Rami Muleys, head of application security business development at Positive Technologies
The Internet of Things is driving incredible innovation in healthcare. “Almost any new innovative medical device is currently designed as a part of broader interconnected system,” Rami Muleys, head of application security business development at Positive Technologies, told MD+DI. “The main value of IoT is the convergence between different systems and the ability to exchange data between every device – from an insulin pump to a hospital bed.”
Healthcare is consequently “a constantly changing landscape, especially since more and more companies are finding new niches with their existing non-medical devices,” said Muleys. “A good example would be fitness devices and smart watches. Apple Watch, for example, was [granted marketing authorization through a de novo classification request] by FDA as an ECG device. Some emerging technologies are really imaginative, such as smart bra, which detects breast cancer in early stages, or UV skin sensors developed by L’Oreal.”
“In terms of statistics, numbers and market shares, according to forecasts done by Cisco, IBM, Gartner and many other respectable companies, we are already past the point where there are more IoT devices than PCs and phones, and this will only continue to grow exponentially,” he added. “According to other reports, around 1/5 of those devices globally are part of IoMT (Medical IoT). The Healthcare IoT market is expected to grow to $100-150 billion by 2020.”
But such connectivity is introducing hacking threats. “From a security point of view, this is uncharted territory with potential attack vectors restricted only by the imagination of hackers and security researchers,” Muleys said. “Even systems such as pacemakers are being manufactured with wireless connection and getting hacked.”
The hackers’ “main motivation is money,” he said. “If a criminal can find a way to make money from tampering with a pacemaker or implantable, they will do it. Fortunately, at this moment they are focused on easier targets such as confidential data in healthcare applications and systems.
“Healthcare organizations are faced with many of the same cyber-threats as technology-reliant organizations and industries," he continued. "One area of concern is data manipulation – either through loss, data leakage, or even spoofing (where a person or program successfully masquerades as another by falsifying data). Ransomware has also recently been used as a tool to attack healthcare organizations. Moving forward, there’s a chance cyber-criminals will change tactics and, instead of destroying sensitive data, use it for targeted attacks. As an example, a patient with a sexually transmitted disease could find themselves blackmailed; a patient with an allergy could be attacked with his or her allergen, etc. On the other hand, healthcare records in a hacked database could be altered to cause physicians to misdiagnose or prescribe inappropriate medication.”
For statistics on healthcare breaches, he cited a report from the HIPAA Journal: “To date, hundreds of millions of people are already victims of healthcare data breaches. The number of registered breaches by HIPPA last year is 503, which affected more than 15 million people,” he recounted.
Muleys offered a few specific examples. “One incident occurred at a Lithuanian plastic surgery clinic, when over 25,000 photos, including unclothed before and after pictures, were made public. For deleting the data, the hackers are reported to have demanded a ransom from both the clinic (about $393,000) and its clients (up to $2,300 each)."
He also pointed to pacemakers with security vulnerabilities. One example was “Abbott’s implantable pacemaker security issues, which caused the . . . recall [of] almost half a million pacemakers for a firmware upgrade," he said. "And there are more and more examples of such issues. FDA even had to put an Action Plan to promote medical device safety. Fortunately at this moment, these issues are reported by security experts and white hat hackers, but who knows what vulnerabilities and attacks are known to criminals.”
Muleys pointed to several ways that hackers could monetize attacks on healthcare equipment and applications:
- Steal data or use ransomware to extort money from the hacked company.
- Threaten patient health and life by altering stored information, leading to incorrect or even dangerous treatment.
- Use stolen data to fraudulently obtain access to medical care or controlled medications.
- Leverage the personal information of patients and, by extension, their family members.
- Resell stolen data to third parties: insurance companies, healthcare providers, banks, and others, who can use this valuable information for a number of purposes (such as advertising, research, or even discrimination based on pre-existing conditions).
- Sabotage websites and/or infrastructure on behalf of unscrupulous competitors.
Muleys said the best approach to secure connected devices is security-by-design. “The first step to secure your connected device is to understand how it could be hacked. Hire a penetration testing team and ask them to do a security review,” he said “It’s likely that they will be able to hack your device, but this will give you a clear understanding about its weak points and that will let you know where to start improving security.”
Hacking is more than an just IT problem, he said. “We are talking about people’s lives, and they depend on the whole system, including hardware, software, and operators. Faulty logic and the absence of “fool-proofing” could be lethal.”
And “healthcare organizations concerned about security should address those risks starting with comprehensive assessments of their organization's infrastructure by security experts and white hat hackers,” he added. “A security assessment will allow hospitals to take an inventory of the digital perimeter and internal infrastructure, identify security risks and vulnerabilities, triage them, and build a threat model appropriate for the organization.”
It can be challenging for manufacturers of connected medical devices to ensure that users follow instructions to maintain security, so they should prepare for the worst. “Unfortunately for the manufacturers, the best way to make sure users maintain security is to implement it by default and by-design, having in mind that instead of a doctor or a patient, the connected device will end in a hacker’s hands.”