Now that the Internet of Things (IoT) market is booming, cybersecurity has become a hot topic. While even just a few months ago this was still a taboo subject as regards medical and health devices, recent events have turned the spotlight on their potential vulnerability to computer hacker attacks.
Nowadays implants and many other medical devices such as pacemakers and insulin pumps are ‘connected’ – i.e. able to transmit data on their own current function status and on the patient, and also to receive instructions. Given the tremendous advantages for the patient’s well-being and medical monitoring, especially for chronic conditions, this is clearly a technological achievement, but it also carries a risk. Chemical and pharmaceutical firm Johnson&Johnson has just contacted 114,000 patients in the United States and Canada to warn of a security fault in one of its insulin pump models. Vulnerabilities have been detected in the control box, such that if the device were to be hacked, the pump could for instance be instructed to inject a potentially fatal dose of insulin into the patient.
Jay Radcliffe, Senior Security Consultant and Researcher at computer and network security company Rapid7, who is himself diabetic, demonstrated that, because the data links are not encrypted, it is technically possible to intercept exchanges of data and insert modifications. The absence of any kind of encryption shows that the designers of these implants have so far been neglecting the cybersecurity aspect of their products, no doubt due to technical constraints and also the pressure to achieve short time-to-market.
Manufacturers still immature in terms of cybersecurity
The fact is that, with their rather modest processing power, these devices are often unable to host sophisticated protection systems. Thomas Gayet, Head of the ‘CERT-UBIK’ Computer Emergency Response Team at Paris-based Digital Security, points out that the level of maturity among manufacturers of these medical devices – and makers of connected objects in general – varies a great deal when it comes to cybersecurity. "Surprisingly, the level of security of connected objects does not generally correspond to the actual security needs. Some connected objects that one might regard as mere gadgets are highly secure, while on the other hand many connected healthcare devices do not incorporate any security measures at all!" he warns.
While computer security for a connected bracelet used by weekend sportspeople is important rather than essential from a user viewpoint, this is certainly not the case for a defibrillator, an insulin pump or a pacemaker. Fans of the American TV series Homeland will remember the scene where Vice President William Walden is assassinated remotely by a hacker who obtains control of his pacemaker.
A pacemaker is basically a tiny computer controlled by around 80,000 lines of code, which consequently offers security loopholes that a hacker could potentially exploit. "It’s interesting that we’re starting to be contacted by startups looking to incorporate security into their products, by taking the approach we call Secure by Design. They’ve understood that, going forward, security will be a key differentiator in the IoT market," Gayet reveals.
Hospital equipment also under threat
Just as connected implants have potential security loopholes, this is also true for the medical equipment used in hospitals. In 2015, the United States Food and Drug Administration ordered the withdrawal from the market of Symbiq infusion pumps made by US firm Hospira. These pumps enable exact doses of medication to be administered to patients, but it was found that the doses to be injected could be altered remotely via the hospital’s cable network or WiFi – with obvious risks for patients.
Nowadays a great deal of hospital equipment, such as CT and MRI scanners, is connected and thus potentially vulnerable to hacking attacks. Source: Philips Healthcare
The same lack of security also affects major items of equipment such as CT and MRI scanners. In 2015 the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which comes under the US Department of Homeland Security and to which manufacturers must report any security breach discovered in their systems, listed 14 security incidents in the health sector during the year. Among the alerts published by this surveillance authority was one relating to the Philips Xper Information Management Connect system – medical data management software produced by Philips Healthcare. The advisory pointed out 460 vulnerabilities in a solution using Windows XP, an operating system for which Microsoft had ceased support.
"In addition to heart implants and insulin pumps, medical and biomedical equipment such as scanners, including MRI scanners, also have problems with security," reveals Tristan Savalle, Senior Information Security Consultant at French Information Security firm aDvens, adding: "We’re currently working hard on making this kind of equipment secure, because all hospitals use it and security is often really lacking." The unfortunate fact is that not all hospitals take the necessary precautions to protect their medical equipment from malicious attacks. Moreover, staff are not empowered to intervene directly, for example to install simple anti-virus software on a machine. Such equipment is therefore a potential target for computer hackers, who might be tempted to freeze these expensive machines and blackmail the hospital authorities into paying a ransom.
Apparatus must be made secure from the outset
While equipment security is still largely insufficient, things are now changing. On the one hand, when experts reveal security breaches that are then reported in the media, this constitutes a real business risk for the manufacturers concerned. St. Jude Medical Inc stock fell sharply by close to 5% in the wake of a claim that its implanted heart devices were vulnerable to cyber-attacks. Company bosses are now alive to the fact that a scandal in the media following the death of a patient as a result of a cyber-attack might prove to be the death-blow for their business.
Security experts argue that the first step equipment designers should take is to begin integrating the cybersecurity component upfront, at the initial design stage, instead of at the very end of the cycle. "If you want to ensure that a healthcare object is secure, you need to integrate the cybersecurity element very early in the design process. You have to analyse the threats to that particular device and decide upfront on the responses you want to make to those threats," explains the consultant, adding: "You have to realise that MRI and CT scanner designers do put a lot of effort into improving their equipment, but computer security is not currently part of their job." The mere fact of having USB ports on the control panel of a piece of equipment presents a real risk. A French analysis laboratory had to pay a heavy price recently when one of its machines became infected by a virus emanating directly from a maintenance technician’s USB stick.
Quite apart from the business aspects, the regulatory framework also needs to evolve in order to take a more accurate account of the risks. While hosting personal medical data in countries such as France requires the provider to apply for accreditation or work in conjunction with an accredited medical data host, regulation governing connected equipment is lagging well behind. "Legislation has always been very strict for this type of equipment, but it still takes very little account of the cybersecurity aspect," laments Tristan Savalle.
However, people are now becoming more aware and are pushing manufacturers to arm their machines against cyber-attacks. At the moment things are still at the recommendation stage. In October 2014, the US Food and Drug Administration published a short internal guide to cybersecurity for medical equipment, while in France the HAS (National Health Authority) has gone further and published a guide containing 101 best practice rules with the aim of encouraging more secure designs for healthcare-related connected objects. "However, we are still at the stage of drawing up best practice guidelines rather than issuing regulations," Savalle points out. The next step will doubtless be to introduce certification procedures for medical equipment that incorporates the cybersecurity aspect, including for example the use of penetration tests carried out by ‘good guy’ hackers such as those working for the French National Digital Security Agency, ANSSI. This is already being done for IT security equipment and is now starting to become standard for equipment used in various sectors of industry as well.