Security Concerns in Healthcare IoT Devices (Part 1)

Alice Emma Walker
Jan 24, 2018


The Internet of Things (IoT) is the future of the internet. The Internet has evolved from its earliest forms, which let one computer send data to another through a wire, to a meshwork of devices communicating with each other wirelessly. The magic of IoT allows you to go on a vacation halfway around the world while still letting you turn on the garden sprinkler after measuring the soil humidity of your garden (which I’ve done!).

Applications of IoT devices go beyond mere convenience and novelty. IoT devices have useful applications in a variety of fields, including medicine. Devices such as syringe pumps, multipara patient monitors, cardiac pacemakers, CT scanners, and X-ray machines have evolved into IoT devices. Because these IoT devices can communicate among themselves over the network, they can automate some aspects of patient care. A multipara patient monitor can continuously monitor the vital signs and automatically sound an alarm at the nurses’ station when the vitals are off. Or even better, the data from the multipara monitor can be sent to the infusion pumps, and the infusion pumps can adjust the dose of medication without human intervention.

As with everything in medicine, the use of IoT devices has its own risks and benefits. Because nothing is free of risk, decisions are made by considering the risk-to-benefit ratio. The major risk considered in using connected IoT devices in healthcare was the fallibility of the devices. Security of IoT devices was the least of the concerns. Even regulatory authorities have failed to address security concerns when checking compliance. This has led to less secure devices entering the market as early as 2005. The earliest exploits allowed infusion pumps to be controlled by anybody having access to the hospital network. Sadly, the healthcare industry has not done enough to address the security concerns. More than a decade after understanding the consequences of poor cyber security, the NHS fell victim to the WannaCry ransomware.

The convenience of IoT devices should not come at the cost of flawed cyber security. This is difficult to achieve because cyber security was one of the lowest priorities in healthcare. Patient data and electronic health records (EHR) had undergone security audits, but smart medical devices had not.

There are some unique challenges in securing smart medical devices. One is the lack of choice. Unlike medicines, where there is a variety to choose from, whatever infusion pump is available in the hospital is used. If there were many different manufacturers, the doctor would have to select the best device for the patient. Cyber security would hopefully be one of the factors compared when selecting the best device.

Next is the use of older software. Development of medical devices is a slow process. Development begins with the latest software, but by the time the device hits the market, the software may have become obsolete and its vulnerabilities exposed. As a result, software, firmware, and protocols in health care IoT devices have well-known and easily exploited flaws. Knowing this, hackers deliberately use older vulnerabilities to exploit medical devices, and they often succeed.

Another is the use of proprietary software. Manufacturers use their own protocols and develop their own software for their devices. By contrast, a large community works to improve open source software even after its release. As a result, more people scrutinize it, and flaws are very likely to be found and fixed.

A small team builds proprietary software. Errors are more likely, and they may not be discovered. If the product is discontinued, the vulnerabilities remain unpatched. It is impossible for anybody other than the manufacturer to assess the security of the software or to patch it without tedious reverse engineering.

These are some concerns specific to health-related IoT devices. Innovation is needed to fix them. Top vulnerabilities such as insecure web interfaces, insufficient authorization, insecure network services, lack of encryption, and insufficient security configurability are also common in health IoT devices. Because these are shared with other IoT devices, they are easier to address by adopting the approaches used for those devices.

Click here for part 2.
