Internet of Medical Things: When Hacking becomes Life Threatening
What is the Internet of Medical Things?
According to Forbes, the Internet of Things, at its core, is simply the connecting of any device that can be turned on or off to the Internet. This includes medical equipment, which has started to become software-based and interconnected. Hence, the term Internet of Medical Things (IoMT) refers to the collection of medical devices and applications that connect to healthcare IT systems through online computer networks.
Security Vulnerability of IoMT
Without a doubt, recent technical advances have transformed health care delivery and have the capacity to improve patient care. Increased connectivity of medical devices to computer networks has provided numerous advantages to the medical technology field. A prime example of this is the increase in interconnectivity between medical devices and other clinical systems.
However, every device connected to the Internet is a potential target for hackers who aim to exploit its cybersecurity vulnerabilities, and medical equipment is no exception. This interconnectivity leaves medical devices vulnerable to security breaches in the same way other networked computing systems are vulnerable. Unlike with other networked computing devices, however, cybersecurity issues with medical apparatus can directly impact patient safety and, in severe cases, can even have life-threatening repercussions. Fortunately, health entities such as the Food and Drug Administration (FDA) enforce several initiatives to improve the cybersecurity of biomedical devices.
In this article, we have listed several examples of connected medical devices that, if left unchecked, can lead to potentially life-threatening situations:
Examples of Vulnerable Medical Devices
Malicious Medical Device Hacks
A major cyber-attack hit healthcare infrastructures throughout the world. The main tool used by the hackers was a stolen National Security Agency (NSA) tool, and the attack left healthcare companies in dozens of countries in a state of panic. For instance, Britain’s public health system sent patients home, and its critical healthcare applications were compromised. Security experts found vulnerabilities in medical devices that were also exploited in the attack. They found that they could remotely alter the configuration files in a hospital’s critical equipment. For example, attackers can alter the CT scan radiation exposure limits that set the amount of radiation patients receive.
Computers with Patient Records
A ransomware attack on England’s National Health Service (NHS) crippled its healthcare operations and left confidential patient records open to biohackers. The NHS and several other healthcare organizations were targeted by the ransomware attack. According to the investigation, this was made possible through backdoor entry via infected computers and medical devices.
Vulnerable Insulin Pumps
The well-known company Johnson & Johnson (J&J) is well aware of the dangers of compromised biomedical security. Its insulin pump was vulnerable to security attacks. Fortunately, J&J reported that it never had cases of attempted hacking attacks on the insulin pump. Nevertheless, the company issued warnings to its patients and provided advice to address the issue.
Flawed Medical Supply System
As part of regular security checks to ensure that Personally Identifiable Information (PII), or Sensitive Personal Information (SPI), is secured, security auditors found 1,418 remotely exploitable flaws in CareFusion’s Pyxis SupplyStation medical dispensing system. Of those vulnerabilities in “automated supply cabinets used to dispense medical supplies”, 715 have a severity rating of high or critical. The Pyxis SupplyStation system is a “secure storage device” for medical supplies that documents supply usage and interfaces with software to bill the patient. Security experts found that an attacker with low hacking skills would be able to exploit most of the reported vulnerabilities.
Most hospital IT infrastructure and biomedical devices remain unprotected and ill-equipped to address longstanding cybersecurity challenges that raise both privacy and potentially fatal health concerns. Surveys of the healthcare industry and its IT security procedures show that most organizations treat securing their biomedical devices as a low priority. They can get away with this because the Food and Drug Administration (FDA) remains lenient with sanctions and penalties for those that violate the required healthcare regulatory frameworks on biomedical IT security. As a result, healthcare systems have difficulty controlling cybersecurity in evolving and expanding medical networks, particularly for their medical devices.
In the healthcare setting, patient safety will always come before cybersecurity requirements. The challenge is to close the gap between the two objectives, minimizing compromise and ensuring patient safety while being responsive to the evolving cybersecurity threat environment. Medical devices are now an integral component of medical networks, and therefore their security should be an integral component of cybersecurity protection. This will require increased collaboration between medical physicists and IT professionals, as well as collaboration with leading healthcare security solutions that provide services such as secured biomedical devices, anomaly detection, and secured healthcare systems.
Sjir has over 15 years of experience in information technology, having held various positions at companies such as Blizzard Entertainment, TV4, and Basefarm. He now wields multiple security, cloud, and IT certifications and currently works as an information security engineer.