices themselves are at risk from malicious inbound commands. Medical devices run on software and firmware that occasionally need an update from the manufacturer. A communication channel inbound to the devices enables updates. An insecure channel — such as an unprotected home Wi-Fi network — could be exploited to deliver malware or malicious commands to the devices.

A Unisys Security Index survey shows most American consumers support the use of medical devices to immediately transmit significant changes in health to a doctor. However, 78% are concerned about the security of medical devices.

Their concern is warranted, considering that device vulnerabilities are pervasive. A study by Palo Alto Networks reveals that over 80% of medical imaging devices run on outdated operating systems. Fifty-six percent of imaging devices run on Windows 7, which gets limited support and patching from Microsoft, and another 27% of devices run on the long-dead Windows XP or old and decommissioned versions of Linux, Unix, Windows, and other embedded software.

Adding Life-Cycle Security to Medical Devices

Medical device manufacturers have a moral obligation and a business imperative to ensure that their products are free from vulnerabilities, continuously protected from cyber threats, and safe and effective for use throughout the product life cycle. Device security must become as important a product design feature as safety and efficacy.

Traditional cyber defenses won't work for IoMT devices. There is no antivirus software to check for intrusions, and a user can’t directly interact with devices to monitor for problems. Thus, it's up to manufacturers to build security into the life cycle of their devices.

Manufacturers must take steps to protect their devices, including:

  • Product developers must incorporate a security mindset into the DevOps process, continuously identifying, correcting and validating the fixes for security issues before the software is finalized. This continuous integration process is a software industry best practice known as DevSecOps.

  • New medical devices must be thoroughly screened to ensure they are without vulnerabilities before being deployed in the field.

  • Every device must have the inherent means to understand and protect its own state of health. It should know what a clean security posture looks like, be able to detect a disruption to that clean posture, and have the ability to fend off malicious activity to keep the device secure.

  • For firmware updates, there should be an orchestrated process that ensures only authorized administrators can make changes to the device, and that the update is applied properly. An update failure should trigger an alert so the device can be otherwise secured or replaced by another device.

  • Patients must receive clear instructions on how to install and configure the device as well as the home network to ensure proper operation and a secure connection to transmit encrypted data to the doctor.
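The firmware-update item above, sketched as an added example that is not the article's or any manufacturer's code: the device accepts an image only when the manifest is authorized, newer than what is installed, and matches the bytes received and the bytes written, and every failure is recorded as an alert. The key, the manifest fields, the `flash` callback and the class name are assumptions; HMAC stands in for the asymmetric signature a production device would verify.

```python
import hashlib
import hmac

# Constructed demo key standing in for the manufacturer's signing key. HMAC keeps the
# example stdlib-only; a production device would verify an asymmetric signature instead.
VENDOR_KEY = b"constructed-vendor-key"


def sign_manifest(version, image, key=VENDOR_KEY):
    """Manufacturer side: authorize one image for one version."""
    digest = hashlib.sha256(image).hexdigest()
    tag = hmac.new(key, f"{version}:{digest}".encode(), hashlib.sha256).hexdigest()
    return {"version": version, "sha256": digest, "tag": tag}


class Device:
    def __init__(self, version, image, key=VENDOR_KEY):
        self.version, self.image, self.key = version, image, key
        self.alerts = []

    def _reject(self, reason):
        self.alerts.append(f"update failed: {reason}")  # would go to the fleet operator
        return False

    def apply_update(self, manifest, image, flash=lambda img: img):
        signed = f"{manifest['version']}:{manifest['sha256']}".encode()
        expected = hmac.new(self.key, signed, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, manifest["tag"]):
            return self._reject("manifest not authorized")
        if manifest["version"] <= self.version:
            return self._reject("rollback to older version")
        if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
            return self._reject("image does not match manifest")
        written = flash(image)  # hypothetical flash routine; returns what was stored
        if hashlib.sha256(written).hexdigest() != manifest["sha256"]:
            return self._reject("read-back mismatch, keeping previous image")
        self.version, self.image = manifest["version"], written
        return True
```

The read-back check is what turns "the update is applied properly" into something the device can verify for itself before it switches to the new image.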

This critical life-cycle protection allows healthcare providers and their patients to benefit from the value of connected medical devices and equipment without incurring life-threatening risks from a cyberattack.

Dmitry Raidman is a Co-Founder and CEO of Cybeats, a deep-tech Internet of Things defense cybersecurity company. Cybeats solves a critical security gap for companies that manufacture, integrate, or deploy IoT devices. Until now, IoT devices have been vulnerable to ...
 
