COVID-19 highlights poor security in medical IoT devices

Article By : Bernard Brode

While advances in medical devices may help doctors to treat patients infected with COVID-19, at the moment this increased efficacy comes at a significant price: reduced security...

The COVID-19 pandemic is transforming many sectors of the tech economy, from retail to cybersecurity. While many of these trends will take years to come to fruition, in recent months analysts have raised more immediate concerns. In order to fight the pandemic, governments and healthcare providers around the world have turned to medical IoT devices. Unfortunately, many of these devices come with significant security vulnerabilities.

These concerns are not new. For years, we’ve been pointing out both the opportunities and challenges of medical electronics, and argued that IoT security needs to be given higher priority. The pandemic might, finally, have provided a more effective wake up call.

In this article, we’ll look at how embedded devices are being used in the fight against coronavirus, the security concerns around them, and what engineers can do to mitigate them.

Smart machines dominate modern operating rooms. (Source: Pixabay)

The Pandemic and Medical IoT

Many of the IoT systems that are being used to fight COVID-19 have been in place for years, but in the context of the pandemic are struggling to cope with historic surges in demand. This is due to two reasons.

The first is that hospitals have a poor record when it comes to cybersecurity. Reports show that ransomware and other cyberattacks are rising around the world, and that healthcare is one of the biggest targets. Some of these attacks are extremely sophisticated: researchers in Israel recently announced that they’d created a computer virus capable of adding tumors into CT and MRI scans — malware designed to fool doctors into misdiagnosing high-profile patients.

The Need for Security

Given the expansion of the user base for medical IoT devices, recent weeks have seen a renewed focus on their security vulnerabilities.

Some of these concerns have been with us for years. There has long been a tension in the healthcare sector between cybersecurity experts who want to secure hospital systems and doctors who are focused on patient care. While it’s true that over-eager security protocols can slow down the functioning of hospital IoT systems, or make them too complex for healthcare professionals to use effectively, the truth is that cybersecurity and patient health are intimately connected. Research by Choi showsthat data breaches increase a hospital’s 30-day mortality rate. Given this, it’s crucial that healthcare professionals come to understand the importance of cybersecurity.

Then there is the second, larger problem. Allowing patients to use medical IoT devices via their smartphone empowers healthcare providers to increase the scope and power of their patient monitoring systems. Unfortunately, it also increases the attack surface area of these systems. In a world where many patients don’t know the basic process to secure their smartphone, allowing these devices access to sensitive medical information is a major risk. There have been several well publicized attacks on insulin pumps, for instance, mainly because modern insulin pumps are built to communicate with smartphones via insecure bluetooth protocols.

These vulnerabilities are worrying enough on their own, but in the context of the pandemic many healthcare providers (and the governments that oversee them) have responded to increased demand by rolling out consumer-focused medical IoT solutions. According to the New York times, for instance, Kinsa Health has sold over one million thermometers to households, often on the advice of doctors. This has raised concerns, because these are “smart”, connected thermometers and therefore potentially vulnerable to hackers causing false readings. In addition, governments have encouraged their citizens to download track and trace apps, despite concerns over the security of these solutions.

The Solutions

For IoT engineers, meeting these challenges will be difficult. Nevertheless, improving the security of medical IoT devices is crucial if the industry is ever to mature. Along the way there have, of course, been attempts to codify and improve the security of medical IoT devices.

The FDA guide, “Management of Cybersecurity in Medical Devices”, published in 2016, remains the most detailed attempt to date. This framework specifies that all of the data that medical IoT devices collect and share should be encrypted, both while at rest and during transit. This, in principle, would offer an  effective way of protecting patient data from hackers and unintentional breaches. The problem is that many IoT devices – and the systems that they rely on to function – aren’t capable of performing this encryption.

This is because many IoT device manufacturers – and even those producing devices to be used in medical contexts – have prioritised connectivity and cost over security. As a result, many of these devices simply don’t have enough computing power to encrypt and decrypt the data they work with. Though research into “lightweight” cryptographic algorithms is showing promise, there is not really an ideal solution to this problem on the market at the moment.

There are a variety of security element devices designed specifically to provide cryptographic functionality to resource-constrained IoT designs, but they come with significant limitations. Using them forces developers to increase the size, cost, and complexity of their IoT devices, and these security elements can’t just be “bolted on” to existing designs.

For this reason, IoT engineers need to take a more pragmatic approach to IoT medical device security. This should start with a renewed focus on endpoint security in healthcare provider systems, and specifically at the cybersecurity of the systems being used in hospitals. Many network engineers, in this context, have turned back to air gapping, which provides security by physically separating secure and non-secure domains.

One button cybersecurity is not a reality yet. (Source: Picpedia)

The Future

This approach, of course, will not do anything to protect the medical data of citizens who have been compelled (or encouraged) to use IoT devices at home. And for this reason, it’s crucial that we look again at the risks that these apps and devices represent. While advances in medical devices may help doctors to treat patients infected with COVID-19, at the moment this increased efficacy comes at a significant price: reduced security. And until we fix the long-running concerns with the security  of IoT devices, that will continue to be the case.

Bernard Brode is a product researcher at Microscopic Machines

Leave a comment