Internet of Things (IoT) devices have helped to improve patient care in the health sector in a number of ways.
Pacemakers that allow accurate heart rate monitoring and adjustment of impulses, infusion pumps that can inject controllable doses of blood or saline, and smart pens that store written patient information are examples of medical IoT devices.
However, recent investigations have shown how susceptible these devices are to malicious interference.
A recent report from HP stated that nearly 70% of IoT devices have been found to contain security vulnerabilities.
Kaspersky also detected 105 million attacks on IoT devices in the first half of 2019, a ninefold increase compared to the first half of 2018.
Attackers could even exploit flaws in the security of these devices to hold patients to ransom.
While within close physical proximity to the target, hackers could use a device’s Wi-Fi or Bluetooth connection to remotely access and modify its data.
In this way, the perpetrator could change the way the device operates, with potentially dangerous consequences for the person with the medical implant.
At the Black Hat USA cybersecurity conference in 2011, Jay Radcliffe showed how easy it was to hack an insulin pump and deliver a lethal dose to a patient.
Hacking a heart
Medtronic, the world’s largest medical device company, has been caught out twice with devices that could be exploited by hackers.
In 2017, researchers identified a dangerous security vulnerability in Medtronic’s pacemakers which allowed hackers to alter the impulses that stimulate a person’s heartbeat.
In June of this year, the US Food and Drug Administration warned health care providers and patients of using Medtronic’s MiniMed 508 and MiniMed Paradigm insulin pumps, stating that the devices may be susceptible to hacking.
Medtronic subsequently recalled the affected pumps.
Managing Director for Medtronic in the Southern Africa Region, Peter Mehlape, said that the design and manufacture of the company’s products are “as safe and secure as possible”.
“We have a strong product security program that leverages internal and external security and medical device experts, rigorous development processes and current security practices to enable the highest levels of security and usability.”
Medtronic also stated that the likelihood of a breach of a patient’s device is low, and it is not aware of any breaches involving patients that use its medical devices.
What the security experts say
CI Security (CISO) is a cybersecurity company that specializes in guarding healthcare institutions against attacks that target their equipment or infrastructure.
Founder of CISO, Mike Hamilton, said these devices can be beneficial to healthcare in general.
“Small networked monitoring devices are being attached to medical technologies and people, to create efficiencies and better serve patients by constantly monitoring their conditions and medicine consumption without a human constantly being in attendance,” Hamilton said.
He added that although none of the security vulnerabilities have led to any actual deaths, healthcare institutions have historically been targets for cyber attacks.
“There have been instances where IoT like cameras were used as denial of service cannons. It is not clear how many health sector organizations were caught up in this.”
“Medical IoT has not been attacked for the purpose of causing death, although indiscriminate ransomware has the potential to do that.”
Hamilton said that aside from ensuring devices are free of known security defects out of the box, several steps can be taken to ensure that patients are not exposed to vulnerable devices.
These include creating a quality standard in the form of security certification for medical devices along with a plan to identify and patch vulnerabilities.
Hamilton said the result of a lack of action could be devastating.
“Someone might be intentionally killed, hospitals will continue to be extorted or a nation-state or terrorist organization could disrupt the health sector, and make us not trust our medical institutions.”