WEARABLE DEVICES ARE used for healthcare treatment argeting four prevalent chronic illnesses—congestive heart failure, diabetes, hypertension, and chronic obstructive pul- monary disease—but also are used for self monitoring and preventative medicine.
1 Wearable devices and mobile apps are now a part of the “medical Internet of Things” structure.
2 While these technologies advance patients’ physical health, they do come with risks. These risks are largely ignored by end users, who often assume device manufacturers manage cyber isks. It is important to note that medical devices generally do not fall under the HIPAA regulations, but instead fall under the purview of the Food and Drug Administration (FDA).
This article will explore the nature of security threats against
medical devices as well as outline several real examples of recent attacks. This article will also provide advice for providers
and developers for mitigating wearable device attacks.
Common Modes of Hacking Events
There have been several instances where hackers have infected
a wide array of medical devices, using them to create a back-door to hospital systems, called “medjacking.” This technique
creates an access point for a back-door way to find passwords
within a hospital’s IT system. One frequent vulnerability is the
fact that security patches for these devices are often out of date,
creating easily exploited systems.
3 It is unclear how prevalent
this issue is today.
One example is a dental practice in Toronto that learned their
practice activities were being streamed live in Russia on a site
called “ insecam.org,” unbeknownst to staff and patients. This
happened as a result of the practice’s decision to use a wireless
security camera system after a break-in. They left the default
password intact when they installed the system, enabling the
Russians to access the live feed and stream everything that oc-
curred in the office—which included patient and staff activi-
ties, but also clear access to private information on computer
screens. Obviously, this put protected health information in
peril. The Canadian dental office has since secured their cam-
eras, which ended the live feed.
As far back as 2007, doctors disconnected the wireless function of
Vice President Dick Cheney’s left ventricular assist device, for fear
terrorists would hack into it and kill him. More recently, Hospira’s
Lifecare Infusion Pump systems were found by independent researchers to have vulnerabilities that could allow malicious outsiders to remotely modify medication doses, potentially delivering too
much medication or too little. Both could have potentially deadly
5 The newest implantable medical devices (IMDs)
incorporate more complex communication and networking functions, or telemetry, leaving patients at risk of cyber intrusion.
In 2017 the FDA reviewed information concerning potential
cybersecurity vulnerabilities associated with St. Jude Medical’s Merlin@home Transmitter, a cardiac monitor. The FDA
confirmed that there were vulnerabilities that, if exploited,
could allow an unauthorized user to remotely access and alter
a patient’s implanted cardiac device.
The FDA was made aware of several critical vulnerabilities
in Hospira LifeCare patient-controlled analgesia (PCA) infusion systems, which also can be exploited by a remote attacker
intent on adjusting medication infusions.
Existing Threats and Real-World Attacks
A sample of real-world device attacks, according to media reports and press releases, include:
Navigating Privacy & Security / Illuminating Informatics / Standards Strategies / Road to Governance
The Next Wave of
By Roger Shindell, MS, CHPS, CISA