Hacking medical devices is the next big security concern

From medical errors to superbugs, the risks during a spell in hospital can be daunting. The prospect of the medical device you are hooked being compromised by hackers is just another worry to add to the list.

Unfortunately, this is a legitimate concern, say experts. In recent years, a wide range of vulnerabilities in connected medical devices have been uncovered. As more healthcare equipment — from cardiac monitors to glucometers — is equipped with wireless connectivity and sensors, potential exposure points increase, leaving doors open to cyber criminals.

Such connected devices have many benefits, says analyst Christian Renaud of IT research firm 451 Group. They offer opportunities for continuous monitoring, telemedicine and big data analytics to uncover hidden trends and causes in illnesses.

However, Mr Renaud acknowledges, connectivity comes with the risk of “abuse by bad actors, just as it does in connected cars and industrial automation, although with much more direct ‘life or death’ consequences.”

In September 2017, for example, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the US Department of Homeland Security, warned of problems with syringe infusion pumps designed to administer small, frequent doses of medication in acute care settings and manufactured by Smiths Medical.

A security flaw, first uncovered by independent security researcher Scott Gayou, posed a potential threat. “Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorised access and impact the intended operation of the pump,” says the ICS-CERT report. In other words, with enough skill, a hacker could change the quantities of medication administered to a patient.

Smiths Medical said the chances of this happening are “highly unlikely”, but has promised a software security update to resolve the issues by January 2018.

Smiths Medical is not the only device manufacturer under fire. There are plenty of others, including St Jude Medical (acquired by Abbott Laboratories in January of this year), which is currently battling lawsuits relating to vulnerabilities in its implantable cardiac defibrillators and pacemakers. These triggered a recall of some 465,000 devices in August this year, which will involve patients attending hospitals and clinics in order for the devices to be updated. No invasive surgery will be needed, but the procedure must be carried out by medical staff.

The responsibility for the problem, however, does not lie solely at the doors of device manufacturers. Hospitals and clinics, too, must rethink how they manage, monitor and protect these devices, says May Wang, co-founder and chief technology officer at cyber security company Zingbox.

US hospitals currently average between 10 and 15 connected devices per bed, she says, citing research conducted by the company earlier this year. However, Ms Wang adds, “There is a lot more that hospitals should be doing to protect themselves.”

In conversations with healthcare providers, she often hears reports of devices going unpatched, data traffic going unencrypted and an unhelpful separation of the duties carried out by IT teams responsible for information systems, on one hand, and clinical engineering teams who directly manage medical devices on the other.

“When we ask how many Internet of Things devices are connected to the hospital’s network, these two teams have different answers. Often, neither team is sure. They simply don’t have an answer,” she says. “That strongly suggests more oversight is needed.”

The problem is widespread, it seems. Earlier this year, security firm Trend Micro conducted a study using Shodan, a search engine that indexes internet-connected devices, and found over 100,000 records relating to medical equipment and hospital computers worldwide that are openly exposed and potentially vulnerable to attack.

“While device manufacturers, to my mind, have a clear duty of care to ensure that their devices have built-in security and can be regularly patched and updated, there’s dual responsibility here, because hospitals must ensure that they’re carrying out that work and that they are implementing these devices in a secure way and connecting them to hospital networks appropriately,” says Caroline Rivett, head of cyber security in the healthcare practice at KPMG UK.

What is needed, she says, is a clear-eyed upfront assessment by hospital administrators of the clinical rewards and patient benefits associated with using this equipment, versus the risks involved.

In the meantime, should patients avoid using connected medical devices? Probably not, says Ms Wang at Zingbox. Hackers are still one step behind on launching the kinds of sophisticated attack that would be needed to threaten patient health and hold hospitals to ransom, she says. But, she adds, “If had to go into hospital, I’d still be very concerned.”