Hacked Pacemakers and Insulin Pumps Are Just the Beginning

 

As the number of medical devices explode, protection against RF risk in the clinical setting gets more complicated.

In 2016, the healthcare industry received a wake-up call. Federal regulators discovered critical cybersecurity vulnerabilities in certain pacemakers, defibrillators and other medical devices made by St. Jude Medical. Because these devices use RF signals to transmit and receive patient data, these devices were vulnerable to intrusions and exploits that could have dire consequences for patients.    

It wasn’t the first time medical device security threats have been exposed. In 2011, hackers demonstrated how easy it was to hack an insulin pump during the Black Hat security conference. But it did reinforce the growing concern around medical device security in clinical settings.

Internet of Things (Io)T security in the clinical setting has become a top priority for healthcare delivery organizations, especially as the number of connected medical and non-medical wireless devices skyrockets. Gartner Research estimates that 25 percent of healthcare cyberattacks will originate from IoT devices by 2020 [insert source]..

One of the challenges in securing the clinical setting from wireless and RF risks is the stakeholders involved. Healthcare delivery organizations are accustomed to securing Ethernet and wireless network communications. But what about common IoT protocols like cellular, Bluetooth and ZigBee? Not so much. Furthermore, most don’t have the resources to deploy advanced white-hat security measures to really dig into threat exposure.

Considerable amounts of personally identifiable information are transmitted unencrypted over wireless and wired networks,  These systems rely upon the security of the network itself.  Given that security researchers been able to purchase used medical equipment on eBay with stored network passwords, it would be possible for an attacker to use such credentials to exfiltrate confidential information once they are on the network.

Much of the security responsibility – and vulnerability – lies at the medical device manufacturer level. Manufacturers often tweak standard protocols and make them their own, or fail to provide specs and documentation on custom RF protocols to the public. Lack of public scrutiny does no favours to patients, only making it moret difficult to understand how these devices communicate with other devices and the network, and what vulnerabilities may be present.

Patients are also becoming a key stakeholder in the security equation, as data is exchanged with patients in their homes, both by in-home medical devices and as more patient reported outcomes data is collected to improve the standard of care.

In addition, telemedicine and implanted devices create remote care environments, in the patient’s home or care home. In these cases, patients and care home providers have to take an active role in security – including things like network protection and security updates to devices.

Given the evolving threat landscape and a complex web of stakeholders, it’s understandable that many healthcare delivery organizations are overwhelmed. Where does the journey begin for securing the clinical setting from RF and wireless risks?

It starts with visibility. You can’t secure what you can’t find. Clinicians and technical resources within the clinical setting must be able to identify which devices are present in their environment – both authorized and unauthorized. Furthermore, they need visibility into all devices transmitting across the entire RF spectrum. Where are these devices located? Which RF protocols are they using? When and where is suspicious activity occurring?

There is no silver bullet to securing the clinical setting. It will ultimately require better collaboration between manufacturers, clinical environments and patients. But, there are protective measures healthcare delivery organizations can and should take now. Patient outcomes depend on it!

If you would like to learn more, please watch our webinar, Wireless MD: Addressing Wireless and RF Risk in Clinical Settings

 

"