When the show ‘Homeland’ aired an episode with a hacker manipulating the Vice President’s internet-enabled pacemaker, could it have been a case of art mimicking real-life? There has been an exponential growth of internet-enabled versions of medical devices, or Internet of Medical Things (IoMT). These devices are connected via Wi-Fi or machine-to-machine (M2M) communications to healthcare IT systems that are often based in the cloud. A highly distributed and open system creates new security and privacy challenges for medical devices. In fact, these security concerns are so crucial, that Vice President Dick Cheney took the episode of Homeland to heart (literally) by having his pacemaker replaced with a non-Wi-Fi version.

Medical devices cover many areas of health, from electro-medical equipment, which includes pacemakers, to irradiation, such as MRI and X-ray machines, to surgical appliances such as orthopedic limbs. The general medical device market is massive, with predictions of value being around $398 billion in 2017. The United States is currently considered the leader in this space, due to the innovation, supply, and manufacturing we have seen from U.S based companies.

There are no doubts that medical devices are lifesaving and life improving. They cut across every aspect of our healthcare and are a vital part of a modern approach to a healthy population. However, does modern healthcare, especially in a highly connected world, mean that we have to sacrifice our security and privacy? The Federal Drug Administration (FDA) is concerned that these devices do not place security a high enough consideration during their research, development, and design phases. To counter this, the FDA has created draft guidance on helping ensure security management for medical devices. The guidelines specify that manufacturers “should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their post market management of medical devices.”

Some Examples of Where Medical Devices Show Privacy or Security Concerns:

Operating Systems: In a recent study by Virta Laboratories, Inc. into post market medical device security monitoring, it was found that medical devices would often be shipped with older, unsupported operating systems. In fact, several medical devices in 2012 were shipped with the outdated Microsoft Windows XP OS. As medical devices can stay in clinical use for decades, outdated operating systems may lead to a lack of patch management. This causes the device to be highly vulnerable to malware infection. As the healthcare industry is one of the top targets for malware and theft of medical records, this is a concern that needs to be mitigated early in the manufacturing process.

Tracking and Location: A number of medical devices enable the tracking and geolocation of the user. This is a legitimate requirement and has been shown to increase improvement in patient outcomes. An example is asthma inhalers and elder care. Several inhalers use mobile apps via Wi-Fi to collect data about location and medical information, such as the time and date of an asthma attack, or in the case of elder care, general location awareness is collected from a wearable device. The use of Wi-Fi as a means to collect and share location data can increase privacy and security concerns if not correctly implemented. This can lead to man-in-the-middle attacks (MitM), resulting in stolen protected healthcare information (PHI), and even physical security concerns.

Implantable Devices: Medical devices that are physically implanted into the body (IMDs) are the most intrusive devices known. As detailed in Homeland and the hacked pacemaker, due to the devices intimate use, IMDs pose the greatest security concerns for patients and may have potentially fatal consequences. A study on IMDs by the University of Madrid in Spain found that IMDs were subject to MitM attacks across unsecured Wi-Fi connections.  The study stated that IMDs contain significant Personally Identifying Information (PII) such as name, address, social security number, and PHI which is at risk of theft from eavesdropping.

Can We Make Medical Devices Healthy?

The above examples are just some of the security and privacy issues inherent in internet-enabled medical devices. In an environment where PHI is a highly attractive commodity for a criminal, any weakness in security measures will be found. The medical device market itself is financially healthy, however we need to remember the patient. Taking basic security and privacy measures, such as ensuring that patching of operating systems and software is achievable and performed will help prevent breaches. Nonetheless, as medical devices became ever more likely to be Internet-enabled and to share data across cloud platforms, we also need to take precautions against the interception of patient data. Ensuring safe Wi-Fi implementation and setup, and using encryption for data both in transfer and at rest, will help to ensure a healthy outlook for medical devices and the patients that use them.