Cybersecurity for medical devices. PHOTO: Cybercrime Magazine.

Patient Insecurity: Explosion Of The Internet Of Medical Things

How Vulnerable is the IoMT to Cyber Threats?

Steve Morgan, Editor-in-Chief

Northport, N.Y. — Feb. 19, 2019

This 2019 Medical Device Report is sponsored by Sensato, developer of MD-COP — which provides a single, comprehensive security solution that addresses the administrative, technical, and operational requirements of HIPAA, NIST 800-53, and FDA Post-Market Guidance for Medical Device Cybersecurity.

The rapid growth of Internet connected medical devices — known as the Internet of Medical Things or IoMT — has created serious cybersecurity and data privacy risks. Combine that with more sophisticated hackers targeting the healthcare space and we’ve got the perfect storm brewing.

Historic data breaches compromised patient data and software. But now, hundreds of thousands — and possibly millions — of people can be hacked via their wirelessly connected and digitally monitored implantable medical devices (IMDs) — which include cardioverter defibrillators (ICD), pacemakers, deep brain neurostimulators, insulin pumps, ear tubes, and more.

Medical Device Hacks

In 2008, a University of Massachusetts Amherst researcher, Kevin E. Fu, showed that an implantable heart defibrillator is vulnerable to hacking. Fu’s research was aimed at helping to protect the next generation of Internet connected medical devices.

At the 2011 Black Hat USA security conference, Jay Radcliffe, an ethical hacker and diabetic, demonstrated that it wasn’t difficult to take control of an insulin pump and deliver a lethal dose to a patient.

In late 2018, Billy Rios, a veteran cybersecurity researcher, told CBS News that there’s nothing stopping him from taking medical devices apart and hacking them. Jonathan Butts, another researcher, was quoted as saying, “We’ve yet to find a device that we’ve looked at that we haven’t been able to hack.”

In order to demonstrate a potentially deadly hack, Rios and Butts presented at the Black Hat information security conference, where they remotely disabled an implantable insulin pump, preventing it from delivering the lifesaving medication, and then took total control of a pacemaker system, allowing them to deliver malware directly to the computers implanted in a patient’s body.

Now, a decade after UMass’s high-profile revelation of medjacking (a term used to describe medical device hacking), the next generation medical devices are in widespread use, and they’re shockingly insecure.

FDA Oversight

The FDA’s (U.S. Food and Drug Administration) ongoing efforts to protect the public health from cybersecurity vulnerabilities has been stepped up with new measures. But the pressure on medical device manufacturers to speed up market entry sometimes leads to post-market (instead of pre-market) cybersecurity testing, or in some cases — no testing at all.

The FDA isn’t aware of any reports of an unauthorized user exploiting a cybersecurity vulnerability in a medical device that is in use by a patient. But the FDA has issued recalls of medical devices like pacemakers and insulin pumps that had security issues.

A common myth is that the FDA tests all medical devices for vulnerabilities. The truth is that the FDA does not conduct pre-market testing of medical devices and it’s the responsibility of the manufacturers to do so.

An inspector general’s report in late 2018 found the FDA’s “plans and processes were deficient for addressing medical device cybersecurity compromises,” according to a CBS News story. The FDA disputes that and says it “has worked proactively” on the issue.

Data Points

The editors at Cybersecurity Ventures have vetted and synthesized research from numerous sources in order to paint a picture of the medical device attack surface.

Patient Harm

The big concern around the insecurity of medical devices is patient safety.

It’s only a matter of time before a patient is harmed through medical device hacking, and journalists have many resources to probe whether their local health providers are able to prevent or respond to such an event, said a panel of experts at Health Journalism 2018 in Phoenix.

John Gomez, CEO at Sensato, a Red Bank, N.J. based cybersecurity company specializing in the healthcare sector, and a founding member of the Medical Device Cybersecurity Task Force, warns that healthcare organizations — and hospitals in particular — are using 2010 solutions aimed at tackling 2020 problems, and it’s not working.

In particular, Gomez is concerned about the lack of security policies around medical devices. He told Cybercrime Magazine that hospital CIOs and IT leaders often ask him why they need additional policies around those devices when they already have them in place for their infrastructure. Gomez advises that whereas most cybersecurity policies focus on protecting data, medical device policies can save lives.

Not Market Hype

Is there any market hype around medical device security?

Kathy Hughes, CISO at Northwell Health, one of the nation’s largest healthcare systems, told Cybercrime Magazine that IoT (Internet of Things) devices are, in her opinion, computers with operating systems (OS), similar to other types of computers — and those devices are susceptible to the same cyber threats. She added that IoT devices have a small OS and that security is a bolt-on rather than built-in.

U.S. Vice President Dick Cheney feared for his life in 2007 and had his doctors disable the wireless capabilities in an implantable medical device (to regulate his heartbeat) to prevent against a possible assassination attempt, according to ABC News. Cheney believed that hackers could break into certain medical devices and kill their owners. “I was aware of the danger, if you will, that existed,” he said in an interview with 60 Minutes at the time.

When the vice president of our nation is taking precautions to protect his own life, you can rest assured that there’s no hyping of the cyber threat to patients with implantables. Although that was twelve years ago, experts in our field still have the same concerns that Cheney did.

If there is any market hyping, then it’s isolated and surely not inventing the risk. Vendor FUD (fear, uncertainty, and doubt) is one thing, but concrete evidence (researched and reviewed by Cybersecurity Ventures) from a multitude of reliable sources is an altogether different thing. Make no doubt about it, medical device cybersecurity is a serious issue.

Security Distractions

Healthcare CIOs and CISOs (chief information security officers) can be easily distracted from the medical device risk.

It’s predicted that healthcare will suffer 2-3X more cyberattacks in 2019 than the average amount for other industries, according to the Cisco/Cybersecurity Ventures 2019 Cybersecurity Almanac. Woefully inadequate security practices, weak and shared passwords, plus vulnerabilities in code exposes hospitals to perpetrators intent on hacking treasure troves of patient data.

Ransomware attacks on healthcare organizations are predicted to quadruple between 2017 and 2020, and will grow to 5X by 2021.

Between all of this, and a workforce shortage that is predicted to result in 3.5 million unfilled cybersecurity positions globally by 2021, many hospitals are struggling to keep their heads above water with their IT security — and medical devices can become an afterthought.

In order to reduce the vulnerability of IoMT and maximize patient safety, all governments, the entire healthcare industry, all hospitals, and every medical device manufacturer need to be dead serious about security. Otherwise, somebody may wind up dead.

Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.

Go here to read all of my blogs and articles covering cybersecurity. Go here to send me story tips, feedback and suggestions.

Sponsored by Sensato

Sensato is a top-500 cybersecurity innovator located in Red Bank, N.J. Founded in 2013, Sensato provides risk assessment, penetration testing, security operations, executive guidance, and software. CEO and founder John Gomez is an internationally-known cybersecurity expert, author, and speaker. Sensato’s programs, systems, services, training, and intelligence gathering are the product of designing the highest level of security for those who provide critical services that impact human health and safety: healthcare, medical, pharmacological, and related organizations; law enforcement, fire, and emergency services; clean water, power, and heat providers.

Sensato is a founding member of the Medical Device Cybersecurity Task Force, conducting ongoing medical device cybersecurity research and threat assessment. Sensato created MD-COP to provide a single, comprehensive security solution that addresses the administrative, technical, and operational requirements of HIPAA, NIST 800-53, and FDA Post-Market Guidance for Medical Device Cybersecurity.