More and more devices are becoming smart. We have smart thermostats, smart refrigerators, smart fitness trackers, smart security cameras, smart TVs, and a myriad of other smart devices. The network of these connected smart devices is known as the Internet of Things (IoT). By the end of the year, the population of the IoT is expected to consist of 31 billion devices, worldwide.
There is a subset of the IoT called the Internet of Medical Things (IoMT). IoMT is the theme for the week.
Some IoMT components are standard consumer devices with added capabilities. The Fitbit activity tracker can evaluate ischemic heart disease patients by simultaneously monitoring their heart rate and accelerometer data.
There are also specialized IoMT devices. Neurosurgeons use robots to conduct neurosurgery because robots are steadier and more precise than the human hand. There have been experiments where brain surgery was conducted remotely. In one experiment, the surgeon was 1,500 miles away.
A new field of research is the development of “smart pills”. “Smart pills” contain microscopic sensors that can transmit data to connected devices. “Smart pills” are being developed to measure medication treatment effectiveness. Another aspect of this research involves “smart pills” that can monitor patients’ internal health and transmit data, such as core temperature to monitoring devices.
The IoMT holds great promise. However, the IoMT contains extensive cybersecurity vulnerabilities. A large percentage of monitoring devices are still using Windows XP. Windows XP is almost 20 years old. XP is extremely vulnerable to hacking attacks. Monitoring device manufacturers have not upgraded the software on much of their monitoring equipment.
According to a 2018 article, one of the networking protocols used by medical devices to monitor a patient’s condition is vulnerable to attack. The protocol does not require authentication. This makes it possible for an attacker to modify the patient’s apparent condition in real time. The lack of authentication also allows an attacker to place a rogue device on the network to mimic patient monitors. There have been recommendations that vendors implement encryption and authentication. The status of these recommendations is unknown.
There have been movies where the bad guy kills by hacking the victim’s pacemaker. This is no longer fiction, and the possibility of it happening is frighteningly real.
According to Barnaby Jack, software has been written that could allow an attacker to turn off a pacemaker or an implantable cardioverter defibrillator (ICD). The researcher who wrote the software to turn off pacemakers and ICDs also wrote software that can cause the ICD to deliver an 830-volt shock to the heart, causing the heart to explode.
The same researcher also developed a method to scan for insulin pumps with wireless capability. The software can increase or decrease the amount of insulin delivered to the patient. This story is seven years old, so hopefully manufacturers have fixed these vulnerabilities.
Another vulnerability is presented by pacemakers that communicate patient data via a docking station. Pacemakers can be hacked, but only within Bluetooth range and only while the pacemaker is communicating data. The communication method used by at least one manufacturer requires no authentication, nor are communications encrypted. The manufacturer recalled some of its insulin pumps to fix the vulnerability. While the pacemaker may be difficult to hack, the docking station is still a possibility.
While patients can’t secure the pacemakers, ICDs, or insulin pumps they may have in use, these are definitely cybersecurity concerns to discuss with your doctor. The software of implanted devices can be patched without an operation.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has very stringent requirements regarding patient medical information. Some IoMT devices transmit a lot of patient data. Not all of this data is encrypted. While we might think that HIPAA would require IoMT devices to secure patient data, this is not presently the case. Regulators are still trying to understand the IoMT.
There is also the European General Data Protection Regulation (GDPR). Just because you’re an American, don’t think you won’t be impacted by the GDPR. The Europeans have a very broad definition of personal data. An American visiting Europe is covered by the GDPR for the duration of their visit. Your medical devices may be covered by the GDPR when visiting Europe. You might have recourse if your data is compromised while there.
A September 2019 report says 82% of healthcare organizations have experienced a cyber attack against their IoMT devices in the previous 12 months. The threat is real.
What can the individual do? Unfortunately, not much. On devices where encryption is an option, ensure that encryption is enabled. Be aware of the threat and ask your doctor what is being done for your cyber safety.
While it is not realistic to expect your doctor to update the operating systems on the monitors, they should be able to answer questions regarding the devices they intend to implant in your body. There is a Latin phrase, caveat emptor: let the buyer beware. As with so many things, this applies to the IoMT.
Do Your Part. #BeCyberSmart