The Internet of Things: Advanced Threats Against Medical Devices

The internet of things refers to the vision of all manner of “things” having network connectivity so that they can send and receive data independently of human interaction. This vision holds much promise in terms of convenience, greater connectivity and improved quality, but it also creates many new challenges. Among these are the increased likelihood of advanced threats causing potential hacks and security breaches, privacy issues, and fraud that can occur when security vulnerabilities are exploited.

The things that can be included in such an uber-network range from home automation systems, to health systems and medical devices, enterprise and industrial automation systems, and public health and security systems. By some estimates, there could be up to 50 billion things connected in the internet of things by 2020.

The SANS Institute recently conducted a survey concerning the current and future security issues related to the internet of things. The survey found that consumer mobile devices, smart building and industrial control systems are considered to be the sorts of new devices that will need to be secured against advanced threats in the near future, followed by medical devices.

Recent technological advances have shown much promise in the medical field, allowing more efficient control over equipment through network connectivity, including wireless. New types of wearable and implantable medical devices offer many opportunities for improving the quality of healthcare delivery, but they also throw up new security challenges. Networked medical equipment and devices have for the main part not been designed with security in mind. They often lack sufficiently secure mechanisms for access control and authentication, and are used to store large volumes of sensitive medical data, often in unencrypted form. Often connected over unsecured wireless networks, the privacy of this data could be put at risk through eavesdropping, man-in-the-middle attacks, or from lost or discarded devices being misappropriated.

Currently, many people may see medical device security as belonging in the world of fiction. An episode of the popular US TV Series “Homeland” portrayed a terrorist remotely hacking into the pacemaker of the vice president of the US, causing his death. While many commentators have dismissed this as being far-fetched, the late security researcher, Barnaby Jack, has shown in recent years how various medical devices, including pacemakers and insulin pumps, could be exploited. In June 2013, the US government issued a warning of vulnerabilities found in 300 medical devices from 40 vendors that could be exploited, even by those with little technical knowledge.

In fact, the problem seems to be widespread—so much so that, in August 2012, the US Government Accountability Office (GAO) issued a report entitled “Medical devices: FDA should expand its consideration of information security for certain types of devices.” In the report, GAO singled out a number of key information security control areas that should be considered for medical devices:

  • Software testing, verification and validation
  • Risk assessments
  • Risk management
  • Access control
  • Vulnerability and patch management
  • Technical audit or accountability
  • Security incident response
  • Contingency planning

In response, the FDA (Food and Drug Administration) confirmed in June 2013 that it had indeed uncovered severe vulnerabilities regarding the security of medical devices and hospital equipment, ranging from malware that disabled devices to data accessed on monitoring equipment and implanted devices owing to insecure wireless connectivity. Passwords were also found to be vulnerable, allowing for inappropriate levels of access to highly sensitive applications and multiple problems were found with older software that included lack of available patches and missing authentication mechanisms. These factors led the FDA to issue guidance for cybersecurity for medical devices and hospital networks regarding safeguards that device manufacturers and healthcare facilities should put in place to counter vulnerabilities. While this guidance is not prescriptive, it provides pointers as to what steps should be taken to address security issues in the medical sector and highlights the importance of medical device security.

In order for the internet of things to become reality, security is a vital aspect that must be considered as, or even before, systems and devices are networked. As the vulnerabilities so far uncovered with medical devices clearly show, security aspects are far too important to be left to chance. The implications for other devices and systems, including public safety, that will make up the internet of things are vast. The threats are real and, in the case of the medical sector, could lead to significant damage or even loss of life. Security needs to be made a prime consideration and should be baked in, rather than considered as an afterthought.

No Comments